Edit tour

Windows Analysis Report
2E7ZdlxkOL.exe

Overview

General Information

Sample name:	2E7ZdlxkOL.exe renamed because original name is a hash value
Original sample name:	6320d63025e1764e578680e24906def3.exe
Analysis ID:	1464578
MD5:	6320d63025e1764e578680e24906def3
SHA1:	b452cb8f5fe2b5683b8ea94b90c5d3f415e53832
SHA256:	d4b22461e379bba07e2e2f6cf1833884c0ff656b84afdd3b2284be856f598ae0
Tags:	32exe
Infos:

Detection

PureLog Stealer, Vidar, zgRAT

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected AntiVM3

Yara detected Powershell download and execute

Yara detected PureLog Stealer

Yara detected Vidar stealer

Yara detected zgRAT

.NET source code contains method to dynamically call methods (often used by packers)

AI detected suspicious sample

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Contains functionality to inject code into remote processes

Injects a PE file into a foreign processes

Machine Learning detection for sample

Sample uses string decryption to hide its real strings

Searches for specific processes (likely to inject)

Sigma detected: Silenttrinity Stager Msbuild Activity

Tries to harvest and steal browser information (history, passwords, etc)

Writes to foreign memory regions

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to record screenshots

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found dropped PE file which has not been started or loaded

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE / OLE file has an invalid certificate

Queries information about the installed CPU (vendor, model number etc)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

2E7ZdlxkOL.exe (PID: 6520 cmdline: "C:\Users\user\Desktop\2E7ZdlxkOL.exe" MD5: 6320D63025E1764E578680E24906DEF3)

MSBuild.exe (PID: 6624 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Vidar	Vidar is a forked malware based on Arkei. It seems this stealer is one of the first that is grabbing information on 2FA Software and Tor Browser.	No Attribution	https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-1-(-Unpacking-)/ https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-2/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/vidar-stealer-h-and-m-campaign https://0xtoxin.github.io/malware%20analysis/Vidar-Stealer-Campaign/ https://asec.ahnlab.com/en/22932/	https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar

Name	Description	Attribution	Blogpost URLs	Link
zgRAT	zgRAT is a Remote Access Trojan malware which sometimes drops other malware such as AgentTesla malware. zgRAT has an inforstealer use which targets browser information and cryptowallets.Usually spreads by USB or phishing emails with -zip/-lnk/.bat/.xlsx attachments and so on.	No Attribution	https://bazaar.abuse.ch/browse/signature/zgRAT/ https://kcm.trellix.com/corporate/index?page=content&id=KB96190&locale=en_US https://www.cloudsek.com/blog/threat-actors-abuse-ai-generated-youtube-videos-to-spread-stealer-malware https://www.difesaesicurezza.com/cyber/cybercrime-rfq-dalla-turchia-veicola-agenttesla-e-zgrat/ https://www.fortinet.com/blog/threat-research/smokeloader-using-old-vulnerabilities	https://malpedia.caad.fkie.fraunhofer.de/details/win.zgrat

Malware Configuration

Threatname: Vidar

{"C2 url": ["https://steamcommunity.com/profiles/76561199707802586", "https://t.me/g067n"], "Botnet": "254862acdd5c5d2dddb209d751490c15"}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
2E7ZdlxkOL.exe	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
2E7ZdlxkOL.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
2E7ZdlxkOL.exe	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0x24aed5:$s1: file:/// 0x24adc1:$s2: {11111-22222-10009-11112} 0x24ae65:$s3: {11111-22222-50001-00000} 0x247cd3:$s4: get_Module 0x234329:$s5: Reverse 0x24a32e:$s6: BlockCopy 0x24a4f8:$s7: ReadByte 0x24aee7:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...

Memory Dumps

Source	Rule	Description	Author
00000000.00000002.1661322102.000000000465C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000001.00000002.2893345551.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000000.00000002.1660052063.0000000003773000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000000.00000002.1661322102.00000000045F4000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000000.00000002.1661322102.0000000004BE2000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000000.00000002.1661322102.0000000004C16000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000001.00000002.2893345551.0000000000445000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000000.00000000.1653989209.0000000000BE2000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
Process Memory Space: 2E7ZdlxkOL.exe PID: 6520	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
Process Memory Space: 2E7ZdlxkOL.exe PID: 6520	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: 2E7ZdlxkOL.exe PID: 6520	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: MSBuild.exe PID: 6624	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
Process Memory Space: MSBuild.exe PID: 6624	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: MSBuild.exe PID: 6624	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Click to see the 9 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.2E7ZdlxkOL.exe.4c16540.7.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
0.2.2E7ZdlxkOL.exe.4c16540.7.raw.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
0.2.2E7ZdlxkOL.exe.4be2b10.5.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
0.2.2E7ZdlxkOL.exe.465cdf0.9.raw.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
1.2.MSBuild.exe.400000.1.raw.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
0.2.2E7ZdlxkOL.exe.46293c0.12.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
0.2.2E7ZdlxkOL.exe.465cdf0.9.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
0.2.2E7ZdlxkOL.exe.46293c0.12.raw.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
1.2.MSBuild.exe.400000.1.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
0.0.2E7ZdlxkOL.exe.be0000.0.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
0.0.2E7ZdlxkOL.exe.be0000.0.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.0.2E7ZdlxkOL.exe.be0000.0.unpack	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0x24aed5:$s1: file:/// 0x24adc1:$s2: {11111-22222-10009-11112} 0x24ae65:$s3: {11111-22222-50001-00000} 0x247cd3:$s4: get_Module 0x234329:$s5: Reverse 0x24a32e:$s6: BlockCopy 0x24a4f8:$s7: ReadByte 0x24aee7:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
Click to see the 8 entries

Sigma Signatures

System Summary

Sigma detected: Silenttrinity Stager Msbuild Activity

Source: Network Connection

Author: Kiran kumar s, oscd.community: Data: DestinationIp: 149.154.167.99, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, Initiated: true, ProcessId: 6624, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49732

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: https://steamcommunity.com/profiles/76561199707802586	Avira URL Cloud: Label: malware
Source: https://t.me/g067n	Avira URL Cloud: Label: malware

Found malware configuration

Source: 00000000.00000002.1661322102.000000000465C000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: Vidar {"C2 url": ["https://steamcommunity.com/profiles/76561199707802586", "https://t.me/g067n"], "Botnet": "254862acdd5c5d2dddb209d751490c15"}

Multi AV Scanner detection for submitted file

Source: 2E7ZdlxkOL.exe

Virustotal: Detection: 16%

Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: 2E7ZdlxkOL.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: INSERT_KEY_HERE
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: GetProcAddress
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: LoadLibraryA
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: lstrcatA
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: OpenEventA
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: CreateEventA
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: CloseHandle
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: Sleep
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: GetUserDefaultLangID
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: VirtualAllocExNuma
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: VirtualFree
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: GetSystemInfo
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: VirtualAlloc
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: HeapAlloc
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: GetComputerNameA
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: lstrcpyA
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: GetProcessHeap
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: GetCurrentProcess
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: lstrlenA
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: ExitProcess
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: GlobalMemoryStatusEx
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: GetSystemTime
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: SystemTimeToFileTime
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: advapi32.dll
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: gdi32.dll
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: user32.dll
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: crypt32.dll
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: ntdll.dll
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: GetUserNameA
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: CreateDCA
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: GetDeviceCaps
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: ReleaseDC
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: CryptStringToBinaryA
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: sscanf
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: NtQueryInformationProcess
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: VMwareVMware
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: HAL9TH
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: JohnDoe
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: DISPLAY
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: %hu/%hu/%hu
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: GetEnvironmentVariableA
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: GetFileAttributesA
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: GlobalLock
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: HeapFree
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: GetFileSize
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: GlobalSize
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: CreateToolhelp32Snapshot
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: IsWow64Process
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: Process32Next
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: GetLocalTime
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: FreeLibrary
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: GetTimeZoneInformation
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: GetSystemPowerStatus
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: GetVolumeInformationA
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: GetWindowsDirectoryA
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: Process32First
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: GetLocaleInfoA
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: GetUserDefaultLocaleName
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: GetModuleFileNameA
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: DeleteFileA
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: FindNextFileA
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: LocalFree
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: FindClose
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: SetEnvironmentVariableA
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: LocalAlloc
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: GetFileSizeEx
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: ReadFile
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: SetFilePointer
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: WriteFile
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: CreateFileA
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: FindFirstFileA
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: CopyFileA
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: VirtualProtect
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: GetLogicalProcessorInformationEx
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: GetLastError
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: lstrcpynA
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: MultiByteToWideChar
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: GlobalFree
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: WideCharToMultiByte
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: GlobalAlloc
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: OpenProcess
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: TerminateProcess
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: GetCurrentProcessId
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: gdiplus.dll
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: ole32.dll
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: bcrypt.dll
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: wininet.dll
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: shlwapi.dll
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: shell32.dll
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: psapi.dll
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: rstrtmgr.dll
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: CreateCompatibleBitmap
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: SelectObject
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: BitBlt
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: DeleteObject
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: CreateCompatibleDC
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: GdipGetImageEncodersSize
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: GdipGetImageEncoders
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: GdipCreateBitmapFromHBITMAP
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: GdiplusStartup
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: GdiplusShutdown
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: GdipSaveImageToStream
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: GdipDisposeImage
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: GdipFree
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: GetHGlobalFromStream
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: CreateStreamOnHGlobal
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: CoUninitialize
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: CoInitialize
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: CoCreateInstance
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: BCryptGenerateSymmetricKey
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: BCryptCloseAlgorithmProvider
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: BCryptDecrypt
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: BCryptSetProperty
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: BCryptDestroyKey
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: BCryptOpenAlgorithmProvider
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: GetWindowRect
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: GetDesktopWindow
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: GetDC
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: CloseWindow
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: wsprintfA
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: EnumDisplayDevicesA
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: GetKeyboardLayoutList
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: CharToOemW
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: wsprintfW
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: RegQueryValueExA
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: RegEnumKeyExA
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: RegOpenKeyExA
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: RegCloseKey
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: RegEnumValueA
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: CryptBinaryToStringA
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: CryptUnprotectData
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: SHGetFolderPathA
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: ShellExecuteExA
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: InternetOpenUrlA
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: InternetConnectA
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: InternetCloseHandle
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: InternetOpenA
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: HttpSendRequestA
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: HttpOpenRequestA
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: InternetReadFile
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: InternetCrackUrlA
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: StrCmpCA
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: StrStrA
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: StrCmpCW
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: PathMatchSpecA
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: GetModuleFileNameExA
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: RmStartSession
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: RmRegisterResources
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: RmGetList
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: RmEndSession
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: sqlite3_open
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: sqlite3_prepare_v2
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: sqlite3_step
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: sqlite3_column_text
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: sqlite3_finalize
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: sqlite3_close
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: sqlite3_column_bytes
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: sqlite3_column_blob
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: encrypted_key
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: PATH
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: C:\ProgramData\nss3.dll
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: NSS_Init
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: NSS_Shutdown
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: PK11_GetInternalKeySlot
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: PK11_FreeSlot
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: PK11_Authenticate
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: PK11SDR_Decrypt
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: C:\ProgramData\
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: SELECT origin_url, username_value, password_value FROM logins
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: Soft:
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: profile:
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: Host:
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: Login:
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: Password:
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: Opera
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: OperaGX
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: Network
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: Cookies
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: .txt
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: TRUE
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: FALSE
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: Autofill
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: SELECT name, value FROM autofill
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: History
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: SELECT url FROM urls LIMIT 1000
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: SELECT name_on_card, expiration_month, expiration_year, card_number_encrypted FROM credit_cards
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: Name:
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: Month:
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: Year:
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: Card:
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: Cookies
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: Login Data
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: Web Data
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: History
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: logins.json
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: formSubmitURL
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: usernameField
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: encryptedUsername
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: encryptedPassword
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: guid
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: SELECT host, isHttpOnly, path, isSecure, expiry, name, value FROM moz_cookies
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: SELECT fieldname, value FROM moz_formhistory
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: SELECT url FROM moz_places LIMIT 1000
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: cookies.sqlite
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: formhistory.sqlite
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: places.sqlite
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: Plugins
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: Local Extension Settings
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: Sync Extension Settings
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: IndexedDB
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: Opera Stable
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: Opera GX Stable
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: CURRENT
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: chrome-extension_
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: _0.indexeddb.leveldb
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: Local State
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: profiles.ini
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: chrome
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: opera
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: firefox
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: Wallets
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: %08lX%04lX%lu
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: SOFTWARE\Microsoft\Windows NT\CurrentVersion
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: ProductName
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: %d/%d/%d %d:%d:%d
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: ProcessorNameString
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: DisplayName
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: DisplayVersion
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: freebl3.dll
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: mozglue.dll
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: msvcp140.dll
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: nss3.dll
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: softokn3.dll
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: vcruntime140.dll
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: \Temp\
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: .exe
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: runas
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: open
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: /c start
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: %DESKTOP%
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: %APPDATA%
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: %LOCALAPPDATA%
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: %USERPROFILE%
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: %DOCUMENTS%
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: %PROGRAMFILES%
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: %PROGRAMFILES_86%
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: %RECENT%
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: *.lnk
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: Files
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: \discord\
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: \Local Storage\leveldb\CURRENT
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: \Local Storage\leveldb
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: \Telegram Desktop\
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: key_datas
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: D877F783D5D3EF8C*
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: map*
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: A7FDF864FBC10B77*
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: A92DAA6EA6F891F2*
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: F8806DD0C461824F*
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: Telegram
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: *.tox
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: *.ini
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: Password
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: Software\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676\
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: 00000001
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: 00000002
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: 00000003
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: 00000004
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: \Outlook\accounts.txt
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: Pidgin
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: \.purple\
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: accounts.xml
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: dQw4w9WgXcQ
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: token:
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: Software\Valve\Steam
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: SteamPath
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: \config\
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: ssfn*
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: config.vdf
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: DialogConfig.vdf
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: DialogConfigOverlay*.vdf
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: libraryfolders.vdf
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: loginusers.vdf
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: \Steam\
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: sqlite3.dll
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: browsers
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: done
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: Soft
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: \Discord\tokens.txt
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: /c timeout /t 5 & del /f /q "
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: " & del "C:\ProgramData\*.dll"" & exit
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: C:\Windows\system32\cmd.exe
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: https
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: Content-Type: multipart/form-data; boundary=----
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: POST
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: HTTP/1.1
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: Content-Disposition: form-data; name="
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: hwid
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: build
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: token
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: file_name
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: file
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: message
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890
Source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack	String decryptor: screenshot.jpg

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_00407E41 CryptUnprotectData,LocalAlloc,LocalFree,	1_2_00407E41
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_0041302D CryptBinaryToStringA,GetProcessHeap,HeapAlloc,CryptBinaryToStringA,	1_2_0041302D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_00407DC2 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,	1_2_00407DC2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_0040AB80 memset,lstrlenA,CryptStringToBinaryA,memcpy,lstrcatA,lstrcatA,lstrcatA,	1_2_0040AB80

Source: 2E7ZdlxkOL.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.4:49732 version: TLS 1.2

Source: 2E7ZdlxkOL.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Users\press\AppData\Local\Temp\Report.A66214F7-6635-4084-8609-050NK772Dll\obj\Debug\uwLSekH.pdb source: 2E7ZdlxkOL.exe, 00000000.00000002.1663654994.0000000005EE3000.00000004.08000000.00040000.00000000.sdmp, 2E7ZdlxkOL.exe, 00000000.00000002.1661322102.0000000004AB7000.00000004.00000800.00020000.00000000.sdmp, 2E7ZdlxkOL.exe, 00000000.00000002.1661322102.000000000476B000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: sharesoft.pdb source: 2E7ZdlxkOL.exe
Source:	Binary string: PE.pdbH] source: 2E7ZdlxkOL.exe, 00000000.00000002.1660052063.00000000035F1000.00000004.00000800.00020000.00000000.sdmp, 2E7ZdlxkOL.exe, 00000000.00000002.1663335267.0000000005940000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: PE.pdb source: 2E7ZdlxkOL.exe, 00000000.00000002.1660052063.00000000035F1000.00000004.00000800.00020000.00000000.sdmp, 2E7ZdlxkOL.exe, 00000000.00000002.1663335267.0000000005940000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Users\Dan\Desktop\work\sqlite\tmp\sqlite_bld_dir\2\sqlite3.pdb source: MSBuild.exe, 00000001.00000002.2900116919.000000001C339000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2905552991.00000000222A8000.00000002.00001000.00020000.00000000.sdmp, sqlt[1].dll.1.dr

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_00409FC0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	1_2_00409FC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_00401443 FindFirstFileA,StrCmpCA,StrCmpCA,FindFirstFileA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	1_2_00401443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_0040E016 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	1_2_0040E016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_0040C039 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	1_2_0040C039
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_004164C7 wsprintfA,FindFirstFileA,memset,memset,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,memset,lstrcatA,strtok_s,strtok_s,memset,lstrcatA,strtok_s,PathMatchSpecA,DeleteFileA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,strtok_s,FindNextFileA,FindClose,	1_2_004164C7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_0040BC98 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	1_2_0040BC98
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_00416D7D wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,FindNextFileA,FindClose,	1_2_00416D7D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_0040D690 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlenA,DeleteFileA,CopyFileA,FindNextFileA,FindClose,	1_2_0040D690
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_0040C6B5 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,	1_2_0040C6B5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_004177D3 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	1_2_004177D3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_0041738D GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcatA,lstrcatA,lstrlenA,lstrlenA,	1_2_0041738D

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Code function: 1_2_004169EC GetLogicalDriveStringsA,memset,GetDriveTypeA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,

1_2_004169EC

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\	Jump to behavior

Source: C:\Users\user\Desktop\2E7ZdlxkOL.exe

Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h

0_2_061BD0C8

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: https://steamcommunity.com/profiles/76561199707802586
Source: Malware configuration extractor	URLs: https://t.me/g067n

Source: global traffic

TCP traffic: 192.168.2.4:49733 -> 195.201.251.214:9000

Source: global traffic

HTTP traffic detected: GET /g067n HTTP/1.1Host: t.meConnection: Keep-AliveCache-Control: no-cache

Source: Joe Sandbox View	IP Address: 195.201.251.214 195.201.251.214
Source: Joe Sandbox View	IP Address: 149.154.167.99 149.154.167.99
Source: Joe Sandbox View	IP Address: 149.154.167.99 149.154.167.99

Source: Joe Sandbox View

ASN Name: TELEGRAMRU TELEGRAMRU

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown	TCP traffic detected without corresponding DNS query: 195.201.251.214
Source: unknown	TCP traffic detected without corresponding DNS query: 195.201.251.214
Source: unknown	TCP traffic detected without corresponding DNS query: 195.201.251.214
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown	TCP traffic detected without corresponding DNS query: 195.201.251.214
Source: unknown	TCP traffic detected without corresponding DNS query: 195.201.251.214
Source: unknown	TCP traffic detected without corresponding DNS query: 195.201.251.214
Source: unknown	TCP traffic detected without corresponding DNS query: 195.201.251.214
Source: unknown	TCP traffic detected without corresponding DNS query: 195.201.251.214
Source: unknown	TCP traffic detected without corresponding DNS query: 195.201.251.214
Source: unknown	TCP traffic detected without corresponding DNS query: 195.201.251.214
Source: unknown	TCP traffic detected without corresponding DNS query: 195.201.251.214
Source: unknown	TCP traffic detected without corresponding DNS query: 195.201.251.214
Source: unknown	TCP traffic detected without corresponding DNS query: 195.201.251.214
Source: unknown	TCP traffic detected without corresponding DNS query: 195.201.251.214
Source: unknown	TCP traffic detected without corresponding DNS query: 195.201.251.214
Source: unknown	TCP traffic detected without corresponding DNS query: 195.201.251.214
Source: unknown	TCP traffic detected without corresponding DNS query: 195.201.251.214
Source: unknown	TCP traffic detected without corresponding DNS query: 195.201.251.214
Source: unknown	TCP traffic detected without corresponding DNS query: 195.201.251.214
Source: unknown	TCP traffic detected without corresponding DNS query: 195.201.251.214
Source: unknown	TCP traffic detected without corresponding DNS query: 195.201.251.214
Source: unknown	TCP traffic detected without corresponding DNS query: 195.201.251.214
Source: unknown	TCP traffic detected without corresponding DNS query: 195.201.251.214
Source: unknown	TCP traffic detected without corresponding DNS query: 195.201.251.214
Source: unknown	TCP traffic detected without corresponding DNS query: 195.201.251.214
Source: unknown	TCP traffic detected without corresponding DNS query: 195.201.251.214
Source: unknown	TCP traffic detected without corresponding DNS query: 195.201.251.214
Source: unknown	TCP traffic detected without corresponding DNS query: 195.201.251.214
Source: unknown	TCP traffic detected without corresponding DNS query: 195.201.251.214
Source: unknown	TCP traffic detected without corresponding DNS query: 195.201.251.214
Source: unknown	TCP traffic detected without corresponding DNS query: 195.201.251.214
Source: unknown	TCP traffic detected without corresponding DNS query: 195.201.251.214
Source: unknown	TCP traffic detected without corresponding DNS query: 195.201.251.214
Source: unknown	TCP traffic detected without corresponding DNS query: 195.201.251.214
Source: unknown	TCP traffic detected without corresponding DNS query: 195.201.251.214
Source: unknown	TCP traffic detected without corresponding DNS query: 195.201.251.214
Source: unknown	TCP traffic detected without corresponding DNS query: 195.201.251.214
Source: unknown	TCP traffic detected without corresponding DNS query: 195.201.251.214
Source: unknown	TCP traffic detected without corresponding DNS query: 195.201.251.214
Source: unknown	TCP traffic detected without corresponding DNS query: 195.201.251.214
Source: unknown	TCP traffic detected without corresponding DNS query: 195.201.251.214
Source: unknown	TCP traffic detected without corresponding DNS query: 195.201.251.214
Source: unknown	TCP traffic detected without corresponding DNS query: 195.201.251.214
Source: unknown	TCP traffic detected without corresponding DNS query: 195.201.251.214
Source: unknown	TCP traffic detected without corresponding DNS query: 195.201.251.214
Source: unknown	TCP traffic detected without corresponding DNS query: 195.201.251.214
Source: unknown	TCP traffic detected without corresponding DNS query: 195.201.251.214
Source: unknown	TCP traffic detected without corresponding DNS query: 195.201.251.214

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Code function: 1_2_004058C4 InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,InternetSetOptionA,lstrlenA,lstrlenA,GetProcessHeap,HeapAlloc,lstrlenA,memcpy,lstrlenA,lstrlenA,memcpy,lstrlenA,HttpSendRequestA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,

1_2_004058C4

Source: global traffic

HTTP traffic detected: GET /g067n HTTP/1.1Host: t.meConnection: Keep-AliveCache-Control: no-cache

Source: global traffic

DNS traffic detected: DNS query: t.me

Source: 2E7ZdlxkOL.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: 2E7ZdlxkOL.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: 2E7ZdlxkOL.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: 2E7ZdlxkOL.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: 2E7ZdlxkOL.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: 2E7ZdlxkOL.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: 2E7ZdlxkOL.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: 2E7ZdlxkOL.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: 2E7ZdlxkOL.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: 2E7ZdlxkOL.exe	String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: 2E7ZdlxkOL.exe	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: 2E7ZdlxkOL.exe	String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0K
Source: MSBuild.exe, 00000001.00000002.2894948188.0000000001078000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: MSBuild.exe, 00000001.00000002.2894948188.00000000010A8000.00000004.00000020.00020000.00000000.sdmp, 77EC63BDA74BD0D0E0426DC8F80085060.1.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: 2E7ZdlxkOL.exe	String found in binary or memory: http://ocsp.digicert.com0A
Source: 2E7ZdlxkOL.exe	String found in binary or memory: http://ocsp.digicert.com0C
Source: 2E7ZdlxkOL.exe	String found in binary or memory: http://ocsp.digicert.com0N
Source: 2E7ZdlxkOL.exe	String found in binary or memory: http://ocsp.digicert.com0X
Source: 2E7ZdlxkOL.exe	String found in binary or memory: http://www.digicert.com/CPS0
Source: MSBuild.exe, 00000001.00000002.2900116919.000000001C339000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2905756495.00000000222DD000.00000002.00001000.00020000.00000000.sdmp, sqlt[1].dll.1.dr	String found in binary or memory: http://www.sqlite.org/copyright.html.
Source: MSBuild.exe, 00000001.00000002.2894948188.00000000010CE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://195.201.251.214/
Source: MSBuild.exe, 00000001.00000002.2894948188.00000000010CE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://195.201.251.214/j.
Source: MSBuild.exe, 00000001.00000002.2893345551.0000000000445000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://195.201.251.214:9000
Source: MSBuild.exe, 00000001.00000002.2895536190.000000000113C000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2893345551.0000000000445000.00000040.00000400.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2894948188.00000000010CE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://195.201.251.214:9000/
Source: MSBuild.exe, 00000001.00000002.2894948188.0000000001078000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://195.201.251.214:9000/;jj
Source: MSBuild.exe, 00000001.00000002.2894948188.00000000010EE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://195.201.251.214:9000/Mac
Source: MSBuild.exe, 00000001.00000002.2894948188.0000000001078000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://195.201.251.214:9000/Rk
Source: MSBuild.exe, 00000001.00000002.2894948188.00000000010CE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://195.201.251.214:9000/al
Source: MSBuild.exe, 00000001.00000002.2893345551.0000000000445000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://195.201.251.214:9000/c3osoft
Source: MSBuild.exe, 00000001.00000002.2894948188.00000000010A8000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2893345551.0000000000445000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://195.201.251.214:9000/freebl3.dll
Source: MSBuild.exe, 00000001.00000002.2894948188.00000000010A8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://195.201.251.214:9000/freebl3.dll;
Source: MSBuild.exe, 00000001.00000002.2893345551.0000000000445000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://195.201.251.214:9000/freebl3.dllge
Source: MSBuild.exe, 00000001.00000002.2895536190.000000000113C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://195.201.251.214:9000/h
Source: MSBuild.exe, 00000001.00000002.2893345551.0000000000445000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://195.201.251.214:9000/icrosoft
Source: MSBuild.exe, 00000001.00000002.2894948188.00000000010CE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://195.201.251.214:9000/ivaldi
Source: MSBuild.exe, 00000001.00000002.2894948188.00000000010A8000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2893345551.0000000000445000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://195.201.251.214:9000/mozglue.dll
Source: MSBuild.exe, 00000001.00000002.2894948188.00000000010A8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://195.201.251.214:9000/mozglue.dllK
Source: MSBuild.exe, 00000001.00000002.2893345551.0000000000445000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://195.201.251.214:9000/mozglue.dllge
Source: MSBuild.exe, 00000001.00000002.2895536190.0000000001146000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://195.201.251.214:9000/msvcp140.dll
Source: MSBuild.exe, 00000001.00000002.2894948188.00000000010A8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://195.201.251.214:9000/msvcp140.dllc
Source: MSBuild.exe, 00000001.00000002.2893345551.0000000000445000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://195.201.251.214:9000/msvcp140.dlle
Source: MSBuild.exe, 00000001.00000002.2893345551.0000000000445000.00000040.00000400.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2894948188.00000000010CE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://195.201.251.214:9000/nss3.dll
Source: MSBuild.exe, 00000001.00000002.2894948188.00000000010EE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://195.201.251.214:9000/nss3.dllM
Source: MSBuild.exe, 00000001.00000002.2894948188.00000000010A8000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2893345551.0000000000445000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://195.201.251.214:9000/softokn3.dll
Source: MSBuild.exe, 00000001.00000002.2894948188.0000000001078000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://195.201.251.214:9000/softokn3.dll7i
Source: MSBuild.exe, 00000001.00000002.2893345551.0000000000445000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://195.201.251.214:9000/softokn3.dlle
Source: MSBuild.exe, 00000001.00000002.2894948188.00000000010A8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://195.201.251.214:9000/sqlt.dll
Source: MSBuild.exe, 00000001.00000002.2894948188.00000000010A8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://195.201.251.214:9000/sqlt.dll9
Source: MSBuild.exe, 00000001.00000002.2893345551.0000000000539000.00000040.00000400.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2893345551.0000000000445000.00000040.00000400.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2894948188.00000000010CE000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2895536190.0000000001146000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://195.201.251.214:9000/vcruntime140.dll
Source: MSBuild.exe, 00000001.00000002.2894948188.00000000010CE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://195.201.251.214:9000/vcruntime140.dllN$8
Source: MSBuild.exe, 00000001.00000002.2895536190.0000000001146000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://195.201.251.214:9000/vcruntime140.dllU
Source: MSBuild.exe, 00000001.00000002.2893345551.0000000000445000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://195.201.251.214:9000/vcruntime140.dller
Source: MSBuild.exe, 00000001.00000002.2893345551.0000000000539000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://195.201.251.214:9000/vcruntime140.dllrv:129.0)
Source: MSBuild.exe, 00000001.00000002.2895536190.0000000001146000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://195.201.251.214:9000/vcruntime140.dllz
Source: MSBuild.exe, 00000001.00000002.2895536190.000000000113C000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2894948188.00000000010CE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://195.201.251.214:9000/y
Source: MSBuild.exe, 00000001.00000002.2893345551.0000000000539000.00000040.00000400.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2893345551.00000000005C8000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://195.201.251.214:90007c3le
Source: MSBuild.exe, 00000001.00000002.2893345551.0000000000445000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://195.201.251.214:9000Microsoft
Source: MSBuild.exe, 00000001.00000002.2893345551.0000000000445000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://195.201.251.214:9000g
Source: MSBuild.exe, 00000001.00000002.2893345551.0000000000445000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://195.201.251.214:9000ontent-Disposition:
Source: JKEHII.1.dr	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: JKEHII.1.dr	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: JKEHII.1.dr	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: JKEHII.1.dr	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: JKEHII.1.dr	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: JKEHII.1.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: JKEHII.1.dr	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: 2E7ZdlxkOL.exe	String found in binary or memory: https://github.com/mullvad/mullvadvpn-app#readme0
Source: 2E7ZdlxkOL.exe, 00000000.00000002.1661322102.000000000465C000.00000004.00000800.00020000.00000000.sdmp, 2E7ZdlxkOL.exe, 00000000.00000002.1661322102.0000000004BE2000.00000004.00000800.00020000.00000000.sdmp, 2E7ZdlxkOL.exe, 00000000.00000002.1660052063.0000000003773000.00000004.00000800.00020000.00000000.sdmp, 2E7ZdlxkOL.exe, 00000000.00000002.1661322102.00000000045F4000.00000004.00000800.00020000.00000000.sdmp, 2E7ZdlxkOL.exe, 00000000.00000002.1661322102.0000000004C16000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, MSBuild.exe, 00000001.00000002.2893345551.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199707802586
Source: 2E7ZdlxkOL.exe, 00000000.00000002.1661322102.000000000465C000.00000004.00000800.00020000.00000000.sdmp, 2E7ZdlxkOL.exe, 00000000.00000002.1661322102.0000000004BE2000.00000004.00000800.00020000.00000000.sdmp, 2E7ZdlxkOL.exe, 00000000.00000002.1660052063.0000000003773000.00000004.00000800.00020000.00000000.sdmp, 2E7ZdlxkOL.exe, 00000000.00000002.1661322102.00000000045F4000.00000004.00000800.00020000.00000000.sdmp, 2E7ZdlxkOL.exe, 00000000.00000002.1661322102.0000000004C16000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2893345551.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199707802586hellosqlt.dllsqlite3.dll
Source: MSBuild.exe, 00000001.00000002.2899808496.00000000197AD000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2893345551.0000000000445000.00000040.00000400.00020000.00000000.sdmp, FCBFBG.1.dr	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: FCBFBG.1.dr	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
Source: MSBuild.exe, 00000001.00000002.2893345551.0000000000445000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016ost.exe
Source: MSBuild.exe, 00000001.00000002.2899808496.00000000197AD000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2893345551.0000000000445000.00000040.00000400.00020000.00000000.sdmp, FCBFBG.1.dr	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: FCBFBG.1.dr	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
Source: MSBuild.exe, 00000001.00000002.2893345551.0000000000445000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17rer.exe
Source: MSBuild.exe, 00000001.00000002.2894948188.0000000001078000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/
Source: MSBuild.exe, 00000001.00000002.2894948188.0000000001078000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me//
Source: 2E7ZdlxkOL.exe, 00000000.00000002.1661322102.000000000465C000.00000004.00000800.00020000.00000000.sdmp, 2E7ZdlxkOL.exe, 00000000.00000002.1661322102.0000000004BE2000.00000004.00000800.00020000.00000000.sdmp, 2E7ZdlxkOL.exe, 00000000.00000002.1660052063.0000000003773000.00000004.00000800.00020000.00000000.sdmp, 2E7ZdlxkOL.exe, 00000000.00000002.1661322102.00000000045F4000.00000004.00000800.00020000.00000000.sdmp, 2E7ZdlxkOL.exe, 00000000.00000002.1661322102.0000000004C16000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, MSBuild.exe, 00000001.00000002.2894948188.0000000001038000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2893345551.0000000000400000.00000040.00000400.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2894948188.0000000001078000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2893345551.0000000000445000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://t.me/g067n
Source: MSBuild.exe, 00000001.00000002.2894948188.0000000001078000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/g067n8
Source: 2E7ZdlxkOL.exe, 00000000.00000002.1661322102.000000000465C000.00000004.00000800.00020000.00000000.sdmp, 2E7ZdlxkOL.exe, 00000000.00000002.1661322102.0000000004BE2000.00000004.00000800.00020000.00000000.sdmp, 2E7ZdlxkOL.exe, 00000000.00000002.1660052063.0000000003773000.00000004.00000800.00020000.00000000.sdmp, 2E7ZdlxkOL.exe, 00000000.00000002.1661322102.00000000045F4000.00000004.00000800.00020000.00000000.sdmp, 2E7ZdlxkOL.exe, 00000000.00000002.1661322102.0000000004C16000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2893345551.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://t.me/g067nry1neMozilla/5.0
Source: MSBuild.exe, 00000001.00000002.2894948188.0000000001078000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://web.telegram.org
Source: 2E7ZdlxkOL.exe	String found in binary or memory: https://www.digicert.com/CPS0
Source: JKEHII.1.dr	String found in binary or memory: https://www.ecosia.org/newtab/
Source: JKEHII.1.dr	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico

Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443

Source: unknown

HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.4:49732 version: TLS 1.2

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Code function: 1_2_00413160 memset,GetDesktopWindow,GetWindowRect,GetDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,GlobalFix,GlobalSize,SelectObject,DeleteObject,DeleteObject,ReleaseDC,CloseWindow,

1_2_00413160

System Summary

Malicious sample detected (through community Yara rule)

Source: 2E7ZdlxkOL.exe, type: SAMPLE	Matched rule: Detects zgRAT Author: ditekSHen
Source: 0.0.2E7ZdlxkOL.exe.be0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects zgRAT Author: ditekSHen

Source: C:\Users\user\Desktop\2E7ZdlxkOL.exe	Code function: 0_2_01B0EFB8	0_2_01B0EFB8
Source: C:\Users\user\Desktop\2E7ZdlxkOL.exe	Code function: 0_2_01B09E48	0_2_01B09E48
Source: C:\Users\user\Desktop\2E7ZdlxkOL.exe	Code function: 0_2_05999CB8	0_2_05999CB8
Source: C:\Users\user\Desktop\2E7ZdlxkOL.exe	Code function: 0_2_05990006	0_2_05990006
Source: C:\Users\user\Desktop\2E7ZdlxkOL.exe	Code function: 0_2_05990040	0_2_05990040
Source: C:\Users\user\Desktop\2E7ZdlxkOL.exe	Code function: 0_2_05995ADF	0_2_05995ADF
Source: C:\Users\user\Desktop\2E7ZdlxkOL.exe	Code function: 0_2_059D36F0	0_2_059D36F0
Source: C:\Users\user\Desktop\2E7ZdlxkOL.exe	Code function: 0_2_059DC070	0_2_059DC070
Source: C:\Users\user\Desktop\2E7ZdlxkOL.exe	Code function: 0_2_059D8BF8	0_2_059D8BF8
Source: C:\Users\user\Desktop\2E7ZdlxkOL.exe	Code function: 0_2_059D4F28	0_2_059D4F28
Source: C:\Users\user\Desktop\2E7ZdlxkOL.exe	Code function: 0_2_059D36E1	0_2_059D36E1
Source: C:\Users\user\Desktop\2E7ZdlxkOL.exe	Code function: 0_2_059DFB60	0_2_059DFB60
Source: C:\Users\user\Desktop\2E7ZdlxkOL.exe	Code function: 0_2_061B1B10	0_2_061B1B10
Source: C:\Users\user\Desktop\2E7ZdlxkOL.exe	Code function: 0_2_061B3036	0_2_061B3036
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_0041ECEC	1_2_0041ECEC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_0041E919	1_2_0041E919
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_0041EEC1	1_2_0041EEC1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_0041F6CF	1_2_0041F6CF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_220A4CF0	1_2_220A4CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_2211A0B0	1_2_2211A0B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_2209209F	1_2_2209209F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_220A66C0	1_2_220A66C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_220947AF	1_2_220947AF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_220BA560	1_2_220BA560
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_2218A590	1_2_2218A590
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_2209AA40	1_2_2209AA40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_2209EA80	1_2_2209EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_221CE800	1_2_221CE800
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_22093E3B	1_2_22093E3B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_2209481D	1_2_2209481D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_221AA900	1_2_221AA900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_2218A940	1_2_2218A940
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_221769C0	1_2_221769C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_220D6E80	1_2_220D6E80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_2226AEBE	1_2_2226AEBE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_220F2EE0	1_2_220F2EE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_220919DD	1_2_220919DD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_220C3370	1_2_220C3370
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_2209F160	1_2_2209F160
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_2209174E	1_2_2209174E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_220BBAB0	1_2_220BBAB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_2209251D	1_2_2209251D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_2209290A	1_2_2209290A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_22093AB2	1_2_22093AB2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_221B8030	1_2_221B8030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_22110090	1_2_22110090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_22118120	1_2_22118120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_220B8680	1_2_220B8680
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_220B8763	1_2_220B8763
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_220F4760	1_2_220F4760
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_22128760	1_2_22128760
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_221D0480	1_2_221D0480
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_22194A60	1_2_22194A60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_22091EF1	1_2_22091EF1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_220B8D2A	1_2_220B8D2A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_2226D209	1_2_2226D209
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_221253B0	1_2_221253B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_22093580	1_2_22093580
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_220A9000	1_2_220A9000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_221B5040	1_2_221B5040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_22139690	1_2_22139690
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_2214D6D0	1_2_2214D6D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_221F9430	1_2_221F9430
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_22092018	1_2_22092018
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_221B9A20	1_2_221B9A20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_22091C9E	1_2_22091C9E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_22145940	1_2_22145940
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_22092AA9	1_2_22092AA9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_220912A8	1_2_220912A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_2209292D	1_2_2209292D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_221F9CC0	1_2_221F9CC0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: String function: 00404239 appears 287 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: String function: 2209395E appears 78 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: String function: 22093AF3 appears 37 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: String function: 22091F5A appears 31 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: String function: 2209415B appears 133 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: String function: 222706B1 appears 36 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: String function: 22091C2B appears 47 times

Source: 2E7ZdlxkOL.exe

Static PE information: invalid certificate

Source: 2E7ZdlxkOL.exe, 00000000.00000002.1660052063.00000000036FC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclrjit.dllT vs 2E7ZdlxkOL.exe
Source: 2E7ZdlxkOL.exe, 00000000.00000002.1660052063.00000000036FC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs 2E7ZdlxkOL.exe
Source: 2E7ZdlxkOL.exe, 00000000.00000002.1660052063.00000000036FC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $^q,\\StringFileInfo\\040904B0\\OriginalFilename vs 2E7ZdlxkOL.exe
Source: 2E7ZdlxkOL.exe, 00000000.00000002.1660052063.00000000035F1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamePE.dll& vs 2E7ZdlxkOL.exe
Source: 2E7ZdlxkOL.exe, 00000000.00000002.1663335267.0000000005940000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenamePE.dll& vs 2E7ZdlxkOL.exe
Source: 2E7ZdlxkOL.exe, 00000000.00000002.1663654994.0000000005EE3000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameuwLSekH.dll0 vs 2E7ZdlxkOL.exe
Source: 2E7ZdlxkOL.exe, 00000000.00000000.1654488937.0000000001081000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamesharesoft.exe$ vs 2E7ZdlxkOL.exe
Source: 2E7ZdlxkOL.exe, 00000000.00000002.1661322102.0000000004AB7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameuwLSekH.dll0 vs 2E7ZdlxkOL.exe
Source: 2E7ZdlxkOL.exe, 00000000.00000002.1659207761.000000000186E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs 2E7ZdlxkOL.exe
Source: 2E7ZdlxkOL.exe, 00000000.00000002.1661322102.000000000476B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameuwLSekH.dll0 vs 2E7ZdlxkOL.exe
Source: 2E7ZdlxkOL.exe	Binary or memory string: OriginalFilenamesharesoft.exe$ vs 2E7ZdlxkOL.exe

Source: 2E7ZdlxkOL.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: 2E7ZdlxkOL.exe, type: SAMPLE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0.0.2E7ZdlxkOL.exe.be0000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT

Source: 0.2.2E7ZdlxkOL.exe.5940000.13.raw.unpack, fDX9tehJ5EFemhKZwc.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.2E7ZdlxkOL.exe.5940000.13.raw.unpack, fDX9tehJ5EFemhKZwc.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.2E7ZdlxkOL.exe.366ba4c.0.raw.unpack, fDX9tehJ5EFemhKZwc.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.2E7ZdlxkOL.exe.366ba4c.0.raw.unpack, fDX9tehJ5EFemhKZwc.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.2E7ZdlxkOL.exe.3657024.2.raw.unpack, fDX9tehJ5EFemhKZwc.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.2E7ZdlxkOL.exe.3657024.2.raw.unpack, fDX9tehJ5EFemhKZwc.cs	Cryptographic APIs: 'CreateDecryptor'

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/11@1/2

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Code function: 1_2_0041246A CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle,

1_2_0041246A

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Code function: 1_2_004129BF CoInitializeEx,CoInitializeSecurity,CoCreateInstance,CoSetProxyBlanket,VariantInit,VariantClear,

1_2_004129BF

Source: C:\Users\user\Desktop\2E7ZdlxkOL.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\2E7ZdlxkOL.exe.log

Jump to behavior

Source: C:\Users\user\Desktop\2E7ZdlxkOL.exe

Mutant created: NULL

Source: 2E7ZdlxkOL.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 2E7ZdlxkOL.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%

Source: C:\Users\user\Desktop\2E7ZdlxkOL.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: MSBuild.exe, 00000001.00000002.2900116919.000000001C339000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2905552991.00000000222A8000.00000002.00001000.00020000.00000000.sdmp, sqlt[1].dll.1.dr	Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: MSBuild.exe, 00000001.00000002.2894948188.0000000001030000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SELECT name_on_card, expiration_month, expiration_year, card_number_encrypted FROM credit_cardss*;B
Source: MSBuild.exe, 00000001.00000002.2900116919.000000001C339000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2905552991.00000000222A8000.00000002.00001000.00020000.00000000.sdmp, sqlt[1].dll.1.dr	Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: MSBuild.exe, MSBuild.exe, 00000001.00000002.2900116919.000000001C339000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2905552991.00000000222A8000.00000002.00001000.00020000.00000000.sdmp, sqlt[1].dll.1.dr	Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: MSBuild.exe, 00000001.00000002.2900116919.000000001C339000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2905552991.00000000222A8000.00000002.00001000.00020000.00000000.sdmp, sqlt[1].dll.1.dr	Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: MSBuild.exe, MSBuild.exe, 00000001.00000002.2900116919.000000001C339000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2905552991.00000000222A8000.00000002.00001000.00020000.00000000.sdmp, sqlt[1].dll.1.dr	Binary or memory string: INSERT INTO "%w"."%w"("%w") VALUES('integrity-check');
Source: MSBuild.exe, 00000001.00000002.2900116919.000000001C339000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2905552991.00000000222A8000.00000002.00001000.00020000.00000000.sdmp, sqlt[1].dll.1.dr	Binary or memory string: CREATE TABLE IF NOT EXISTS %s.'rbu_tmp_%q' AS SELECT *%s FROM '%q' WHERE 0;
Source: MSBuild.exe, 00000001.00000002.2900116919.000000001C339000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2905552991.00000000222A8000.00000002.00001000.00020000.00000000.sdmp, sqlt[1].dll.1.dr	Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: MSBuild.exe, 00000001.00000002.2900116919.000000001C339000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2905552991.00000000222A8000.00000002.00001000.00020000.00000000.sdmp, sqlt[1].dll.1.dr	Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: MSBuild.exe, 00000001.00000002.2900116919.000000001C339000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2905552991.00000000222A8000.00000002.00001000.00020000.00000000.sdmp, sqlt[1].dll.1.dr	Binary or memory string: CREATE TABLE x(addr INT,opcode TEXT,p1 INT,p2 INT,p3 INT,p4 TEXT,p5 INT,comment TEXT,subprog TEXT,nexec INT,ncycle INT,stmt HIDDEN);
Source: GIJECG.1.dr	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: MSBuild.exe, MSBuild.exe, 00000001.00000002.2900116919.000000001C339000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2905552991.00000000222A8000.00000002.00001000.00020000.00000000.sdmp, sqlt[1].dll.1.dr	Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: MSBuild.exe, 00000001.00000002.2900116919.000000001C339000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2905552991.00000000222A8000.00000002.00001000.00020000.00000000.sdmp, sqlt[1].dll.1.dr	Binary or memory string: CREATE TABLE x(type TEXT,schema TEXT,name TEXT,wr INT,subprog TEXT,stmt HIDDEN);

Source: 2E7ZdlxkOL.exe

Virustotal: Detection: 16%

Source: unknown	Process created: C:\Users\user\Desktop\2E7ZdlxkOL.exe "C:\Users\user\Desktop\2E7ZdlxkOL.exe"
Source: C:\Users\user\Desktop\2E7ZdlxkOL.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: C:\Users\user\Desktop\2E7ZdlxkOL.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"	Jump to behavior

Source: C:\Users\user\Desktop\2E7ZdlxkOL.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\2E7ZdlxkOL.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\2E7ZdlxkOL.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\2E7ZdlxkOL.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\2E7ZdlxkOL.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\2E7ZdlxkOL.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\2E7ZdlxkOL.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\2E7ZdlxkOL.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\2E7ZdlxkOL.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\2E7ZdlxkOL.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\2E7ZdlxkOL.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\2E7ZdlxkOL.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\2E7ZdlxkOL.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\2E7ZdlxkOL.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\2E7ZdlxkOL.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\2E7ZdlxkOL.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\2E7ZdlxkOL.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\2E7ZdlxkOL.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\2E7ZdlxkOL.exe	Section loaded: mscorjit.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: cryptnet.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ntmarta.dll	Jump to behavior

Source: C:\Users\user\Desktop\2E7ZdlxkOL.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\2E7ZdlxkOL.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: 2E7ZdlxkOL.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: 2E7ZdlxkOL.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: 2E7ZdlxkOL.exe

Static file information: File size 4954328 > 1048576

Source: 2E7ZdlxkOL.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x498e00

Source: 2E7ZdlxkOL.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: 2E7ZdlxkOL.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: C:\Users\press\AppData\Local\Temp\Report.A66214F7-6635-4084-8609-050NK772Dll\obj\Debug\uwLSekH.pdb source: 2E7ZdlxkOL.exe, 00000000.00000002.1663654994.0000000005EE3000.00000004.08000000.00040000.00000000.sdmp, 2E7ZdlxkOL.exe, 00000000.00000002.1661322102.0000000004AB7000.00000004.00000800.00020000.00000000.sdmp, 2E7ZdlxkOL.exe, 00000000.00000002.1661322102.000000000476B000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: sharesoft.pdb source: 2E7ZdlxkOL.exe
Source:	Binary string: PE.pdbH] source: 2E7ZdlxkOL.exe, 00000000.00000002.1660052063.00000000035F1000.00000004.00000800.00020000.00000000.sdmp, 2E7ZdlxkOL.exe, 00000000.00000002.1663335267.0000000005940000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: PE.pdb source: 2E7ZdlxkOL.exe, 00000000.00000002.1660052063.00000000035F1000.00000004.00000800.00020000.00000000.sdmp, 2E7ZdlxkOL.exe, 00000000.00000002.1663335267.0000000005940000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Users\Dan\Desktop\work\sqlite\tmp\sqlite_bld_dir\2\sqlite3.pdb source: MSBuild.exe, 00000001.00000002.2900116919.000000001C339000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2905552991.00000000222A8000.00000002.00001000.00020000.00000000.sdmp, sqlt[1].dll.1.dr

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: 0.2.2E7ZdlxkOL.exe.5940000.13.raw.unpack, fDX9tehJ5EFemhKZwc.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 0.2.2E7ZdlxkOL.exe.366ba4c.0.raw.unpack, fDX9tehJ5EFemhKZwc.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 0.2.2E7ZdlxkOL.exe.3657024.2.raw.unpack, fDX9tehJ5EFemhKZwc.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Code function: 1_2_0041B050 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

1_2_0041B050

Source: C:\Users\user\Desktop\2E7ZdlxkOL.exe	Code function: 0_2_01B04B7E push es; ret	0_2_01B04B81
Source: C:\Users\user\Desktop\2E7ZdlxkOL.exe	Code function: 0_2_05990526 push ss; ret	0_2_05990527
Source: C:\Users\user\Desktop\2E7ZdlxkOL.exe	Code function: 0_2_0599449F pushfd ; retf	0_2_059944A0
Source: C:\Users\user\Desktop\2E7ZdlxkOL.exe	Code function: 0_2_05992BEB pushad ; retf	0_2_05992BEC
Source: C:\Users\user\Desktop\2E7ZdlxkOL.exe	Code function: 0_2_05993707 pushad ; retf	0_2_05993708
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_00421EF5 push ecx; ret	1_2_00421F08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_220910C8 push ecx; ret	1_2_22293552
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_22091BF9 push ecx; ret	1_2_22234C03

Source: 0.2.2E7ZdlxkOL.exe.5940000.13.raw.unpack, fDX9tehJ5EFemhKZwc.cs	High entropy of concatenated method names: 'ce4DmfsmSrOT856tDgfrkMb', 'NvQOxwsIFR', 'QsUuklFoHUiQD', 'MCRoDX9te', 'l5EbFemhK', 'uwcnnhQXJ', 'J3PigtLyh', 'PwdNpFGeB', 'XCj67ZIOy', 'w09DYCs5D'
Source: 0.2.2E7ZdlxkOL.exe.5940000.13.raw.unpack, zcrmeG4DKc05Qj8A7l.cs	High entropy of concatenated method names: 'Ys7O1WDVbX', 'EIxO3RK2jf', 'ov3OzJmFFU', 'KJS0ILfinW', 'Gtt0O5H9rf', 'Gvj00KAYqN', 'hUG0r1tocH', 'PBb0lrpBsM', 'pGy05VOh0y', 'j3M0RfBB5l'
Source: 0.2.2E7ZdlxkOL.exe.366ba4c.0.raw.unpack, fDX9tehJ5EFemhKZwc.cs	High entropy of concatenated method names: 'ce4DmfsmSrOT856tDgfrkMb', 'NvQOxwsIFR', 'QsUuklFoHUiQD', 'MCRoDX9te', 'l5EbFemhK', 'uwcnnhQXJ', 'J3PigtLyh', 'PwdNpFGeB', 'XCj67ZIOy', 'w09DYCs5D'
Source: 0.2.2E7ZdlxkOL.exe.366ba4c.0.raw.unpack, zcrmeG4DKc05Qj8A7l.cs	High entropy of concatenated method names: 'Ys7O1WDVbX', 'EIxO3RK2jf', 'ov3OzJmFFU', 'KJS0ILfinW', 'Gtt0O5H9rf', 'Gvj00KAYqN', 'hUG0r1tocH', 'PBb0lrpBsM', 'pGy05VOh0y', 'j3M0RfBB5l'
Source: 0.2.2E7ZdlxkOL.exe.3657024.2.raw.unpack, fDX9tehJ5EFemhKZwc.cs	High entropy of concatenated method names: 'ce4DmfsmSrOT856tDgfrkMb', 'NvQOxwsIFR', 'QsUuklFoHUiQD', 'MCRoDX9te', 'l5EbFemhK', 'uwcnnhQXJ', 'J3PigtLyh', 'PwdNpFGeB', 'XCj67ZIOy', 'w09DYCs5D'
Source: 0.2.2E7ZdlxkOL.exe.3657024.2.raw.unpack, zcrmeG4DKc05Qj8A7l.cs	High entropy of concatenated method names: 'Ys7O1WDVbX', 'EIxO3RK2jf', 'ov3OzJmFFU', 'KJS0ILfinW', 'Gtt0O5H9rf', 'Gvj00KAYqN', 'hUG0r1tocH', 'PBb0lrpBsM', 'pGy05VOh0y', 'j3M0RfBB5l'

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\sqlt[1].dll

Jump to dropped file

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

1_2_0041B050

Source: C:\Users\user\Desktop\2E7ZdlxkOL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2E7ZdlxkOL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2E7ZdlxkOL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2E7ZdlxkOL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2E7ZdlxkOL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2E7ZdlxkOL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2E7ZdlxkOL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2E7ZdlxkOL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2E7ZdlxkOL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2E7ZdlxkOL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2E7ZdlxkOL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2E7ZdlxkOL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2E7ZdlxkOL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2E7ZdlxkOL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2E7ZdlxkOL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2E7ZdlxkOL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2E7ZdlxkOL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2E7ZdlxkOL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2E7ZdlxkOL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2E7ZdlxkOL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2E7ZdlxkOL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2E7ZdlxkOL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2E7ZdlxkOL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2E7ZdlxkOL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2E7ZdlxkOL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2E7ZdlxkOL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2E7ZdlxkOL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2E7ZdlxkOL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2E7ZdlxkOL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2E7ZdlxkOL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2E7ZdlxkOL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2E7ZdlxkOL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: 2E7ZdlxkOL.exe PID: 6520, type: MEMORYSTR

Source: C:\Users\user\Desktop\2E7ZdlxkOL.exe	Memory allocated: 1B00000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\2E7ZdlxkOL.exe	Memory allocated: 35F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\2E7ZdlxkOL.exe	Memory allocated: 32C0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\2E7ZdlxkOL.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\sqlt[1].dll

Jump to dropped file

Source: C:\Users\user\Desktop\2E7ZdlxkOL.exe TID: 6560

Thread sleep time: -922337203685477s >= -30000s

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_00409FC0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	1_2_00409FC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_00401443 FindFirstFileA,StrCmpCA,StrCmpCA,FindFirstFileA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	1_2_00401443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_0040E016 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	1_2_0040E016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_0040C039 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	1_2_0040C039
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_004164C7 wsprintfA,FindFirstFileA,memset,memset,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,memset,lstrcatA,strtok_s,strtok_s,memset,lstrcatA,strtok_s,PathMatchSpecA,DeleteFileA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,strtok_s,FindNextFileA,FindClose,	1_2_004164C7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_0040BC98 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	1_2_0040BC98
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_00416D7D wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,FindNextFileA,FindClose,	1_2_00416D7D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_0040D690 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlenA,DeleteFileA,CopyFileA,FindNextFileA,FindClose,	1_2_0040D690
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_0040C6B5 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,	1_2_0040C6B5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_004177D3 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	1_2_004177D3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_0041738D GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcatA,lstrcatA,lstrlenA,lstrlenA,	1_2_0041738D

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Code function: 1_2_004169EC GetLogicalDriveStringsA,memset,GetDriveTypeA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,

1_2_004169EC

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Code function: 1_2_00411F21 GetSystemInfo,wsprintfA,

1_2_00411F21

Source: C:\Users\user\Desktop\2E7ZdlxkOL.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\	Jump to behavior

Source: MSBuild.exe, 00000001.00000002.2894948188.0000000001038000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareVMware
Source: MSBuild.exe, 00000001.00000002.2894948188.0000000001038000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2894948188.0000000001093000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

API call chain: ExitProcess graph end node

graph_1-82318

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Code function: 1_2_00421C0B memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

1_2_00421C0B

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

1_2_0041B050

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Code function: 1_2_0041ACF3 mov eax, dword ptr fs:[00000030h]

1_2_0041ACF3

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

1_2_004058C4

Source: C:\Users\user\Desktop\2E7ZdlxkOL.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_00421C0B memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_00421C0B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_00423DCD SetUnhandledExceptionFilter,	1_2_00423DCD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_0042224F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	1_2_0042224F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_220942AF SetUnhandledExceptionFilter,	1_2_220942AF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_22092C8E IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_22092C8E

Source: C:\Users\user\Desktop\2E7ZdlxkOL.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Yara detected Powershell download and execute

Source: Yara match	File source: Process Memory Space: 2E7ZdlxkOL.exe PID: 6520, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 6624, type: MEMORYSTR

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\2E7ZdlxkOL.exe

Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 protect: page execute and read and write

Jump to behavior

Contains functionality to inject code into remote processes

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Code function: 1_2_00410A14 memset,memset,CreateProcessA,VirtualAlloc,GetThreadContext,ReadProcessMemory,VirtualAllocEx,ResumeThread,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,ResumeThread,

1_2_00410A14

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\2E7ZdlxkOL.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 value starts with: 4D5A

Jump to behavior

Searches for specific processes (likely to inject)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_004138BA CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,FindCloseChangeNotification,		1_2_004138BA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_004137BD CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle,		1_2_004137BD

Writes to foreign memory regions

Source: C:\Users\user\Desktop\2E7ZdlxkOL.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\2E7ZdlxkOL.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 401000	Jump to behavior
Source: C:\Users\user\Desktop\2E7ZdlxkOL.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 425000	Jump to behavior
Source: C:\Users\user\Desktop\2E7ZdlxkOL.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 42E000	Jump to behavior
Source: C:\Users\user\Desktop\2E7ZdlxkOL.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 643000	Jump to behavior
Source: C:\Users\user\Desktop\2E7ZdlxkOL.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: B24008	Jump to behavior

Source: C:\Users\user\Desktop\2E7ZdlxkOL.exe

Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Code function: 1_2_00401000 cpuid

1_2_00401000

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,	1_2_00411D31
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: EnumSystemLocalesW,	1_2_22282CB6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: EnumSystemLocalesW,	1_2_22282D38
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: EnumSystemLocalesW,	1_2_22282DF9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	1_2_22283300
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	1_2_22093AA3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: EnumSystemLocalesW,	1_2_2226FF17
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: GetLocaleInfoW,	1_2_22092112
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: GetLocaleInfoW,	1_2_22092112

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior

Source: C:\Users\user\Desktop\2E7ZdlxkOL.exe	Queries volume information: C:\Users\user\Desktop\2E7ZdlxkOL.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2E7ZdlxkOL.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Code function: 1_2_00411C63 GetProcessHeap,HeapAlloc,GetLocalTime,wsprintfA,

1_2_00411C63

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Code function: 1_2_00411BEC GetProcessHeap,HeapAlloc,GetUserNameA,

1_2_00411BEC

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Code function: 1_2_00411CBF GetProcessHeap,HeapAlloc,GetTimeZoneInformation,wsprintfA,

1_2_00411CBF

Source: C:\Users\user\Desktop\2E7ZdlxkOL.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: MSBuild.exe, 00000001.00000002.2894948188.00000000010EE000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct

Stealing of Sensitive Information

Yara detected PureLog Stealer

Source: Yara match	File source: 2E7ZdlxkOL.exe, type: SAMPLE
Source: Yara match	File source: 0.0.2E7ZdlxkOL.exe.be0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1653989209.0000000000BE2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY

Yara detected Vidar stealer

Source: Yara match	File source: 0.2.2E7ZdlxkOL.exe.4c16540.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.2E7ZdlxkOL.exe.4c16540.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.2E7ZdlxkOL.exe.465cdf0.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.MSBuild.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.2E7ZdlxkOL.exe.46293c0.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.2E7ZdlxkOL.exe.465cdf0.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.2E7ZdlxkOL.exe.46293c0.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.MSBuild.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1661322102.000000000465C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2893345551.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1660052063.0000000003773000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1661322102.00000000045F4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1661322102.0000000004BE2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1661322102.0000000004C16000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2893345551.0000000000445000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 2E7ZdlxkOL.exe PID: 6520, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 6624, type: MEMORYSTR

Yara detected zgRAT

Source: Yara match	File source: 2E7ZdlxkOL.exe, type: SAMPLE
Source: Yara match	File source: 0.0.2E7ZdlxkOL.exe.be0000.0.unpack, type: UNPACKEDPE

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior

Source: Yara match

File source: Process Memory Space: MSBuild.exe PID: 6624, type: MEMORYSTR

Remote Access Functionality

Yara detected PureLog Stealer

Source: Yara match	File source: 2E7ZdlxkOL.exe, type: SAMPLE
Source: Yara match	File source: 0.0.2E7ZdlxkOL.exe.be0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1653989209.0000000000BE2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY

Yara detected Vidar stealer

Source: Yara match	File source: 0.2.2E7ZdlxkOL.exe.4c16540.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.2E7ZdlxkOL.exe.4c16540.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.2E7ZdlxkOL.exe.4be2b10.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.2E7ZdlxkOL.exe.465cdf0.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.MSBuild.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.2E7ZdlxkOL.exe.46293c0.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.2E7ZdlxkOL.exe.465cdf0.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.2E7ZdlxkOL.exe.46293c0.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.MSBuild.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1661322102.000000000465C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2893345551.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1660052063.0000000003773000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1661322102.00000000045F4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1661322102.0000000004BE2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1661322102.0000000004C16000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2893345551.0000000000445000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 2E7ZdlxkOL.exe PID: 6520, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 6624, type: MEMORYSTR

Yara detected zgRAT

Source: Yara match	File source: 2E7ZdlxkOL.exe, type: SAMPLE
Source: Yara match	File source: 0.0.2E7ZdlxkOL.exe.be0000.0.unpack, type: UNPACKEDPE

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_220FE200 sqlite3_initialize,sqlite3_free,sqlite3_bind_int64,sqlite3_bind_blob,sqlite3_step,sqlite3_reset,	1_2_220FE200
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_220FE090 sqlite3_bind_int64,sqlite3_bind_value,sqlite3_step,sqlite3_reset,	1_2_220FE090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_2210E170 sqlite3_bind_int64,sqlite3_step,sqlite3_reset,	1_2_2210E170
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_220A66C0 sqlite3_mprintf,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_bind_int64,sqlite3_bind_null,sqlite3_bind_blob,sqlite3_bind_value,sqlite3_free,sqlite3_bind_value,sqlite3_step,sqlite3_reset,	1_2_220A66C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_2210A6F0 sqlite3_mprintf,sqlite3_mprintf,sqlite3_mprintf,sqlite3_free,sqlite3_bind_value,	1_2_2210A6F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_220EEF30 sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_result_error_code,	1_2_220EEF30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_22153770 sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,	1_2_22153770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_221737E0 sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,	1_2_221737E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_220BB400 sqlite3_mprintf,sqlite3_mprintf,sqlite3_free,sqlite3_bind_value,sqlite3_reset,sqlite3_step,sqlite3_reset,sqlite3_column_int64,	1_2_220BB400
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_22108200 sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,sqlite3_column_int64,sqlite3_reset,sqlite3_bind_int64,sqlite3_step,sqlite3_column_int,sqlite3_reset,	1_2_22108200
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_220B8680 sqlite3_mprintf,sqlite3_mprintf,sqlite3_initialize,sqlite3_finalize,sqlite3_free,sqlite3_mprintf,sqlite3_bind_value,sqlite3_bind_int64,sqlite3_bind_int64,	1_2_220B8680
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_220E06E0 sqlite3_bind_int64,sqlite3_step,sqlite3_column_int64,sqlite3_reset,	1_2_220E06E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_220E8550 sqlite3_bind_int64,sqlite3_step,sqlite3_column_int64,sqlite3_reset,sqlite3_reset,	1_2_220E8550
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_220A4820 sqlite3_bind_int64,sqlite3_step,sqlite3_column_int64,sqlite3_reset,sqlite3_reset,sqlite3_initialize,	1_2_220A4820
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_220C0FB0 sqlite3_result_int64,sqlite3_result_double,sqlite3_result_int,sqlite3_prepare_v3,sqlite3_bind_int64,sqlite3_step,sqlite3_column_value,sqlite3_result_value,sqlite3_reset,	1_2_220C0FB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_22174D40 sqlite3_bind_int64,sqlite3_step,sqlite3_column_int64,sqlite3_reset,sqlite3_reset,InitOnceBeginInitialize,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_free,	1_2_22174D40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_2214D3B0 sqlite3_bind_int64,sqlite3_step,sqlite3_reset,	1_2_2214D3B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_22129090 sqlite3_reset,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_errmsg,sqlite3_mprintf,	1_2_22129090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_221351D0 sqlite3_mprintf,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,	1_2_221351D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_2216D610 sqlite3_free,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,	1_2_2216D610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_221B14D0 sqlite3_bind_int64,sqlite3_log,sqlite3_log,sqlite3_log,	1_2_221B14D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_221BD4F0 sqlite3_bind_value,sqlite3_log,sqlite3_log,sqlite3_log,	1_2_221BD4F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_221355B0 sqlite3_bind_int64,sqlite3_step,sqlite3_reset,	1_2_221355B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_2210DB10 sqlite3_initialize,sqlite3_bind_int64,sqlite3_step,sqlite3_column_bytes,sqlite3_column_blob,sqlite3_reset,sqlite3_free,sqlite3_free,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_free,	1_2_2210DB10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_22135910 sqlite3_mprintf,sqlite3_bind_int64,	1_2_22135910
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_221BD9E0 sqlite3_bind_int64,sqlite3_log,sqlite3_log,sqlite3_log,sqlite3_bind_int64,sqlite3_log,sqlite3_log,sqlite3_log,	1_2_221BD9E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_2210DFC0 sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_mprintf,sqlite3_bind_text,sqlite3_step,sqlite3_reset,	1_2_2210DFC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_22111FE0 sqlite3_mprintf,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,	1_2_22111FE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_220A5C70 sqlite3_prepare_v3,sqlite3_bind_int64,sqlite3_step,sqlite3_column_value,sqlite3_result_value,sqlite3_reset,	1_2_220A5C70

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	1 OS Credential Dumping	2 System Time Discovery	Remote Services	11 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Native API	Boot or Logon Initialization Scripts	511 Process Injection	11 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	1 Data from Local System	21 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	3 Obfuscated Files or Information	Security Account Manager	3 File and Directory Discovery	SMB/Windows Admin Shares	1 Screen Capture	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Software Packing	NTDS	44 System Information Discovery	Distributed Component Object Model	Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	41 Security Software Discovery	SSH	Keylogging	13 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Masquerading	Cached Domain Credentials	31 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	31 Virtualization/Sandbox Evasion	DCSync	12 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	511 Process Injection	Proc Filesystem	1 System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
2E7ZdlxkOL.exe	16%	Virustotal		Browse
2E7ZdlxkOL.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\sqlt[1].dll	0%	ReversingLabs

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
t.me	0%	Virustotal		Browse
fp2e7a.wpc.phicdn.net	0%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	0%	URL Reputation	safe
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17	0%	URL Reputation	safe
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	0%	URL Reputation	safe
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016	0%	URL Reputation	safe
https://www.ecosia.org/newtab/	0%	URL Reputation	safe
https://ac.ecosia.org/autocomplete?q=	0%	URL Reputation	safe
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	0%	URL Reputation	safe
https://t.me/	0%	Avira URL Cloud	safe
https://195.201.251.214:9000/;jj	0%	Avira URL Cloud	safe
https://195.201.251.214:9000/freebl3.dll;	0%	Avira URL Cloud	safe
https://duckduckgo.com/chrome_newtab	0%	Avira URL Cloud	safe
https://duckduckgo.com/ac/?q=	0%	Avira URL Cloud	safe
https://duckduckgo.com/chrome_newtab	0%	Virustotal		Browse
https://195.201.251.214:9000/mozglue.dll	0%	Avira URL Cloud	safe
https://195.201.251.214:9000/vcruntime140.dllN$8	0%	Avira URL Cloud	safe
https://duckduckgo.com/ac/?q=	0%	Virustotal		Browse
https://t.me/	0%	Virustotal		Browse
https://195.201.251.214:9000/nss3.dll	0%	Avira URL Cloud	safe
https://195.201.251.214:9000/y	0%	Avira URL Cloud	safe
https://web.telegram.org	0%	Avira URL Cloud	safe
https://195.201.251.214:9000/nss3.dll	0%	Virustotal		Browse
https://steamcommunity.com/profiles/76561199707802586hellosqlt.dllsqlite3.dll	0%	Avira URL Cloud	safe
https://195.201.251.214:9000/	0%	Avira URL Cloud	safe
https://195.201.251.214:9000/mozglue.dll	0%	Virustotal		Browse
https://t.me//	0%	Avira URL Cloud	safe
https://195.201.251.214:9000/mozglue.dllge	0%	Avira URL Cloud	safe
https://web.telegram.org	0%	Virustotal		Browse
https://195.201.251.214:9000/h	0%	Avira URL Cloud	safe
https://steamcommunity.com/profiles/76561199707802586hellosqlt.dllsqlite3.dll	0%	Virustotal		Browse
https://195.201.251.214:9000/Mac	0%	Avira URL Cloud	safe
https://195.201.251.214:9000/y	0%	Virustotal		Browse
https://195.201.251.214:9000/	0%	Virustotal		Browse
https://195.201.251.214:9000/mozglue.dllK	0%	Avira URL Cloud	safe
https://195.201.251.214:9000/icrosoft	0%	Avira URL Cloud	safe
https://t.me//	0%	Virustotal		Browse
https://195.201.251.214:9000/vcruntime140.dllz	0%	Avira URL Cloud	safe
https://195.201.251.214:9000/nss3.dllM	0%	Avira URL Cloud	safe
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17rer.exe	0%	Avira URL Cloud	safe
https://github.com/mullvad/mullvadvpn-app#readme0	0%	Avira URL Cloud	safe
https://195.201.251.214:9000/al	0%	Avira URL Cloud	safe
https://195.201.251.214:9000/h	0%	Virustotal		Browse
https://github.com/mullvad/mullvadvpn-app#readme0	0%	Virustotal		Browse
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install	0%	Avira URL Cloud	safe
https://195.201.251.214:9000/freebl3.dll	0%	Avira URL Cloud	safe
https://195.201.251.214:9000/softokn3.dll	0%	Avira URL Cloud	safe
https://t.me/g067nry1neMozilla/5.0	0%	Avira URL Cloud	safe
http://www.sqlite.org/copyright.html.	0%	Avira URL Cloud	safe
https://195.201.251.214:9000g	0%	Avira URL Cloud	safe
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	0%	Avira URL Cloud	safe
https://t.me/g067nry1neMozilla/5.0	0%	Virustotal		Browse
https://195.201.251.214:9000/freebl3.dll	0%	Virustotal		Browse
https://195.201.251.214:9000/softokn3.dll	0%	Virustotal		Browse
https://t.me/g067n8	0%	Avira URL Cloud	safe
https://195.201.251.214:9000/msvcp140.dll	0%	Avira URL Cloud	safe
https://195.201.251.214:9000/sqlt.dll9	0%	Avira URL Cloud	safe
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	0%	Virustotal		Browse
https://195.201.251.214:9000/ivaldi	0%	Avira URL Cloud	safe
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	0%	Avira URL Cloud	safe
https://195.201.251.214:9000/vcruntime140.dllrv:129.0)	0%	Avira URL Cloud	safe
https://t.me/g067n8	0%	Virustotal		Browse
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016ost.exe	0%	Avira URL Cloud	safe
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	0%	Virustotal		Browse
https://195.201.251.214:9000/vcruntime140.dller	0%	Avira URL Cloud	safe
http://www.sqlite.org/copyright.html.	0%	Virustotal		Browse
https://195.201.251.214:9000/msvcp140.dllc	0%	Avira URL Cloud	safe
https://195.201.251.214:9000/vcruntime140.dll	0%	Avira URL Cloud	safe
https://195.201.251.214:9000/msvcp140.dlle	0%	Avira URL Cloud	safe
https://195.201.251.214:9000/softokn3.dlle	0%	Avira URL Cloud	safe
https://195.201.251.214:9000/sqlt.dll9	0%	Virustotal		Browse
https://steamcommunity.com/profiles/76561199707802586	100%	Avira URL Cloud	malware
https://t.me/g067n	100%	Avira URL Cloud	malware
https://195.201.251.214:9000/freebl3.dllge	0%	Avira URL Cloud	safe
https://195.201.251.214:9000/c3osoft	0%	Avira URL Cloud	safe
https://195.201.251.214:9000/softokn3.dll7i	0%	Avira URL Cloud	safe
https://195.201.251.214:9000/vcruntime140.dllU	0%	Avira URL Cloud	safe
https://195.201.251.214/	0%	Avira URL Cloud	safe
https://195.201.251.214:9000/Rk	0%	Avira URL Cloud	safe
https://195.201.251.214/j.	0%	Avira URL Cloud	safe
https://195.201.251.214:9000	0%	Avira URL Cloud	safe
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples	0%	Avira URL Cloud	safe
https://195.201.251.214:9000/sqlt.dll	0%	Avira URL Cloud	safe
https://195.201.251.214:9000ontent-Disposition:	0%	Avira URL Cloud	safe
https://195.201.251.214:90007c3le	0%	Avira URL Cloud	safe
https://195.201.251.214:9000Microsoft	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
t.me	149.154.167.99	true	true	0%, Virustotal, Browse	unknown
fp2e7a.wpc.phicdn.net	192.229.221.95	true	false	0%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://steamcommunity.com/profiles/76561199707802586	true	Avira URL Cloud: malware	unknown
https://t.me/g067n	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	JKEHII.1.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://t.me/	MSBuild.exe, 00000001.00000002.2894948188.0000000001078000.00000004.00000020.00020000.00000000.sdmp	true	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://195.201.251.214:9000/;jj	MSBuild.exe, 00000001.00000002.2894948188.0000000001078000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/ac/?q=	JKEHII.1.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://195.201.251.214:9000/freebl3.dll;	MSBuild.exe, 00000001.00000002.2894948188.00000000010A8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://195.201.251.214:9000/mozglue.dll	MSBuild.exe, 00000001.00000002.2894948188.00000000010A8000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2893345551.0000000000445000.00000040.00000400.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://195.201.251.214:9000/vcruntime140.dllN$8	MSBuild.exe, 00000001.00000002.2894948188.00000000010CE000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://195.201.251.214:9000/nss3.dll	MSBuild.exe, 00000001.00000002.2893345551.0000000000445000.00000040.00000400.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2894948188.00000000010CE000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://195.201.251.214:9000/y	MSBuild.exe, 00000001.00000002.2895536190.000000000113C000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2894948188.00000000010CE000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://web.telegram.org	MSBuild.exe, 00000001.00000002.2894948188.0000000001078000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://steamcommunity.com/profiles/76561199707802586hellosqlt.dllsqlite3.dll	2E7ZdlxkOL.exe, 00000000.00000002.1661322102.000000000465C000.00000004.00000800.00020000.00000000.sdmp, 2E7ZdlxkOL.exe, 00000000.00000002.1661322102.0000000004BE2000.00000004.00000800.00020000.00000000.sdmp, 2E7ZdlxkOL.exe, 00000000.00000002.1660052063.0000000003773000.00000004.00000800.00020000.00000000.sdmp, 2E7ZdlxkOL.exe, 00000000.00000002.1661322102.00000000045F4000.00000004.00000800.00020000.00000000.sdmp, 2E7ZdlxkOL.exe, 00000000.00000002.1661322102.0000000004C16000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2893345551.0000000000400000.00000040.00000400.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://195.201.251.214:9000/	MSBuild.exe, 00000001.00000002.2895536190.000000000113C000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2893345551.0000000000445000.00000040.00000400.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2894948188.00000000010CE000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://t.me//	MSBuild.exe, 00000001.00000002.2894948188.0000000001078000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://195.201.251.214:9000/mozglue.dllge	MSBuild.exe, 00000001.00000002.2893345551.0000000000445000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	JKEHII.1.dr	false	URL Reputation: safe	unknown
https://195.201.251.214:9000/Mac	MSBuild.exe, 00000001.00000002.2894948188.00000000010EE000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://195.201.251.214:9000/h	MSBuild.exe, 00000001.00000002.2895536190.000000000113C000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17	MSBuild.exe, 00000001.00000002.2899808496.00000000197AD000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2893345551.0000000000445000.00000040.00000400.00020000.00000000.sdmp, FCBFBG.1.dr	false	URL Reputation: safe	unknown
https://195.201.251.214:9000/mozglue.dllK	MSBuild.exe, 00000001.00000002.2894948188.00000000010A8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://195.201.251.214:9000/icrosoft	MSBuild.exe, 00000001.00000002.2893345551.0000000000445000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://195.201.251.214:9000/vcruntime140.dllz	MSBuild.exe, 00000001.00000002.2895536190.0000000001146000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://195.201.251.214:9000/nss3.dllM	MSBuild.exe, 00000001.00000002.2894948188.00000000010EE000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17rer.exe	MSBuild.exe, 00000001.00000002.2893345551.0000000000445000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/mullvad/mullvadvpn-app#readme0	2E7ZdlxkOL.exe	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://195.201.251.214:9000/al	MSBuild.exe, 00000001.00000002.2894948188.00000000010CE000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install	FCBFBG.1.dr	false	Avira URL Cloud: safe	unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	JKEHII.1.dr	false	URL Reputation: safe	unknown
https://195.201.251.214:9000/freebl3.dll	MSBuild.exe, 00000001.00000002.2894948188.00000000010A8000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2893345551.0000000000445000.00000040.00000400.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://195.201.251.214:9000/softokn3.dll	MSBuild.exe, 00000001.00000002.2894948188.00000000010A8000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2893345551.0000000000445000.00000040.00000400.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://t.me/g067nry1neMozilla/5.0	2E7ZdlxkOL.exe, 00000000.00000002.1661322102.000000000465C000.00000004.00000800.00020000.00000000.sdmp, 2E7ZdlxkOL.exe, 00000000.00000002.1661322102.0000000004BE2000.00000004.00000800.00020000.00000000.sdmp, 2E7ZdlxkOL.exe, 00000000.00000002.1660052063.0000000003773000.00000004.00000800.00020000.00000000.sdmp, 2E7ZdlxkOL.exe, 00000000.00000002.1661322102.00000000045F4000.00000004.00000800.00020000.00000000.sdmp, 2E7ZdlxkOL.exe, 00000000.00000002.1661322102.0000000004C16000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2893345551.0000000000400000.00000040.00000400.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.sqlite.org/copyright.html.	MSBuild.exe, 00000001.00000002.2900116919.000000001C339000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2905756495.00000000222DD000.00000002.00001000.00020000.00000000.sdmp, sqlt[1].dll.1.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://195.201.251.214:9000g	MSBuild.exe, 00000001.00000002.2893345551.0000000000445000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	JKEHII.1.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://t.me/g067n8	MSBuild.exe, 00000001.00000002.2894948188.0000000001078000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://195.201.251.214:9000/msvcp140.dll	MSBuild.exe, 00000001.00000002.2895536190.0000000001146000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://195.201.251.214:9000/sqlt.dll9	MSBuild.exe, 00000001.00000002.2894948188.00000000010A8000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://195.201.251.214:9000/ivaldi	MSBuild.exe, 00000001.00000002.2894948188.00000000010CE000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	JKEHII.1.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016	MSBuild.exe, 00000001.00000002.2899808496.00000000197AD000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2893345551.0000000000445000.00000040.00000400.00020000.00000000.sdmp, FCBFBG.1.dr	false	URL Reputation: safe	unknown
https://195.201.251.214:9000/vcruntime140.dllrv:129.0)	MSBuild.exe, 00000001.00000002.2893345551.0000000000539000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016ost.exe	MSBuild.exe, 00000001.00000002.2893345551.0000000000445000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.ecosia.org/newtab/	JKEHII.1.dr	false	URL Reputation: safe	unknown
https://195.201.251.214:9000/vcruntime140.dller	MSBuild.exe, 00000001.00000002.2893345551.0000000000445000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://195.201.251.214:9000/msvcp140.dllc	MSBuild.exe, 00000001.00000002.2894948188.00000000010A8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://195.201.251.214:9000/vcruntime140.dll	MSBuild.exe, 00000001.00000002.2893345551.0000000000539000.00000040.00000400.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2893345551.0000000000445000.00000040.00000400.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2894948188.00000000010CE000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2895536190.0000000001146000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ac.ecosia.org/autocomplete?q=	JKEHII.1.dr	false	URL Reputation: safe	unknown
https://195.201.251.214:9000/msvcp140.dlle	MSBuild.exe, 00000001.00000002.2893345551.0000000000445000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://195.201.251.214:9000/softokn3.dlle	MSBuild.exe, 00000001.00000002.2893345551.0000000000445000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://195.201.251.214:9000/freebl3.dllge	MSBuild.exe, 00000001.00000002.2893345551.0000000000445000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://195.201.251.214:9000/c3osoft	MSBuild.exe, 00000001.00000002.2893345551.0000000000445000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://195.201.251.214:9000/softokn3.dll7i	MSBuild.exe, 00000001.00000002.2894948188.0000000001078000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://195.201.251.214:9000/vcruntime140.dllU	MSBuild.exe, 00000001.00000002.2895536190.0000000001146000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://195.201.251.214/	MSBuild.exe, 00000001.00000002.2894948188.00000000010CE000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://195.201.251.214:9000/Rk	MSBuild.exe, 00000001.00000002.2894948188.0000000001078000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://195.201.251.214/j.	MSBuild.exe, 00000001.00000002.2894948188.00000000010CE000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://195.201.251.214:9000	MSBuild.exe, 00000001.00000002.2893345551.0000000000445000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples	FCBFBG.1.dr	false	Avira URL Cloud: safe	unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	JKEHII.1.dr	false	URL Reputation: safe	unknown
https://195.201.251.214:9000/sqlt.dll	MSBuild.exe, 00000001.00000002.2894948188.00000000010A8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://195.201.251.214:9000ontent-Disposition:	MSBuild.exe, 00000001.00000002.2893345551.0000000000445000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://195.201.251.214:90007c3le	MSBuild.exe, 00000001.00000002.2893345551.0000000000539000.00000040.00000400.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2893345551.00000000005C8000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://195.201.251.214:9000Microsoft	MSBuild.exe, 00000001.00000002.2893345551.0000000000445000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
195.201.251.214	unknown	Germany		24940	HETZNER-ASDE	false
149.154.167.99	t.me	United Kingdom		62041	TELEGRAMRU	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1464578
Start date and time:	2024-06-29 05:41:08 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 19s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	7
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	2E7ZdlxkOL.exe renamed because original name is a hash value
Original Sample Name:	6320d63025e1764e578680e24906def3.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@3/11@1/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 88% Number of executed functions: 104 Number of non-executed functions: 200
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 93.184.221.240, 40.68.123.157, 13.95.31.18, 192.229.221.95, 20.166.126.56
Excluded domains from analysis (whitelisted): ctldl.windowsupdate.com.delivery.microsoft.com, slscr.update.microsoft.com, wu.ec.azureedge.net, ctldl.windowsupdate.com, wu.azureedge.net, fe3cr.delivery.mp.microsoft.com, fe3.delivery.mp.microsoft.com, ocsp.digicert.com, bg.apr-52dd2-0503.edgecastdns.net, cs11.wpc.v0cdn.net, glb.cws.prod.dcat.dsp.trafficmanager.net, ocsp.edge.digicert.com, hlb.apr-52dd2-0.edgecastdns.net, sls.update.microsoft.com, wu-b-net.trafficmanager.net, glb.sls.prod.dcat.dsp.trafficmanager.net
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
23:42:09	API Interceptor	1x Sleep call for process: MSBuild.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
195.201.251.214	S8co1ACRdn.exe	Get hash	malicious	CryptOne, Vidar	Browse
	M9dfZzH3qn.exe	Get hash	malicious	CryptOne, Vidar	Browse
	5IRIk4f1PO.exe	Get hash	malicious	CryptOne, Vidar	Browse
	1719520929.094843_setup.exe	Get hash	malicious	LummaC Stealer, Mars Stealer, PrivateLoader, PureLog Stealer, Socks5Systemz, Stealc, Vidar	Browse
	1Cvd8TyYPm.exe	Get hash	malicious	LummaC, Mars Stealer, PureLog Stealer, Stealc, Vidar, Xmrig, zgRAT	Browse
149.154.167.99	http://telegramtw1.org/	Get hash	malicious	Unknown	Browse	telegram.org/?setln=pl
	http://makkko.kz/	Get hash	malicious	Unknown	Browse	telegram.org/
	http://telegram.dog	Get hash	malicious	Unknown	Browse	telegram.dog/
	LnSNtO8JIa.exe	Get hash	malicious	Cinoshi Stealer	Browse	t.me/cinoshibot
	jtfCFDmLdX.exe	Get hash	malicious	Gurcu Stealer, PrivateLoader, RedLine, RisePro Stealer, SmokeLoader, zgRAT	Browse	t.me/cinoshibot
	vSlVoTPrmP.exe	Get hash	malicious	Gurcu Stealer, PrivateLoader, RedLine, RisePro Stealer, SmokeLoader, zgRAT	Browse	t.me/cinoshibot
	RO67OsrIWi.exe	Get hash	malicious	Gurcu Stealer, PrivateLoader, RedLine, RisePro Stealer, SmokeLoader, zgRAT	Browse	t.me/cinoshibot
	KeyboardRGB.exe	Get hash	malicious	Unknown	Browse	t.me/cinoshibot
	file.exe	Get hash	malicious	Cinoshi Stealer	Browse	t.me/cinoshibot

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
t.me	S8co1ACRdn.exe	Get hash	malicious	CryptOne, Vidar	Browse	149.154.167.99
	M9dfZzH3qn.exe	Get hash	malicious	CryptOne, Vidar	Browse	149.154.167.99
	5IRIk4f1PO.exe	Get hash	malicious	CryptOne, Vidar	Browse	149.154.167.99
	1719520929.094843_setup.exe	Get hash	malicious	LummaC Stealer, Mars Stealer, PrivateLoader, PureLog Stealer, Socks5Systemz, Stealc, Vidar	Browse	149.154.167.99
	1Cvd8TyYPm.exe	Get hash	malicious	LummaC, Mars Stealer, PureLog Stealer, Stealc, Vidar, Xmrig, zgRAT	Browse	149.154.167.99
	project.exe	Get hash	malicious	RedLine	Browse	149.154.167.99
	WR0fuHnEVW.exe	Get hash	malicious	Vidar	Browse	149.154.167.99
	BRWgvKaqbg.exe	Get hash	malicious	PureLog Stealer, RisePro Stealer, Vidar, zgRAT	Browse	149.154.167.99
	Resolucion Juridica Bloqueo Cuentas y servicios SRI.vbs.xz	Get hash	malicious	Unknown	Browse	104.21.51.236
	vidar2406.exe	Get hash	malicious	Vidar	Browse	149.154.167.99
fp2e7a.wpc.phicdn.net	https://t4ha7.shop/	Get hash	malicious	Unknown	Browse	192.229.221.95
	https://jiedian.dadabing023.workers.dev/	Get hash	malicious	Unknown	Browse	192.229.221.95
	https://aradcofeenet1.aradcofeenet1.workers.dev/	Get hash	malicious	Unknown	Browse	192.229.221.95
	http://www.youkonew.anakembok.de/	Get hash	malicious	Unknown	Browse	192.229.221.95
	http://purchase-order-workers-playground-weathered-moon-6962.mslee.workers.dev/	Get hash	malicious	Unknown	Browse	192.229.221.95
	https://cloudflare-workers-pages-vless-2gi.pages.dev/	Get hash	malicious	Unknown	Browse	192.229.221.95
	http://www.services-nickel.yayra-food.com/	Get hash	malicious	Unknown	Browse	192.229.221.95
	http://pub-a4db5d6837084a76bc5f6d9216e7e57d.r2.dev/a38.html	Get hash	malicious	Unknown	Browse	192.229.221.95
	https://he110ca11he1lpn0wwb112.pages.dev/	Get hash	malicious	TechSupportScam	Browse	192.229.221.95
	https://sumydeko.blogspot.in/	Get hash	malicious	Unknown	Browse	192.229.221.95

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TELEGRAMRU	S8co1ACRdn.exe	Get hash	malicious	CryptOne, Vidar	Browse	149.154.167.99
	M9dfZzH3qn.exe	Get hash	malicious	CryptOne, Vidar	Browse	149.154.167.99
	5IRIk4f1PO.exe	Get hash	malicious	CryptOne, Vidar	Browse	149.154.167.99
	https://telegrambot-resolved.pages.dev/	Get hash	malicious	Unknown	Browse	149.154.167.99
	1719520929.094843_setup.exe	Get hash	malicious	LummaC Stealer, Mars Stealer, PrivateLoader, PureLog Stealer, Socks5Systemz, Stealc, Vidar	Browse	149.154.167.99
	Kyeryong Construction - Products List & Spec.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	149.154.167.220
	zrrHgsDzgS.exe	Get hash	malicious	AsyncRAT, PureLog Stealer, StormKitty, WorldWind Stealer, zgRAT	Browse	149.154.167.220
	1Cvd8TyYPm.exe	Get hash	malicious	LummaC, Mars Stealer, PureLog Stealer, Stealc, Vidar, Xmrig, zgRAT	Browse	149.154.167.99
	H1XdsfkcgU.exe	Get hash	malicious	AsyncRAT, StormKitty, WorldWind Stealer	Browse	149.154.167.220
	w5APKwp5DD.exe	Get hash	malicious	AsyncRAT, HTMLPhisher, MicroClip, StormKitty, WorldWind Stealer	Browse	149.154.167.220
HETZNER-ASDE	S8co1ACRdn.exe	Get hash	malicious	CryptOne, Vidar	Browse	195.201.251.214
	M9dfZzH3qn.exe	Get hash	malicious	CryptOne, Vidar	Browse	195.201.251.214
	5IRIk4f1PO.exe	Get hash	malicious	CryptOne, Vidar	Browse	195.201.251.214
	https://he110ca11he1lpn0wwb112.pages.dev/	Get hash	malicious	TechSupportScam	Browse	195.201.57.90
	Find-DscResource_QoS.ps1	Get hash	malicious	Unknown	Browse	5.161.214.209
	https://serviceca11he1pn0waa12.pages.dev/	Get hash	malicious	TechSupportScam	Browse	195.201.57.90
	Find-DscResource_QoS.ps1	Get hash	malicious	Unknown	Browse	5.161.214.209
	1719520929.094843_setup.exe	Get hash	malicious	LummaC Stealer, Mars Stealer, PrivateLoader, PureLog Stealer, Socks5Systemz, Stealc, Vidar	Browse	195.201.251.214
	http://hostedonsporestack.com	Get hash	malicious	Unknown	Browse	95.216.25.250
	https://email.abad-ca.com/	Get hash	malicious	Unknown	Browse	135.181.16.82

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
37f463bf4616ecd445d4a1937da06e19	S8co1ACRdn.exe	Get hash	malicious	CryptOne, Vidar	Browse	149.154.167.99
	M9dfZzH3qn.exe	Get hash	malicious	CryptOne, Vidar	Browse	149.154.167.99
	5IRIk4f1PO.exe	Get hash	malicious	CryptOne, Vidar	Browse	149.154.167.99
	1719520929.094843_setup.exe	Get hash	malicious	LummaC Stealer, Mars Stealer, PrivateLoader, PureLog Stealer, Socks5Systemz, Stealc, Vidar	Browse	149.154.167.99
	3443424611#U00b7pdf.exe	Get hash	malicious	Remcos, GuLoader	Browse	149.154.167.99
	UTN RFP_24-0676#U00b7pdf.exe	Get hash	malicious	GuLoader, Lokibot	Browse	149.154.167.99
	RFQ_22Q7305A-N23A-01#U00b7pdf.exe	Get hash	malicious	Remcos	Browse	149.154.167.99
	UPS_Bill_of_lading_291098829T_28_06_2024_000000_pdf.vbs	Get hash	malicious	GuLoader, Remcos	Browse	149.154.167.99
	PLANT PROJECT PROPOSAL BID_24-0676#U00b7pdf.exe	Get hash	malicious	GuLoader, Lokibot	Browse	149.154.167.99
	1Cvd8TyYPm.exe	Get hash	malicious	LummaC, Mars Stealer, PureLog Stealer, Stealc, Vidar, Xmrig, zgRAT	Browse	149.154.167.99

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\sqlt[1].dll	S8co1ACRdn.exe	Get hash	malicious	CryptOne, Vidar	Browse
	M9dfZzH3qn.exe	Get hash	malicious	CryptOne, Vidar	Browse
	5IRIk4f1PO.exe	Get hash	malicious	CryptOne, Vidar	Browse
	1719520929.094843_setup.exe	Get hash	malicious	LummaC Stealer, Mars Stealer, PrivateLoader, PureLog Stealer, Socks5Systemz, Stealc, Vidar	Browse
	1Cvd8TyYPm.exe	Get hash	malicious	LummaC, Mars Stealer, PureLog Stealer, Stealc, Vidar, Xmrig, zgRAT	Browse
	WR0fuHnEVW.exe	Get hash	malicious	Vidar	Browse
	BRWgvKaqbg.exe	Get hash	malicious	PureLog Stealer, RisePro Stealer, Vidar, zgRAT	Browse
	vidar2406.exe	Get hash	malicious	Vidar	Browse
	RW3MLiFPzL.exe	Get hash	malicious	PureLog Stealer, Vidar, zgRAT	Browse
	file.exe	Get hash	malicious	Vidar	Browse

Created / dropped Files

C:\ProgramData\CGHCGIIDGDAK\DAEHJJ

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.8180424350137764
Encrypted:	false
SSDEEP:	96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
MD5:	349E6EB110E34A08924D92F6B334801D
SHA1:	BDFB289DAFF51890CC71697B6322AA4B35EC9169
SHA-256:	C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
SHA-512:	2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
Malicious:	false
Reputation:	high, very likely benign file
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\CGHCGIIDGDAK\DHCBAE

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	modified
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Reputation:	high, very likely benign file
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\CGHCGIIDGDAK\EHCAEG

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11
Category:	dropped
Size (bytes):	28672
Entropy (8bit):	2.5793180405395284
Encrypted:	false
SSDEEP:	96:/xealJiylsMjLslk5nYPphZEhcR2hO2mOeVgN8tmKqWkh3qzRk4PeOhZ3hcR1hOI:/xGZR8wbtxq5uWRHKloIN7YItnb6Ggz
MD5:	41EA9A4112F057AE6BA17E2838AEAC26
SHA1:	F2B389103BFD1A1A050C4857A995B09FEAFE8903
SHA-256:	CE84656EAEFC842355D668E7141F84383D3A0C819AE01B26A04F9021EF0AC9DB
SHA-512:	29E848AD16D458F81D8C4F4E288094B4CFC103AD99B4511ED1A4846542F9128736A87AAC5F4BFFBEFE7DF99A05EB230911EDCE99FEE3877DEC130C2781962103
Malicious:	false
Reputation:	high, very likely benign file
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\CGHCGIIDGDAK\FCBFBG

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	159744
Entropy (8bit):	0.7873599747470391
Encrypted:	false
SSDEEP:	96:pn6pld6px0c2EDKFm5wTmN8ewmdaDKFmJ4ee7vuejzH+bF+UIYysX0IxQzh/tsVL:8Ys3QMmRtH+bF+UI3iN0RSV0k3qLyj9v
MD5:	6A6BAD38068B0F6F2CADC6464C4FE8F0
SHA1:	4E3B235898D8E900548613DDB6EA59CDA5EB4E68
SHA-256:	0998615B274171FC74AAB4E70FD355AF513186B74A4EB07AAA883782E6497982
SHA-512:	BFE41E5AB5851C92308A097FE9DA4F215875AC2C7D7A483B066585071EE6086B5A7BE6D80CEC18027A3B88AA5C0A477730B22A41406A6AB344FCD9C659B9CB0A
Malicious:	false
Reputation:	high, very likely benign file
Preview:	SQLite format 3......@ .......'........... ......................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\CGHCGIIDGDAK\GIJECG

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Reputation:	high, very likely benign file
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\CGHCGIIDGDAK\JKEHII

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\CGHCGIIDGDAK\KFBGCA

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, file counter 2, database pages 31, cookie 0x18, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	126976
Entropy (8bit):	0.47147045728725767
Encrypted:	false
SSDEEP:	96:/WU+bDoYysX0uhnyTpvVjN9DLjGQLBE3u:/l+bDo3irhnyTpvVj3XBBE3u
MD5:	A2D1F4CF66465F9F0CAC61C4A95C7EDE
SHA1:	BA6A845E247B221AAEC96C4213E1FD3744B10A27
SHA-256:	B510DF8D67E38DCAE51FE97A3924228AD37CF823999FD3BC6BA44CA6535DE8FE
SHA-512:	C571E5125C005EAC0F0B72B5F132AE03783AF8D621BFA32B366B0E8A825EF8F65E33CD330E42BDC722BFA012E3447A7218F05FDD4A5AD855C1CA22DFA2F79838
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	Microsoft Cabinet archive data, Windows 2000/XP setup, 71954 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
Category:	dropped
Size (bytes):	71954
Entropy (8bit):	7.996617769952133
Encrypted:	true
SSDEEP:	1536:gc257bHnClJ3v5mnAQEBP+bfnW8Ctl8G1G4eu76NWDdB34w18R5cBWcJAm68+Q:gp2ld5jPqW8LgeulxB3fgcEfDQ
MD5:	49AEBF8CBD62D92AC215B2923FB1B9F5
SHA1:	1723BE06719828DDA65AD804298D0431F6AFF976
SHA-256:	B33EFCB95235B98B48508E019AFA4B7655E80CF071DEFABD8B2123FC8B29307F
SHA-512:	BF86116B015FB56709516D686E168E7C9C68365136231CC51D0B6542AE95323A71D2C7ACEC84AAD7DCECC2E410843F6D82A0A6D51B9ACFC721A9C84FDD877B5B
Malicious:	false
Preview:	MSCF............,...................I..................XaK .authroot.stl.[.i..6..CK..<Tk......4.cl!Kg..E..Y.f_..".$mR"$.J.E.KB."..rKv.."{.g....3.W.....c..9.s...=....y6#..x..........D......\(.#.s.!.A.......cd.c........+^.ov...n.....3BL..0.......BPUR&.X..02.q...R...J.....w.....b.vy>....-.&..(..oe."."...J9...0U.6J..\|U..S.....M.F8g...=.......p...........l.?3.J.x.G.Ep..$g..tj......)v]9(:.)W.8.Op.1Q..:.nPd........7.7..M].V F..g.....12..!7(...B.......h.RZ.......l.<.....6..Z^.`p?... .p.Gp.#.'.X..........\|!.8.....".m.49r?.I...g...8.v.....a``.g.R4.i...J8q....NFW,E.6Y....!.o5%.Y.....R..<..S9....r....WO...(.....F..Q=....-..7d..O(....-..+k.........K..........{Q....Z..j._.E...QZ.~.\.^......N.9.k..O.}dD.b1r...[}/....T..E..G..c.\|.c.&>?..^t. ..;..X.d.E.0G....[Q.,......#.Dp..L.o\|#syc.J............}G-.ou6.=52..XWi=...m.....^u......c..fc?&pR7S5....I...j.G........j.j..Tc.El.....B.pQ.,Bp....j...9g.. >..s..m#.Nb.o_u.M.V...........\#...v..Mo\sF..s....Y...

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	data
Category:	dropped
Size (bytes):	328
Entropy (8bit):	3.137989037915285
Encrypted:	false
SSDEEP:	6:kKBnH9UswDLL+N+SkQlPlEGYRMY9z+4KlDA3RUebT3:8DnLNkPlE99SNxAhUe/3
MD5:	12F1F6B205642027B4560A8F034120DE
SHA1:	9A3331563C481C9A598711511D3344A2DB46A858
SHA-256:	EC9100469CC1B76B8163DAB7AD0E1AF8AAA326D252CA959000A4696E5BC59B0D
SHA-512:	555E6A28AA4794DC1E22EA947D2173C4EF5B86B4161E24E339F2AA52A62CA62B6B1D1D362A006955A81EE5EB1D7A82E61514406D510611F36063D602F245F098
Malicious:	false
Preview:	p...... ........N.N....(....................................................... ........G..@.......&...............h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".a.7.2.8.2.e.b.4.0.b.1.d.a.1.:.0."...

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\2E7ZdlxkOL.exe.log

Download File

Process:	C:\Users\user\Desktop\2E7ZdlxkOL.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	929
Entropy (8bit):	5.357810516297776
Encrypted:	false
SSDEEP:	24:MLU84qrE4/A1E4K0AE4KIR/KDE4KhKiKhk:MgvUH/AHKbHKo/YHKh3ok
MD5:	DD1A4BE867D82920ED15E778193554A9
SHA1:	CF9AEE5975225930A374D91604F74ACAC9EE9F33
SHA-256:	3562A0BF5CDD5AEB614D85C22C5247B15282C89A53AB6C64D8159A0CE949A078
SHA-512:	12CE12C27222A1C66D11F5D01531F8F9DA671B7318C0CC593007424B794B17D94D77DDEF4D78FAF2309944867DB5B68FFE924EFC9F27366D900DA2E3ACB42796
Malicious:	true
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Runtime, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Runtime\32bcd6ad56338e82b2e9ecba5600bdb4\System.Runtime.ni.dll",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Xaml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xaml\4a6b3689887244ce68a20c5d8154ca54\System.Xaml.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\sqlt[1].dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2459136
Entropy (8bit):	6.052474106868353
Encrypted:	false
SSDEEP:	49152:WHoJ9zGioiMjW2RrL9B8SSpiCH7cuez9A:WHoJBGqabRnj8JY/9
MD5:	90E744829865D57082A7F452EDC90DE5
SHA1:	833B178775F39675FA4E55EAB1032353514E1052
SHA-256:	036A57102385D7F0D7B2DEACF932C1C372AE30D924365B7A88F8A26657DD7550
SHA-512:	0A2D112FF7CB806A74F5EC17FE097D28107BB497D6ED5AD28EA47E6795434BA903CDB49AAF97A9A99C08CD0411F1969CAD93031246DC107C26606A898E570323
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: S8co1ACRdn.exe, Detection: malicious, Browse Filename: M9dfZzH3qn.exe, Detection: malicious, Browse Filename: 5IRIk4f1PO.exe, Detection: malicious, Browse Filename: 1719520929.094843_setup.exe, Detection: malicious, Browse Filename: 1Cvd8TyYPm.exe, Detection: malicious, Browse Filename: WR0fuHnEVW.exe, Detection: malicious, Browse Filename: BRWgvKaqbg.exe, Detection: malicious, Browse Filename: vidar2406.exe, Detection: malicious, Browse Filename: RW3MLiFPzL.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........7.Z.Y.Z.Y.Z.Y...Z.n.Y...\..Y...]...Y...X.Y.Y.Z.X..Y.O.\.E.Y.O.].U.Y.O.Z.L.Y.l3].[.Y.l3Y.[.Y.l3..[.Y.l3[.[.Y.RichZ.Y.................PE..L...i.`e...........!...%.. .........{D........ ...............................%...........@...........................#..6....$.(.....$.......................$.....`.#.8...........................x.#.@.............$..............................text...G. ....... ................. ..`.rdata...".... ..$.... .............@..@.data...4\|... $..b....#.............@....idata........$......^$.............@..@.00cfg........$......p$.............@..@.rsrc.........$......r$.............@..@.reloc..5.....$.......$.............@..B................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.226479788932778
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 50.01% Win32 Executable (generic) a (10002005/4) 49.97% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	2E7ZdlxkOL.exe
File size:	4'954'328 bytes
MD5:	6320d63025e1764e578680e24906def3
SHA1:	b452cb8f5fe2b5683b8ea94b90c5d3f415e53832
SHA256:	d4b22461e379bba07e2e2f6cf1833884c0ff656b84afdd3b2284be856f598ae0
SHA512:	f75d2700fafea373de7f2c4131a650128d38146ef8fd7edef0c186ce3ebc1fb51b116f91596891d68f893a56b30e14035e565a55d0e5d228462c9e3e7a68dc51
SSDEEP:	98304:KjG9asZlqf3mTJBMAxu8l+yzWCdlPtclKfWN6D:KjGgsZlqvmT8wu8lZWCzo+
TLSH:	9C36AF2FB9948E63C14D1B33C1E580649393CB8AA367E70FB99522272D527EE0D4E5CD
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....s~f..................I...........I.. ....I...@.. ........................K...........@................................

File Icon


Icon Hash:	57d6dbcdc8c8cc63

Static PE Info

General

Entrypoint:	0x89acde
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x667E7319 [Fri Jun 28 08:23:53 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=DigiCert SHA2 Assured ID Code Signing CA, OU=www.digicert.com, O=DigiCert Inc, C=US
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	21/04/2021 01:00:00 26/04/2024 00:59:59
Subject Chain	E=app@mullvad.net, CN=Mullvad VPN AB, OU=App, O=Mullvad VPN AB, L=G\xf6teborg, C=SE
Version:	3
Thumbprint MD5:	F69B32EAED37B1B18DB85D1A26EA1E27
Thumbprint SHA-1:	628787B4D78415D28418171B7FE53BAA333B92AD
Thumbprint SHA-256:	1D18B53318E748C836C9C4E13EE8AAAD826EEEAB393144A890A9AF062797AFDE
Serial:	0CBF470C61F3C3CC0B53FCE724C15E82

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x49ac90	0x4b	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x49c000	0x1de78	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x4b7200	0x26d8	.rsrc
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x4ba000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x49ac40	0x1c	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x498ce4	0x498e00	e175fa9e90a8f8667164d473f8508023	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x49c000	0x1de78	0x1e000	38bcb0b0750525dfdd021ca98fa27792	False	0.5244222005208333	data	5.983579330877694	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x4ba000	0xc	0x200	9f72bda50c602547e2be9f9bdfaee0b7	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0x49c1f0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 3779 x 3779 px/m	0.6125886524822695
RT_ICON	0x49c658	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 3779 x 3779 px/m	0.4828799249530957
RT_ICON	0x49d700	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 3779 x 3779 px/m	0.4148340248962656
RT_ICON	0x49fca8	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 65536, resolution 3779 x 3779 px/m	0.27895421743759613
RT_ICON	0x4b04d0	0x9408	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	0.9942210259658011
RT_GROUP_ICON	0x4b98d8	0x4c	data	0.8026315789473685
RT_VERSION	0x4b9924	0x368	data	0.42660550458715596
RT_MANIFEST	0x4b9c8c	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0.5469387755102041

Imports

DLL	Import
mscoree.dll	_CorExeMain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jun 29, 2024 05:41:53.597716093 CEST	49675	443	192.168.2.4	173.222.162.32
Jun 29, 2024 05:42:01.820858955 CEST	49732	443	192.168.2.4	149.154.167.99
Jun 29, 2024 05:42:01.820887089 CEST	443	49732	149.154.167.99	192.168.2.4
Jun 29, 2024 05:42:01.821012974 CEST	49732	443	192.168.2.4	149.154.167.99
Jun 29, 2024 05:42:01.824924946 CEST	49732	443	192.168.2.4	149.154.167.99
Jun 29, 2024 05:42:01.824937105 CEST	443	49732	149.154.167.99	192.168.2.4
Jun 29, 2024 05:42:02.496417046 CEST	443	49732	149.154.167.99	192.168.2.4
Jun 29, 2024 05:42:02.496653080 CEST	49732	443	192.168.2.4	149.154.167.99
Jun 29, 2024 05:42:02.556778908 CEST	49732	443	192.168.2.4	149.154.167.99
Jun 29, 2024 05:42:02.556796074 CEST	443	49732	149.154.167.99	192.168.2.4
Jun 29, 2024 05:42:02.557162046 CEST	443	49732	149.154.167.99	192.168.2.4
Jun 29, 2024 05:42:02.557224989 CEST	49732	443	192.168.2.4	149.154.167.99
Jun 29, 2024 05:42:02.559119940 CEST	49732	443	192.168.2.4	149.154.167.99
Jun 29, 2024 05:42:02.600501060 CEST	443	49732	149.154.167.99	192.168.2.4
Jun 29, 2024 05:42:02.782931089 CEST	443	49732	149.154.167.99	192.168.2.4
Jun 29, 2024 05:42:02.782990932 CEST	443	49732	149.154.167.99	192.168.2.4
Jun 29, 2024 05:42:02.783010960 CEST	49732	443	192.168.2.4	149.154.167.99
Jun 29, 2024 05:42:02.783035040 CEST	443	49732	149.154.167.99	192.168.2.4
Jun 29, 2024 05:42:02.783055067 CEST	443	49732	149.154.167.99	192.168.2.4
Jun 29, 2024 05:42:02.783068895 CEST	49732	443	192.168.2.4	149.154.167.99
Jun 29, 2024 05:42:02.783128977 CEST	49732	443	192.168.2.4	149.154.167.99
Jun 29, 2024 05:42:02.783135891 CEST	443	49732	149.154.167.99	192.168.2.4
Jun 29, 2024 05:42:02.783180952 CEST	443	49732	149.154.167.99	192.168.2.4
Jun 29, 2024 05:42:02.783183098 CEST	49732	443	192.168.2.4	149.154.167.99
Jun 29, 2024 05:42:02.783235073 CEST	49732	443	192.168.2.4	149.154.167.99
Jun 29, 2024 05:42:02.785655975 CEST	49732	443	192.168.2.4	149.154.167.99
Jun 29, 2024 05:42:02.785670996 CEST	443	49732	149.154.167.99	192.168.2.4
Jun 29, 2024 05:42:02.794416904 CEST	49733	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:02.799190998 CEST	9000	49733	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:02.799287081 CEST	49733	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:02.800585032 CEST	49733	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:02.805433989 CEST	9000	49733	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:03.207007885 CEST	49675	443	192.168.2.4	173.222.162.32
Jun 29, 2024 05:42:03.466319084 CEST	9000	49733	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:03.466382980 CEST	9000	49733	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:03.466451883 CEST	49733	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:03.466451883 CEST	49733	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:04.412584066 CEST	49733	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:04.417767048 CEST	9000	49733	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:04.605135918 CEST	9000	49733	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:04.605221987 CEST	49733	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:04.605756998 CEST	49733	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:04.610594034 CEST	9000	49733	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:05.061645985 CEST	9000	49733	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:05.061734915 CEST	49733	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:05.067051888 CEST	49735	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:05.072022915 CEST	9000	49735	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:05.079484940 CEST	49735	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:05.079936028 CEST	49735	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:05.084901094 CEST	9000	49735	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:05.727416039 CEST	9000	49735	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:05.727485895 CEST	49735	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:05.732248068 CEST	49735	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:05.737095118 CEST	49735	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:05.737108946 CEST	9000	49735	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:05.741981983 CEST	9000	49735	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:06.374206066 CEST	9000	49735	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:06.374362946 CEST	49735	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:06.375654936 CEST	49733	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:06.376063108 CEST	49736	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:06.380805016 CEST	9000	49736	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:06.380899906 CEST	49736	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:06.380920887 CEST	9000	49733	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:06.380975962 CEST	49733	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:06.381161928 CEST	49736	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:06.385890961 CEST	9000	49736	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:07.042047977 CEST	9000	49736	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:07.042136908 CEST	49736	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:07.042582035 CEST	49736	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:07.044190884 CEST	49736	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:07.047339916 CEST	9000	49736	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:07.048918009 CEST	9000	49736	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:07.683118105 CEST	9000	49736	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:07.683136940 CEST	9000	49736	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:07.683238983 CEST	49736	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:07.684426069 CEST	49735	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:07.684807062 CEST	49737	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:07.689733982 CEST	9000	49737	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:07.689745903 CEST	9000	49735	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:07.689825058 CEST	49735	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:07.690006018 CEST	49737	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:07.690006018 CEST	49737	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:07.694780111 CEST	9000	49737	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:08.362548113 CEST	9000	49737	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:08.362715006 CEST	49737	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:08.363070011 CEST	49737	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:08.364845037 CEST	49737	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:08.367847919 CEST	9000	49737	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:08.369643927 CEST	9000	49737	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:09.004059076 CEST	9000	49737	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:09.004113913 CEST	9000	49737	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:09.004129887 CEST	9000	49737	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:09.004184961 CEST	49737	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:09.004264116 CEST	49737	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:09.004395008 CEST	9000	49737	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:09.004405975 CEST	9000	49737	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:09.004446983 CEST	49737	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:09.006525040 CEST	49736	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:09.007019997 CEST	49738	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:09.011845112 CEST	9000	49736	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:09.011936903 CEST	49736	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:09.012311935 CEST	9000	49738	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:09.012386084 CEST	49738	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:09.012700081 CEST	49738	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:09.017983913 CEST	9000	49738	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:09.670902014 CEST	9000	49738	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:09.670969963 CEST	49738	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:09.671437979 CEST	49738	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:09.673763037 CEST	49738	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:09.676651955 CEST	9000	49738	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:09.679028988 CEST	9000	49738	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:10.306262016 CEST	9000	49738	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:10.306339025 CEST	49738	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:10.381609917 CEST	49737	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:10.382373095 CEST	49739	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:10.388077974 CEST	9000	49737	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:10.388153076 CEST	49737	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:10.388391018 CEST	9000	49739	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:10.388470888 CEST	49739	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:10.388731003 CEST	49739	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:10.393543959 CEST	9000	49739	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:11.052269936 CEST	9000	49739	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:11.052397966 CEST	49739	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:11.053040028 CEST	49739	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:11.054584026 CEST	49739	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:11.054678917 CEST	49739	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:11.057945013 CEST	9000	49739	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:11.059571981 CEST	9000	49739	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:11.059916019 CEST	9000	49739	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:11.059923887 CEST	9000	49739	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:11.059931040 CEST	9000	49739	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:11.059937954 CEST	9000	49739	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:11.059946060 CEST	9000	49739	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:11.379343987 CEST	49738	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:11.379856110 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:11.384671926 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:11.384778976 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:11.384974957 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:11.385417938 CEST	9000	49738	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:11.385504007 CEST	49738	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:11.389739037 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:11.715996981 CEST	9000	49739	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:11.716155052 CEST	49739	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.055602074 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.055783033 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.088653088 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.093452930 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.097898006 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.102726936 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.423486948 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.423584938 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.423595905 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.423624992 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.423662901 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.423883915 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.423894882 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.423906088 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.423916101 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.423948050 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.423978090 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.424269915 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.424287081 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.424298048 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.424333096 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.424371958 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.424815893 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.424871922 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.428704977 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.428760052 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.430188894 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.430239916 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.515794039 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.515830994 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.516026974 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.520978928 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.521019936 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.521029949 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.521044970 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.521094084 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.524353027 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.524421930 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.524445057 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.524456024 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.524498940 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.524525881 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.531553030 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.531622887 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.531631947 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.531641960 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.531673908 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.531691074 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.538535118 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.538592100 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.538619995 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.538630962 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.538675070 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.544986010 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.545058012 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.545109987 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.545120955 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.545161963 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.551908016 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.551985979 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.551991940 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.552001953 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.552043915 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.558701992 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.558775902 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.558798075 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.558809042 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.558852911 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.565516949 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.565568924 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.565577984 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.565587997 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.565628052 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.572478056 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.572554111 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.572612047 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.572659016 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.608474970 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.608534098 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.608572006 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.608589888 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.608653069 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.608697891 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.613668919 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.613724947 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.613753080 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.613765001 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.613809109 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.615906000 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.615953922 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.618911982 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.618990898 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.619157076 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.619177103 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.619188070 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.619210005 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.619230032 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.622898102 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.622945070 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.622951031 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.622956038 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.622992992 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.623016119 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.629264116 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.629340887 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.629354954 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.629364967 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.629410028 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.637073040 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.637121916 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.637147903 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.637157917 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.637197971 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.644287109 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.644366980 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.644387960 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.644397974 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.644454956 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.649640083 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.649682045 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.649698973 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.649734020 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.649753094 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.649799109 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.649847984 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.649897099 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.656657934 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.656733036 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.656891108 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.656902075 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.656945944 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.663130045 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.663182974 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.663213015 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.663223982 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.663264990 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.669395924 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.669445038 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.669455051 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.669485092 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.669512987 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.675107956 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.675157070 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.675160885 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.675183058 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.675196886 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.675230980 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.675299883 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.675348043 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.680573940 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.680619955 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.680660963 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.680679083 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.683216095 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.683268070 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.683296919 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.683307886 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.683346987 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.688563108 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.688613892 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.688648939 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.688658953 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.688700914 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.693464994 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.693532944 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.693568945 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.693581104 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.693619013 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.693644047 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.693689108 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.698318958 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.698381901 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.698421955 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.698432922 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.698476076 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.703386068 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.703433990 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.703463078 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.703473091 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.703517914 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.708271980 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.708349943 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.708355904 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.708365917 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.708412886 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.713203907 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.713248014 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.713289022 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.713304043 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.713341951 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.713390112 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.713443041 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.718277931 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.718348980 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.718358994 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.718375921 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.718409061 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.721476078 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.721487999 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.721498013 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.721534967 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.721561909 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.724719048 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.724785089 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.724795103 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.724824905 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.724875927 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.727593899 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.727653027 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.727663040 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.727672100 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.727718115 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.730603933 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.730695009 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.730701923 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.730705023 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.730750084 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.733668089 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.733736992 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.733746052 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.733757019 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.733803034 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.736777067 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.736824036 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.736843109 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.736865997 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.736871958 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.736918926 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.736928940 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.736984015 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.739862919 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.739918947 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.739931107 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.739974976 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.749480963 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.749566078 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.749576092 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.749613047 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.749655962 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.749891043 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.749902010 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.749953985 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.750092030 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.750143051 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.750188112 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.750197887 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.750237942 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.750405073 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.750454903 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.752036095 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.752093077 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.752121925 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.752132893 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.752176046 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.755233049 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.755307913 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.755312920 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.755359888 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.755650043 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.755697012 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.755707026 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.755753994 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.758146048 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.758217096 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.758227110 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.758227110 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.758276939 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.761197090 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.761255026 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.761255026 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.761316061 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.761920929 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.761964083 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.761974096 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.762011051 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.764343023 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.764395952 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.764417887 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.764427900 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.764476061 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.767348051 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.767369986 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.767433882 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.767600060 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.767617941 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.767663956 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.767683029 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.770333052 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.770385981 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.770392895 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.770402908 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.770492077 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.773464918 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.773545027 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.773560047 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.773577929 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.773587942 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.773621082 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.773660898 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.776551962 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.776568890 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.776623964 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.776648045 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.776702881 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.776706934 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.776760101 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.779422998 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.779500961 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.779505014 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.779515982 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.779561996 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.779592991 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.782424927 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.782480955 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.782490969 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.782506943 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.782546043 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.785378933 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.785428047 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.785437107 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.785473108 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.785481930 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.785512924 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.785517931 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.785559893 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.788238049 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.788309097 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.788319111 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.788353920 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.788398027 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.791152954 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.791254997 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.793016911 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.793034077 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.793112993 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.793905020 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.793966055 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.795994043 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.796051025 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.797715902 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.797728062 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.797733068 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.797816038 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.798705101 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.798719883 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.798765898 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.798801899 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.800806046 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.800857067 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.802439928 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.802450895 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.802500963 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.802526951 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.804728031 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.804738998 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.804794073 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.807166100 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.807178974 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.807248116 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.807266951 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.807279110 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.807327032 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.809583902 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.809643984 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.811862946 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.811875105 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.811923981 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.814362049 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.814373970 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.814382076 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.814443111 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.816520929 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.816533089 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.816541910 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.816546917 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.816598892 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.816631079 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.819083929 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.819094896 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.819103956 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.819154024 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.819197893 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.821247101 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.821258068 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.821265936 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.821269989 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.821326971 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.821377993 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.823780060 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.823791981 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.823875904 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.825963974 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.825974941 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.825984955 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.826030016 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.826073885 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.828469992 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.828485966 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.828500032 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.828552008 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.828598976 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.830645084 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.830657005 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.830715895 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.833158016 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.833169937 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.833178997 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.833219051 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.833237886 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.835736036 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.835747957 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.835757017 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.835762024 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.835822105 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.835871935 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.837997913 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.838010073 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.838013887 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.838021994 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.838079929 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.841123104 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.841135025 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.841142893 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.841182947 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.841213942 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.842971087 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.842983007 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.843050003 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.846218109 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.846230030 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.846239090 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.846296072 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.847712994 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.847724915 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.847733021 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.847742081 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.847781897 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.847827911 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.850951910 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.850964069 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.850971937 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.851006985 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.851027966 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.852433920 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.852446079 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.852454901 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.852488995 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.852500916 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.855638981 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.855650902 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.855690002 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.857122898 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.857136011 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.857145071 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.857202053 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.857225895 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.860357046 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.860368967 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.860411882 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.861851931 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.861862898 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.861874104 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.861910105 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.861933947 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.865046024 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.865057945 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.865067005 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.865113020 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.866578102 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.866595030 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.866614103 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.866633892 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.866667032 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.869744062 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.869755030 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.869764090 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.869822979 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.869844913 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.871361017 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.871372938 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.871417046 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.874468088 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.874486923 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.874496937 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.874527931 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.874563932 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.876089096 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.876101017 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.876108885 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.876143932 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.876172066 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.879271030 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.879282951 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.879292011 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.879323959 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.879345894 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.880808115 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.880820036 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.880829096 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.880891085 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.880903006 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.884057045 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.884068966 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.884077072 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.884085894 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.884113073 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.884136915 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.885488033 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.885499001 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.885507107 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.885544062 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.885560989 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.888780117 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.888793945 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.888803005 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.888834953 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.888858080 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.890199900 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.890212059 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.890254021 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.893501043 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.893512964 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.893522024 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.893580914 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.893599987 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.894912958 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.894925117 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.894933939 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.894972086 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.894995928 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.898221016 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.898232937 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.898241997 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.898251057 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.898279905 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.898298025 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.899585009 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.899596930 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.899636984 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.902966022 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.902977943 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.902987003 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.903023005 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.903047085 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.904280901 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.904293060 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.904357910 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.907675028 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.907686949 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.907740116 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.909004927 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.909018040 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.909029007 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.909056902 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.909092903 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.912652016 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.912664890 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.912719011 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.913719893 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.913738966 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.913748026 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.913778067 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.913813114 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.917433023 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.917447090 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.917535067 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.918401003 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.918414116 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.918457031 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.922164917 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.922178030 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.922188044 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.922241926 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.923110962 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.923124075 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.923175097 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.926888943 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.926902056 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.926911116 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.926951885 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.926975965 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.927817106 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.927829027 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.927836895 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.927895069 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.927930117 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.931590080 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.931602001 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.931610107 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.931644917 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.931669950 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.932820082 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.932831049 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.932876110 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.936300993 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.936312914 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.936321974 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.936358929 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.936376095 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.937515020 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.937525988 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.937535048 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.937573910 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.937607050 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.941037893 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.941050053 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.941112041 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.942215919 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.942226887 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.942235947 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.942271948 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.942293882 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.945863008 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.945874929 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.945919037 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.947170019 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.947181940 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.947221994 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.950622082 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.950634003 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.950642109 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.950680017 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.950697899 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.952002048 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.952014923 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.952081919 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.955813885 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.955826044 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.955873013 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.957298994 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.957318068 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.957329035 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.957357883 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.957391024 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.961781025 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.961793900 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.961838961 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.963538885 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.963551998 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.963561058 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.963610888 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.963646889 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.968425035 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.968436956 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.968446016 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.968502998 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.968502998 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.970166922 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.970179081 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.970221043 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.973145962 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.973156929 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.973197937 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.973229885 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.975023031 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.975034952 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.975044012 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.975102901 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.975130081 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.977869034 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.977880955 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.977926016 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.979863882 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.979876995 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.979927063 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.982705116 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.982717037 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.982726097 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.982974052 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.984642029 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.984656096 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.984707117 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.987458944 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.987471104 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.987479925 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.987510920 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.987530947 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.989356041 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.989367962 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.989407063 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.992202044 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.992213011 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.992248058 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.994141102 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.994153023 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.994162083 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.994172096 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.994182110 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.994189024 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.994194031 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.994204998 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.994204998 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.994218111 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.994220018 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.994235039 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.994260073 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.994621038 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.994632959 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.994642019 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.994652033 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.994661093 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.994672060 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.994672060 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.994688034 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.994693995 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.994699955 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.994707108 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.994729996 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.995568037 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.995584965 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.995594978 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.995604992 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.995615005 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.995616913 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.995626926 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.995636940 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.995641947 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.995656967 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.995668888 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.996545076 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.996556997 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.996566057 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.996576071 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.996586084 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.996592999 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.996598005 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.996608019 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.996614933 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.996618986 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.996627092 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.996650934 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.996670961 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.997483969 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.997495890 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.997505903 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.997515917 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.997524977 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.997535944 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.997535944 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.997545958 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.997555971 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.997559071 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.997566938 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.997591972 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.998390913 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.998403072 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.998411894 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.998421907 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.998431921 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.998436928 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.998445034 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.998445034 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.998472929 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.998488903 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.999039888 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.999052048 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.999089956 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.999288082 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.999298096 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.999334097 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.999572039 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.999582052 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.999593019 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.999623060 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.999634981 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:12.999902010 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.999912977 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:12.999948025 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.000139952 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.000184059 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.000262022 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.000272036 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.000303030 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.000586987 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.000629902 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.003266096 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.003310919 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.003344059 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.003354073 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.003390074 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.003565073 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.003606081 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.003634930 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.003645897 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.003679991 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.003880978 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.003890991 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.003927946 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.009206057 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.009251118 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.009279013 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.009289026 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.009324074 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.009413004 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.009459972 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.009629965 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.009640932 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.009676933 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.009787083 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.009798050 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.009834051 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.014763117 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.014810085 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.014830112 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.014839888 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.014874935 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.014974117 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.015017033 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.015141964 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.015153885 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.015185118 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.015388966 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.015399933 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.015435934 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.018426895 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.018470049 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.018517971 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.018528938 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.018563032 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.018727064 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.018744946 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.018764973 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.018785954 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.019054890 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.019095898 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.019098043 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.019135952 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.023813963 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.023864031 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.023911953 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.023922920 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.023957014 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.024136066 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.024147034 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.024180889 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.024370909 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.024415016 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.024447918 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.024502039 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.029221058 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.029268026 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.029297113 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.029308081 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.029344082 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.029460907 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.029500008 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.029644012 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.029654980 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.029690027 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.029830933 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.029845953 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.029871941 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.029890060 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.033670902 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.033716917 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.033766985 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.033778906 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.033813000 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.033972025 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.034015894 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.034044981 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.034085989 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.034182072 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.034193039 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.034202099 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.034225941 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.034245014 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.038206100 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.038223982 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.038242102 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.038268089 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.038280010 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.038350105 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.038392067 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.038398027 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.038408995 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.038443089 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.038677931 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.038718939 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.039069891 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.039115906 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.041241884 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.041286945 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.041320086 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.041330099 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.041366100 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.041518927 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.041529894 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.041563988 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.041771889 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.041783094 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.041817904 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.045938969 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.045984030 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.045994997 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.046005011 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.046039104 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.046154022 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.046164036 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.046199083 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.046288967 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.046335936 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.046365023 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.046375990 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.046408892 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.046493053 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.046538115 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.051270008 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.051323891 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.051325083 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.051369905 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.051371098 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.051412106 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.051480055 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.051527023 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.051559925 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.051604986 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.051686049 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.051697016 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.051738977 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.056337118 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.056390047 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.056401014 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.056401968 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.056437016 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.056456089 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.056606054 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.056617022 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.056657076 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.056742907 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.056780100 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.056865931 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.056906939 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.062601089 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.062618971 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.062628031 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.062661886 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.062686920 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.062803984 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.062814951 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.062851906 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.062877893 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.063091040 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.063102007 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.063143969 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.063416004 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.063467979 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.074873924 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.074954033 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.074964046 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.074960947 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.074992895 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.075006008 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.075093985 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.075133085 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.075256109 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.075265884 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.075294971 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.075306892 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.075493097 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.075531960 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.075546026 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.075581074 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.080702066 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.080754995 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.080777884 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.080790043 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.080820084 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.080991030 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.081015110 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.081036091 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.081053972 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.081265926 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.081276894 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.081310987 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.088548899 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.088624954 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.088634968 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.088706017 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.088879108 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.088888884 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.088927031 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.089086056 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.089133024 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.089206934 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.089251041 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.095958948 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.096009016 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.096049070 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.096059084 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.096095085 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.096281052 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.096323967 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.096345901 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.096390963 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.096498966 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.096508980 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.096518040 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.096540928 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.096559048 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.102117062 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.102168083 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.102212906 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.102224112 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.102257967 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.102453947 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.102469921 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.102498055 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.102511883 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.102649927 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.102694988 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.102782011 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.102828026 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.107700109 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.107748985 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.107795000 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.107806921 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.107850075 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.108016014 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.108030081 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.108067036 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.108232975 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.108275890 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.108385086 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.108426094 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.111304998 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.111346960 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.111386061 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.111397028 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.111427069 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.111639023 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.111649990 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.111685038 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.111860991 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.111903906 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.111972094 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.112016916 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.116471052 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.116514921 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.116555929 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.116566896 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.116600037 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.116744041 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.116754055 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.116791964 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.116894007 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.116935015 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.116990089 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.117034912 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.121819019 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.121865034 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.121903896 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.121916056 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.121949911 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.122126102 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.122140884 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.122174025 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.122359991 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.122407913 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.122478008 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.122524023 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.126348019 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.126390934 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.126462936 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.126472950 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.126512051 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.126573086 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.126621962 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.126712084 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.126722097 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.126759052 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.126944065 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.126955032 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.126991987 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.131091118 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.131136894 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.131289005 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.131299019 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.131336927 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.131370068 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.131381035 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.131417036 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.131541014 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.131587982 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.131608963 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.131652117 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.133939981 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.133987904 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.134020090 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.134028912 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.134068966 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.134244919 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.134254932 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.134290934 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.134381056 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.134422064 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.134453058 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.134497881 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.138746977 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.138791084 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.138813972 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.138825893 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.138859987 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.138983965 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.139028072 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.139034033 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.139077902 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.139153004 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.139194012 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.139317036 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.139326096 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.139364004 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.144268990 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.144315958 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.144345999 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.144356966 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.144391060 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.144742966 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.144754887 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.144793034 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.144826889 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.144838095 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.144874096 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.149225950 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.149270058 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.149326086 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.149336100 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.149365902 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.149378061 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.149508953 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.149518967 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.149554014 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.149708986 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.149750948 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.149764061 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.149801970 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.155725956 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.155772924 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.155783892 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.155795097 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.155827999 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.155998945 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.156016111 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.156043053 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.156056881 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.156270981 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.156281948 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.156317949 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.167709112 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.167761087 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.167795897 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.167807102 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.167968035 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.168054104 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.168088913 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.168097019 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.168119907 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.168220997 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.168231964 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.168241024 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.168267965 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.168286085 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.173346996 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.173394918 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.173468113 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.173480034 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.173516035 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.173672915 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.173683882 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.173727036 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.173888922 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.173901081 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.173935890 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.181221962 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.181276083 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.181299925 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.181312084 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.181349039 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.181545973 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.181591988 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.181629896 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.181674957 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.181766987 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.181777954 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.181787014 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.181808949 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.181833029 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.189466953 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.189519882 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.189547062 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.189558983 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.189594984 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.189856052 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.189866066 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.189877033 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.189902067 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.189913034 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.190037966 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.190083027 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.194813967 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.194864988 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.194895983 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.194907904 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.194942951 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.195168972 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.195179939 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.195215940 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.195298910 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.195341110 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.195473909 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.195517063 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.200391054 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.200437069 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.200501919 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.200514078 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.200546980 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.200726032 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.200736046 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.200773954 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.200941086 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.200953007 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.200988054 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.204019070 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.204066038 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.204104900 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.204116106 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.204150915 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.204448938 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.204458952 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.204468012 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.204514027 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.204514027 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.204693079 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.204735041 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.209222078 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.209237099 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.209268093 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.209335089 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.209381104 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.209395885 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.209408045 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.209443092 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.209676027 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.209686041 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.209695101 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.209721088 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.209737062 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.214807034 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.214850903 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.214854002 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.214863062 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.214894056 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.215020895 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.215032101 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.215065956 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.215250015 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.215260983 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.215293884 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.219300985 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.219351053 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.219352007 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.219363928 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.219391108 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.219403028 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.219614983 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.219625950 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.219665051 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.219816923 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.219831944 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.219861031 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.219878912 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.223772049 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.223812103 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.223839045 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.223850012 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.223881960 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.224064112 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.224075079 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.224088907 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.224109888 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.224133968 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.224390030 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.224436045 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.224457979 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.224503994 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.226660013 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.226710081 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.226795912 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.226805925 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.226844072 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.226869106 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.226911068 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.226989985 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.227000952 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.227030039 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.227171898 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.227181911 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.227219105 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.232129097 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.232175112 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.232193947 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.232204914 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.232239962 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.237090111 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.237102032 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.237112045 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.237122059 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.237132072 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.237140894 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.237153053 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.237168074 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.237293959 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.237306118 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.237317085 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.237328053 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.237334013 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.237345934 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.237366915 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.237628937 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.237679005 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.237709045 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.237752914 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.242163897 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.242206097 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.242212057 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.242218971 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.242249012 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.242259979 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.242438078 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.242449999 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.242460012 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.242485046 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.242502928 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.242650032 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.242692947 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.248450041 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.248501062 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.248524904 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.248537064 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.248574018 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.248729944 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.248800993 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.248821974 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.248863935 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.248984098 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.248995066 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.249002934 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.249027967 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.249047041 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.260436058 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.260488033 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.260495901 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.260535002 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.260550022 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.260596991 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.260704041 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.260715008 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.260751963 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.260890007 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.260934114 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.261126041 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.261172056 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.261200905 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.261240005 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.266164064 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.266206026 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.266247988 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.266258955 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.266289949 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.266499043 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.266510963 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.266520977 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.266542912 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.266555071 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.266835928 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.266880989 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.274056911 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.274105072 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.274142027 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.274153948 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.274184942 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.274353027 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.274395943 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.274403095 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.274415016 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.274450064 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.274713039 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.274755001 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.282018900 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.282066107 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.282097101 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.282108068 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.282141924 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.282301903 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.282344103 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.282377958 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.282423019 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.282512903 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.282522917 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.282531977 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.282556057 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.282573938 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.287579060 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.287626982 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.287637949 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.287663937 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.287672997 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.287713051 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.287784100 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.287827015 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.287934065 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.287945032 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.287977934 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.288162947 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.288173914 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.288209915 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.293066978 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.293112993 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.293133020 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.293143034 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.293179035 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.293308973 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.293353081 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.293446064 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.293457985 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.293487072 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.293498039 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.293680906 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.293690920 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.293725014 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.296869993 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.296915054 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.296952009 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.296962976 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.296998978 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.297183990 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.297195911 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.297205925 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.297230959 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.297240973 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.297524929 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.297568083 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.302227974 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.302274942 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.302324057 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.302335978 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.302371025 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.302454948 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.302496910 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.302530050 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.302573919 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.302654982 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.302666903 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.302675962 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.302695036 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.302711964 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.307956934 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.308002949 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.308010101 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.308049917 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.308062077 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.308089018 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.308125973 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.308167934 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.308228016 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.308269978 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.308346987 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.308357954 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.308391094 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.308587074 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.308633089 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.308660984 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.308700085 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.312084913 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.312134027 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.312167883 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.312177896 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.312211990 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.312370062 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.312417030 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.312460899 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.312500954 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.312575102 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.312592983 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.312602043 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.312618017 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.312628984 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.316541910 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.316587925 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.316589117 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.316601038 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.316634893 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.316780090 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.316791058 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.316801071 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.316824913 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.316842079 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.317034006 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.317044973 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.317079067 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.319708109 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.319753885 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.319782972 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.319794893 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.319825888 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.319994926 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.320007086 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.320015907 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.320040941 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.320051908 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.320245981 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.320288897 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.324733019 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.324779987 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.324843884 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.324853897 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.324887037 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.325030088 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.325041056 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.325077057 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.325155973 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.325196981 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.325313091 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.325356960 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.329658031 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.329675913 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.329687119 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.329710960 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.329721928 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.329838991 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.329850912 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.329859972 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.329884052 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.329900026 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.330270052 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.330315113 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.330322027 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.330363989 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.334871054 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.334917068 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.334992886 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.335005045 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.335040092 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.335151911 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.335163116 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.335172892 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.335201025 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.335201025 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.335407019 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.335450888 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.341391087 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.341439009 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.341473103 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.341485023 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.341519117 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.341830015 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.341841936 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.341850996 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.341861010 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.341871977 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.341888905 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.353621006 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.353672028 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.353703022 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.353713989 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.353748083 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.353910923 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.353952885 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.353974104 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.353986025 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.353996038 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.354021072 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.354043961 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.358900070 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.358984947 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.358998060 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.359009027 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.359045982 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.359214067 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.359235048 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.359261990 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.359285116 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.359452009 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.359462976 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.359498978 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.366869926 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.366918087 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.366954088 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.366966009 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.367072105 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.367166042 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.367208958 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.367248058 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.367290974 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.367407084 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.367422104 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.367430925 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.367449045 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.367461920 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.384941101 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.385005951 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.385036945 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.385047913 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.385087013 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.385274887 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.385287046 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.385298014 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.385308027 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.385327101 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.385358095 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.385792971 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.385803938 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.385813951 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.385824919 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.385835886 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.385843039 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.385847092 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.385859966 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.385869026 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.385881901 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.385900021 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.386487961 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.386535883 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.386615992 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.386626005 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.386662006 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.386831045 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.386874914 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.386890888 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.386903048 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.386913061 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.386938095 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.386953115 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.389986992 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.390031099 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.390053034 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.390064001 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.390095949 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.390105963 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.390278101 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.390289068 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.390324116 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.390403032 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.390438080 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.390449047 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.390474081 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.395311117 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.395354033 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.395415068 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.395426035 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.395462036 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.395637989 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.395648003 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.395658016 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.395675898 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.395699978 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.395970106 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.396018028 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.402247906 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.402259111 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.402275085 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.402286053 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.402297020 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.402302027 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.402307987 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.402319908 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.402334929 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.402348995 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.405282974 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.405349016 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.405369043 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.405380964 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.405409098 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.405421019 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.405584097 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.405623913 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.405632973 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.405636072 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.405658960 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.405668020 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.405952930 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.405997038 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.409857988 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.409910917 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.410068989 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.410084963 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.410111904 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.410123110 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.410470963 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.410481930 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.410491943 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.410501957 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.410520077 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.410547972 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.412748098 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.412792921 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.412821054 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.412832975 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.412859917 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.412873030 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.413041115 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.413052082 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.413062096 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.413073063 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.413081884 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.413090944 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.413119078 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.423598051 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.423643112 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.423722029 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.423733950 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.423779011 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.423952103 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.423962116 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.423973083 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.423983097 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.423994064 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.424014091 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.424038887 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.424405098 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.424448013 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.424537897 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.424550056 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.424576998 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.424587965 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.424758911 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.424806118 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.424814939 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.424818993 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.424829960 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.424843073 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.424860001 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.424874067 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.427891016 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.427943945 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.427979946 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.427990913 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.428030014 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.428195000 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.428240061 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.428293943 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.428339005 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.428971052 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.428982973 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.428992987 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.429016113 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.429025888 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.434115887 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.434164047 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.434223890 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.434233904 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.434271097 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.434283972 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.434334993 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.434379101 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.434462070 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.434472084 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.434500933 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.434504032 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.434506893 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.434516907 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.434547901 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.434559107 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.446151972 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.446197987 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.446208954 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.446244001 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.446386099 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.446398020 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.446408987 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.446439028 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.446449995 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.446885109 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.446896076 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.446928978 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.446939945 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.447488070 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.447535038 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.451690912 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.451739073 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.451769114 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.451780081 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.451951027 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.451961040 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.451980114 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.452017069 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.452105045 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.452157021 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.452217102 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.452261925 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.459712982 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.459759951 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.459767103 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.459810972 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.459819078 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.459861994 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.459984064 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.460000992 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.460010052 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.460032940 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.460062981 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.460304976 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.460315943 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.460350990 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.460369110 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.467823982 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.467875957 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.467911959 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.467924118 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.467959881 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.468127966 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.468138933 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.468172073 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.468338013 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.468354940 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.468384027 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.468400955 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.473469973 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.473521948 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.473525047 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.473536968 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.473568916 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.473579884 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.473836899 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.473846912 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.473881006 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.473896980 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.473977089 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.473988056 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.474024057 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.474035025 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.478955030 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.479024887 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.479027033 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.479070902 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.479167938 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.479178905 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.479214907 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.479372978 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.479418039 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.479486942 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.479532957 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.479602098 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.479646921 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.482695103 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.482739925 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.482758999 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.482769966 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.482800961 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.482975006 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.482985020 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.483020067 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.483202934 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.483213902 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.483251095 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.488048077 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.488096952 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.488101006 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.488111019 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.488140106 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.488151073 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.488270998 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.488311052 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.488373995 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.488385916 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.488415956 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.488426924 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.488550901 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.488591909 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.489084005 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.489135027 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.495532036 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.495543957 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.495553970 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.495575905 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.495588064 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.495701075 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.495740891 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.495919943 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.495930910 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.495968103 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.496134043 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.496149063 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.496186018 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.499031067 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.499078989 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.499217033 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.499228954 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.499265909 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.499397039 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.499408960 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.499444962 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.499572039 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.499617100 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.499763012 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.499805927 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.503505945 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.503552914 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.503654957 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.503667116 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.503703117 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.503797054 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.503808022 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.503853083 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.503947973 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.503958941 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.503993034 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.504005909 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.506592035 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.506603003 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.506612062 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.506640911 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.506659985 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.506736040 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.506777048 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.506912947 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.506926060 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.506954908 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.507097006 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.507107973 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.507139921 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.515857935 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.515868902 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.515880108 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.515933990 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.515959024 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.515997887 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.516021967 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.516064882 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.516171932 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.516182899 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.516192913 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.516217947 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.516232967 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.516541958 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.516552925 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.516563892 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.516590118 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.516608000 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.516886950 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.516932964 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.517015934 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.517026901 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.517055988 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.520819902 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.520873070 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.520880938 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.520890951 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.520926952 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.521053076 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.521064997 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.521076918 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.521087885 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.521099091 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.521121979 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.521356106 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.521399975 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.526915073 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.526963949 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.527041912 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.527053118 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.527092934 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.527218103 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.527261019 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.527291059 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.527333975 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.527426004 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.527436972 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.527446032 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.527472019 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.527487040 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.538942099 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.538991928 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.539028883 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.539038897 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.539067030 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.539083958 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.539277077 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.539288044 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.539323092 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.539334059 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.539499998 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.539510965 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.539544106 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.539563894 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.544368029 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.544416904 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.544419050 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.544440031 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.544456959 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.544467926 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.544572115 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.544583082 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.544620037 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.544783115 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.544794083 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.544804096 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.544830084 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.544841051 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.552674055 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.552737951 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.552752972 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.552764893 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.552798033 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.552809000 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.552977085 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.552988052 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.552998066 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.553021908 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.553042889 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.553327084 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.553365946 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.560585022 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.560635090 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.560663939 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.560676098 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.560709953 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.560872078 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.560911894 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.560940981 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.560985088 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.561105967 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.561116934 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.561126947 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.561151028 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.561168909 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.566214085 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.566260099 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.566301107 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.566312075 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.566342115 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.566596985 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.566608906 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.566620111 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.566632986 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.566659927 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.566688061 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.571787119 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.571835995 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.571854115 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.571866035 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.571902990 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.572065115 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.572101116 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.572108984 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.572112083 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.572124958 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.572137117 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.572149992 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.572159052 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.575470924 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.575519085 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.575561047 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.575572014 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.575606108 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.575828075 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.575839996 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.575850010 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.575860977 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.575879097 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.575887918 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.575906992 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.580888033 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.580940008 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.580974102 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.580986023 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.581024885 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.581212044 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.581234932 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.581247091 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.581257105 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.581258059 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.581286907 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.581309080 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.587204933 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.587254047 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.587258101 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.587301016 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.587301970 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.587341070 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.587435961 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.587447882 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.587482929 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.587644100 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.587656021 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.587666035 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.587692976 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.587707043 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.590758085 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.590806007 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.590846062 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.590857029 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.590892076 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.591078997 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.591094971 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.591105938 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.591115952 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.591121912 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.591144085 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.591162920 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.595284939 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.595333099 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.595360994 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.595371962 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.595406055 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.595557928 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.595568895 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.595604897 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.595702887 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.595745087 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.595828056 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.595865011 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.598273993 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.598321915 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.598324060 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.598332882 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.598362923 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.598376036 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.598437071 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.598480940 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.598567009 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.598577976 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.598608971 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.598619938 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.598757029 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.598767042 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.598802090 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.608498096 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.608546019 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.608572960 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.608584881 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.608613014 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.608623981 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.608791113 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.608804941 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.608839035 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.608855009 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.609003067 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.609047890 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.609127998 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.609138966 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.609165907 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.609177113 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.609419107 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.609430075 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.609443903 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.609456062 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.609463930 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.609488010 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.609514952 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.609884977 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.609926939 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.609966993 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.610013962 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.613404036 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.613421917 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.613457918 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.613467932 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.613483906 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.613527060 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.613605976 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.613616943 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.613651037 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.613661051 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.613814116 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.613826036 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.613835096 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.613859892 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.613871098 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.619652033 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.619738102 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.619748116 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.619817972 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.619874954 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.619929075 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.620043039 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.620054960 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.620106936 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.620270014 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.620280027 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.620320082 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.620337963 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.632703066 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.632757902 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.632777929 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.632790089 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.632823944 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.632839918 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.632991076 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.633038998 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.633063078 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.633106947 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.633198977 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.633208990 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.633218050 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.633243084 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.633258104 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.637151957 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.637201071 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.637236118 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.637247086 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.637283087 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.637294054 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.637465000 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.637510061 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.637547970 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.637593985 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.637747049 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.637758017 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.637767076 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.637792110 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.637808084 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.645490885 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.645540953 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.645581007 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.645592928 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.645627022 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.645890951 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.645901918 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.645911932 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.645921946 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.645940065 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.645952940 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.653373003 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.653419018 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.653445005 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.653465033 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.653476000 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.653502941 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.653635025 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.653645992 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.653656006 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.653686047 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.653698921 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.653966904 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.653976917 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.654012918 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.659053087 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.659100056 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.659131050 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.659142017 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.659176111 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.659343004 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.659394026 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.659399986 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.659411907 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.659420967 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.659440994 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.659462929 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.664407015 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.664464951 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.664505959 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.664518118 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.664550066 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.664561987 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.664742947 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.664755106 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.664788961 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.664798975 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.664968967 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.664979935 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.665014029 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.665039062 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.668267965 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.668313026 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.668343067 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.668353081 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.668385983 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.668395042 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.668561935 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.668606043 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.668611050 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.668622971 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.668632030 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.668654919 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.668665886 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.675438881 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.675483942 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.675515890 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.675527096 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.675558090 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.675569057 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.675801992 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.675812006 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.675822020 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.675832033 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.675849915 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.675873995 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.679877996 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.679924965 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.679991961 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.680001020 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.680116892 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.680124998 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.680145025 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.680169106 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.680567026 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.680618048 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.680646896 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.680658102 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.680696964 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.680978060 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.681022882 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.683532953 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.683581114 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.683597088 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.683608055 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.683640957 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.683651924 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.683712006 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.683762074 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.683811903 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.683823109 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.683856964 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.683867931 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.684010983 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.684020996 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.684055090 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.684063911 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.688143015 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.688189030 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.688194990 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.688205004 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.688235998 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.688250065 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.688396931 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.688440084 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.688446045 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.688500881 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.688575029 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.688586950 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.688596010 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.688618898 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.688630104 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.691035986 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.691092014 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.691119909 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.691129923 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.691162109 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.691263914 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.691274881 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.691284895 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.691294909 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.691313028 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.691350937 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.691566944 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.691607952 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.701173067 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.701215982 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.701251030 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.701261044 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.701288939 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.701302052 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.701476097 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.701486111 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.701515913 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.701527119 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.701716900 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.701726913 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.701754093 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.701770067 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.701935053 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.701971054 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.701997995 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.702008963 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.702018023 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.702028036 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.702037096 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.702054977 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.702075958 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.702542067 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.702581882 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.702637911 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.702676058 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.706284046 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.706322908 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.706366062 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.706377983 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.706513882 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.706582069 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.706593990 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.706604004 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.706614017 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.706628084 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.706646919 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.712445974 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.712496042 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.712522030 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.712531090 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.712564945 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.712574959 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.712704897 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.712716103 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.712747097 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.712769032 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.712965965 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.712976933 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.712986946 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.713006973 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.713018894 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.725519896 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.725579023 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.725600958 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.725610018 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.725644112 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.725667953 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.725783110 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.725794077 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.725804090 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.725814104 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.725827932 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.725838900 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.725867033 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.726210117 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.726259947 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.730047941 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.730096102 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.730130911 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.730140924 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.730343103 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.730360031 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.730401039 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.730428934 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.730441093 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.730451107 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.730458975 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.730473995 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.730496883 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.738370895 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.738425970 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.738461971 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.738472939 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.738503933 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.738519907 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.738677979 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.738720894 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.738729954 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.738742113 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.738750935 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.738773108 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.738786936 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.751765966 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.751835108 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.751871109 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.751882076 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.751914978 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.752098083 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.752108097 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.752119064 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.752129078 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.752139091 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.752166986 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.752624035 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.752635002 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.752650976 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.752664089 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.752687931 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.752974987 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.752985954 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.752995968 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.753005028 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.753014088 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.753035069 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.757169008 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.757230043 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.757266998 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.757278919 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.757309914 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.757323980 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.757494926 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.757505894 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.757515907 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.757525921 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.757536888 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.757548094 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.757582903 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.761924028 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.761985064 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.762016058 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.762027979 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.762059927 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.762228012 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.762238026 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.762253046 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.762265921 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.762269020 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.762290955 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.762310028 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.768167973 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.768241882 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.768258095 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.768270016 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.768306971 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.768498898 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.768513918 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.768523932 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.768533945 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.768546104 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.768573999 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.773983002 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.774040937 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.774041891 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.774056911 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.774080992 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.774092913 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.774290085 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.774307013 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.774317980 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.774327993 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.774333954 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.774363041 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.776456118 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.776504993 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.776540041 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.776551008 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.776580095 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.776602983 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.776772022 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.776782990 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.776813030 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.776824951 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.776998997 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.777009964 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.777039051 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.777050018 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.780951023 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.781013966 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.781028032 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.781039000 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.781073093 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.781092882 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.781244993 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.781255960 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.781266928 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.781287909 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.781301975 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.781522036 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.781569958 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.783834934 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.783894062 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.783906937 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.783919096 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.783951044 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.783962965 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.784075022 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.784120083 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.784198046 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.784209967 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.784220934 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.784229994 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.784243107 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.784255028 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.784286976 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.794384003 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.794445992 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.794498920 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.794508934 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.794538975 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.794553041 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.794678926 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.794720888 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.794740915 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.794753075 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.794764042 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.794783115 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.794795036 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.794812918 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.795206070 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.795217037 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.795227051 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.795253038 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.795277119 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.795572996 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.795583963 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.795594931 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.795603991 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.795617104 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.795640945 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.798948050 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.799002886 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.799031973 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.799042940 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.799072027 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.799319983 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.799331903 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.799341917 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.799351931 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.799364090 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.799390078 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.805243969 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.805294991 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.805314064 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.805325031 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.805351019 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.805362940 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.805557966 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.805576086 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.805586100 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.805596113 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.805603027 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.805619955 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.805646896 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.818402052 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.818439960 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.818492889 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.818504095 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.818576097 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.818576097 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.818759918 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.818770885 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.818784952 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.818803072 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.818803072 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.818825960 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.819055080 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.819093943 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.822824955 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.822866917 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.822902918 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.822913885 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.822943926 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.822953939 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.823174953 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.823185921 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.823194981 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.823215008 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.823234081 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.823489904 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.823529959 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.831043005 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.831089973 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.831120014 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.831130028 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.831157923 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.831170082 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.831304073 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.831314087 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.831343889 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.831367016 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.831513882 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.831525087 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.831533909 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.831558943 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.831558943 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.831577063 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.844455004 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.844472885 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.844507933 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.844513893 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.844546080 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.844546080 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.844644070 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.844655037 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.844681978 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.844701052 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.844837904 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.844849110 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.844876051 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.844887018 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.844960928 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.845001936 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.845065117 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.845103979 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.845107079 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.845144987 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.845313072 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.845324039 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.845333099 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.845350027 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.845362902 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.845526934 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.845566034 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.845619917 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.845659971 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.849971056 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.850018978 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.850029945 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.850039959 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.850069046 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.850080013 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.850187063 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.850198984 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.850227118 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.850238085 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.850393057 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.850404024 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.850413084 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.850434065 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.850455046 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.854856968 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.854902029 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.854906082 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.854917049 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.854945898 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.854958057 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.855144024 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.855154991 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.855164051 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.855182886 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.855206013 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.855362892 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.855402946 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.860996962 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.861084938 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.861094952 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.861104965 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.861145973 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.861159086 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.861339092 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.861349106 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.861365080 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.861376047 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.861378908 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.861392975 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.861426115 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.865947962 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.866002083 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.866039038 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.866050959 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.866077900 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.866089106 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.866240025 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.866250992 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.866277933 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.866288900 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.866394997 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.866406918 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.866434097 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.866451025 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.869087934 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.869127035 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.869158983 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.869169950 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.869195938 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.869205952 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.869307995 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.869321108 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.869345903 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.869381905 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.869491100 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.869501114 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.869510889 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.869529009 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.869539022 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.873770952 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.873853922 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.873864889 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.873884916 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.873908043 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.874057055 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.874067068 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.874077082 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.874088049 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.874095917 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.874114037 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.874125004 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.876671076 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.876708984 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.876748085 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.876764059 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.876786947 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.876797915 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.876976967 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.876987934 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.876997948 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.877007961 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.877017021 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.877038002 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.887027979 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.887068033 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.887132883 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.887145042 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.887173891 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.887187958 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.887332916 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.887370110 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.887487888 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.887497902 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.887507915 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.887518883 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.887525082 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.887537003 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.887542963 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.887967110 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.887978077 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.887993097 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.888003111 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.888014078 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.888024092 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.888024092 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.888025045 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.888046980 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.888056040 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.891655922 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.891694069 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.891731024 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.891741991 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.891769886 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.891781092 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.891881943 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.891894102 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.891921043 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.891937971 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.892113924 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.892148972 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.892230988 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.892241001 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.892270088 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.892281055 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.897845984 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.897890091 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.897905111 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.897929907 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.897941113 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.897970915 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.898094893 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.898107052 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.898118019 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.898135900 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.898152113 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.898442984 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.898459911 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.898492098 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.912719011 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.912729979 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.912739992 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.912766933 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.912782907 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.913177967 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.913188934 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.913197994 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.913208961 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.913225889 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.913244009 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.916826963 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.916836977 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.916857958 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.916874886 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.916965961 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.916976929 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.916989088 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.917000055 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.917000055 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.917006969 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.917011976 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.917032957 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.917053938 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.923858881 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.923918009 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.923938990 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.923950911 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.923991919 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.924114943 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.924127102 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.924160004 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.924420118 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.924432039 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.924442053 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.924464941 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.924478054 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.937864065 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.937910080 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.937943935 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.937956095 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.937988997 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.938003063 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.938338995 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.938349009 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.938359976 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.938370943 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.938386917 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.938416004 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.938739061 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.938750029 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.938779116 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.938796043 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.938802004 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.938808918 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.938819885 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.938833952 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.938853025 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.938859940 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.939599037 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.939610004 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.939645052 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.939654112 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.944053888 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.944066048 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.944077015 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.944087029 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.944097042 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.944116116 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.944154978 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.944176912 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.944216967 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.944331884 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.944343090 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.944370985 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.944381952 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.948978901 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.949037075 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.949143887 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.949156046 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.949182987 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.949194908 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.949323893 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.949335098 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.949345112 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.949354887 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.949368000 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.949381113 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.949407101 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.954823017 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.954833984 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.954843998 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.954869032 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.954899073 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.954983950 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.954993963 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.955025911 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.955116034 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.955127954 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.955154896 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.955178976 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.955449104 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.955485106 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.960454941 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.960465908 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.960475922 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.960510969 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.960541964 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.960568905 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.960613966 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.960772991 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.960784912 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.960796118 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.960804939 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.960810900 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.960815907 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.960825920 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.960855007 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.963216066 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.963227034 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.963238001 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.963263035 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.963294983 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.963371038 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.963382006 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.963392973 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.963413000 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.963424921 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.963746071 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.963757038 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.963787079 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.963812113 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.967657089 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.967717886 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.967859030 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.967874050 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.967909098 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.967910051 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.967936039 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.967948914 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.968080044 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.968091965 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.968102932 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.968112946 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.968118906 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.968130112 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.968153000 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.970778942 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.970791101 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.970801115 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.970828056 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.970840931 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.970916033 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.970927000 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.970952034 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.970971107 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.971092939 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.971137047 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.971250057 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.971290112 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.979850054 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.979897022 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.979969025 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.979980946 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.980015993 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.980030060 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.980169058 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.980180979 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.980211020 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.980379105 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.980422974 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.980448008 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.980459929 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.980469942 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.980495930 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.980496883 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.980504990 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.980532885 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.981014013 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.981025934 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.981071949 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.981250048 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.981261969 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.981292009 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.981304884 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.984517097 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.984561920 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.984601021 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.984612942 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.984646082 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.984776020 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.984816074 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.984822035 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.984860897 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.984960079 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.984971046 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.984981060 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.985001087 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.985018969 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.990643978 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.990664005 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.990684986 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.990698099 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.990709066 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.990797997 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.990833998 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.990845919 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.990856886 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.990879059 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.990890980 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:13.991211891 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.991223097 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:13.991260052 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.004446983 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.004496098 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.004579067 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.004590988 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.004638910 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.004796982 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.004807949 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.004818916 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.004834890 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.004839897 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.004868984 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.004885912 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.008869886 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.008917093 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.008939028 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.008951902 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.008981943 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.008994102 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.009177923 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.009195089 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.009206057 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.009216070 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.009227991 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.009244919 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.016746044 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.016799927 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.016829967 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.016840935 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.016875982 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.016889095 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.017046928 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.017086983 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.017102957 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.017113924 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.017123938 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.017143011 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.017158985 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.031506062 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.031517982 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.031527996 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.031559944 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.031577110 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.031811953 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.031822920 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.031832933 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.031842947 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.031857014 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.031892061 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.032291889 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.032344103 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.032471895 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.032495022 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.032517910 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.032546043 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.032660961 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.032672882 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.032718897 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.032840014 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.032850027 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.032886028 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.036722898 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.036775112 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.036890030 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.036899090 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.036936998 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.037034988 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.037045956 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.037076950 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.037101030 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.037220001 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.037264109 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.037403107 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.037412882 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.037448883 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.037461996 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.041703939 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.041759014 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.041892052 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.041904926 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.041944981 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.042073965 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.042083979 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.042114973 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.042126894 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.042222977 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.042233944 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.042243958 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.042268038 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.042295933 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.047759056 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.047810078 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.047940969 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.047950983 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.047961950 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.047988892 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.048002005 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.048125982 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.048136950 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.048168898 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.048196077 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.048294067 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.048304081 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.048341990 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.053261995 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.053277969 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.053324938 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.053333998 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.053636074 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.053646088 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.053656101 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.053667068 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.053677082 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.053678036 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.053697109 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.053726912 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.056179047 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.056229115 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.056317091 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.056333065 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.056370020 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.056385994 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.056471109 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.056493998 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.056514025 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.056564093 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.056655884 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.056668043 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.056699991 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.060317039 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.060326099 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.060369015 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.060376883 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.060415983 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.060528040 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.060539961 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.060549974 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.060570002 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.060587883 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.060775995 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.060786963 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.060822964 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.063621998 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.063663960 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.063673019 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.063673973 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.063719034 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.063719034 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.063889027 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.063899994 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.063932896 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.064042091 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.064052105 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.064060926 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.064085007 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.064102888 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.081263065 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.081317902 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.081330061 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.081353903 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.081374884 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.081531048 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.081542015 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.081583977 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.081717968 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.081729889 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.081770897 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.081909895 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.081918955 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.081979036 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.082041979 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.082052946 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.082062960 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.082075119 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.082077026 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.082087994 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.082091093 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.082112074 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.082129955 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.082410097 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.082452059 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.082580090 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.082623959 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.082639933 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.082650900 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.082679987 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.082693100 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.082767963 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.082779884 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.082808971 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.082968950 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.082979918 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.082989931 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.083009958 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.083025932 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.083714962 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.083733082 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.083762884 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.083775043 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.083787918 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.083826065 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.083910942 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.083920956 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.083951950 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.084029913 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.084072113 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.084116936 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.084126949 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.084158897 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.084240913 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.084281921 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.100255966 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.100266933 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.100277901 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.100286961 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.100297928 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.100308895 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.100318909 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.100344896 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.100392103 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.103436947 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.103512049 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.103727102 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.103739023 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.103777885 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.103857994 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.103868961 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.103895903 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.103923082 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.104034901 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.104046106 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.104079008 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.104093075 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.110857010 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.110910892 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.111020088 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.111032009 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.111069918 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.111149073 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.111159086 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.111191034 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.111327887 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.111339092 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.111349106 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.111368895 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.111397982 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.124455929 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.124464989 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.124475002 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.124535084 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.124607086 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.124618053 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.124648094 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.124813080 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.124825001 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.124855995 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.124880075 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.124946117 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.124983072 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.125093937 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.125144005 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.125272036 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.125283957 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.125313997 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.125325918 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.125402927 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.125449896 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.125602007 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.125612974 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.125622988 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.125632048 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.125648975 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.125685930 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.129740953 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.129807949 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.129879951 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.129892111 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.129920006 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.129931927 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.130024910 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.130065918 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.130215883 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.130233049 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.130245924 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.130254030 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.130254984 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.130269051 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.130292892 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.133238077 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.133301973 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.133306980 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.133318901 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.133358002 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.133440971 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.133487940 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.133517981 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.133528948 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.133567095 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.133687019 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.133697987 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.133708000 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.133735895 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.133764982 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.139288902 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.139301062 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.139313936 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.139358044 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.139390945 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.139520884 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.139532089 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.139543056 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.139564037 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.139590025 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.139790058 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.139801025 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.139830112 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.144754887 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.144823074 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.144844055 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.144855022 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.144891977 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.145030022 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.145041943 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.145083904 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.145411015 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.145421982 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.145457983 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.145481110 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.147461891 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.147526026 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.147543907 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.147555113 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.147588968 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.147655010 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.147699118 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.147768021 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.147778988 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.147806883 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.147818089 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.147950888 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.147963047 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.147989988 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.153044939 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.153115034 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.153115988 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.153129101 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.153158903 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.153181076 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.153249979 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.153263092 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.153297901 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.153476000 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.153486967 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.153496981 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.153525114 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.153537035 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.156454086 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.156521082 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.156527996 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.156538963 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.156569958 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.156692982 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.156735897 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.156783104 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.156795979 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.156806946 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.156816006 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.156822920 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.156836033 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.156863928 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.173976898 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.174060106 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.174068928 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.174081087 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.174114943 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.174137115 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.174243927 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.174297094 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.174308062 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.174318075 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.174356937 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.174437046 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.174448013 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.174489021 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.174787998 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.174798012 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.174808979 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.174835920 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.174848080 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.174926996 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.174940109 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.174951077 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.174962044 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.174967051 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.174978018 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.175000906 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.175746918 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.175761938 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.175772905 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.175784111 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.175793886 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.175818920 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.176093102 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.176105976 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.176115990 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.176140070 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.176153898 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.176457882 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.176506042 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.176537037 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.176548958 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.176574945 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.176604986 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.176736116 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.176748037 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.176785946 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.176872969 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.176884890 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.176914930 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.176934958 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.189965963 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.190035105 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.190052986 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.190064907 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.190098047 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.190218925 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.190265894 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.190315962 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.190356970 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.190395117 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.190406084 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.190434933 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.190448046 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.194880009 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.194927931 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.194937944 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.194958925 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.194978952 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.195147038 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.195158005 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.195168018 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.195178032 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.195197105 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.195209980 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.202532053 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.202595949 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.202621937 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.202632904 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.202662945 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.202675104 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.202845097 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.202856064 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.202866077 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.202874899 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.202891111 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.202908039 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.215728998 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.215795994 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.215815067 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.215826035 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.215857983 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.216002941 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.216023922 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.216053963 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.216073990 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.216145039 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.216156960 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.216183901 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.216196060 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.216448069 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.216507912 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.216537952 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.216547966 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.216582060 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.216667891 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.216680050 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.216715097 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.216861010 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.216872931 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.216881037 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.216907978 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.216918945 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.221519947 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.221573114 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.221601963 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.221612930 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.221643925 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.221654892 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.221812010 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.221822977 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.221832991 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.221843004 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.221851110 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.221862078 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.221875906 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.226011992 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.226093054 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.226103067 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.226183891 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.226227999 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.226238966 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.226248980 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.226258993 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.226284027 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.226301908 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.226694107 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.226741076 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.231934071 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.231982946 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.232009888 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.232021093 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.232052088 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.232175112 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.232214928 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.232278109 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.232290030 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.232300043 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.232309103 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.232319117 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.232332945 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.232363939 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.237577915 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.237627029 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.237646103 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.237656116 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.237695932 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.237709045 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.237786055 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.237797976 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.237807989 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.237818956 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.237833977 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.237859011 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.238137960 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.238183022 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.240217924 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.240267992 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.240338087 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.240349054 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.240359068 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.240382910 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.240408897 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.240592957 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.240634918 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.240674973 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.240685940 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.240715027 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.240726948 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.245831013 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.245881081 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.245889902 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.245904922 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.245934963 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.245948076 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.245997906 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.246009111 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.246045113 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.246247053 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.246258020 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.246267080 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.246298075 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.246310949 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.249387980 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.249438047 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.249454021 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.249465942 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.249495983 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.249510050 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.249631882 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.249643087 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.249654055 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.249670982 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.249697924 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.249861956 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.249872923 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.249906063 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.249934912 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.267038107 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.267055035 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.267111063 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.267128944 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.267141104 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.267151117 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.267174959 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.267194986 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.267436981 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.267450094 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.267458916 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.267481089 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.267505884 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.267700911 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.267746925 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.268013954 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.268024921 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.268037081 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.268054962 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.268079042 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.268234968 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.268245935 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.268255949 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.268265963 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.268280983 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.268306971 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.268568039 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.268578053 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.268588066 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.268599033 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.268621922 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.268637896 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.268851995 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.268863916 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.268898964 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.268980980 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.268991947 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.269026995 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.269526958 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.269572973 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.270059109 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.270070076 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.270119905 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.271420002 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.271482944 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.271573067 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.271625042 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.273318052 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.273329020 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.273339033 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.273366928 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.273396969 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.287050962 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.287060976 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.287070036 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.287138939 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.287200928 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.287244081 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.287378073 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.287388086 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.287427902 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.287751913 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.287761927 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.287800074 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.289292097 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.289302111 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.289311886 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.289344072 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.289356947 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.289633036 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.289644003 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.289680004 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.289786100 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.289798021 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.289807081 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.289830923 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.289843082 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.296777010 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.296838045 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.296936989 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.296948910 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.297012091 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.297061920 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.297100067 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.297252893 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.297262907 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.297274113 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.297282934 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.297297955 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.297322035 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.308500051 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.308556080 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.308564901 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.308689117 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.308701992 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.308713913 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.308723927 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.308752060 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.308764935 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.308917046 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.308960915 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.308990955 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.309027910 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.309226990 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.309242964 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.309278011 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.309284925 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.309288025 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.309329033 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.309426069 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.309437037 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.309447050 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.309472084 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.309489965 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.309648037 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.309696913 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.310039043 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.310086966 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.314279079 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.314327955 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.314398050 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.314409018 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.314445972 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.314515114 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.314553976 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.315260887 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.315272093 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.315282106 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.315289974 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.315320969 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.315349102 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.318970919 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.319029093 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.319029093 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.319040060 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.319073915 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.319091082 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.319253922 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.319266081 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.319276094 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.319286108 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.319299936 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.319310904 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.319339037 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.319515944 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.319561958 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.324770927 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.324821949 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.324846983 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.324857950 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.324883938 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.324896097 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.325016975 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.325053930 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.325082064 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.325120926 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.325208902 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.325220108 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.325228930 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.325253963 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.325264931 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.330517054 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.330528021 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.330537081 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.330547094 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.330574989 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.330610037 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.330661058 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.330672026 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.330704927 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.330730915 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.331010103 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.331022024 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.331056118 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.331067085 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.334331989 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.334342957 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.334358931 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.334371090 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.334381104 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.334391117 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.334400892 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.334429026 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.334883928 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.334933043 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.339664936 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.339675903 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.339684963 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.339726925 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.339756966 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.339852095 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.339911938 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.339922905 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.339932919 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.339942932 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.339956999 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.339987993 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.343333006 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.343342066 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.343353033 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.343364000 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.343374014 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.343384981 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.343394995 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.343399048 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.343406916 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.343408108 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.343436956 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.343446970 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.370274067 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.370285034 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.370295048 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.370362997 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.370573044 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.370584011 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.370594025 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.370604038 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.370629072 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.370650053 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.371016026 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.371031046 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.371042013 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.371058941 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.371081114 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.371093988 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.371324062 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.371335030 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.371346951 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.371373892 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.371386051 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.373832941 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.373961926 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.374020100 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.374119997 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.374131918 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.374161005 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.374172926 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.376357079 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.376368999 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.376378059 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.376393080 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.376414061 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.376451015 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.376801014 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.376811028 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.376847982 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.376871109 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.376938105 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.376949072 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.376976013 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.376987934 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.377116919 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.377127886 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.377139091 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.377163887 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.377188921 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.377424955 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.379225016 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.403203011 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.403357983 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.403368950 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.403426886 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.403513908 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.403525114 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.403564930 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.403637886 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.404048920 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.404057980 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.404102087 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.408226967 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.408236980 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.408247948 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.408281088 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.408296108 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.408387899 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.408399105 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.408409119 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.408432007 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.408449888 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.408529043 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.408813953 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.408860922 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.418838978 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.418849945 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.418860912 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.418869972 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.418880939 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.418890953 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.418901920 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.418911934 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.418912888 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.418956995 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.438520908 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.438530922 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.438612938 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.438823938 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.438834906 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.438846111 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.438855886 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.438867092 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.438875914 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.438904047 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.439273119 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.439301014 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.439312935 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.440639973 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.440651894 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.440711975 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.440789938 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.440802097 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.440812111 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.440823078 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.440833092 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.440843105 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.440860033 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.440872908 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.443231106 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.444031000 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.444041014 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.444051981 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.444088936 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.444112062 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.444179058 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.444190979 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.444200993 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.444211960 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.444221020 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.444228888 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.444257021 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.445065022 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.445076942 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.445086956 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.445122957 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.445142984 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.445806026 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.445817947 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.445827007 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.445858955 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.445905924 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.446821928 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.446832895 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.446842909 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.446882010 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.446908951 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.539592981 CEST	49739	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.539994001 CEST	49741	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.546281099 CEST	9000	49739	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.546293020 CEST	9000	49741	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:14.546351910 CEST	49739	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.546391010 CEST	49741	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.546680927 CEST	49741	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:14.551532030 CEST	9000	49741	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:15.234868050 CEST	9000	49741	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:15.234958887 CEST	49741	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:15.235414028 CEST	49741	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:15.237751007 CEST	49741	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:15.237838030 CEST	49741	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:15.240911007 CEST	9000	49741	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:15.243778944 CEST	9000	49741	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:15.243793011 CEST	9000	49741	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:15.243802071 CEST	9000	49741	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:15.243808985 CEST	9000	49741	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:15.243817091 CEST	9000	49741	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:15.723176956 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:15.723706007 CEST	49742	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:15.729465961 CEST	9000	49740	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:15.729528904 CEST	49740	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:15.730278969 CEST	9000	49742	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:15.730349064 CEST	49742	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:15.730570078 CEST	49742	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:15.736109018 CEST	9000	49742	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:15.872179031 CEST	9000	49741	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:15.872240067 CEST	49741	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:16.401870012 CEST	9000	49742	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:16.401963949 CEST	49742	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:16.402431011 CEST	49742	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:16.404122114 CEST	49742	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:16.404244900 CEST	49742	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:16.409274101 CEST	9000	49742	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:16.409598112 CEST	9000	49742	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:16.409606934 CEST	9000	49742	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:16.409615040 CEST	9000	49742	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:16.771706104 CEST	49741	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:16.772102118 CEST	49744	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:16.777887106 CEST	9000	49744	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:16.778129101 CEST	49744	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:16.778426886 CEST	9000	49741	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:16.778484106 CEST	49741	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:16.786353111 CEST	49744	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:16.794635057 CEST	9000	49744	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:17.033998966 CEST	9000	49742	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:17.034070015 CEST	49742	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:17.436240911 CEST	9000	49744	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:17.436352968 CEST	49744	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:17.436758041 CEST	49744	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:17.439225912 CEST	49744	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:17.442178011 CEST	9000	49744	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:17.444272041 CEST	9000	49744	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:17.852842093 CEST	49742	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:17.853379965 CEST	49748	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:17.858112097 CEST	9000	49742	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:17.858160973 CEST	9000	49748	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:17.858302116 CEST	49742	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:17.858350039 CEST	49748	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:17.858678102 CEST	49748	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:17.864356995 CEST	9000	49748	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:18.187434912 CEST	9000	49744	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:18.187503099 CEST	49744	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:18.529531956 CEST	9000	49748	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:18.529599905 CEST	49748	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:18.530200958 CEST	49748	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:18.535196066 CEST	9000	49748	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:18.569005013 CEST	49748	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:18.574273109 CEST	9000	49748	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:19.005700111 CEST	49744	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:19.006203890 CEST	49750	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:19.011050940 CEST	9000	49750	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:19.011068106 CEST	9000	49744	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:19.011142969 CEST	49744	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:19.011157990 CEST	49750	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:19.011466026 CEST	49750	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:19.016176939 CEST	9000	49750	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:19.337488890 CEST	9000	49748	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:19.339648008 CEST	49748	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:19.676856995 CEST	9000	49750	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:19.679740906 CEST	49750	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:19.680255890 CEST	49750	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:19.684993982 CEST	9000	49750	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:19.705519915 CEST	49750	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:19.707705975 CEST	49751	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:19.710612059 CEST	9000	49750	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:19.710673094 CEST	49750	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:19.712532997 CEST	9000	49751	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:19.715655088 CEST	49751	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:19.715863943 CEST	49751	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:19.720654964 CEST	9000	49751	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:20.363856077 CEST	9000	49751	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:20.363940001 CEST	49751	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:20.364556074 CEST	49751	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:20.366313934 CEST	49751	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:20.368648052 CEST	49753	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:20.369343042 CEST	9000	49751	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:20.371840000 CEST	9000	49751	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:20.371896982 CEST	49751	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:20.373493910 CEST	9000	49753	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:20.373565912 CEST	49753	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:20.373759031 CEST	49753	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:20.378566027 CEST	9000	49753	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:21.047389030 CEST	9000	49753	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:21.047467947 CEST	49753	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:21.048100948 CEST	49753	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:21.052958965 CEST	9000	49753	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:21.053627968 CEST	49753	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:21.055340052 CEST	49754	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:21.059261084 CEST	9000	49753	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:21.059314013 CEST	49753	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:21.060115099 CEST	9000	49754	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:21.060183048 CEST	49754	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:21.060406923 CEST	49754	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:21.065149069 CEST	9000	49754	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:21.716244936 CEST	9000	49754	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:21.716454029 CEST	49754	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:21.716825962 CEST	49754	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:21.718456030 CEST	49754	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:21.719999075 CEST	49755	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:21.721631050 CEST	9000	49754	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:21.723546982 CEST	9000	49754	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:21.723726988 CEST	49754	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:21.724841118 CEST	9000	49755	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:21.724915028 CEST	49755	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:21.725066900 CEST	49755	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:21.729832888 CEST	9000	49755	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:22.379405022 CEST	9000	49755	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:22.379574060 CEST	49755	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:22.379955053 CEST	49755	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:22.381617069 CEST	49755	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:22.383716106 CEST	49756	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:22.385035992 CEST	9000	49755	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:22.387183905 CEST	9000	49755	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:22.387234926 CEST	49755	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:22.388549089 CEST	9000	49756	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:22.388622046 CEST	49756	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:22.388825893 CEST	49756	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:22.393579960 CEST	9000	49756	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:23.043951988 CEST	9000	49756	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:23.044004917 CEST	49756	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:23.044317007 CEST	49756	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:23.045645952 CEST	49756	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:23.049164057 CEST	9000	49756	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:23.050901890 CEST	9000	49756	195.201.251.214	192.168.2.4
Jun 29, 2024 05:42:23.050957918 CEST	49756	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:42:40.676122904 CEST	49730	80	192.168.2.4	192.229.211.108
Jun 29, 2024 05:42:40.681992054 CEST	80	49730	192.229.211.108	192.168.2.4
Jun 29, 2024 05:42:40.682123899 CEST	49730	80	192.168.2.4	192.229.211.108
Jun 29, 2024 05:43:29.337723970 CEST	9000	49748	195.201.251.214	192.168.2.4
Jun 29, 2024 05:43:29.337779045 CEST	9000	49748	195.201.251.214	192.168.2.4
Jun 29, 2024 05:43:29.338071108 CEST	49748	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:43:29.338110924 CEST	49748	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:43:51.771136999 CEST	49748	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:43:51.771245003 CEST	49748	9000	192.168.2.4	195.201.251.214
Jun 29, 2024 05:43:51.781835079 CEST	9000	49748	195.201.251.214	192.168.2.4
Jun 29, 2024 05:43:51.782033920 CEST	49748	9000	192.168.2.4	195.201.251.214

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jun 29, 2024 05:42:01.808440924 CEST	56412	53	192.168.2.4	1.1.1.1
Jun 29, 2024 05:42:01.815257072 CEST	53	56412	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jun 29, 2024 05:42:01.808440924 CEST	192.168.2.4	1.1.1.1	0xab01	Standard query (0)	t.me	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jun 29, 2024 05:42:01.815257072 CEST	1.1.1.1	192.168.2.4	0xab01	No error (0)	t.me		149.154.167.99	A (IP address)	IN (0x0001)	false
Jun 29, 2024 05:42:18.747904062 CEST	1.1.1.1	192.168.2.4	0xd002	No error (0)	fp2e7a.wpc.2be4.phicdn.net	fp2e7a.wpc.phicdn.net		CNAME (Canonical name)	IN (0x0001)	false
Jun 29, 2024 05:42:18.747904062 CEST	1.1.1.1	192.168.2.4	0xd002	No error (0)	fp2e7a.wpc.phicdn.net		192.229.221.95	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

t.me

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49732	149.154.167.99	443	6624	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
2024-06-29 03:42:02 UTC	84	OUT	GET /g067n HTTP/1.1 Host: t.me Connection: Keep-Alive Cache-Control: no-cache
2024-06-29 03:42:02 UTC	510	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Sat, 29 Jun 2024 03:42:02 GMT Content-Type: text/html; charset=utf-8 Content-Length: 12310 Connection: close Set-Cookie: stel_ssid=0adda0f515f3f233c7_623343860389968175; expires=Sun, 30 Jun 2024 03:42:02 GMT; path=/; samesite=None; secure; HttpOnly Pragma: no-cache Cache-control: no-store X-Frame-Options: ALLOW-FROM https://web.telegram.org Content-Security-Policy: frame-ancestors https://web.telegram.org Strict-Transport-Security: max-age=35768000
2024-06-29 03:42:02 UTC	12310	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 54 65 6c 65 67 72 61 6d 3a 20 43 6f 6e 74 61 63 74 20 40 67 30 36 37 6e 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0a 20 20 20 20 3c 73 63 72 69 70 74 3e 74 72 79 7b 69 66 28 77 69 6e 64 6f 77 2e 70 61 72 65 6e 74 21 3d 6e 75 6c 6c 26 26 77 69 6e 64 6f 77 21 3d 77 69 6e 64 6f 77 2e 70 61 72 65 6e 74 29 7b 77 69 6e 64 6f 77 2e 70 61 72 65 6e 74 2e Data Ascii: <!DOCTYPE html><html> <head> <meta charset="utf-8"> <title>Telegram: Contact @g067n</title> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <script>try{if(window.parent!=null&&window!=window.parent){window.parent.

Target ID:	0
Start time:	23:41:58
Start date:	28/06/2024
Path:	C:\Users\user\Desktop\2E7ZdlxkOL.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\2E7ZdlxkOL.exe"
Imagebase:	0xbe0000
File size:	4'954'328 bytes
MD5 hash:	6320D63025E1764E578680E24906DEF3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000000.00000002.1661322102.000000000465C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000000.00000002.1660052063.0000000003773000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000000.00000002.1661322102.00000000045F4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000000.00000002.1661322102.0000000004BE2000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000000.00000002.1661322102.0000000004C16000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000000.1653989209.0000000000BE2000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	23:41:58
Start date:	28/06/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Imagebase:	0x8a0000
File size:	262'432 bytes
MD5 hash:	8FDF47E0FF70C40ED3A17014AEEA4232
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000001.00000002.2893345551.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000001.00000002.2893345551.0000000000445000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	15.3%
Dynamic/Decrypted Code Coverage:	76.9%
Signature Coverage:	43.6%
Total number of Nodes:	39
Total number of Limit Nodes:	0

Executed Functions

Function 059D8BF8 Relevance: 50.6, Strings: 40, Instructions: 646
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

V, xrefs: 059D939F
Q, xrefs: 059D920C
E, xrefs: 059D8F09
b, xrefs: 059D8F63
3, xrefs: 059D8E91
S, xrefs: 059D942E
5, xrefs: 059D912C
[, xrefs: 059D8FA6
Q, xrefs: 059D8F77
:, xrefs: 059D9705
), xrefs: 059D9516
], xrefs: 059D9304
,=6?, xrefs: 059D94C8
/, xrefs: 059D91B9
+e(B, xrefs: 059D92C9
F, xrefs: 059D8D70
/, xrefs: 059D9065
R, xrefs: 059D9262
!, xrefs: 059D8DF4
T, xrefs: 059D8ED3
^6A, xrefs: 059D9258
], xrefs: 059D8D5C
G, xrefs: 059D915C
,, xrefs: 059D8F4D
B, xrefs: 059D932C
", xrefs: 059D96A9
S, xrefs: 059D92D3
L, xrefs: 059D9098
[, xrefs: 059D8EEF
%, xrefs: 059D94BE
D, xrefs: 059D93BF
M, xrefs: 059D9001
5, xrefs: 059D90D6
N, xrefs: 059D9078
, xrefs: 059D9576
V, xrefs: 059D93F9
H, xrefs: 059D8EAB
<$*B, xrefs: 059D956F
], xrefs: 059D93B5
%, xrefs: 059D9116

Memory Dump Source

Source File: 00000000.00000002.1663451691.00000000059D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_59d0000_2E7ZdlxkOL.jbxd

Similarity

API ID:
String ID: $!$"$%$%$)$+e(B$,$,=6?$/$/$3$5$5$:$<$*B$B$D$E$F$G$H$L$M$N$Q$Q$R$S$S$T$V$V$[$[$]$]$]$^6A$b
API String ID: 0-3812153224
Opcode ID: 56180107a5f89f1882088b1ea794ef8a18e7ec5a28803831c4c8beb7e7c424ab
Instruction ID: 2ae11b186b5792a6481ce354103b7e0468df3fa3517f7239cbb7f393a7345921
Opcode Fuzzy Hash: 56180107a5f89f1882088b1ea794ef8a18e7ec5a28803831c4c8beb7e7c424ab
Instruction Fuzzy Hash: 6F828DB0D016298FDB65CF29D984799BBF6FB88300F1081EAA50CE7351EB795E859F01

Function 059DC070 Relevance: 50.6, Strings: 40, Instructions: 582
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

G, xrefs: 059DC66B
b, xrefs: 059DC46C
,=6?, xrefs: 059DC9E6
S, xrefs: 059DC946
,, xrefs: 059DC459
^6A, xrefs: 059DC76D
+e(B, xrefs: 059DC7E1
F, xrefs: 059DC282
], xrefs: 059DC8CA
], xrefs: 059DC26E
V, xrefs: 059DC911
5, xrefs: 059DC5E5
3, xrefs: 059DC3A6
[, xrefs: 059DC4AC
Q, xrefs: 059DC724
5, xrefs: 059DC63B
<$*B, xrefs: 059DCA81
B, xrefs: 059DC847
!, xrefs: 059DC306
), xrefs: 059DCA31
/, xrefs: 059DC6CB
", xrefs: 059DCBBE
R, xrefs: 059DC777
H, xrefs: 059DC3C0
%, xrefs: 059DC625
T, xrefs: 059DC3E8
%, xrefs: 059DC9DC
E, xrefs: 059DC41B
V, xrefs: 059DC8B4
[, xrefs: 059DC401
M, xrefs: 059DC507
/, xrefs: 059DC571
:, xrefs: 059DCC1A
Q, xrefs: 059DC47D
N, xrefs: 059DC587
, xrefs: 059DCA8B
L, xrefs: 059DC5A7
S, xrefs: 059DC7EB
D, xrefs: 059DC8D4
], xrefs: 059DC81F

Memory Dump Source

Source File: 00000000.00000002.1663451691.00000000059D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_59d0000_2E7ZdlxkOL.jbxd

Similarity

API ID:
String ID: $!$"$%$%$)$+e(B$,$,=6?$/$/$3$5$5$:$<$*B$B$D$E$F$G$H$L$M$N$Q$Q$R$S$S$T$V$V$[$[$]$]$]$^6A$b
API String ID: 0-3812153224
Opcode ID: c318e589f5b1f56fafaa35ec9937314334345e8ebc76af25a04b64d3cf32c84d
Instruction ID: ec23e767d63a64978ca0a4726255b0f9d44f78b70d4529d3c8c577d45f9f308b
Opcode Fuzzy Hash: c318e589f5b1f56fafaa35ec9937314334345e8ebc76af25a04b64d3cf32c84d
Instruction Fuzzy Hash: 7A728EB1E016298FEB69CF2AD944799BBF6FB88300F1481EA940CE7355E7754A85DF00

Function 05999CB8 Relevance: 6.0, Strings: 4, Instructions: 1043
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

xbaq, xrefs: 05999DF3
Te^q, xrefs: 0599A509
pbq, xrefs: 0599A99D
TJcq, xrefs: 05999E68

Memory Dump Source

Source File: 00000000.00000002.1663401270.0000000005990000.00000040.00000800.00020000.00000000.sdmp, Offset: 05990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5990000_2E7ZdlxkOL.jbxd

Similarity

API ID:
String ID: TJcq$Te^q$pbq$xbaq
API String ID: 0-1954897716
Opcode ID: 41317257c1a60779907f938cbd7930dbedc6c0a20158c1c21d9da3bfab02d9bf
Instruction ID: 93123dd697ca853ffd73ed26eb73da973c90022fe6708acaa62d058f4779e159
Opcode Fuzzy Hash: 41317257c1a60779907f938cbd7930dbedc6c0a20158c1c21d9da3bfab02d9bf
Instruction Fuzzy Hash: 48B2B474E00228DFDB64DF69C984AD9BBB2FF89300F1581E9D549AB225DB319E81CF50

Function 01B0EFB8 Relevance: 1.8, Strings: 1, Instructions: 578
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(, xrefs: 01B0F70C

Memory Dump Source

Source File: 00000000.00000002.1659711690.0000000001B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 01B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b00000_2E7ZdlxkOL.jbxd

Similarity

API ID:
String ID: (
API String ID: 0-3887548279
Opcode ID: 700766d540691d116cd1280b99943a72f91c9247665fe2f65dcfe0ca2fa7c713
Instruction ID: 56bc4ac92d79e142ce69b08b8a5f572eca3dbc217a0b3efb1790f99f9f96ae8a
Opcode Fuzzy Hash: 700766d540691d116cd1280b99943a72f91c9247665fe2f65dcfe0ca2fa7c713
Instruction Fuzzy Hash: 7E52C270E00228CFDB69DF69C954BEDBBB2FB88304F1081EAD509A7295DB305A85CF41

Function 059D36E1 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1663451691.00000000059D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_59d0000_2E7ZdlxkOL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67ddfb325e5d42d39887e17551698c9570ba9f5e04893ab5f44a1ae600d1d5e5
Instruction ID: 40ac014ec595689e09fe0a15d25a33c210733ba7e32087c861a7d516dc0b82f9
Opcode Fuzzy Hash: 67ddfb325e5d42d39887e17551698c9570ba9f5e04893ab5f44a1ae600d1d5e5
Instruction Fuzzy Hash: 7EB1D174E002189FDB54DFA9D884B9EBBF6FF89300F10846AD909AB364DB345985CF51

Function 059D36F0 Relevance: .3, Instructions: 252COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1663451691.00000000059D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_59d0000_2E7ZdlxkOL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b56c8970532e73a02af6332c4951dabb194e958b17be93f6d0dfd816c38f6af8
Instruction ID: d2006d4fc13cda3c6647b137efff8ba3e5c534dcd86215064fc83e33256bdc6c
Opcode Fuzzy Hash: b56c8970532e73a02af6332c4951dabb194e958b17be93f6d0dfd816c38f6af8
Instruction Fuzzy Hash: 30B1DF74E002189FDB54DFA9D884B9EBBF6FF89300F10846AD909AB364DB349985CF51

Function 059D5318 Relevance: 6.6, Strings: 5, Instructions: 308
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

,bq, xrefs: 059D542F
Hbq, xrefs: 059D56D7
,bq, xrefs: 059D543B
(o^q, xrefs: 059D545D
(o^q, xrefs: 059D5469

Memory Dump Source

Source File: 00000000.00000002.1663451691.00000000059D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_59d0000_2E7ZdlxkOL.jbxd

Similarity

API ID:
String ID: (o^q$(o^q$,bq$,bq$Hbq
API String ID: 0-3486158592
Opcode ID: d3766671730bca7e3e67b9f7bf24172a1ccb768206ac409ba08e9dd6309d842a
Instruction ID: f78b547987fcc830129e1820fa8f06a75fe6778e60b4673c76c4b43c566f94e9
Opcode Fuzzy Hash: d3766671730bca7e3e67b9f7bf24172a1ccb768206ac409ba08e9dd6309d842a
Instruction Fuzzy Hash: DBC15C30B002199FCB15DF68D954A6EBBBAFF88350F158429E806E73A0DB35DC45CBA1

Function 061BFA10 Relevance: 1.8, APIs: 1, Instructions: 321
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 061BFCD7

Memory Dump Source

Source File: 00000000.00000002.1664508605.00000000061B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_61b0000_2E7ZdlxkOL.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: f9bb46903e0fa41d4e6a3c21dd31d590b84f5bfd67de711b2234e3f1ad2cef19
Instruction ID: e0ef1742fad4a7b038affe7379e228a46724d185dae28ceb35e5bcc18e025144
Opcode Fuzzy Hash: f9bb46903e0fa41d4e6a3c21dd31d590b84f5bfd67de711b2234e3f1ad2cef19
Instruction Fuzzy Hash: 17C12470D002298FDB64CFA8CD41BEEBBB1BB09304F1495A9D849B7250DB749A86CF95

Function 061BF5E0 Relevance: 1.6, APIs: 1, Instructions: 116
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 061BF6B3

Memory Dump Source

Source File: 00000000.00000002.1664508605.00000000061B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_61b0000_2E7ZdlxkOL.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 83a1383442626ffeaad4bec369f4539d18fa3c231398a4f878557114db42d5b5
Instruction ID: f8f14b04c776bf0006ace743345fa953a49f1dc285536b06aba95f68f3021a0a
Opcode Fuzzy Hash: 83a1383442626ffeaad4bec369f4539d18fa3c231398a4f878557114db42d5b5
Instruction Fuzzy Hash: C441AAB5D012589FCF00CFA9D984ADEFBF1BB49310F24942AE818B7250D774AA45CF64

Function 061BCEC0 Relevance: 1.6, APIs: 1, Instructions: 112
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE(?), ref: 061BCFC9

Memory Dump Source

Source File: 00000000.00000002.1664508605.00000000061B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_61b0000_2E7ZdlxkOL.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 90af56dd9948495fe19c29655b8cbabf128e71e9c0006670ed7b14ab9be10e86
Instruction ID: 92da9d4a619dad41a39eaa056ebcb719d85dffb0cff81b8401ee3cedc101cc3a
Opcode Fuzzy Hash: 90af56dd9948495fe19c29655b8cbabf128e71e9c0006670ed7b14ab9be10e86
Instruction Fuzzy Hash: 164101B0D00258DFDB54CFA9D885BDEBBF1FB09304F10A12AE818AB294D7749985CF95

Function 061BF488 Relevance: 1.6, APIs: 1, Instructions: 101
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 061BF532

Memory Dump Source

Source File: 00000000.00000002.1664508605.00000000061B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_61b0000_2E7ZdlxkOL.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: c9ecefbc0190f27c518f81d6bf3fb87c9f3dc84e9c9a8289a7f8121112edec5a
Instruction ID: d06d19f7a984af2cb5b2347ce1490c487b10c6b335dcfc0789e898bdf03cd60d
Opcode Fuzzy Hash: c9ecefbc0190f27c518f81d6bf3fb87c9f3dc84e9c9a8289a7f8121112edec5a
Instruction Fuzzy Hash: 7D3188B9D002589FCF10CFA9D980ADEFBB1BB49310F10A42AE815B7210D735A946CF68

Function 061BF280 Relevance: 1.6, APIs: 1, Instructions: 94
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,?), ref: 061BF32F

Memory Dump Source

Source File: 00000000.00000002.1664508605.00000000061B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_61b0000_2E7ZdlxkOL.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: e49137ad1eb634a8f771956ce096a6319cd1a39cbe0a4c8f975445694fae06bb
Instruction ID: b9f6d9fe7c8a04d14868ca72482bbbf780435620c664cd95a29d15e7224719eb
Opcode Fuzzy Hash: e49137ad1eb634a8f771956ce096a6319cd1a39cbe0a4c8f975445694fae06bb
Instruction Fuzzy Hash: 9431CDB4D012589FCB14DFA9D984AEEFBF0BF49310F24902AE418B7250C738A985CF94

Function 061BCBE8 Relevance: 1.6, APIs: 1, Instructions: 92
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 061BCC8F

Memory Dump Source

Source File: 00000000.00000002.1664508605.00000000061B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_61b0000_2E7ZdlxkOL.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 9d2d98e2afc2b5f35b8ad0890823f992f4eaaf4ab56688e9af0a79b8fba43555
Instruction ID: 32318d29d5d9011dfafd83c75a6108d98bec994c0eae0d204f59410d5ef10931
Opcode Fuzzy Hash: 9d2d98e2afc2b5f35b8ad0890823f992f4eaaf4ab56688e9af0a79b8fba43555
Instruction Fuzzy Hash: 403179B9D002589FCF14CFA9D984ADEFBB0BB19310F24A02AE814B7310D375A945CFA4

Function 061BF158 Relevance: 1.6, APIs: 1, Instructions: 73
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ResumeThread.KERNELBASE(?), ref: 061BF1D6

Memory Dump Source

Source File: 00000000.00000002.1664508605.00000000061B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_61b0000_2E7ZdlxkOL.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 1f65aaac7e09e570ebe76f6fe03aff216c8991457044a1d3867f14b79387aa86
Instruction ID: 890255440100ec393745b9efa35e6ed43de49d0d7d5be2111c09db0105c12aef
Opcode Fuzzy Hash: 1f65aaac7e09e570ebe76f6fe03aff216c8991457044a1d3867f14b79387aa86
Instruction Fuzzy Hash: EB31CCB4D002589FCF14CFA9D980ADEFBB4AB49310F14942AE818B7310C734A945CF98

Function 059D75A2 Relevance: 1.5, Strings: 1, Instructions: 209
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

V, xrefs: 059D79DB

Memory Dump Source

Source File: 00000000.00000002.1663451691.00000000059D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_59d0000_2E7ZdlxkOL.jbxd

Similarity

API ID:
String ID: V
API String ID: 0-1342839628
Opcode ID: 5787b8aec3888c5afb7ca32154fc3cd43c051317566ce944e44aee11d3421cfc
Instruction ID: abd78e3aa5942418cb9e5605c1f93d8b9856141615225cb8e962257081f2d07e
Opcode Fuzzy Hash: 5787b8aec3888c5afb7ca32154fc3cd43c051317566ce944e44aee11d3421cfc
Instruction Fuzzy Hash: 5EB1C174E052288FDBA4EF28D954B9DB7B2FF89300F4080E9D50DA7254DB396E958F81

Function 01B0AA90 Relevance: 1.4, Strings: 1, Instructions: 183
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

d8cq, xrefs: 01B0AE90

Memory Dump Source

Source File: 00000000.00000002.1659711690.0000000001B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 01B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b00000_2E7ZdlxkOL.jbxd

Similarity

API ID:
String ID: d8cq
API String ID: 0-3601494702
Opcode ID: 4dbe282bdd04f634f5c9dae545fab6c070a98b84ef5392e161d5d77e09e4fe5b
Instruction ID: 055867e0e74cc71896f63f57c2fb302972b15aa1de6687f1d8e1d9e32b8cdfdc
Opcode Fuzzy Hash: 4dbe282bdd04f634f5c9dae545fab6c070a98b84ef5392e161d5d77e09e4fe5b
Instruction Fuzzy Hash: B2613E35B00208CFDB1ADF68D554A9E7FB6EB88711F1548A5E902EB3A4DB31DC45CB90

Function 0599BA48 Relevance: 1.4, Strings: 1, Instructions: 114
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

8bq, xrefs: 0599BB69

Memory Dump Source

Source File: 00000000.00000002.1663401270.0000000005990000.00000040.00000800.00020000.00000000.sdmp, Offset: 05990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5990000_2E7ZdlxkOL.jbxd

Similarity

API ID:
String ID: 8bq
API String ID: 0-187764589
Opcode ID: c2c928e7719ee82fa28a57b0aa15d270b46a0ab95d3301ae80e324bff639b2a9
Instruction ID: 449ffcc3c59081d01abf86bb4666a2078915d2fd44fe2578a7a98c478c6c763c
Opcode Fuzzy Hash: c2c928e7719ee82fa28a57b0aa15d270b46a0ab95d3301ae80e324bff639b2a9
Instruction Fuzzy Hash: 7F414BB4D09208DFDB04DFA9E444AEEBBF6FB88300F50842AD805A7354DB385A46DF51

Function 061BDF88 Relevance: 1.3, APIs: 1, Instructions: 93memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(?,?,?,?), ref: 061BE029

Memory Dump Source

Source File: 00000000.00000002.1664508605.00000000061B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_61b0000_2E7ZdlxkOL.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 0eaa969ac3c1150829d5d09e4b1915b4eeae89596a136576d72b191652da03c7
Instruction ID: 6e7066ca57dc279dde6c4b01d2f2a892270321aef76df38790df01809ef92290
Opcode Fuzzy Hash: 0eaa969ac3c1150829d5d09e4b1915b4eeae89596a136576d72b191652da03c7
Instruction Fuzzy Hash: A03156B9D002589FCF10CFA9D984ADEFBB5BB09310F24A42AE818B7310D775A945CF65

Function 0599F718 Relevance: 1.3, Strings: 1, Instructions: 73COMMON

Download Yara Rule

Strings

Hbq, xrefs: 0599F7AC

Memory Dump Source

Source File: 00000000.00000002.1663401270.0000000005990000.00000040.00000800.00020000.00000000.sdmp, Offset: 05990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5990000_2E7ZdlxkOL.jbxd

Similarity

API ID:
String ID: Hbq
API String ID: 0-1245868
Opcode ID: 36c7e329c53c132d21e9d0f615399ef8c796289be93d1ffe56d1b8c97512a495
Instruction ID: d2e7afe8393cc9e881cf5b7f89b116b86ba00c9b29ae03f89d39b31cc0688562
Opcode Fuzzy Hash: 36c7e329c53c132d21e9d0f615399ef8c796289be93d1ffe56d1b8c97512a495
Instruction Fuzzy Hash: FA21A434A04208AFDB45AB78DC45FAEBBBAEB84300F14C466E505DA294DE319E0A8791

Function 01B03D34 Relevance: 1.3, Strings: 1, Instructions: 28COMMON

Download Yara Rule

Strings

v, xrefs: 01B03F0F

Memory Dump Source

Source File: 00000000.00000002.1659711690.0000000001B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 01B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b00000_2E7ZdlxkOL.jbxd

Similarity

API ID:
String ID: v
API String ID: 0-1801730948
Opcode ID: 971f2b725b1ae747199548ab4008383e6e52ae8433c2fc47a35a85dce038441d
Instruction ID: b169b214c415dab86bb2e8d493d18e4a0351de67695b926999181b4d77f2234e
Opcode Fuzzy Hash: 971f2b725b1ae747199548ab4008383e6e52ae8433c2fc47a35a85dce038441d
Instruction Fuzzy Hash: 7B01D2B4D452AACFDB65DF24D8487A9BBB1FB09305F0409EAD40DB3680C7711E848F01

Function 059D1823 Relevance: .2, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1663451691.00000000059D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_59d0000_2E7ZdlxkOL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08eb36347eeb1efe768d1adb62ebf185e47202078cb7103db2ab9fd4a04ce4cc
Instruction ID: aa4157145da7162461663775c69d3a31b443ba36411def1f3468b7dd07e4ab4e
Opcode Fuzzy Hash: 08eb36347eeb1efe768d1adb62ebf185e47202078cb7103db2ab9fd4a04ce4cc
Instruction Fuzzy Hash: 25D1C174E086288FCF65EF28DD546ADBBB2FB89201F4041EAD50DA3250DB396E94DF41

Function 0599B108 Relevance: .2, Instructions: 204COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1663401270.0000000005990000.00000040.00000800.00020000.00000000.sdmp, Offset: 05990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5990000_2E7ZdlxkOL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3104897df3c95e7f72a6a43ca060106add417de3dffc42cdf355abcdf3de9c5f
Instruction ID: 3d50c896f8d11492a7416a75116c407e0f14211dde55016c027ba0caee350ae3
Opcode Fuzzy Hash: 3104897df3c95e7f72a6a43ca060106add417de3dffc42cdf355abcdf3de9c5f
Instruction Fuzzy Hash: 2B91E574E04218CFDB54DFA9D944A9EBBB6FF89300F10806AD909A7368DB305E86CF51

Function 01B0347B Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1659711690.0000000001B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 01B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b00000_2E7ZdlxkOL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a478c99033ad317487c2e9d27f88cfa21cbbb87b5e4d2838ae279d4f4e5e6de9
Instruction ID: 39c625b78f04d3ffe83aa09115ed6b44784e5baff934efb087219c403bf18e4b
Opcode Fuzzy Hash: a478c99033ad317487c2e9d27f88cfa21cbbb87b5e4d2838ae279d4f4e5e6de9
Instruction Fuzzy Hash: 1161C8B49012699FDB64DF64D944A9EBBB2FB48301F1041EAE909E3354DF345E80DF62

Function 059DB048 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1663451691.00000000059D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_59d0000_2E7ZdlxkOL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f50b325855eef707a07971a1e164ed56053d0ec7f0a5641c40cd94300699844
Instruction ID: f547851af271d5822b6bfc0bf76125393e2bfd9995d6b7229b48491a7817aaeb
Opcode Fuzzy Hash: 7f50b325855eef707a07971a1e164ed56053d0ec7f0a5641c40cd94300699844
Instruction Fuzzy Hash: 7A416E74E01219DFCB44DFA9D98499EBBF2FF89310F148169E915AB364DB31A901CF60

Function 0599B4C0 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1663401270.0000000005990000.00000040.00000800.00020000.00000000.sdmp, Offset: 05990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5990000_2E7ZdlxkOL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 667bad74ae8cecdef8a18269201cc5de4a70f0fff6c1a5bf506b89af52773ea2
Instruction ID: cadb9fbc496f2a92b151772dccba76e9a2fa9c88f619d2496135f5397321f33a
Opcode Fuzzy Hash: 667bad74ae8cecdef8a18269201cc5de4a70f0fff6c1a5bf506b89af52773ea2
Instruction Fuzzy Hash: 4B31D7B4D08209DFCF48DFAAE4446EEBBF6FB89300F10846AD819A3254DB385945DF51

Function 0196D01C Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1659572682.000000000196D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0196D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_196d000_2E7ZdlxkOL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa3e449972c2465d8f40fbc5ac45f64d6ad4527054e0bbf04db0da3fbe39f143
Instruction ID: f2a109aeb5418ca515e8b88c39a82f02da816857c9c3e3453d1767ca69eca2bd
Opcode Fuzzy Hash: fa3e449972c2465d8f40fbc5ac45f64d6ad4527054e0bbf04db0da3fbe39f143
Instruction Fuzzy Hash: 04212271604244DFDB11DF58DAC4F26BFADFB84354F24C569E9890B246C336D44ACAB2

Function 0196D006 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1659572682.000000000196D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0196D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_196d000_2E7ZdlxkOL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a2f31513af7b72ec9cd27f5c004afafdb9ad17e2efa9d73f727980cb8d3f13c
Instruction ID: 88186c1af4d84b573fbbbd7cb8fec0f38418cf675b04885182d4b8a37eef42c2
Opcode Fuzzy Hash: 1a2f31513af7b72ec9cd27f5c004afafdb9ad17e2efa9d73f727980cb8d3f13c
Instruction Fuzzy Hash: C821B0755093808FCB03CF24D994716BFB5EB86214F2881DAD8888F653C33AD80ACB72

Function 01B056B8 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1659711690.0000000001B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 01B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b00000_2E7ZdlxkOL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 971f0c3cb81f0bdfa23bfe52b3702a013d5b3dfb2cd57f9d3a21a61635f21178
Instruction ID: a68927a798ee69572293b0d47caa319ebaef39faa1a088cfb3580f213e1d6d2a
Opcode Fuzzy Hash: 971f0c3cb81f0bdfa23bfe52b3702a013d5b3dfb2cd57f9d3a21a61635f21178
Instruction Fuzzy Hash: D5219378A04528CFCB61DF54DC846DABBB1FB99342F1041EAE50AA7394D7315E81CF51

Function 01B019EB Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1659711690.0000000001B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 01B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b00000_2E7ZdlxkOL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8fc78ce16378b872e23d1d0122820692e52437bb0b803c07f4606650b4fc2d6
Instruction ID: 80076406d40a33280fdfff1260ba94fa32b89eba110ab45f724700e0ae7ab7a8
Opcode Fuzzy Hash: f8fc78ce16378b872e23d1d0122820692e52437bb0b803c07f4606650b4fc2d6
Instruction Fuzzy Hash: 9221AF78900628CFCB60DF24DD446D9BBB1FB88302F1040EAE80AA7294DB315E81DF02

Function 059D52A0 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1663451691.00000000059D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_59d0000_2E7ZdlxkOL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d576cf8875e67e7496f206546c0c61060b61d8f28522f1012984d674f59ba757
Instruction ID: 162ef17298f183642ca1ae571bfec72943fed68f78777e336b4587b696105b3e
Opcode Fuzzy Hash: d576cf8875e67e7496f206546c0c61060b61d8f28522f1012984d674f59ba757
Instruction Fuzzy Hash: D1F03C3094420DEFCB41EFA8D845A9DBBB5EB05310F10C16AE814A7261E7349659EB91

Function 059D402A Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1663451691.00000000059D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_59d0000_2E7ZdlxkOL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38f079a8636c86b71987c72a76249741111cb7efbb77391db470c5d31dcdfa89
Instruction ID: d9b9082643e48920db7f81e44218ce9c02765abba3f0d8829f3350dbb0ca376c
Opcode Fuzzy Hash: 38f079a8636c86b71987c72a76249741111cb7efbb77391db470c5d31dcdfa89
Instruction Fuzzy Hash: 3DF0E53634411567EF196B45F804F6E7A66EBC4322F09803BF909C6194CF74C916A770

Function 059D8B90 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1663451691.00000000059D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_59d0000_2E7ZdlxkOL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2198905d534dc6e689b4f78d369497fb3e881c7d906ed9f759df0a503349d059
Instruction ID: fcf6c6938142aff118c4195893604f7cf77d750b8b0c592ba213e8dcb214e743
Opcode Fuzzy Hash: 2198905d534dc6e689b4f78d369497fb3e881c7d906ed9f759df0a503349d059
Instruction Fuzzy Hash: 5DF01771D0420CEFCB40EFA8D8049DCBBB9EB09300F00C1A9E81862220E7349AA5EF91

Function 059D3FD0 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1663451691.00000000059D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_59d0000_2E7ZdlxkOL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 030c1c151d69055a135740d28450adb47ad45303e9bc31b411bc4f05f22c8975
Instruction ID: 18a80cf8b952e00bb4daa18eb2fc23b5345cf242561bc9967ec935d6b5575383
Opcode Fuzzy Hash: 030c1c151d69055a135740d28450adb47ad45303e9bc31b411bc4f05f22c8975
Instruction Fuzzy Hash: DFF03475A08208AFCB80DFA8D841A9DFBB5EB49300F14C0AEAC1897351D7359A51DB91

Function 059D4EC8 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1663451691.00000000059D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_59d0000_2E7ZdlxkOL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62cf5b7301e01c9b8b56dbb1ff33f32e43de334bdac271b8ed760521c9cfc6af
Instruction ID: 45fa9aaf42247072b8485a7ffa8f4fa0e6d2b5e8a9f3bf776485324f56709cae
Opcode Fuzzy Hash: 62cf5b7301e01c9b8b56dbb1ff33f32e43de334bdac271b8ed760521c9cfc6af
Instruction Fuzzy Hash: 88F01C34E45108EFCF94DFA8D481B9CBBB5EB89310F14C2A9D81997345C7359A46DF60

Function 0599F6B8 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1663401270.0000000005990000.00000040.00000800.00020000.00000000.sdmp, Offset: 05990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5990000_2E7ZdlxkOL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db45c9fc5f7a5581082a03c2790560e53c17c5f20bc4a19dfdf6d28fab3ab1c0
Instruction ID: a8238bcc697dee95bb2716008aa13eed160be342494c7b32da7e56c1e794ad83
Opcode Fuzzy Hash: db45c9fc5f7a5581082a03c2790560e53c17c5f20bc4a19dfdf6d28fab3ab1c0
Instruction Fuzzy Hash: AAF0D43590420CEFCF45DF98D94099DBBB5FB48310F10C099ED19A3221D7329A61EF91

Function 01B06C6F Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1659711690.0000000001B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 01B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b00000_2E7ZdlxkOL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29f2be2601bcdd69ca3fa1714429e5526a481aae3bbfb6ad809951ebf678f755
Instruction ID: 90371eb99f9287c6378a733000239372e4c94dbd847e7dbd2086c442e0df954d
Opcode Fuzzy Hash: 29f2be2601bcdd69ca3fa1714429e5526a481aae3bbfb6ad809951ebf678f755
Instruction Fuzzy Hash: 8801A478A082188FDB60DF64DC849DEBBB2FB58344F1401AAE409E3394DB319E85DF52

Function 0599C7B0 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1663401270.0000000005990000.00000040.00000800.00020000.00000000.sdmp, Offset: 05990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5990000_2E7ZdlxkOL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f57bb1d2d4a2383cf5923d70238e887dc48a30976db3a6e9f82337c4085e5ec0
Instruction ID: 9ca8e211dd8b47d737bd4d7eb36325b0d25bb31f71f8e54241538d541e2e115c
Opcode Fuzzy Hash: f57bb1d2d4a2383cf5923d70238e887dc48a30976db3a6e9f82337c4085e5ec0
Instruction Fuzzy Hash: E7F09875944208EFCB84DF98D840A9DBBB5FB48310F14C599A81893351D7329A51DF40

Function 0599AE08 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1663401270.0000000005990000.00000040.00000800.00020000.00000000.sdmp, Offset: 05990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5990000_2E7ZdlxkOL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae3e9704b1abe52fc3e8afd70966258f4bd5606755db9146583bcfbf969af96c
Instruction ID: 8f490d5f873f0dd2704e35025bd53b4be7220cdae5ebb704b4b6b814bc4f78ad
Opcode Fuzzy Hash: ae3e9704b1abe52fc3e8afd70966258f4bd5606755db9146583bcfbf969af96c
Instruction Fuzzy Hash: 72F0A574E04208EFCB84DFE8D440A9DBBB5FB48310F10C1AAAC1997350D7319A51DF90

Function 0599C718 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1663401270.0000000005990000.00000040.00000800.00020000.00000000.sdmp, Offset: 05990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5990000_2E7ZdlxkOL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8de0e518068605b0b2a50997abed2c026151718596dd99d03cd14aad1dda6b03
Instruction ID: 5bd58c06bd84421d938df7916629fde9ace46ca4d5eee24705f4888443a9dcae
Opcode Fuzzy Hash: 8de0e518068605b0b2a50997abed2c026151718596dd99d03cd14aad1dda6b03
Instruction Fuzzy Hash: A8E0C278E08208EFCB84DFA8E9416ACBBF4EB48314F14C1A9981993340D7319A02CB90

Function 05999C70 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1663401270.0000000005990000.00000040.00000800.00020000.00000000.sdmp, Offset: 05990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5990000_2E7ZdlxkOL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16e41486adc8a8c21e361f7fb9bd56be0a45282686126ea8ea754d3761d96c93
Instruction ID: 1fa766b8d303450702b4667af9b9386c168cc6b2f7869dad7a26c12808e1f586
Opcode Fuzzy Hash: 16e41486adc8a8c21e361f7fb9bd56be0a45282686126ea8ea754d3761d96c93
Instruction Fuzzy Hash: 68E0127194A208DBCB54DFF9D904599BBFDEB4A301F1059A9E40993124FB714A009BE1

Function 0599B070 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1663401270.0000000005990000.00000040.00000800.00020000.00000000.sdmp, Offset: 05990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5990000_2E7ZdlxkOL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: efcb68ac12c3f1c2537e5c6c0ff9a391d67e951e3b0487dc94a5fc228392315c
Instruction ID: 86822c3f6ce66a5225171f45b80fc54af01b0279496cd9535db1302e5b6f13a4
Opcode Fuzzy Hash: efcb68ac12c3f1c2537e5c6c0ff9a391d67e951e3b0487dc94a5fc228392315c
Instruction Fuzzy Hash: 4BE0127154A10CDBDB44DBE8A90459A77FEEB4A200F5059A9D40593164EB365B009B91

Function 0599AE60 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1663401270.0000000005990000.00000040.00000800.00020000.00000000.sdmp, Offset: 05990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5990000_2E7ZdlxkOL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a3b1591f32f1b71be248bcfe39895dc47ca54391eb7efc54468bde08b817545
Instruction ID: 8135fcdd23d9d3a837278b15cfcb48c2d623f6103e5bcd70951e17eb48359ab1
Opcode Fuzzy Hash: 6a3b1591f32f1b71be248bcfe39895dc47ca54391eb7efc54468bde08b817545
Instruction Fuzzy Hash: 83E0127198910CDBCB44DBE895046997BEDEB49200F5059A9D50593160EB315E009791

Function 01B04EE2 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1659711690.0000000001B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 01B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b00000_2E7ZdlxkOL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67b3a25613aeec91128e3d8f807567a1289c77befd570ecb27a5269a7f7f03e4
Instruction ID: 149238454744a8e4700b629d77f28aace8b2450b282f30d4d494907712c41c78
Opcode Fuzzy Hash: 67b3a25613aeec91128e3d8f807567a1289c77befd570ecb27a5269a7f7f03e4
Instruction Fuzzy Hash: 0CD0173494456ACFC726CE14CC651DCB7F2AB24320F1801E9D00997390EB3A5DC98F00

Function 059DFB30 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1663451691.00000000059D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_59d0000_2E7ZdlxkOL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf82d35b63326b1653a2278d323df0be5a1b4778d4a9570e394445edadb8b39e
Instruction ID: d110b61920857ef4ef3c99b00e4b2d06bce9248c01f96c6ebb390faaf618f157
Opcode Fuzzy Hash: bf82d35b63326b1653a2278d323df0be5a1b4778d4a9570e394445edadb8b39e
Instruction Fuzzy Hash: 1BB022320003088AC20033E8BA0AB20F2FCA30032AF02A002E20E028200AA00088EAAA

Non-executed Functions

Function 061B1B10 Relevance: 6.7, Strings: 5, Instructions: 409COMMON

Download Yara Rule

Strings

i, xrefs: 061B1B5B
Xz^q, xrefs: 061B4A42
Xz^q, xrefs: 061B4AF2
Te^q, xrefs: 061B4C67
Te^q, xrefs: 061B1B37

Memory Dump Source

Source File: 00000000.00000002.1664508605.00000000061B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_61b0000_2E7ZdlxkOL.jbxd

Similarity

API ID:
String ID: Te^q$Te^q$Xz^q$Xz^q$i
API String ID: 0-2391991066
Opcode ID: cdd9eb70a5d573a14c72ff9f1e5ef9477fcf07abc750993817e740ba1a0167a3
Instruction ID: 444796d72ea104c5bffc5e7142dead639aa641de8740053f0994d0aadc25a4e7
Opcode Fuzzy Hash: cdd9eb70a5d573a14c72ff9f1e5ef9477fcf07abc750993817e740ba1a0167a3
Instruction Fuzzy Hash: 34228E74E05229CFDB64DF29D984AD8BBB2FB48300F0095EAD40DA7264DB35AE95CF40

Function 061B3036 Relevance: 5.4, Strings: 4, Instructions: 369COMMON

Download Yara Rule

Strings

H, xrefs: 061B308D
Xz^q, xrefs: 061B4A42
Xz^q, xrefs: 061B4AF2
Te^q, xrefs: 061B4C67

Memory Dump Source

Source File: 00000000.00000002.1664508605.00000000061B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_61b0000_2E7ZdlxkOL.jbxd

Similarity

API ID:
String ID: H$Te^q$Xz^q$Xz^q
API String ID: 0-359572378
Opcode ID: 9f735bb4810a83391e0c617c098f2953406207e96da71e49716ce9e2fc257d79
Instruction ID: fb6ee90e225c4f848d9f1dcad55866c15c60491a8d8597bf81331d27c225ec0d
Opcode Fuzzy Hash: 9f735bb4810a83391e0c617c098f2953406207e96da71e49716ce9e2fc257d79
Instruction Fuzzy Hash: B2128174D05229CFDB64DF28D984AD8BBB2FB88300F1095EAD40DA7264DB35AE95CF41

Function 059D4F28 Relevance: 2.8, Strings: 2, Instructions: 260COMMON

Download Yara Rule

Strings

Xbq, xrefs: 059D4F57
$^q, xrefs: 059D4F3E

Memory Dump Source

Source File: 00000000.00000002.1663451691.00000000059D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_59d0000_2E7ZdlxkOL.jbxd

Similarity

API ID:
String ID: Xbq$$^q
API String ID: 0-1593437937
Opcode ID: 03f2adda4be3b4e815dc28902fde775eca24102f46a99bfe7683b26f3ba998ea
Instruction ID: 72f896954380abb67130d1bdaffb7e1c875c52fa99ca391f2c0950dd19de29f3
Opcode Fuzzy Hash: 03f2adda4be3b4e815dc28902fde775eca24102f46a99bfe7683b26f3ba998ea
Instruction Fuzzy Hash: 14818574B042189BDB1DEB78895467EBBB7BFC8750B15C92EE406E7388DE34C8068791

Function 01B09E48 Relevance: 1.4, Strings: 1, Instructions: 165COMMON

Download Yara Rule

Strings

4'^q, xrefs: 01B09F36

Memory Dump Source

Source File: 00000000.00000002.1659711690.0000000001B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 01B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b00000_2E7ZdlxkOL.jbxd

Similarity

API ID:
String ID: 4'^q
API String ID: 0-1614139903
Opcode ID: 4603239ecd14f4cd485a770e7a93605e8c59c783dc3fe9944242f4b3aac5f2fb
Instruction ID: 27f427156f77dd9ca89777887c8537d9a93b922c8e602ccd15cde38131136140
Opcode Fuzzy Hash: 4603239ecd14f4cd485a770e7a93605e8c59c783dc3fe9944242f4b3aac5f2fb
Instruction Fuzzy Hash: 1C612970A002099FD758DFBAE89069EBBF2FB95300F04C529D404EB278EB345949DB51

Function 05995ADF Relevance: .2, Instructions: 178COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1663401270.0000000005990000.00000040.00000800.00020000.00000000.sdmp, Offset: 05990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5990000_2E7ZdlxkOL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: afe63506acc0dd3fca9a68248e8d21a5dda0a16fa90b43b4d3adc8c4314e3ca4
Instruction ID: 885baca007a217ce93100e92333d4a4f7d4a315c8887d1d94dbe98d50a5bcde1
Opcode Fuzzy Hash: afe63506acc0dd3fca9a68248e8d21a5dda0a16fa90b43b4d3adc8c4314e3ca4
Instruction Fuzzy Hash: C0918074D126288FEB64DF69C994B9DFBF2FF98300F5081D9D098A2265DB315AA5CF00

Function 059DFB60 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1663451691.00000000059D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_59d0000_2E7ZdlxkOL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b7c95f11e8f5c8930414dc865d2c359fd8a29c0dd4cff881dd32dc35a97e64b
Instruction ID: 55a0b070fd75253d2c8d01a661c33d8b5ec2f3930c3a09564baf3ce51bf3e74f
Opcode Fuzzy Hash: 7b7c95f11e8f5c8930414dc865d2c359fd8a29c0dd4cff881dd32dc35a97e64b
Instruction Fuzzy Hash: 565120B09042098FDB44EF7EE550A9EBBF7FB88300F15C52AD405AB278EB74590ADB51

Function 061BD0C8 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1664508605.00000000061B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_61b0000_2E7ZdlxkOL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e5cc84d39d8e4cc5b780ce33865446ff6992a33efdd4a023317da33e178062c
Instruction ID: d852e12065060ae3bf16b9ad6731f38da54a277be196c90fb77fedb0e62e4160
Opcode Fuzzy Hash: 5e5cc84d39d8e4cc5b780ce33865446ff6992a33efdd4a023317da33e178062c
Instruction Fuzzy Hash: 3A41BEB4D002489FDB58CFA9D985BDDBBF1AF0A310F24A029E418BB250D7749885CF95

Function 05990006 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1663401270.0000000005990000.00000040.00000800.00020000.00000000.sdmp, Offset: 05990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5990000_2E7ZdlxkOL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25685695afcedf3afd39c8ab892e6e9bf8a5b15faa9c3bfdaa7bc17fad8d8bc1
Instruction ID: 9fb69a6ef07680f7059f0f7a5b8296f145459e103a9826b0c56fa1f9f4f20b39
Opcode Fuzzy Hash: 25685695afcedf3afd39c8ab892e6e9bf8a5b15faa9c3bfdaa7bc17fad8d8bc1
Instruction Fuzzy Hash: 39416EB1E056548FEB5DCF6B8C40689FAF3AFC5200F19C1FA944CAB225EB3109968F51

Function 05990040 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1663401270.0000000005990000.00000040.00000800.00020000.00000000.sdmp, Offset: 05990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5990000_2E7ZdlxkOL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fbc93fe5f0df40f348dccdcc3d0eca9db69242da011f858b51baf42ff66a82f
Instruction ID: 3b0256625f646f6cd74447f62d469260eb3f5953969a49314d99c97ec601d75d
Opcode Fuzzy Hash: 2fbc93fe5f0df40f348dccdcc3d0eca9db69242da011f858b51baf42ff66a82f
Instruction Fuzzy Hash: 3D4175B1E056188BEB2CCF6B8D4468AFAF7AFC9200F04C1FA845CAB255DB3105958F51

Analysis Process: MSBuild.exePID: 6624, Parent PID: 6520COMMON

Execution Graph

Execution Coverage:	4.7%
Dynamic/Decrypted Code Coverage:	0.7%
Signature Coverage:	13%
Total number of Nodes:	2000
Total number of Limit Nodes:	38

Executed Functions

Function 0041B050 Relevance: 231.5, APIs: 121, Strings: 11, Instructions: 507
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcAddress.KERNEL32(?,0041922C), ref: 0041B06C
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B083
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B09A
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B0B1
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B0C8
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B0DF
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B0F6
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B10D
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B124
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B13B
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B152
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B169
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B180
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B197
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B1AE
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B1C5
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B1DC
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B1F3
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B20A
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B221
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B238
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B24F
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B266
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B27D
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B294
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B2AB
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B2C2
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B2D9
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B2F0
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B307
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B31E
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B335
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B34C
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B363
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B37A
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B391
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B3A8
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B3BF
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B3D6
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B3ED
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B404
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B41B
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B432
GetProcAddress.KERNEL32(CreateProcessA), ref: 0041B448
GetProcAddress.KERNEL32(GetThreadContext), ref: 0041B45E
GetProcAddress.KERNEL32(ReadProcessMemory), ref: 0041B474
GetProcAddress.KERNEL32(VirtualAllocEx), ref: 0041B48A
GetProcAddress.KERNEL32(ResumeThread), ref: 0041B4A0
GetProcAddress.KERNEL32(WriteProcessMemory), ref: 0041B4B6
GetProcAddress.KERNEL32(SetThreadContext), ref: 0041B4CC
LoadLibraryA.KERNELBASE(?,0041922C), ref: 0041B4DD
LoadLibraryA.KERNEL32(?,0041922C), ref: 0041B4EE
LoadLibraryA.KERNELBASE(?,0041922C), ref: 0041B4FF
LoadLibraryA.KERNELBASE(?,0041922C), ref: 0041B510
LoadLibraryA.KERNEL32(?,0041922C), ref: 0041B521
LoadLibraryA.KERNEL32(?,0041922C), ref: 0041B532
LoadLibraryA.KERNELBASE(?,0041922C), ref: 0041B543
LoadLibraryA.KERNELBASE(?,0041922C), ref: 0041B554
LoadLibraryA.KERNELBASE(dbghelp.dll,?,0041922C), ref: 0041B564
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B584
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B59B
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B5B2
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B5C9
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B5E0
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B604
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B61B
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B632
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B649
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B660
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B677
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B68E
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B6A5
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B6C5
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B6DC
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B6F3
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B70A
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B721
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B745
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B75C
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B773
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B78A
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B7A1
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B7B8
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B7DC
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B7F3
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B80A
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B821
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B838
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B84F
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B866
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B87D
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B894
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B8B4
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B8CB
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B8E2
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B8F9
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B910
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B930
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B947
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B967
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B97E
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B9A2
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B9B9
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B9D0
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B9E7
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B9FE
GetProcAddress.KERNEL32(?,0041922C), ref: 0041BA15
GetProcAddress.KERNEL32(?,0041922C), ref: 0041BA2C
GetProcAddress.KERNEL32(?,0041922C), ref: 0041BA43
GetProcAddress.KERNEL32(HttpQueryInfoA), ref: 0041BA59
GetProcAddress.KERNEL32(InternetSetOptionA), ref: 0041BA6F
GetProcAddress.KERNEL32(?,0041922C), ref: 0041BA8F
GetProcAddress.KERNEL32(?,0041922C), ref: 0041BAA6
GetProcAddress.KERNEL32(?,0041922C), ref: 0041BABD
GetProcAddress.KERNEL32(?,0041922C), ref: 0041BAD4
GetProcAddress.KERNEL32(?,0041922C), ref: 0041BAF4
GetProcAddress.KERNEL32(?,0041922C), ref: 0041BB14
GetProcAddress.KERNEL32(?,0041922C), ref: 0041BB2B
GetProcAddress.KERNEL32(?,0041922C), ref: 0041BB42
GetProcAddress.KERNEL32(?,0041922C), ref: 0041BB59
GetProcAddress.KERNEL32(SymMatchString), ref: 0041BB78

Strings

SetThreadContext, xrefs: 0041B4C1
InternetSetOptionA, xrefs: 0041BA64
ReadProcessMemory, xrefs: 0041B469
CreateProcessA, xrefs: 0041B43D
VirtualAllocEx, xrefs: 0041B47F
HttpQueryInfoA, xrefs: 0041BA4E
GetThreadContext, xrefs: 0041B453
WriteProcessMemory, xrefs: 0041B4AB
ResumeThread, xrefs: 0041B495
SymMatchString, xrefs: 0041BB6D
dbghelp.dll, xrefs: 0041B55F

Memory Dump Source

Source File: 00000001.00000002.2893345551.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2893345551.0000000000439000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.000000000043F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000445000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004A6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004A9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004B1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004D1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004DD000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000502000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.000000000050E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.000000000052D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000539000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000005C8000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000643000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad
String ID: CreateProcessA$GetThreadContext$HttpQueryInfoA$InternetSetOptionA$ReadProcessMemory$ResumeThread$SetThreadContext$SymMatchString$VirtualAllocEx$WriteProcessMemory$dbghelp.dll
API String ID: 2238633743-2740034357
Opcode ID: a4580aef7196ab40cac15de4e3c6625ffa806c5fa5d16c7cc0568451c0f19aac
Instruction ID: 64df46d759b3a8e539eb425d674754a75b55508f076e1d27ec912ac7423ac894
Opcode Fuzzy Hash: a4580aef7196ab40cac15de4e3c6625ffa806c5fa5d16c7cc0568451c0f19aac
Instruction Fuzzy Hash: 9552C57D481214EFEB025F61FE19AA43FB3F70B3417197129E91289671E77648A8EF80

Function 00409FC0 Relevance: 44.5, APIs: 20, Strings: 5, Instructions: 760
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00411668: lstrcpyA.KERNEL32(00425200,00000000,?), ref: 004116A7

Part of subcall function 004117E0: lstrcpyA.KERNEL32(00000000,00000000), ref: 0041182C
Part of subcall function 004117E0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041183A

Part of subcall function 0041185B: lstrlenA.KERNEL32(00428E5C,?,00428E5C,?,00000000), ref: 0041186F
Part of subcall function 0041185B: lstrcpyA.KERNEL32(00000000,?), ref: 004118A8
Part of subcall function 0041185B: lstrcatA.KERNEL32(00000000,00000000), ref: 004118B4

Part of subcall function 0041177A: lstrcpyA.KERNEL32(00000000,?,?,?,0041A98C,00000000,?,?,00428E5C,?,00000000), ref: 004117D3

FindFirstFileA.KERNELBASE(00000000,?,00425200,00425200,00000000,?,?,?,00428F3C,00425200), ref: 0040A045
StrCmpCA.SHLWAPI(?,00425240), ref: 0040A0A0
StrCmpCA.SHLWAPI(?,0042523C), ref: 0040A0B6
FindNextFileA.KERNELBASE(000000FF,?), ref: 0040AB2C
FindClose.KERNEL32(000000FF), ref: 0040AB3D

Strings

Brave, xrefs: 0040A2F9
Preferences, xrefs: 0040A318
Google Chrome, xrefs: 0040A834
\BraveWallet\Preferences, xrefs: 0040A40E
Opera GX, xrefs: 0040A144

Memory Dump Source

Source File: 00000001.00000002.2893345551.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2893345551.0000000000439000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.000000000043F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000445000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004A6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004A9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004B1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004D1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004DD000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000502000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.000000000050E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.000000000052D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000539000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000005C8000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000643000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
String ID: Brave$Google Chrome$Opera GX$Preferences$\BraveWallet\Preferences
API String ID: 3334442632-1189830961
Opcode ID: b6171a64cfc6ab4f13282320838a7735dbd279b900ab7de6f694e87253319736
Instruction ID: 263e58a2a74b46f478eabfba2e73a67f6604dac1ca14d90e5786d28d1d592fab
Opcode Fuzzy Hash: b6171a64cfc6ab4f13282320838a7735dbd279b900ab7de6f694e87253319736
Instruction Fuzzy Hash: 225241719002089BDF24FBB1DC56EED737DAF15304F40416AF61AA21A1EE399B88CF59

Function 004058C4 Relevance: 42.6, APIs: 20, Strings: 4, Instructions: 565
networkstringmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004116B4: lstrcpyA.KERNEL32(?,?,?,?,004118C6,00000000), ref: 004116F4

Part of subcall function 0040430F: ??_U@YAPAXI@Z.MSVCRT ref: 00404373
Part of subcall function 0040430F: ??_U@YAPAXI@Z.MSVCRT ref: 00404387
Part of subcall function 0040430F: ??_U@YAPAXI@Z.MSVCRT ref: 0040439B
Part of subcall function 0040430F: lstrlenA.KERNEL32(00000000,00000000,0000003C), ref: 004043B9
Part of subcall function 0040430F: InternetCrackUrlA.WININET(00000000,00000000), ref: 004043C9

Part of subcall function 00411668: lstrcpyA.KERNEL32(00425200,00000000,?), ref: 004116A7

InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0040595F
StrCmpCA.SHLWAPI(?), ref: 00405975
InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00405AEF
HttpOpenRequestA.WININET(00000000,?,00000000,00000000,00400100,00000000), ref: 00405B4C
lstrlenA.KERNEL32(00000000,00000000,?,?,00000000,?,",00000000,?,mode,00000000,?,00000000,?,00428D7C,00000000), ref: 00405F2B
lstrlenA.KERNEL32(00000000), ref: 00405F3C
GetProcessHeap.KERNEL32(00000000,?), ref: 00405F4C
HeapAlloc.KERNEL32(00000000), ref: 00405F53
lstrlenA.KERNEL32(00000000), ref: 00405F68
memcpy.MSVCRT ref: 00405F7E
lstrlenA.KERNEL32(00000000), ref: 00405F8F
lstrlenA.KERNEL32(00000000,00000000,00000000), ref: 00405FA8
memcpy.MSVCRT ref: 00405FB5
lstrlenA.KERNEL32(00000000,?,?), ref: 00405FCF
HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00405FE2
InternetReadFile.WININET(00000000,?,000000C7,?), ref: 00405FFE
InternetCloseHandle.WININET(00000000), ref: 00406061
InternetCloseHandle.WININET(00000000), ref: 0040606D
InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 00405B84

Part of subcall function 0041185B: lstrlenA.KERNEL32(00428E5C,?,00428E5C,?,00000000), ref: 0041186F
Part of subcall function 0041185B: lstrcpyA.KERNEL32(00000000,?), ref: 004118A8
Part of subcall function 0041185B: lstrcatA.KERNEL32(00000000,00000000), ref: 004118B4

Part of subcall function 0041177A: lstrcpyA.KERNEL32(00000000,?,?,?,0041A98C,00000000,?,?,00428E5C,?,00000000), ref: 004117D3

Part of subcall function 004117E0: lstrcpyA.KERNEL32(00000000,00000000), ref: 0041182C
Part of subcall function 004117E0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041183A

InternetCloseHandle.WININET(00000000), ref: 00406076

Strings

mode, xrefs: 00405EAB
", xrefs: 00405C53, 00405D92, 00405ED3
build_id, xrefs: 00405D6A
------, xrefs: 004059F7, 00405B8A, 00405CCA, 00405E0B

Memory Dump Source

Source File: 00000001.00000002.2893345551.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2893345551.0000000000439000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.000000000043F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000445000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004A6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004A9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004B1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004D1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004DD000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000502000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.000000000050E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.000000000052D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000539000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000005C8000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000643000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: Internetlstrlen$lstrcpy$CloseHandle$HeapHttpOpenRequestlstrcatmemcpy$AllocConnectCrackFileOptionProcessReadSend
String ID: "$------$build_id$mode
API String ID: 487080699-3829489455
Opcode ID: 99e7d839f9470243f8a500febddaa2585a4ce8104e375d9646ee5b01df51d87c
Instruction ID: c3a436f612394fb5ea9af5c3dff246c6ebafd40c3fbf54516d0a2530dbd512cc
Opcode Fuzzy Hash: 99e7d839f9470243f8a500febddaa2585a4ce8104e375d9646ee5b01df51d87c
Instruction Fuzzy Hash: 0632EB71920118AADB15FBA1DC96FDEB379BF14305F5001AAF216B21B1DF386B88CE54

Function 220A4CF0 Relevance: 19.7, APIs: 7, Strings: 4, Instructions: 461fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,C0000000,00000003,00000000,-00000003,04000102,00000000), ref: 220A4EE1

Strings

exclusive, xrefs: 220A4E81
winOpen, xrefs: 220A5110
delayed %dms for lock/sharing conflict at line %d, xrefs: 220A4FB5
psow, xrefs: 220A51F5

Memory Dump Source

Source File: 00000001.00000002.2904202460.0000000022098000.00000020.00001000.00020000.00000000.sdmp, Offset: 22090000, based on PE: true

Associated: 00000001.00000002.2904173258.0000000022090000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.0000000022091000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.00000000221F6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.000000002229D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.000000002229F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.00000000222A8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905717837.00000000222D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_22090000_MSBuild.jbxd

Similarity

API ID: CreateFile
String ID: delayed %dms for lock/sharing conflict at line %d$exclusive$psow$winOpen
API String ID: 823142352-3829269058
Opcode ID: 6b4d5d7db53420132aa14b478a53d96c30bbe8ddaf10222edc6a42492bcadec9
Instruction ID: 249711266966cfa8990820755b0ddd2f2f5455f11df12d83bda9fc932722a979
Opcode Fuzzy Hash: 6b4d5d7db53420132aa14b478a53d96c30bbe8ddaf10222edc6a42492bcadec9
Instruction Fuzzy Hash: B3F1D071D443008FDB01CFA4C9A9B1E77E4BB54709F800A29FE85C629AD77AD944EB92

Function 004129BF Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 142comCOMMON

Download Yara Rule

APIs

CoInitializeEx.OLE32(00000000,00000000,?,?,?,Windows: ,00000000,?,00428FE4,00000000,?,Work Dir: In memory,00000000,?,00428E48,00000000), ref: 004129E9
CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,Windows: ,00000000,?,00428FE4), ref: 00412A01
CoCreateInstance.OLE32(0042AE78,00000000,00000001,0042ADA8,00000000,?,?,?,Windows: ,00000000,?,00428FE4,00000000,?), ref: 00412A1D
CoSetProxyBlanket.OLE32(00000000,0000000A,00000000,00000000,00000003,00000003,00000000,00000000,?,?,?,Windows: ,00000000,?,00428FE4,00000000), ref: 00412A65
VariantInit.OLEAUT32(?), ref: 00412AC6
VariantClear.OLEAUT32(?), ref: 00412AFC

Strings

displayName, xrefs: 00412AD6
root\SecurityCenter2, xrefs: 00412A27
WQL, xrefs: 00412A81
Select * From AntiVirusProduct, xrefs: 00412A6B
Unknown, xrefs: 00412B0E, 00412B22, 00412B44

Memory Dump Source

Source File: 00000001.00000002.2893345551.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2893345551.0000000000439000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.000000000043F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000445000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004A6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004A9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004B1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004D1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004DD000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000502000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.000000000050E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.000000000052D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000539000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000005C8000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000643000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: InitializeVariant$BlanketClearCreateInitInstanceProxySecurity
String ID: Select * From AntiVirusProduct$Unknown$WQL$displayName$root\SecurityCenter2
API String ID: 3243281124-2561087649
Opcode ID: 01e7d32d45ff0252796b17b99a1afcd933ba27ea36f00a65b271f1c55a8e973d
Instruction ID: cc2f9b12050fb50489b4dacd928ba9f1606622a753a49b6d6fc2a760caa5f7a5
Opcode Fuzzy Hash: 01e7d32d45ff0252796b17b99a1afcd933ba27ea36f00a65b271f1c55a8e973d
Instruction Fuzzy Hash: 01512971A44208AFEB10CF94DD46FEDBBB8EB08711F604116F611FA1E0C7B8A951CB69

Function 004138BA Relevance: 7.6, APIs: 5, Instructions: 51processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 004138F5
Process32First.KERNEL32(00429888,00000128), ref: 00413908
Process32Next.KERNEL32(00429888,00000128), ref: 0041391C
StrCmpCA.SHLWAPI(?,0042988C), ref: 00413930
FindCloseChangeNotification.KERNELBASE(00429888), ref: 00413943

Memory Dump Source

Source File: 00000001.00000002.2893345551.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2893345551.0000000000439000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.000000000043F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000445000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004A6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004A9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004B1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004D1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004DD000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000502000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.000000000050E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.000000000052D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000539000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000005C8000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000643000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: Process32$ChangeCloseCreateFindFirstNextNotificationSnapshotToolhelp32
String ID:
API String ID: 3243318325-0
Opcode ID: 2a4b200a08ed556fe0b76f61f99fc73be8100933646605b45de0898bc31b2ca7
Instruction ID: c76ae2ebba4cdfdbec52cc22ef4db84e697ee2aab148ee9ae3442f35c02f241c
Opcode Fuzzy Hash: 2a4b200a08ed556fe0b76f61f99fc73be8100933646605b45de0898bc31b2ca7
Instruction Fuzzy Hash: 2B11C2B5900249EFDF118F91CD09BEFBBBDFB06791F00016AE505A62A0D7B88B40CB65

Function 0041246A Relevance: 6.1, APIs: 4, Instructions: 56processCOMMON

Download Yara Rule

APIs

Part of subcall function 00411668: lstrcpyA.KERNEL32(00425200,00000000,?), ref: 004116A7

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00412491
Process32First.KERNEL32(00000000,00000128), ref: 004124A4
Process32Next.KERNEL32(00000000,00000128), ref: 004124B8

Part of subcall function 0041185B: lstrlenA.KERNEL32(00428E5C,?,00428E5C,?,00000000), ref: 0041186F
Part of subcall function 0041185B: lstrcpyA.KERNEL32(00000000,?), ref: 004118A8
Part of subcall function 0041185B: lstrcatA.KERNEL32(00000000,00000000), ref: 004118B4

Part of subcall function 0041177A: lstrcpyA.KERNEL32(00000000,?,?,?,0041A98C,00000000,?,?,00428E5C,?,00000000), ref: 004117D3

CloseHandle.KERNEL32(00000000), ref: 00412525

Memory Dump Source

Source File: 00000001.00000002.2893345551.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2893345551.0000000000439000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.000000000043F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000445000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004A6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004A9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004B1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004D1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004DD000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000502000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.000000000050E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.000000000052D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000539000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000005C8000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000643000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: lstrcpy$Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcatlstrlen
String ID:
API String ID: 1066202413-0
Opcode ID: 977ae0b600e9dfa5c8bb5876995a90588de119cf502625faec0d1e404a198b9a
Instruction ID: 2c0229d212547161a0eb93f3d0d5d82303ca8f07f9ab92fbeb1aaa96aca691bd
Opcode Fuzzy Hash: 977ae0b600e9dfa5c8bb5876995a90588de119cf502625faec0d1e404a198b9a
Instruction Fuzzy Hash: CC212935900118EBCB11EB60DD56AEDB379AF15309F5041EAA60AB61A0EF349FC8CF94

Function 00411CBF Relevance: 6.0, APIs: 4, Instructions: 31memorytimeCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,00428E48,00000000,?,00000000,00000000,?,Computer Name: ,00000000,?,00428E48,00000000,?,00000000,00000000), ref: 00411CCF
HeapAlloc.KERNEL32(00000000), ref: 00411CD6
GetTimeZoneInformation.KERNELBASE(?), ref: 00411CE9
wsprintfA.USER32 ref: 00411D20

Memory Dump Source

Source File: 00000001.00000002.2893345551.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2893345551.0000000000439000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.000000000043F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000445000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004A6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004A9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004B1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004D1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004DD000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000502000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.000000000050E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.000000000052D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000539000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000005C8000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000643000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: Heap$AllocInformationProcessTimeZonewsprintf
String ID:
API String ID: 362916592-0
Opcode ID: 203e413fed742de3b00b513deca226d0cff61aa8e2789412112a4631cc96891a
Instruction ID: daf70193e9c0513ecb3072794c83a438d37f7fdfa3376bc861271b49892c1553
Opcode Fuzzy Hash: 203e413fed742de3b00b513deca226d0cff61aa8e2789412112a4631cc96891a
Instruction Fuzzy Hash: 2BF0BE70A003289FDB20AB24FC0AB9977BBBB02345F1001D5F209AA2E0D7749EC0CF02

Function 00407E41 Relevance: 4.5, APIs: 3, Instructions: 43memoryencryptionCOMMON

Download Yara Rule

APIs

CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00407E65
LocalAlloc.KERNEL32(00000040,00000000), ref: 00407E83
LocalFree.KERNEL32(?), ref: 00407EAB

Memory Dump Source

Source File: 00000001.00000002.2893345551.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2893345551.0000000000439000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.000000000043F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000445000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004A6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004A9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004B1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004D1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004DD000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000502000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.000000000050E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.000000000052D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000539000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000005C8000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000643000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: Local$AllocCryptDataFreeUnprotect
String ID:
API String ID: 2068576380-0
Opcode ID: ec7d2c3964d9433e1bd8db3b7e97589d228e91b9e021ed9bd7c00834a8d4e7c8
Instruction ID: c73416beba9d1fde4238afde8a7e84a4d4aa4311c1f55aef6ad3ec00fa4115b4
Opcode Fuzzy Hash: ec7d2c3964d9433e1bd8db3b7e97589d228e91b9e021ed9bd7c00834a8d4e7c8
Instruction Fuzzy Hash: 72019279900209EFCB01DF98D945A9E7BF5FB09300F0000A5F901AB2A0D774AE50DF61

Function 00411BEC Relevance: 4.5, APIs: 3, Instructions: 18memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,0041A955), ref: 00411BF8
HeapAlloc.KERNEL32(00000000,?,?,?,0041A955), ref: 00411BFF
GetUserNameA.ADVAPI32(?,00000104), ref: 00411C16

Memory Dump Source

Source File: 00000001.00000002.2893345551.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2893345551.0000000000439000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.000000000043F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000445000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004A6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004A9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004B1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004D1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004DD000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000502000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.000000000050E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.000000000052D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000539000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000005C8000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000643000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: Heap$AllocNameProcessUser
String ID:
API String ID: 1206570057-0
Opcode ID: cdb89f3b8d2170a32c4f5d9c7d109af83218dd3f9df08350fd3753d412c9dc7b
Instruction ID: 6ad48150bf72aad5a6046b0908b1c33b434ec51fc494a64bf18a9d81697ab1ea
Opcode Fuzzy Hash: cdb89f3b8d2170a32c4f5d9c7d109af83218dd3f9df08350fd3753d412c9dc7b
Instruction Fuzzy Hash: B3E04CB4A00608FFDB10DBD4DC49FADBBB8FB04749F904065F601E2160D7B45A459B64

Function 00411F21 Relevance: 3.0, APIs: 2, Instructions: 15COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNELBASE(00000000), ref: 00411F2E
wsprintfA.USER32 ref: 00411F43

Memory Dump Source

Source File: 00000001.00000002.2893345551.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2893345551.0000000000439000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.000000000043F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000445000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004A6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004A9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004B1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004D1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004DD000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000502000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.000000000050E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.000000000052D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000539000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000005C8000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000643000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: InfoSystemwsprintf
String ID:
API String ID: 2452939696-0
Opcode ID: 2f2772df9e2289074dc65a3b003ee837af4eb9d8d63b789a1da4cf5f031d46f7
Instruction ID: 9caa33327a18f9dae679d202d2ba32c4f74d5e180e33a6cc9dfb65b88a9d38f3
Opcode Fuzzy Hash: 2f2772df9e2289074dc65a3b003ee837af4eb9d8d63b789a1da4cf5f031d46f7
Instruction Fuzzy Hash: F6D05EB180011CABCB00DBE0FC499D977BCBB09208F4408B1E614E2040E3B8EAD88BA8

Function 0041A76B Relevance: 257.6, APIs: 139, Strings: 8, Instructions: 337
sleepstringlibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(Taxonomic sequence (also known as systematic, phyletic or taxonomic order) is a sequence followed in listing of taxa which aids ea), ref: 0041A776
lstrlenW.KERNEL32(The 1999 Rushmoor Council election took place on 6 May 1999 to elect members of Rushmoor Borough Council in Hampshire, England. On), ref: 0041A781
lstrlenW.KERNEL32(Oregon Ballot Measure 56 or House Joint Resolution 15 (HJR 15) is a legislatively referred constitutional amendment that enacted l), ref: 0041A78C
lstrlenW.KERNEL32(The 1967 October Revolution Parade is the parade on Moscow's Red Square devoted to the 50th anniversary of the Great October Socia), ref: 0041A797
lstrlenW.KERNEL32(I-11 was an Imperial Japanese Navy Type A1 submarine that served during World War II. Designed as a submarine aircraft carrier and), ref: 0041A7A2
LoadLibraryA.KERNEL32(kernel32.dll), ref: 0041A7AD
GetProcAddress.KERNEL32(00000000,Sleep), ref: 0041A7C4
GetProcAddress.KERNEL32(00000000,GetSystemTime), ref: 0041A7D7

Part of subcall function 0041185B: lstrlenA.KERNEL32(00428E5C,?,00428E5C,?,00000000), ref: 0041186F
Part of subcall function 0041185B: lstrcpyA.KERNEL32(00000000,?), ref: 004118A8
Part of subcall function 0041185B: lstrcatA.KERNEL32(00000000,00000000), ref: 004118B4

Part of subcall function 0041177A: lstrcpyA.KERNEL32(00000000,?,?,?,0041A98C,00000000,?,?,00428E5C,?,00000000), ref: 004117D3

Sleep.KERNELBASE(00000014), ref: 0041A7E4
Sleep.KERNELBASE(00000014), ref: 0041A7EC
Sleep.KERNEL32(00000014), ref: 0041A7F4
Sleep.KERNEL32(00000014), ref: 0041A7FC
Sleep.KERNEL32(00000014), ref: 0041A804
Sleep.KERNEL32(00000014), ref: 0041A80C
lstrlenW.KERNEL32(Taxonomic sequence (also known as systematic, phyletic or taxonomic order) is a sequence followed in listing of taxa which aids ea), ref: 0041A817
lstrlenW.KERNEL32(The 1999 Rushmoor Council election took place on 6 May 1999 to elect members of Rushmoor Borough Council in Hampshire, England. On), ref: 0041A822
lstrlenW.KERNEL32(Oregon Ballot Measure 56 or House Joint Resolution 15 (HJR 15) is a legislatively referred constitutional amendment that enacted l), ref: 0041A82D
lstrlenW.KERNEL32(The 1967 October Revolution Parade is the parade on Moscow's Red Square devoted to the 50th anniversary of the Great October Socia), ref: 0041A838
lstrlenW.KERNEL32(I-11 was an Imperial Japanese Navy Type A1 submarine that served during World War II. Designed as a submarine aircraft carrier and), ref: 0041A843
Sleep.KERNEL32(00000014), ref: 0041A84B
Sleep.KERNEL32(00000014), ref: 0041A853
Sleep.KERNEL32(00000014), ref: 0041A85B
Sleep.KERNEL32(00000014), ref: 0041A863
Sleep.KERNEL32(00000014), ref: 0041A86B
Sleep.KERNEL32(00000014), ref: 0041A873
Sleep.KERNEL32(00000014), ref: 0041A880
Sleep.KERNEL32(00000014), ref: 0041A888
Sleep.KERNEL32(00000014), ref: 0041A890
Sleep.KERNEL32(00000014), ref: 0041A898
Sleep.KERNEL32(00000014), ref: 0041A8A0
Sleep.KERNEL32(00000014), ref: 0041A8A8
Sleep.KERNELBASE(00000014), ref: 0041A8B5
Sleep.KERNEL32(00000014), ref: 0041A8BD
Sleep.KERNEL32(00000014), ref: 0041A8C5
Sleep.KERNEL32(00000014), ref: 0041A8CD
Sleep.KERNEL32(00000014), ref: 0041A8D5
Sleep.KERNEL32(00000014), ref: 0041A8DD
Sleep.KERNEL32(00000014), ref: 0041A8E5
Sleep.KERNEL32(00000014), ref: 0041A8ED
Sleep.KERNEL32(00000014), ref: 0041A8F5
Sleep.KERNEL32(00000014), ref: 0041A8FD
Sleep.KERNEL32(00000014), ref: 0041A905
Sleep.KERNEL32(00000014), ref: 0041A90D
Sleep.KERNEL32(00000014,00425200), ref: 0041A922
Sleep.KERNEL32(00000014), ref: 0041A92A
Sleep.KERNEL32(00000014), ref: 0041A932
Sleep.KERNEL32(00000014), ref: 0041A93A
Sleep.KERNEL32(00000014), ref: 0041A942
Sleep.KERNEL32(00000014), ref: 0041A94A
Sleep.KERNELBASE(00000014,00000000,?,?,00428E5C,?,00000000), ref: 0041A9A6
Sleep.KERNEL32(00000014), ref: 0041A9AE
Sleep.KERNEL32(00000014), ref: 0041A9B6
Sleep.KERNEL32(00000014), ref: 0041A9BE
Sleep.KERNEL32(00000014), ref: 0041A9C6
Sleep.KERNEL32(00000014), ref: 0041A9CE
Sleep.KERNEL32(00000014), ref: 0041A9D6
Sleep.KERNEL32(00000014), ref: 0041A9DE
Sleep.KERNEL32(00000014), ref: 0041A9E6
Sleep.KERNEL32(00000014), ref: 0041A9EE
Sleep.KERNEL32(00000014), ref: 0041A9F6
Sleep.KERNEL32(00000014), ref: 0041A9FE
Sleep.KERNEL32(00000014), ref: 0041AA0F
Sleep.KERNEL32(00000014), ref: 0041AA17
Sleep.KERNEL32(00000014), ref: 0041AA1F
Sleep.KERNEL32(00000014), ref: 0041AA27
Sleep.KERNEL32(00000014), ref: 0041AA2F
Sleep.KERNEL32(00000014), ref: 0041AA37
OpenEventA.KERNEL32(001F0003,00000000,00000000), ref: 0041AA4D
Sleep.KERNEL32(00000014), ref: 0041AA5E
Sleep.KERNEL32(00000014), ref: 0041AA66
Sleep.KERNEL32(00000014), ref: 0041AA6E
Sleep.KERNEL32(00000014), ref: 0041AA76
Sleep.KERNEL32(00000014), ref: 0041AA7E
Sleep.KERNEL32(00000014), ref: 0041AA86
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 0041AA9B
Sleep.KERNEL32(00000014), ref: 0041AAA6
Sleep.KERNEL32(00000014), ref: 0041AAAE
Sleep.KERNEL32(00000014), ref: 0041AAB6
Sleep.KERNEL32(00000014), ref: 0041AABE
Sleep.KERNEL32(00000014), ref: 0041AAC6
Sleep.KERNEL32(00000014), ref: 0041AACE
Sleep.KERNEL32(00000014), ref: 0041AADA
Sleep.KERNEL32(00000014), ref: 0041AAE2
Sleep.KERNEL32(00000014), ref: 0041AAEA
Sleep.KERNEL32(00000014), ref: 0041AAF2
Sleep.KERNEL32(00000014), ref: 0041AAFA
Sleep.KERNEL32(00000014), ref: 0041AB02
CloseHandle.KERNEL32(00000000), ref: 0041AB0B
Sleep.KERNEL32(00001B58), ref: 0041AB16
Sleep.KERNEL32(00000014), ref: 0041AB1E
Sleep.KERNEL32(00000014), ref: 0041AB26
Sleep.KERNEL32(00000014), ref: 0041AB2E
Sleep.KERNEL32(00000014), ref: 0041AB36
Sleep.KERNEL32(00000014), ref: 0041AB3E
Sleep.KERNEL32(00000014), ref: 0041AB46
Sleep.KERNEL32(00000014), ref: 0041AB53
Sleep.KERNEL32(00000014), ref: 0041AB5B
Sleep.KERNEL32(00000014), ref: 0041AB63
Sleep.KERNEL32(00000014), ref: 0041AB6B
Sleep.KERNEL32(00000014), ref: 0041AB73
Sleep.KERNEL32(00000014), ref: 0041AB7B
Sleep.KERNEL32(00000014), ref: 0041AB83
Sleep.KERNEL32(00000014), ref: 0041AB8B
Sleep.KERNEL32(00000014), ref: 0041AB93
Sleep.KERNEL32(00000014), ref: 0041AB9B
Sleep.KERNEL32(00000014), ref: 0041ABA3
Sleep.KERNEL32(00000014), ref: 0041ABAB
Sleep.KERNEL32(00000014), ref: 0041ABB8
Sleep.KERNEL32(00000014), ref: 0041ABC0
Sleep.KERNEL32(00000014), ref: 0041ABC8
Sleep.KERNEL32(00000014), ref: 0041ABD0
Sleep.KERNEL32(00000014), ref: 0041ABD8
Sleep.KERNEL32(00000014), ref: 0041ABE0
Sleep.KERNEL32(00000014), ref: 0041ABE8
Sleep.KERNEL32(00000014), ref: 0041ABF0
Sleep.KERNEL32(00000014), ref: 0041ABF8
Sleep.KERNEL32(00000014), ref: 0041AC00
Sleep.KERNEL32(00000014), ref: 0041AC08
Sleep.KERNEL32(00000014), ref: 0041AC10
CloseHandle.KERNEL32(?), ref: 0041AC19
Sleep.KERNEL32(00000014), ref: 0041AC21
Sleep.KERNEL32(00000014), ref: 0041AC29
Sleep.KERNEL32(00000014), ref: 0041AC31
Sleep.KERNEL32(00000014), ref: 0041AC39
Sleep.KERNEL32(00000014), ref: 0041AC41
Sleep.KERNEL32(00000014), ref: 0041AC49
Sleep.KERNEL32(00000014), ref: 0041AC51
Sleep.KERNEL32(00000014), ref: 0041AC59
Sleep.KERNEL32(00000014), ref: 0041AC61
Sleep.KERNEL32(00000014), ref: 0041AC69
Sleep.KERNEL32(00000014), ref: 0041AC71
Sleep.KERNEL32(00000014), ref: 0041AC79
Sleep.KERNEL32(00000014), ref: 0041AC81
Sleep.KERNEL32(00000014), ref: 0041AC89
Sleep.KERNEL32(00000014), ref: 0041AC91
Sleep.KERNEL32(00000014), ref: 0041AC99
Sleep.KERNEL32(00000014), ref: 0041ACA1
Sleep.KERNEL32(00000014), ref: 0041ACA9
ExitProcess.KERNEL32 ref: 0041ACB1

Strings

Sleep, xrefs: 0041A7BC
Taxonomic sequence (also known as systematic, phyletic or taxonomic order) is a sequence followed in listing of taxa which aids ea, xrefs: 0041A771, 0041A812
kernel32.dll, xrefs: 0041A7A8
I-11 was an Imperial Japanese Navy Type A1 submarine that served during World War II. Designed as a submarine aircraft carrier and, xrefs: 0041A79D, 0041A83E
GetSystemTime, xrefs: 0041A7CF
The 1967 October Revolution Parade is the parade on Moscow's Red Square devoted to the 50th anniversary of the Great October Socia, xrefs: 0041A792, 0041A833
The 1999 Rushmoor Council election took place on 6 May 1999 to elect members of Rushmoor Borough Council in Hampshire, England. On, xrefs: 0041A77C, 0041A81D
Oregon Ballot Measure 56 or House Joint Resolution 15 (HJR 15) is a legislatively referred constitutional amendment that enacted l, xrefs: 0041A787, 0041A828

Memory Dump Source

Source File: 00000001.00000002.2893345551.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2893345551.0000000000439000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.000000000043F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000445000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004A6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004A9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004B1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004D1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004DD000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000502000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.000000000050E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.000000000052D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000539000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000005C8000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000643000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: Sleep$lstrlen$AddressCloseEventHandleProclstrcpy$CreateExitLibraryLoadOpenProcesslstrcat
String ID: GetSystemTime$I-11 was an Imperial Japanese Navy Type A1 submarine that served during World War II. Designed as a submarine aircraft carrier and$Oregon Ballot Measure 56 or House Joint Resolution 15 (HJR 15) is a legislatively referred constitutional amendment that enacted l$Sleep$Taxonomic sequence (also known as systematic, phyletic or taxonomic order) is a sequence followed in listing of taxa which aids ea$The 1967 October Revolution Parade is the parade on Moscow's Red Square devoted to the 50th anniversary of the Great October Socia$The 1999 Rushmoor Council election took place on 6 May 1999 to elect members of Rushmoor Borough Council in Hampshire, England. On$kernel32.dll
API String ID: 1968030747-1157189060
Opcode ID: 54532dd25730401e9619ccf941eb7a63a5c16019b915d8d70357fc5f908c5c95
Instruction ID: d0fc9c7f70cd4d74f070b5276f1611ca398b8472acf39be3ffb0404d49fc07f7
Opcode Fuzzy Hash: 54532dd25730401e9619ccf941eb7a63a5c16019b915d8d70357fc5f908c5c95
Instruction Fuzzy Hash: 40D1AB356E121DEFDB006BE0AC2EBE87A6AAB17702F551125B30E9D0F0DAB444C19F75

Function 0041AAD6 Relevance: 105.2, APIs: 70, Instructions: 160
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(00000014), ref: 0041AA0F
Sleep.KERNEL32(00000014), ref: 0041AA17
Sleep.KERNEL32(00000014), ref: 0041AA1F
Sleep.KERNEL32(00000014), ref: 0041AA27
Sleep.KERNEL32(00000014), ref: 0041AA2F
Sleep.KERNEL32(00000014), ref: 0041AA37
OpenEventA.KERNEL32(001F0003,00000000,00000000), ref: 0041AA4D
Sleep.KERNEL32(00000014), ref: 0041AA5E
Sleep.KERNEL32(00000014), ref: 0041AA66
Sleep.KERNEL32(00000014), ref: 0041AA6E
Sleep.KERNEL32(00000014), ref: 0041AA76
Sleep.KERNEL32(00000014), ref: 0041AA7E
Sleep.KERNEL32(00000014), ref: 0041AA86
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 0041AA9B
Sleep.KERNEL32(00000014), ref: 0041AAA6
Sleep.KERNEL32(00000014), ref: 0041AAAE
Sleep.KERNEL32(00000014), ref: 0041AAB6
Sleep.KERNEL32(00000014), ref: 0041AABE
Sleep.KERNEL32(00000014), ref: 0041AAC6
Sleep.KERNEL32(00000014), ref: 0041AACE
Sleep.KERNEL32(00000014), ref: 0041AADA
Sleep.KERNEL32(00000014), ref: 0041AAE2
Sleep.KERNEL32(00000014), ref: 0041AAEA
Sleep.KERNEL32(00000014), ref: 0041AAF2
Sleep.KERNEL32(00000014), ref: 0041AAFA
Sleep.KERNEL32(00000014), ref: 0041AB02
CloseHandle.KERNEL32(00000000), ref: 0041AB0B
Sleep.KERNEL32(00001B58), ref: 0041AB16
Sleep.KERNEL32(00000014), ref: 0041AB1E
Sleep.KERNEL32(00000014), ref: 0041AB26
Sleep.KERNEL32(00000014), ref: 0041AB2E
Sleep.KERNEL32(00000014), ref: 0041AB36
Sleep.KERNEL32(00000014), ref: 0041AB3E
Sleep.KERNEL32(00000014), ref: 0041AB46
Sleep.KERNEL32(00000014), ref: 0041AB53
Sleep.KERNEL32(00000014), ref: 0041AB5B
Sleep.KERNEL32(00000014), ref: 0041AB63
Sleep.KERNEL32(00000014), ref: 0041AB6B
Sleep.KERNEL32(00000014), ref: 0041AB73
Sleep.KERNEL32(00000014), ref: 0041AB7B
Sleep.KERNEL32(00000014), ref: 0041AB83
Sleep.KERNEL32(00000014), ref: 0041AB8B
Sleep.KERNEL32(00000014), ref: 0041AB93
Sleep.KERNEL32(00000014), ref: 0041AB9B
Sleep.KERNEL32(00000014), ref: 0041ABA3
Sleep.KERNEL32(00000014), ref: 0041ABAB
Sleep.KERNEL32(00000014), ref: 0041ABB8
Sleep.KERNEL32(00000014), ref: 0041ABC0
Sleep.KERNEL32(00000014), ref: 0041ABC8
Sleep.KERNEL32(00000014), ref: 0041ABD0
Sleep.KERNEL32(00000014), ref: 0041ABD8
Sleep.KERNEL32(00000014), ref: 0041ABE0
Sleep.KERNEL32(00000014), ref: 0041ABE8
Sleep.KERNEL32(00000014), ref: 0041ABF0
Sleep.KERNEL32(00000014), ref: 0041ABF8
Sleep.KERNEL32(00000014), ref: 0041AC00
Sleep.KERNEL32(00000014), ref: 0041AC08
Sleep.KERNEL32(00000014), ref: 0041AC10
CloseHandle.KERNEL32(?), ref: 0041AC19
Sleep.KERNEL32(00000014), ref: 0041AC21
Sleep.KERNEL32(00000014), ref: 0041AC29
Sleep.KERNEL32(00000014), ref: 0041AC31
Sleep.KERNEL32(00000014), ref: 0041AC39
Sleep.KERNEL32(00000014), ref: 0041AC41
Sleep.KERNEL32(00000014), ref: 0041AC49
Sleep.KERNEL32(00000014), ref: 0041AC51
Sleep.KERNEL32(00000014), ref: 0041AC59
Sleep.KERNEL32(00000014), ref: 0041AC61
Sleep.KERNEL32(00000014), ref: 0041AC69
Sleep.KERNEL32(00000014), ref: 0041AC71
Sleep.KERNEL32(00000014), ref: 0041AC79
Sleep.KERNEL32(00000014), ref: 0041AC81
Sleep.KERNEL32(00000014), ref: 0041AC89
Sleep.KERNEL32(00000014), ref: 0041AC91
Sleep.KERNEL32(00000014), ref: 0041AC99
Sleep.KERNEL32(00000014), ref: 0041ACA1
Sleep.KERNEL32(00000014), ref: 0041ACA9
ExitProcess.KERNEL32 ref: 0041ACB1

Memory Dump Source

Source File: 00000001.00000002.2893345551.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2893345551.0000000000439000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.000000000043F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000445000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004A6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004A9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004B1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004D1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004DD000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000502000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.000000000050E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.000000000052D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000539000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000005C8000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000643000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: Sleep$CloseEventHandle$CreateExitOpenProcess
String ID:
API String ID: 3990214622-0
Opcode ID: 939382f14eacfc35bc189caa75c6057b8e340a7325aef0680f6e940db5972843
Instruction ID: 010346d2f35c5d2b6dfb22c7d70376198b9011b0162d7776d674804ad5e558a3
Opcode Fuzzy Hash: 939382f14eacfc35bc189caa75c6057b8e340a7325aef0680f6e940db5972843
Instruction Fuzzy Hash: AC5157395E620DEFEB006BE09D1EBE83666AB17706F151015B30E9C0F0CA7444C59F36

Function 00404E03 Relevance: 58.5, APIs: 25, Strings: 8, Instructions: 713
stringnetworkmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00411668: lstrcpyA.KERNEL32(00425200,00000000,?), ref: 004116A7

Part of subcall function 004116B4: lstrcpyA.KERNEL32(?,?,?,?,004118C6,00000000), ref: 004116F4

Part of subcall function 0040430F: ??_U@YAPAXI@Z.MSVCRT ref: 00404373
Part of subcall function 0040430F: ??_U@YAPAXI@Z.MSVCRT ref: 00404387
Part of subcall function 0040430F: ??_U@YAPAXI@Z.MSVCRT ref: 0040439B
Part of subcall function 0040430F: lstrlenA.KERNEL32(00000000,00000000,0000003C), ref: 004043B9
Part of subcall function 0040430F: InternetCrackUrlA.WININET(00000000,00000000), ref: 004043C9

lstrlenA.KERNEL32(00000000), ref: 00404E8B

Part of subcall function 0041302D: CryptBinaryToStringA.CRYPT32(00000000,00404E7F,40000001,00000000,00000000), ref: 0041304A

StrCmpCA.SHLWAPI(?,00425200,00425200,00425200,00425200), ref: 00404EEF
InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00404F17
InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00405025
HttpOpenRequestA.WININET(00000000,?,00000000,00000000,00400100,00000000), ref: 00405082
InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 004050BA

Part of subcall function 0041177A: lstrcpyA.KERNEL32(00000000,?,?,?,0041A98C,00000000,?,?,00428E5C,?,00000000), ref: 004117D3

Part of subcall function 0041185B: lstrlenA.KERNEL32(00428E5C,?,00428E5C,?,00000000), ref: 0041186F
Part of subcall function 0041185B: lstrcpyA.KERNEL32(00000000,?), ref: 004118A8
Part of subcall function 0041185B: lstrcatA.KERNEL32(00000000,00000000), ref: 004118B4

Part of subcall function 004117E0: lstrcpyA.KERNEL32(00000000,00000000), ref: 0041182C
Part of subcall function 004117E0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041183A

lstrlenA.KERNEL32(00000000,00000000,?,",00000000,?,file_data,00000000,?,00000000,?,00428D7C,00000000,?,00000000,00000000), ref: 00405579
lstrlenA.KERNEL32(00000000), ref: 0040558D
GetProcessHeap.KERNEL32(00000000,?), ref: 0040559D
HeapAlloc.KERNEL32(00000000), ref: 004055A4
lstrlenA.KERNEL32(00000000), ref: 004055B9
memcpy.MSVCRT ref: 004055CF
lstrlenA.KERNEL32(00000000,00000000,00000000), ref: 004055E6
memcpy.MSVCRT ref: 004055F3
lstrlenA.KERNEL32(00000000), ref: 00405604
lstrlenA.KERNEL32(00000000,00000000,00000000), ref: 0040561D
memcpy.MSVCRT ref: 0040562D
lstrlenA.KERNEL32(00000000,?,?), ref: 00405647
HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 0040565A
HttpQueryInfoA.WININET(00000000,00000013,?,00000100,00000000), ref: 0040568D
InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00405730
StrCmpCA.SHLWAPI(00000000,block), ref: 004057A1
ExitProcess.KERNEL32 ref: 004057AD
InternetCloseHandle.WININET(00000000), ref: 00405824

Strings

", xrefs: 00405189, 004052C8, 0040540A, 00405548
--, xrefs: 00404F69
------, xrefs: 00404F80
build_id, xrefs: 004052A0
block, xrefs: 00405790
file_data, xrefs: 00405520
------, xrefs: 004050C0, 00405200, 00405341, 00405480
ERROR, xrefs: 00405697, 004057B5

Memory Dump Source

Source File: 00000001.00000002.2893345551.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2893345551.0000000000439000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.000000000043F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000445000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004A6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004A9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004B1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004D1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004DD000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000502000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.000000000050E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.000000000052D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000539000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000005C8000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000643000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: lstrlen$Internet$lstrcpy$Httpmemcpy$HeapOpenProcessRequestlstrcat$AllocBinaryCloseConnectCrackCryptExitFileHandleInfoOptionQueryReadSendString
String ID: ------$"$--$------$ERROR$block$build_id$file_data
API String ID: 291296625-1063948816
Opcode ID: 941268b52b4c2f1080921e961083cd3901daec87e8b66a8e899ed6db65051c96
Instruction ID: 347b2e4d89f66f0c0c6539a9aa54472735362a414d5b47530b2be4bc622c77f0
Opcode Fuzzy Hash: 941268b52b4c2f1080921e961083cd3901daec87e8b66a8e899ed6db65051c96
Instruction Fuzzy Hash: 76520E729101189ADB14FBA1EC96FDE7379AF15305F5080AAF216B21F1DF386A88CF54

Function 0041AD16 Relevance: 49.7, APIs: 33, Instructions: 151
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcAddress.KERNEL32 ref: 0041AD54
GetProcAddress.KERNEL32 ref: 0041AD6B
GetProcAddress.KERNEL32 ref: 0041AD82
GetProcAddress.KERNEL32 ref: 0041AD99
GetProcAddress.KERNEL32 ref: 0041ADB0
GetProcAddress.KERNEL32 ref: 0041ADC7
GetProcAddress.KERNEL32 ref: 0041ADDE
GetProcAddress.KERNEL32 ref: 0041ADF5
GetProcAddress.KERNEL32 ref: 0041AE0C
GetProcAddress.KERNEL32 ref: 0041AE23
GetProcAddress.KERNEL32 ref: 0041AE3A
GetProcAddress.KERNEL32 ref: 0041AE51
GetProcAddress.KERNEL32 ref: 0041AE68
GetProcAddress.KERNEL32 ref: 0041AE7F
GetProcAddress.KERNEL32 ref: 0041AE96
GetProcAddress.KERNEL32 ref: 0041AEAD
GetProcAddress.KERNEL32 ref: 0041AEC4
GetProcAddress.KERNEL32 ref: 0041AEDB
GetProcAddress.KERNEL32 ref: 0041AEF2
GetProcAddress.KERNEL32 ref: 0041AF09
GetProcAddress.KERNEL32 ref: 0041AF20
LoadLibraryA.KERNEL32(?,0041A8B3), ref: 0041AF31
LoadLibraryA.KERNEL32(?,0041A8B3), ref: 0041AF42
LoadLibraryA.KERNEL32(?,0041A8B3), ref: 0041AF53
LoadLibraryA.KERNELBASE(?,0041A8B3), ref: 0041AF64
LoadLibraryA.KERNEL32(?,0041A8B3), ref: 0041AF75
GetProcAddress.KERNEL32(?,0041A8B3), ref: 0041AF95
GetProcAddress.KERNEL32(?,0041A8B3), ref: 0041AFB5
GetProcAddress.KERNEL32(?,0041A8B3), ref: 0041AFCC
GetProcAddress.KERNEL32(?,0041A8B3), ref: 0041AFEC
GetProcAddress.KERNEL32(?,0041A8B3), ref: 0041B00C
GetProcAddress.KERNEL32(?,0041A8B3), ref: 0041B02C
GetProcAddress.KERNEL32(?,0041A8B3), ref: 0041B043

Memory Dump Source

Source File: 00000001.00000002.2893345551.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2893345551.0000000000439000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.000000000043F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000445000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004A6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004A9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004B1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004D1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004DD000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000502000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.000000000050E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.000000000052D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000539000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000005C8000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000643000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad
String ID:
API String ID: 2238633743-0
Opcode ID: 8ed0b4f8c3e954e1fc1dc6971364bbe040f0f26000e4905d9b82ffd922f5bdfa
Instruction ID: e6d1e2ba0aaa9db7fee79aa5ca47b6abfb0ed3e486351d87d65decbaef8ebfc5
Opcode Fuzzy Hash: 8ed0b4f8c3e954e1fc1dc6971364bbe040f0f26000e4905d9b82ffd922f5bdfa
Instruction Fuzzy Hash: DD81C679481214EFEB026F60FE19AA43FA3F70B345715712AE90689670E77648A8EF40

Function 004151E4 Relevance: 48.1, APIs: 2, Strings: 25, Instructions: 830
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00411668: lstrcpyA.KERNEL32(00425200,00000000,?), ref: 004116A7

Part of subcall function 0041185B: lstrlenA.KERNEL32(00428E5C,?,00428E5C,?,00000000), ref: 0041186F
Part of subcall function 0041185B: lstrcpyA.KERNEL32(00000000,?), ref: 004118A8
Part of subcall function 0041185B: lstrcatA.KERNEL32(00000000,00000000), ref: 004118B4

Part of subcall function 0041177A: lstrcpyA.KERNEL32(00000000,?,?,?,0041A98C,00000000,?,?,00428E5C,?,00000000), ref: 004117D3

Part of subcall function 00411C63: GetProcessHeap.KERNEL32(00000000,00000104,00000000,00000000,?,Version: ,00425200), ref: 00411C70
Part of subcall function 00411C63: HeapAlloc.KERNEL32(00000000), ref: 00411C77
Part of subcall function 00411C63: GetLocalTime.KERNEL32(?), ref: 00411C84
Part of subcall function 00411C63: wsprintfA.USER32 ref: 00411CB1

Part of subcall function 004125CA: memset.MSVCRT ref: 004125F2
Part of subcall function 004125CA: RegOpenKeyExA.KERNELBASE(80000002,SOFTWARE\Microsoft\Cryptography,00000000,00020119,?), ref: 00412612
Part of subcall function 004125CA: RegQueryValueExA.KERNELBASE(?,MachineGuid,00000000,00000000,00000000,000000FF), ref: 00412639
Part of subcall function 004125CA: RegCloseKey.ADVAPI32(?), ref: 00412645
Part of subcall function 004125CA: CharToOemA.USER32(00000000,?), ref: 00412659

Part of subcall function 00412667: GetCurrentHwProfileA.ADVAPI32(?), ref: 00412674

Part of subcall function 004117E0: lstrcpyA.KERNEL32(00000000,00000000), ref: 0041182C
Part of subcall function 004117E0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041183A

Part of subcall function 00411948: GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 00411964
Part of subcall function 00411948: GetVolumeInformationA.KERNELBASE(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 004119A1
Part of subcall function 00411948: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00411A18
Part of subcall function 00411948: HeapAlloc.KERNEL32(00000000), ref: 00411A1F

GetCurrentProcessId.KERNEL32(00000000,?,Path: ,00000000,?,00428FE4,00000000,?,00000000,00000000,?,HWID: ,00000000,?,00428E48,00000000), ref: 00415497

Part of subcall function 00413563: OpenProcess.KERNEL32(00000410,00000000,004154AA), ref: 00413576
Part of subcall function 00413563: K32GetModuleFileNameExA.KERNEL32(00000000,00000000,?,00000104), ref: 00413596
Part of subcall function 00413563: CloseHandle.KERNEL32(00000000), ref: 0041359F

Part of subcall function 00411ADD: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00411AF1
Part of subcall function 00411ADD: HeapAlloc.KERNEL32(00000000), ref: 00411AF8

Part of subcall function 004127AF: CoInitializeEx.OLE32(00000000,00000000,?,?,?,?,00428E48,00000000,?,00000000,00000000,?,Windows: ,00000000,?,00428FE4), ref: 004127D9
Part of subcall function 004127AF: CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,00428E48,00000000,?), ref: 004127F1
Part of subcall function 004127AF: CoCreateInstance.OLE32(0042AE78,00000000,00000001,0042ADA8,00000000,?,?,?,?,00428E48,00000000,?,00000000,00000000,?,Windows: ), ref: 0041280D
Part of subcall function 004127AF: CoSetProxyBlanket.OLE32(00000000,0000000A,00000000,00000000,00000003,00000003,00000000,00000000,?,?,?,?,00428E48,00000000,?,00000000), ref: 00412855

Part of subcall function 004129BF: CoInitializeEx.OLE32(00000000,00000000,?,?,?,Windows: ,00000000,?,00428FE4,00000000,?,Work Dir: In memory,00000000,?,00428E48,00000000), ref: 004129E9
Part of subcall function 004129BF: CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,Windows: ,00000000,?,00428FE4), ref: 00412A01
Part of subcall function 004129BF: CoCreateInstance.OLE32(0042AE78,00000000,00000001,0042ADA8,00000000,?,?,?,Windows: ,00000000,?,00428FE4,00000000,?), ref: 00412A1D
Part of subcall function 004129BF: CoSetProxyBlanket.OLE32(00000000,0000000A,00000000,00000000,00000003,00000003,00000000,00000000,?,?,?,Windows: ,00000000,?,00428FE4,00000000), ref: 00412A65

Part of subcall function 00411C21: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00415711,00000000,?,Computer Name: ,00000000,?,00428E48,00000000,?,00000000,00000000), ref: 00411C2D
Part of subcall function 00411C21: HeapAlloc.KERNEL32(00000000,?,?,?,00415711,00000000,?,Computer Name: ,00000000,?,00428E48,00000000,?,00000000,00000000,?), ref: 00411C34
Part of subcall function 00411C21: GetComputerNameA.KERNEL32(00000000,00000104), ref: 00411C4B

Part of subcall function 00411BEC: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,0041A955), ref: 00411BF8
Part of subcall function 00411BEC: HeapAlloc.KERNEL32(00000000,?,?,?,0041A955), ref: 00411BFF
Part of subcall function 00411BEC: GetUserNameA.ADVAPI32(?,00000104), ref: 00411C16

Part of subcall function 0041254A: CreateDCA.GDI32(00000000,00000000,00000000,?), ref: 0041255C
Part of subcall function 0041254A: GetDeviceCaps.GDI32(?,00000008), ref: 0041256A
Part of subcall function 0041254A: GetDeviceCaps.GDI32(?,0000000A), ref: 00412578
Part of subcall function 0041254A: ReleaseDC.USER32(00000000,?), ref: 00412586
Part of subcall function 0041254A: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00412593
Part of subcall function 0041254A: HeapAlloc.KERNEL32(00000000), ref: 0041259A
Part of subcall function 0041254A: wsprintfA.USER32 ref: 004125B1

Part of subcall function 00411D31: GetKeyboardLayoutList.USER32(00000000,00000000,00425200), ref: 00411D59
Part of subcall function 00411D31: LocalAlloc.KERNEL32(00000040,?), ref: 00411D71
Part of subcall function 00411D31: GetKeyboardLayoutList.USER32(?,00000000), ref: 00411D83
Part of subcall function 00411D31: GetLocaleInfoA.KERNEL32(00000000,00000002,?,00000200), ref: 00411DD3
Part of subcall function 00411D31: LocalFree.KERNEL32(00000000), ref: 00411E90

Part of subcall function 00411CBF: GetProcessHeap.KERNEL32(00000000,00000104,00428E48,00000000,?,00000000,00000000,?,Computer Name: ,00000000,?,00428E48,00000000,?,00000000,00000000), ref: 00411CCF
Part of subcall function 00411CBF: HeapAlloc.KERNEL32(00000000), ref: 00411CD6
Part of subcall function 00411CBF: GetTimeZoneInformation.KERNELBASE(?), ref: 00411CE9

Part of subcall function 00411EB5: GetProcessHeap.KERNEL32(00000000,00000104,00000000), ref: 00411EC9
Part of subcall function 00411EB5: HeapAlloc.KERNEL32(00000000), ref: 00411ED0
Part of subcall function 00411EB5: RegOpenKeyExA.KERNELBASE(80000002,00000000,00020119,00000000), ref: 00411EEF
Part of subcall function 00411EB5: RegQueryValueExA.KERNELBASE(00000000,00000000,00000000,000000FF,000000FF), ref: 00411F0D
Part of subcall function 00411EB5: RegCloseKey.ADVAPI32(00000000), ref: 00411F16

Part of subcall function 00411F54: GetLogicalProcessorInformationEx.KERNELBASE(0000FFFF,00000000,00000000), ref: 00411F87
Part of subcall function 00411F54: GetLastError.KERNEL32 ref: 00411F96

Part of subcall function 00411F21: GetSystemInfo.KERNELBASE(00000000), ref: 00411F2E
Part of subcall function 00411F21: wsprintfA.USER32 ref: 00411F43

Part of subcall function 00412081: GetProcessHeap.KERNEL32(00000000,00000104,?,00428E48,00000000,?,00000000,00000000,?,Windows: ,00000000,?,00428FE4,00000000,?,Work Dir: In memory), ref: 0041208E
Part of subcall function 00412081: HeapAlloc.KERNEL32(00000000), ref: 00412095
Part of subcall function 00412081: GlobalMemoryStatusEx.KERNELBASE(00000040), ref: 004120B6
Part of subcall function 00412081: __aulldiv.LIBCMT ref: 004120CE
Part of subcall function 00412081: __aulldiv.LIBCMT ref: 004120DC
Part of subcall function 00412081: wsprintfA.USER32 ref: 004120FF

Part of subcall function 0041210D: EnumDisplayDevicesA.USER32(00000000,00000000,000001A8,00000001), ref: 00412148

Part of subcall function 0041246A: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00412491
Part of subcall function 0041246A: Process32First.KERNEL32(00000000,00000128), ref: 004124A4
Part of subcall function 0041246A: Process32Next.KERNEL32(00000000,00000128), ref: 004124B8
Part of subcall function 0041246A: CloseHandle.KERNEL32(00000000), ref: 00412525

Part of subcall function 0041218B: RegOpenKeyExA.KERNELBASE(00000000,00000000,00020019,00000000,00425200), ref: 004121DE

Part of subcall function 0041218B: RegEnumKeyExA.KERNELBASE(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00412259
Part of subcall function 0041218B: wsprintfA.USER32 ref: 0041228B
Part of subcall function 0041218B: RegOpenKeyExA.KERNELBASE(00000000,?,00000000,00020019,00000000), ref: 004122AC
Part of subcall function 0041218B: RegCloseKey.ADVAPI32(00000000), ref: 004122BC
Part of subcall function 0041218B: RegCloseKey.ADVAPI32(00000000), ref: 004122C8

lstrlenA.KERNEL32(00000000,00000000,?,00428FE4,00000000,?,00000000,00000000,?,00000000,00000000,?,[Software],00000000,?,00428FE4), ref: 00415DE1

Part of subcall function 00418DB9: _MSFOpenExW.MSPDB140-MSVCRT ref: 00418E6C
Part of subcall function 00418DB9: CreateThread.KERNELBASE(00000000,00000000,00418C65,?,00000000,00000000), ref: 00418E85
Part of subcall function 00418DB9: WaitForSingleObject.KERNEL32(?,000003E8), ref: 00418E96

Strings

Keyboard Languages: , xrefs: 00415862
Work Dir: In memory, xrefs: 00415503
User Name: , xrefs: 0041575D
[Processes], xrefs: 00415C78
HWID: , xrefs: 004153E3
Date: , xrefs: 00415283
TimeZone: , xrefs: 00415967
Local Time: , xrefs: 004158EE
Path: , xrefs: 0041546F
Cores: , xrefs: 00415A81
Install Date: , xrefs: 004155CC
AV: , xrefs: 00415658
[Hardware], xrefs: 004159E0
Display Resolution: , xrefs: 004157D6
RAM: , xrefs: 00415B73
information.txt, xrefs: 00415DF6
Processor: , xrefs: 00415A08
Computer Name: , xrefs: 004156E4
[Software], xrefs: 00415D04
VideoCard: , xrefs: 00415BEC
MachineID: , xrefs: 004152EA
Version: , xrefs: 004151FA
Threads: , xrefs: 00415AFA
Windows: , xrefs: 00415553
GUID: , xrefs: 00415357

Memory Dump Source

Source File: 00000001.00000002.2893345551.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2893345551.0000000000439000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.000000000043F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000445000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004A6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004A9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004B1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004D1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004DD000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000502000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.000000000050E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.000000000052D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000539000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000005C8000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000643000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: Heap$Process$Alloc$CloseOpen$Createwsprintf$Initializelstrcpy$InformationLocalName$BlanketCapsCurrentDeviceEnumHandleInfoInstanceKeyboardLayoutListProcess32ProxyQuerySecurityTimeValue__aulldivlstrcatlstrlen$CharComputerDevicesDirectoryDisplayErrorFileFirstFreeGlobalLastLocaleLogicalMemoryModuleNextObjectProcessorProfileReleaseSingleSnapshotStatusSystemThreadToolhelp32UserVolumeWaitWindowsZonememset
String ID: AV: $Computer Name: $Cores: $Date: $Display Resolution: $GUID: $HWID: $Install Date: $Keyboard Languages: $Local Time: $MachineID: $Path: $Processor: $RAM: $Threads: $TimeZone: $User Name: $Version: $VideoCard: $Windows: $Work Dir: In memory$[Hardware]$[Processes]$[Software]$information.txt
API String ID: 3808842183-1014693891
Opcode ID: ec29a3163d9d18987f0e179795c7a0416d16bd3ffa26116ace8d5c82db2c5aaf
Instruction ID: 98b063b3ea0cf676e7d3c9db5d6b4e855844e07ef84fbbd767ca72325addcb2a
Opcode Fuzzy Hash: ec29a3163d9d18987f0e179795c7a0416d16bd3ffa26116ace8d5c82db2c5aaf
Instruction Fuzzy Hash: BC629172900118AACB15F7A1DD96DDE7379AF14305F5042AFF226B21B1EF346B88CE58

Function 004083A6 Relevance: 40.5, APIs: 22, Strings: 1, Instructions: 265
stringmemoryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00411668: lstrcpyA.KERNEL32(00425200,00000000,?), ref: 004116A7

Part of subcall function 00412D64: GetSystemTime.KERNEL32(00000000,00425200), ref: 00412D8A

Part of subcall function 0041185B: lstrlenA.KERNEL32(00428E5C,?,00428E5C,?,00000000), ref: 0041186F
Part of subcall function 0041185B: lstrcpyA.KERNEL32(00000000,?), ref: 004118A8
Part of subcall function 0041185B: lstrcatA.KERNEL32(00000000,00000000), ref: 004118B4

Part of subcall function 004117E0: lstrcpyA.KERNEL32(00000000,00000000), ref: 0041182C
Part of subcall function 004117E0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041183A

Part of subcall function 0041177A: lstrcpyA.KERNEL32(00000000,?,?,?,0041A98C,00000000,?,?,00428E5C,?,00000000), ref: 004117D3

CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00408450
GetProcessHeap.KERNEL32(00000000,000F423F), ref: 004084C9
RtlAllocateHeap.NTDLL(00000000), ref: 004084D0
lstrlenA.KERNEL32(00000000,00000000), ref: 0040856A
lstrcatA.KERNEL32(?), ref: 0040858F
lstrcatA.KERNEL32(?,00000000), ref: 004085A1
lstrcatA.KERNEL32(?,00428E50), ref: 004085AF
lstrcatA.KERNEL32(?,00000000), ref: 004085C1
lstrcatA.KERNEL32(?,00428E4C), ref: 004085CF
lstrcatA.KERNEL32(?), ref: 004085DE
lstrcatA.KERNEL32(?,00000000), ref: 004085F0
lstrcatA.KERNEL32(?,00428E48), ref: 004085FE
lstrcatA.KERNEL32(?), ref: 0040860D
lstrcatA.KERNEL32(?,00000000), ref: 0040861F
lstrcatA.KERNEL32(?,00428E48), ref: 0040862D
lstrcatA.KERNEL32(?), ref: 0040863C
lstrcatA.KERNEL32(?,00000000), ref: 0040864E
lstrcatA.KERNEL32(?,00428E48), ref: 0040865C
lstrcatA.KERNEL32(?,00428E48), ref: 0040866A
lstrlenA.KERNEL32(?), ref: 00408688
memset.MSVCRT ref: 004086D4
DeleteFileA.KERNELBASE(00000000), ref: 00408701

Part of subcall function 004116B4: lstrcpyA.KERNEL32(?,?,?,?,004118C6,00000000), ref: 004116F4

Part of subcall function 004135B9: memset.MSVCRT ref: 004135D4
Part of subcall function 004135B9: OpenProcess.KERNEL32(00001001,00000000,?), ref: 0041368A
Part of subcall function 004135B9: TerminateProcess.KERNEL32(00000000,00000000), ref: 004136A7
Part of subcall function 004135B9: CloseHandle.KERNEL32(00000000), ref: 004136B3

Strings

passwords.txt, xrefs: 00408697

Memory Dump Source

Source File: 00000001.00000002.2893345551.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2893345551.0000000000439000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.000000000043F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000445000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004A6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004A9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004B1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004D1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004DD000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000502000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.000000000050E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.000000000052D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000539000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000005C8000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000643000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: lstrcat$lstrcpy$Processlstrlen$FileHeapmemset$AllocateCloseCopyDeleteHandleOpenSystemTerminateTime
String ID: passwords.txt
API String ID: 1737540870-347816968
Opcode ID: e7516f4a65ce10130fd093f07ba65f7fdb76d7e0e32bba32449652ac384407af
Instruction ID: 4868cb4a0c5d8df9b0255056c1bbdf5f8baa826a61240bfbc382e0845978a72e
Opcode Fuzzy Hash: e7516f4a65ce10130fd093f07ba65f7fdb76d7e0e32bba32449652ac384407af
Instruction Fuzzy Hash: 00A11972900108AFDF05EBA1ED5AAED7B79FF15305F60502AF112B10B1EF3A5A44CB69

Function 00418FD9 Relevance: 34.5, APIs: 4, Strings: 15, Instructions: 1237
networksleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00411668: lstrcpyA.KERNEL32(00425200,00000000,?), ref: 004116A7

Part of subcall function 00411715: lstrlenA.KERNEL32(?,?,?,00419018,00425200,00425200,?,?,?,0041ABB6), ref: 0041171F
Part of subcall function 00411715: lstrcpyA.KERNEL32(0041ABB6,00000000,?,00419018,00425200,00425200), ref: 0041176D

Part of subcall function 0041185B: lstrlenA.KERNEL32(00428E5C,?,00428E5C,?,00000000), ref: 0041186F
Part of subcall function 0041185B: lstrcpyA.KERNEL32(00000000,?), ref: 004118A8
Part of subcall function 0041185B: lstrcatA.KERNEL32(00000000,00000000), ref: 004118B4

Part of subcall function 0041177A: lstrcpyA.KERNEL32(00000000,?,?,?,0041A98C,00000000,?,?,00428E5C,?,00000000), ref: 004117D3

Part of subcall function 004138BA: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 004138F5
Part of subcall function 004138BA: Process32First.KERNEL32(00429888,00000128), ref: 00413908
Part of subcall function 004138BA: Process32Next.KERNEL32(00429888,00000128), ref: 0041391C
Part of subcall function 004138BA: StrCmpCA.SHLWAPI(?,0042988C), ref: 00413930
Part of subcall function 004138BA: FindCloseChangeNotification.KERNELBASE(00429888), ref: 00413943

CreateDirectoryA.KERNELBASE(00000000,00000000,00000000,?,?,?,00425200,00000000), ref: 00419657
InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0041972D
InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00419747

Part of subcall function 004116B4: lstrcpyA.KERNEL32(?,?,?,?,004118C6,00000000), ref: 004116F4

Part of subcall function 00411948: GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 00411964
Part of subcall function 00411948: GetVolumeInformationA.KERNELBASE(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 004119A1
Part of subcall function 00411948: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00411A18
Part of subcall function 00411948: HeapAlloc.KERNEL32(00000000), ref: 00411A1F

Part of subcall function 004043FA: InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00404492
Part of subcall function 004043FA: StrCmpCA.SHLWAPI(?), ref: 004044B2

Part of subcall function 00414F8C: StrCmpCA.SHLWAPI(00000000,block), ref: 00414FB1
Part of subcall function 00414F8C: ExitProcess.KERNEL32 ref: 00414FBD

Part of subcall function 0040F99F: StrCmpCA.SHLWAPI(00000000,?,?), ref: 0040F9EF
Part of subcall function 0040F99F: StrCmpCA.SHLWAPI(00000000,?,?), ref: 0040FA75

Part of subcall function 004058C4: InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0040595F
Part of subcall function 004058C4: StrCmpCA.SHLWAPI(?), ref: 00405975

Part of subcall function 0041497B: strtok_s.MSVCRT ref: 004149A3
Part of subcall function 0041497B: strtok_s.MSVCRT ref: 00414A94

Part of subcall function 00417B07: lstrcatA.KERNEL32(?,00000000,?,00000104), ref: 00417B40
Part of subcall function 00417B07: lstrcatA.KERNEL32(?), ref: 00417B5E

Sleep.KERNEL32(000003E8), ref: 00419AFA

Part of subcall function 00417C93: memset.MSVCRT ref: 00417CAA
Part of subcall function 00417C93: lstrcatA.KERNEL32(?,00000000), ref: 00417CD1
Part of subcall function 00417C93: lstrcatA.KERNEL32(?,\.azure\), ref: 00417CEE
Part of subcall function 00417C93: memset.MSVCRT ref: 00417D2E
Part of subcall function 00417C93: lstrcatA.KERNEL32(?,00000000), ref: 00417D55
Part of subcall function 00417C93: lstrcatA.KERNEL32(?,\.aws\), ref: 00417D72
Part of subcall function 00417C93: memset.MSVCRT ref: 00417DB2
Part of subcall function 00417C93: lstrcatA.KERNEL32(?,00000000), ref: 00417DD9
Part of subcall function 00417C93: lstrcatA.KERNEL32(?,\.IdentityService\), ref: 00417DF6

Part of subcall function 00404E03: lstrlenA.KERNEL32(00000000), ref: 00404E8B
Part of subcall function 00404E03: StrCmpCA.SHLWAPI(?,00425200,00425200,00425200,00425200), ref: 00404EEF
Part of subcall function 00404E03: InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00404F17

Strings

d, xrefs: 0041A217
tea, xrefs: 00419F9C
d, xrefs: 00419106
org, xrefs: 0041A082
d, xrefs: 00419147
.exe, xrefs: 00419557, 00419EF7
d, xrefs: 0041A26E
arp, xrefs: 00419FF8
d, xrefs: 0041A1C0
2, xrefs: 0041A169
d, xrefs: 00419188
_DEBUG.zip, xrefs: 0041A0C1
2, xrefs: 004191C9
http://, xrefs: 00419F6E
dabl, xrefs: 0041A026

Memory Dump Source

Source File: 00000001.00000002.2893345551.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2893345551.0000000000439000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.000000000043F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000445000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004A6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004A9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004B1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004D1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004DD000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000502000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.000000000050E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.000000000052D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000539000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000005C8000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000643000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: lstrcat$InternetOpenlstrcpy$lstrlenmemset$CreateDirectoryHeapProcessProcess32strtok_s$AllocChangeCloseExitFindFirstInformationNextNotificationSleepSnapshotToolhelp32VolumeWindows
String ID: .exe$2$2$_DEBUG.zip$arp$d$d$d$d$d$d$dabl$http://$org$tea
API String ID: 4021577771-4025179836
Opcode ID: d8ddd20c65dbe4accbe59cdc2a04e807221df0d548ce8610666dd4a4d36cae5e
Instruction ID: 114828df09490f9f1d13115ca2c7a84a7d1e175cc6150afb538a57f6698be508
Opcode Fuzzy Hash: d8ddd20c65dbe4accbe59cdc2a04e807221df0d548ce8610666dd4a4d36cae5e
Instruction Fuzzy Hash: 93B22F71D041289ADB14FB61DC96ADDB778AB11304F5440EAE50EA21A1DF3C6FC8CF69

Function 00408741 Relevance: 32.0, APIs: 21, Instructions: 471
stringmemoryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004118F6: StrCmpCA.SHLWAPI(?,?), ref: 00411913

GetProcessHeap.KERNEL32(00000000,000F423F), ref: 00408A97
RtlAllocateHeap.NTDLL(00000000), ref: 00408A9E
CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00408885

Part of subcall function 00411715: lstrlenA.KERNEL32(?,?,?,00419018,00425200,00425200,?,?,?,0041ABB6), ref: 0041171F
Part of subcall function 00411715: lstrcpyA.KERNEL32(0041ABB6,00000000,?,00419018,00425200,00425200), ref: 0041176D

Part of subcall function 004117E0: lstrcpyA.KERNEL32(00000000,00000000), ref: 0041182C
Part of subcall function 004117E0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041183A

Part of subcall function 0041177A: lstrcpyA.KERNEL32(00000000,?,?,?,0041A98C,00000000,?,?,00428E5C,?,00000000), ref: 004117D3

Part of subcall function 0041185B: lstrlenA.KERNEL32(00428E5C,?,00428E5C,?,00000000), ref: 0041186F
Part of subcall function 0041185B: lstrcpyA.KERNEL32(00000000,?), ref: 004118A8
Part of subcall function 0041185B: lstrcatA.KERNEL32(00000000,00000000), ref: 004118B4

lstrcatA.KERNEL32(?,00000000,00000000,00428E58,00428E58,00000000), ref: 00408BCD
lstrcatA.KERNEL32(?,00428E54), ref: 00408BDB
lstrcatA.KERNEL32(?,00000000), ref: 00408BED
lstrcatA.KERNEL32(?,00428E54), ref: 00408BFB
lstrcatA.KERNEL32(?,00000000), ref: 00408C0D
lstrcatA.KERNEL32(?,00428E54), ref: 00408C1B
lstrcatA.KERNEL32(?,00000000), ref: 00408C2D
lstrcatA.KERNEL32(?,00428E54), ref: 00408C3B
lstrcatA.KERNEL32(?,00000000), ref: 00408C4D
lstrcatA.KERNEL32(?,00428E54), ref: 00408C5B
lstrcatA.KERNEL32(?,00000000), ref: 00408C6D
lstrcatA.KERNEL32(?,00428E54), ref: 00408C7B
lstrcatA.KERNEL32(?,00000000), ref: 00408CBD
lstrcatA.KERNEL32(?,00428E48), ref: 00408CD6
lstrlenA.KERNEL32(?), ref: 00408D14
lstrlenA.KERNEL32(?), ref: 00408D22
memset.MSVCRT ref: 00408D6D

Part of subcall function 00411668: lstrcpyA.KERNEL32(00425200,00000000,?), ref: 004116A7

DeleteFileA.KERNELBASE(00000000), ref: 00408D92

Memory Dump Source

Source File: 00000001.00000002.2893345551.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2893345551.0000000000439000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.000000000043F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000445000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004A6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004A9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004B1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004D1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004DD000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000502000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.000000000050E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.000000000052D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000539000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000005C8000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000643000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: lstrcat$lstrcpy$lstrlen$FileHeap$AllocateCopyDeleteProcessmemset
String ID:
API String ID: 1498849721-0
Opcode ID: 9e96b593e49dfbaf82baf5f3f7b14edd2bd44551348f714d62c2555fbf218532
Instruction ID: 75b67620860664da6d1f04eed94d7d10b36c4f27a8908ca0f5e9c5d632b00ffa
Opcode Fuzzy Hash: 9e96b593e49dfbaf82baf5f3f7b14edd2bd44551348f714d62c2555fbf218532
Instruction Fuzzy Hash: 02021D71900109AADB05FBA1ED56EEE7779EF11309F50406AF216B10F1EF395A88CB68

Function 0042095B Relevance: 28.6, APIs: 14, Strings: 2, Instructions: 617
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

T, xrefs: 00420CE3
U, xrefs: 00420CDC

Memory Dump Source

Source File: 00000001.00000002.2893345551.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2893345551.0000000000439000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.000000000043F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000445000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004A6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004A9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004B1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004D1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004DD000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000502000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.000000000050E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.000000000052D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000539000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000005C8000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000643000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID:
String ID: T$U
API String ID: 0-2115836835
Opcode ID: 10f69da23589928bea78b6bdb87915afbf723c228a04615c940d6145975852ec
Instruction ID: 4e7ab3bbaac243ee1ce136935939dafd3e3fd9ddb02e4ea4b8407d5d40478ec4
Opcode Fuzzy Hash: 10f69da23589928bea78b6bdb87915afbf723c228a04615c940d6145975852ec
Instruction Fuzzy Hash: 626218B4A042A9CFDB20CF54D884BE9B7B4AF14305F5440DBEA09A7252D7389E89CF59

Function 004043FA Relevance: 28.5, APIs: 12, Strings: 4, Instructions: 451
networkstringfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004116B4: lstrcpyA.KERNEL32(?,?,?,?,004118C6,00000000), ref: 004116F4

Part of subcall function 0040430F: ??_U@YAPAXI@Z.MSVCRT ref: 00404373
Part of subcall function 0040430F: ??_U@YAPAXI@Z.MSVCRT ref: 00404387
Part of subcall function 0040430F: ??_U@YAPAXI@Z.MSVCRT ref: 0040439B
Part of subcall function 0040430F: lstrlenA.KERNEL32(00000000,00000000,0000003C), ref: 004043B9
Part of subcall function 0040430F: InternetCrackUrlA.WININET(00000000,00000000), ref: 004043C9

Part of subcall function 00411668: lstrcpyA.KERNEL32(00425200,00000000,?), ref: 004116A7

InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00404492
StrCmpCA.SHLWAPI(?), ref: 004044B2
InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 0040462C
HttpOpenRequestA.WININET(00000000,?,00000000,00000000,00400100,00000000), ref: 00404682
InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 004046BA

Part of subcall function 0041185B: lstrlenA.KERNEL32(00428E5C,?,00428E5C,?,00000000), ref: 0041186F
Part of subcall function 0041185B: lstrcpyA.KERNEL32(00000000,?), ref: 004118A8
Part of subcall function 0041185B: lstrcatA.KERNEL32(00000000,00000000), ref: 004118B4

Part of subcall function 0041177A: lstrcpyA.KERNEL32(00000000,?,?,?,0041A98C,00000000,?,?,00428E5C,?,00000000), ref: 004117D3

Part of subcall function 004117E0: lstrcpyA.KERNEL32(00000000,00000000), ref: 0041182C
Part of subcall function 004117E0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041183A

lstrlenA.KERNEL32(00000000,00000000,?,?,?,?,00425200,00000000,?,?,00000000,?,",00000000,?,build_id), ref: 0040497C
lstrlenA.KERNEL32(00000000,00000000,00000000), ref: 00404998
HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 004049AB
InternetReadFile.WININET(00000000,?,000007CF,?), ref: 004049D5
InternetCloseHandle.WININET(00000000), ref: 00404A38
InternetCloseHandle.WININET(00000000), ref: 00404A4F
InternetCloseHandle.WININET(00000000), ref: 00404A58

Strings

", xrefs: 00404788, 004048C7
hwid, xrefs: 00404760
build_id, xrefs: 0040489F
------, xrefs: 00404534, 004046C0, 004047FF

Memory Dump Source

Source File: 00000001.00000002.2893345551.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2893345551.0000000000439000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.000000000043F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000445000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004A6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004A9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004B1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004D1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004DD000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000502000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.000000000050E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.000000000052D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000539000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000005C8000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000643000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: Internet$lstrcpy$lstrlen$CloseHandle$HttpOpenRequestlstrcat$ConnectCrackFileOptionReadSend
String ID: "$------$build_id$hwid
API String ID: 3006978581-50533134
Opcode ID: cceb3a196459d883b403675918582489495ab2fed22875715751cb834377af79
Instruction ID: 067cb1f7702ceabbac9578a1173a021fc80b9e748851ef74f8b32e742b117f95
Opcode Fuzzy Hash: cceb3a196459d883b403675918582489495ab2fed22875715751cb834377af79
Instruction Fuzzy Hash: 22124E71900218AADB15EBA1DD92FDEB379BF15305F5000AAF216B21E1DF386B88CF54

Function 004127AF Relevance: 28.2, APIs: 10, Strings: 6, Instructions: 172
memorycomtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoInitializeEx.OLE32(00000000,00000000,?,?,?,?,00428E48,00000000,?,00000000,00000000,?,Windows: ,00000000,?,00428FE4), ref: 004127D9
CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,00428E48,00000000,?), ref: 004127F1
CoCreateInstance.OLE32(0042AE78,00000000,00000001,0042ADA8,00000000,?,?,?,?,00428E48,00000000,?,00000000,00000000,?,Windows: ), ref: 0041280D
CoSetProxyBlanket.OLE32(00000000,0000000A,00000000,00000000,00000003,00000003,00000000,00000000,?,?,?,?,00428E48,00000000,?,00000000), ref: 00412855
VariantInit.OLEAUT32(?), ref: 004128C1
FileTimeToSystemTime.KERNEL32(?,00000000,?,?,?,?,00428E48,00000000,?,00000000,00000000,?,Windows: ,00000000), ref: 004128FA
GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00428E48,00000000,?,00000000,00000000,?,Windows: ,00000000), ref: 00412907
HeapAlloc.KERNEL32(00000000,?,?,?,?,00428E48,00000000,?,00000000,00000000,?,Windows: ,00000000), ref: 0041290E
wsprintfA.USER32 ref: 0041293D
VariantClear.OLEAUT32(?), ref: 00412955

Strings

Select * From Win32_OperatingSystem, xrefs: 0041285F
%d/%d/%d %d:%d:%d, xrefs: 00412935
ROOT\CIMV2, xrefs: 00412817
WQL, xrefs: 00412871
Unknown, xrefs: 0041296A, 0041297E, 004129A0
InstallDate, xrefs: 004128D1

Memory Dump Source

Source File: 00000001.00000002.2893345551.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2893345551.0000000000439000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.000000000043F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000445000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004A6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004A9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004B1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004D1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004DD000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000502000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.000000000050E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.000000000052D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000539000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000005C8000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000643000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: HeapInitializeTimeVariant$AllocBlanketClearCreateFileInitInstanceProcessProxySecuritySystemwsprintf
String ID: %d/%d/%d %d:%d:%d$InstallDate$ROOT\CIMV2$Select * From Win32_OperatingSystem$Unknown$WQL
API String ID: 1977436990-271508173
Opcode ID: ba33cfd2da918b761e9130eb7da6f96fb9872cbbfcfe80a5cabb4ca5af105773
Instruction ID: b87b7ae96d8d1a7714e06012ec36ed585f0f60198b44980e8310200412a3d949
Opcode Fuzzy Hash: ba33cfd2da918b761e9130eb7da6f96fb9872cbbfcfe80a5cabb4ca5af105773
Instruction Fuzzy Hash: B561F671A40218BFDB10DB94DD46FEDBBB8BB08B11F604116F611FA1D0C7B8A991CB69

Function 00404239 Relevance: 27.1, APIs: 12, Strings: 6, Instructions: 73memorystringCOMMON

Download Yara Rule

APIs

LocalAlloc.KERNELBASE(00000040,?,?,?,?,?,0040234D,004257D0,AVAI4Z1EK55HX1Z,0000000F,?,0041A87E), ref: 00404246
wcslen.MSVCRT ref: 00404272
wcslen.MSVCRT ref: 0040427D
wcslen.MSVCRT ref: 00404288
wcslen.MSVCRT ref: 00404293
strlen.MSVCRT ref: 004042A5
wcslen.MSVCRT ref: 004042CA
wcslen.MSVCRT ref: 004042D5
wcslen.MSVCRT ref: 004042E2
wcslen.MSVCRT ref: 004042ED
wcslen.MSVCRT ref: 004042F8
wcslen.MSVCRT ref: 00404303

Strings

GAS5 noncoding RNA, which accumulates in growth arrested cells, acts as a decoy hormone response element for the glucocorticoid re, xrefs: 004042D0
Organ perforation is a complete penetration of the wall of a hollow organ in the body, such as the gastrointestinal tract in the c, xrefs: 00404278, 004042E8
Niedert is an Ortsgemeinde , xrefs: 00404283, 004042F3
The KLW SE10B is a low-emissions diesel switcher locomotive built by Knoxville Locomotive Works. It is powered by a single MTU Ser, xrefs: 004042C5
Chrysorabdia bivitta is a moth of the subfamily Arctiinae first described by Francis Walker in 1856., xrefs: 0040426D, 004042DD
Ici Radio-Canada Tl (stylized as ICI Radio-Canada Tl, and sometimes abbreviated as Ici Tl) is a Canadian French-language fre, xrefs: 0040428E, 004042FE

Memory Dump Source

Source File: 00000001.00000002.2893345551.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2893345551.0000000000439000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.000000000043F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000445000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004A6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004A9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004B1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004D1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004DD000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000502000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.000000000050E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.000000000052D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000539000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000005C8000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000643000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: wcslen$AllocLocalstrlen
String ID: Chrysorabdia bivitta is a moth of the subfamily Arctiinae first described by Francis Walker in 1856.$GAS5 noncoding RNA, which accumulates in growth arrested cells, acts as a decoy hormone response element for the glucocorticoid re$Ici Radio-Canada Tl (stylized as ICI Radio-Canada Tl, and sometimes abbreviated as Ici Tl) is a Canadian French-language fre$Niedert is an Ortsgemeinde $Organ perforation is a complete penetration of the wall of a hollow organ in the body, such as the gastrointestinal tract in the c$The KLW SE10B is a low-emissions diesel switcher locomotive built by Knoxville Locomotive Works. It is powered by a single MTU Ser
API String ID: 224765317-2971033767
Opcode ID: b2908c616810051979d5b7c1935cb1d71aeefb77bac9279ab48edbe17b9693c0
Instruction ID: 15c8a1cfb45bc9c132fd9fd4faededd5fc4f4c62c30039555f1f88a1b54c1e58
Opcode Fuzzy Hash: b2908c616810051979d5b7c1935cb1d71aeefb77bac9279ab48edbe17b9693c0
Instruction Fuzzy Hash: 9A213071785268AFDB04EBE9F8C7B5CBBE4EFD4714FA0006FF40496191DEB869408619

Function 00404AD5 Relevance: 24.7, APIs: 13, Strings: 1, Instructions: 197networkmemoryfileCOMMON

Download Yara Rule

APIs

Part of subcall function 004116B4: lstrcpyA.KERNEL32(?,?,?,?,004118C6,00000000), ref: 004116F4

Part of subcall function 0040430F: ??_U@YAPAXI@Z.MSVCRT ref: 00404373
Part of subcall function 0040430F: ??_U@YAPAXI@Z.MSVCRT ref: 00404387
Part of subcall function 0040430F: ??_U@YAPAXI@Z.MSVCRT ref: 0040439B
Part of subcall function 0040430F: lstrlenA.KERNEL32(00000000,00000000,0000003C), ref: 004043B9
Part of subcall function 0040430F: InternetCrackUrlA.WININET(00000000,00000000), ref: 004043C9

GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 00404B22
RtlAllocateHeap.NTDLL(00000000), ref: 00404B29
InternetOpenA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00404B54
StrCmpCA.SHLWAPI(?), ref: 00404B6D
InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00404BA1
HttpOpenRequestA.WININET(00000000,GET,?,00000000,00000000,00400100,00000000), ref: 00404C00
InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 00404C38
HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00404C49
HttpQueryInfoA.WININET(00000000,00000013,?,00000100,00000000), ref: 00404C74
InternetReadFile.WININET(00000000,?,00000400,00000000), ref: 00404D05
InternetCloseHandle.WININET(00000000), ref: 00404D9B
InternetCloseHandle.WININET(00000000), ref: 00404DA7
InternetCloseHandle.WININET(00000000), ref: 00404DC5

Strings

GET, xrefs: 00404BF5

Memory Dump Source

Source File: 00000001.00000002.2893345551.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2893345551.0000000000439000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.000000000043F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000445000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004A6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004A9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004B1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004D1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004DD000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000502000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.000000000050E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.000000000052D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000539000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000005C8000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000643000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandleHttp$HeapOpenRequest$AllocateConnectCrackFileInfoOptionProcessQueryReadSendlstrcpylstrlen
String ID: GET
API String ID: 442264750-1805413626
Opcode ID: f16c31e6c77223db1b221cad6f523a7c8a9ce9fa98b564ab69779ee6bb960051
Instruction ID: d037288fe89579f4ab5843d1a5928f681561e61fb867290b5a494df79b11f7d7
Opcode Fuzzy Hash: f16c31e6c77223db1b221cad6f523a7c8a9ce9fa98b564ab69779ee6bb960051
Instruction Fuzzy Hash: 769115B4900228AFDF20DF50DC45BEEB7B5BB45306F1040EAE609B6291DB796AC4DF49

Function 0041218B Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 164registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00411668: lstrcpyA.KERNEL32(00425200,00000000,?), ref: 004116A7

RegOpenKeyExA.KERNELBASE(00000000,00000000,00020019,00000000,00425200), ref: 004121DE
RegEnumKeyExA.KERNELBASE(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00412259
wsprintfA.USER32 ref: 0041228B
RegOpenKeyExA.KERNELBASE(00000000,?,00000000,00020019,00000000), ref: 004122AC
RegCloseKey.ADVAPI32(00000000), ref: 004122BC
RegCloseKey.ADVAPI32(00000000), ref: 004122C8

Part of subcall function 004116B4: lstrcpyA.KERNEL32(?,?,?,?,004118C6,00000000), ref: 004116F4

Strings

- , xrefs: 004123D0
%s\%s, xrefs: 0041227F
?, xrefs: 004121B9

Memory Dump Source

Source File: 00000001.00000002.2893345551.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2893345551.0000000000439000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.000000000043F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000445000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004A6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004A9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004B1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004D1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004DD000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000502000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.000000000050E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.000000000052D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000539000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000005C8000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000643000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: CloseOpenlstrcpy$Enumwsprintf
String ID: - $%s\%s$?
API String ID: 3246050789-3278919252
Opcode ID: db84e063afdd8ab9a369cff0a91b897787bc4edace59e265c4489125e3bbefbc
Instruction ID: 317e1264205bd673c815d3a78023c7176152d2c53d3ea0851a7731e254f809d5
Opcode Fuzzy Hash: db84e063afdd8ab9a369cff0a91b897787bc4edace59e265c4489125e3bbefbc
Instruction Fuzzy Hash: 1C71F47290012CABEB64EB50DD45FD973B9BF04305F5086EAE209A20A1DF746BC9CF94

Function 00406312 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 184networkfileCOMMON

Download Yara Rule

APIs

Part of subcall function 004116B4: lstrcpyA.KERNEL32(?,?,?,?,004118C6,00000000), ref: 004116F4

Part of subcall function 0040430F: ??_U@YAPAXI@Z.MSVCRT ref: 00404373
Part of subcall function 0040430F: ??_U@YAPAXI@Z.MSVCRT ref: 00404387
Part of subcall function 0040430F: ??_U@YAPAXI@Z.MSVCRT ref: 0040439B
Part of subcall function 0040430F: lstrlenA.KERNEL32(00000000,00000000,0000003C), ref: 004043B9
Part of subcall function 0040430F: InternetCrackUrlA.WININET(00000000,00000000), ref: 004043C9

Part of subcall function 00411668: lstrcpyA.KERNEL32(00425200,00000000,?), ref: 004116A7

InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00406373
StrCmpCA.SHLWAPI(?), ref: 00406390
InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 004063BE
HttpOpenRequestA.WININET(00000000,GET,?,00000000,00000000,00400100,00000000), ref: 0040640A
InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 00406442
HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00406453
HttpQueryInfoA.WININET(00000000,00000013,?,00000100,00000000), ref: 0040647E
InternetReadFile.WININET(00000000,?,000007CF,?), ref: 004064F3
InternetCloseHandle.WININET(00000000), ref: 0040657C
InternetCloseHandle.WININET(00000000), ref: 00406585
InternetCloseHandle.WININET(00000000), ref: 0040658E

Strings

GET, xrefs: 00406402
ERROR, xrefs: 00406488, 0040654F

Memory Dump Source

Source File: 00000001.00000002.2893345551.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2893345551.0000000000439000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.000000000043F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000445000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004A6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004A9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004B1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004D1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004DD000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000502000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.000000000050E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.000000000052D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000539000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000005C8000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000643000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandleHttp$OpenRequestlstrcpy$ConnectCrackFileInfoOptionQueryReadSendlstrlen
String ID: ERROR$GET
API String ID: 3749127164-3591763792
Opcode ID: 963ac1e056751af433d780a8216807e69140fad55e256c3b4c315ddae2ff65c2
Instruction ID: 51cd531d8c454c4eabdc451ce72ca3cccbe2bef7883915b0542a7032e80e54d3
Opcode Fuzzy Hash: 963ac1e056751af433d780a8216807e69140fad55e256c3b4c315ddae2ff65c2
Instruction Fuzzy Hash: 9E710871900218EFDF21EFA0DC45BDD7B75AB05305F6040AAF606BA1E0DBB96A94CF49

Function 00418167 Relevance: 21.7, APIs: 11, Strings: 1, Instructions: 749COMMON

Download Yara Rule

APIs

Part of subcall function 00411715: lstrlenA.KERNEL32(?,?,?,00419018,00425200,00425200,?,?,?,0041ABB6), ref: 0041171F
Part of subcall function 00411715: lstrcpyA.KERNEL32(0041ABB6,00000000,?,00419018,00425200,00425200), ref: 0041176D

Part of subcall function 00411668: lstrcpyA.KERNEL32(00425200,00000000,?), ref: 004116A7

StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 004182BD
StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00418321

Part of subcall function 0041177A: lstrcpyA.KERNEL32(00000000,?,?,?,0041A98C,00000000,?,?,00428E5C,?,00000000), ref: 004117D3

Part of subcall function 004116B4: lstrcpyA.KERNEL32(?,?,?,?,004118C6,00000000), ref: 004116F4

Part of subcall function 00417E48: StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00417E8B

Part of subcall function 00417F35: StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00417F96
Part of subcall function 00417F35: lstrlenA.KERNEL32(00000000), ref: 00417FAD
Part of subcall function 00417F35: StrStrA.SHLWAPI(00000000,00000000), ref: 00417FDD
Part of subcall function 00417F35: lstrlenA.KERNEL32(00000000), ref: 00417FF9
Part of subcall function 00417F35: lstrlenA.KERNEL32(00000000), ref: 0041801F

StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 0041840E
StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00418519
StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00418606
StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00418711
StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 004187FE
StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00418909
StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00418B01

Strings

ERROR, xrefs: 004182AF, 00418313, 00418400, 0041850B, 004185F8, 00418703, 004187F0, 004188FB, 004189E8, 00418AF3

Memory Dump Source

Source File: 00000001.00000002.2893345551.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2893345551.0000000000439000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.000000000043F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000445000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004A6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004A9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004B1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004D1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004DD000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000502000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.000000000050E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.000000000052D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000539000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000005C8000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000643000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: lstrcpylstrlen
String ID: ERROR
API String ID: 2001356338-2861137601
Opcode ID: 601a58bd0b0876066a53ea39e9bf7ef070bc13c226733b0f19d5a4e6bce83ed6
Instruction ID: 2f695ca300a8a73312befe9c8800e9116e76318d555d5372ca32ba18f7f60556
Opcode Fuzzy Hash: 601a58bd0b0876066a53ea39e9bf7ef070bc13c226733b0f19d5a4e6bce83ed6
Instruction Fuzzy Hash: 2D4232719001085ACB14FBF1ED5B9EE7378AF10305F90416FF516A61E2EF7C9A88CA99

Function 00411948 Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 116memorystringCOMMON

Download Yara Rule

APIs

GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 00411964
GetVolumeInformationA.KERNELBASE(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 004119A1
GetProcessHeap.KERNEL32(00000000,00000104), ref: 00411A18
HeapAlloc.KERNEL32(00000000), ref: 00411A1F
wsprintfA.USER32 ref: 00411A54
lstrcatA.KERNEL32(00000000,00429270), ref: 00411A65

Part of subcall function 00412667: GetCurrentHwProfileA.ADVAPI32(?), ref: 00412674

lstrlenA.KERNEL32(00000000), ref: 00411A7E

Part of subcall function 004136CE: malloc.MSVCRT ref: 004136D5
Part of subcall function 004136CE: strncpy.MSVCRT ref: 004136EB

lstrcatA.KERNEL32(00000000,00000000), ref: 00411AAC

Part of subcall function 00411668: lstrcpyA.KERNEL32(00425200,00000000,?), ref: 004116A7

Strings

:, xrefs: 0041197E
\, xrefs: 00411982
C, xrefs: 0041196E

Memory Dump Source

Source File: 00000001.00000002.2893345551.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2893345551.0000000000439000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.000000000043F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000445000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004A6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004A9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004B1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004D1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004DD000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000502000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.000000000050E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.000000000052D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000539000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000005C8000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000643000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: Heaplstrcat$AllocCurrentDirectoryInformationProcessProfileVolumeWindowslstrcpylstrlenmallocstrncpywsprintf
String ID: :$C$\
API String ID: 2389002695-3809124531
Opcode ID: 23f1d57f010f06b3a3b0b73a3a18805c0e588e37821cf8b5f81c9e51efc94560
Instruction ID: b4310f208fa9535f9906633d23b413fd942b8933ce9b069d1c57af1ba558f1c2
Opcode Fuzzy Hash: 23f1d57f010f06b3a3b0b73a3a18805c0e588e37821cf8b5f81c9e51efc94560
Instruction Fuzzy Hash: EC417E71D0024CAFDF10EBA0DD59BED7BB8AF05305F10009AF219A61A1DB799BC4CB68

Function 0040613F Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 130networkfileCOMMON

Download Yara Rule

APIs

Part of subcall function 004116B4: lstrcpyA.KERNEL32(?,?,?,?,004118C6,00000000), ref: 004116F4

Part of subcall function 0040430F: ??_U@YAPAXI@Z.MSVCRT ref: 00404373
Part of subcall function 0040430F: ??_U@YAPAXI@Z.MSVCRT ref: 00404387
Part of subcall function 0040430F: ??_U@YAPAXI@Z.MSVCRT ref: 0040439B
Part of subcall function 0040430F: lstrlenA.KERNEL32(00000000,00000000,0000003C), ref: 004043B9
Part of subcall function 0040430F: InternetCrackUrlA.WININET(00000000,00000000), ref: 004043C9

InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 004061A8
StrCmpCA.SHLWAPI(?,?,?,?,?,?,?,?), ref: 004061E6
InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,00000100,00000000), ref: 00406229
CreateFileA.KERNELBASE(00000000,40000000,00000003,00000000,00000002,00000080,00000000,?,?,?,?,?,?,?), ref: 0040624D
InternetReadFile.WININET(8cA,?,00000400,?), ref: 00406271
WriteFile.KERNEL32(?,?,00000000,?,00000000,?,?,?,?,?,?,?), ref: 0040629D
CloseHandle.KERNEL32(?,?,00000400,?,?,?,?,?,?,?), ref: 004062DB
InternetCloseHandle.WININET(8cA), ref: 004062E4
InternetCloseHandle.WININET(?), ref: 004062F0

Strings

8cA, xrefs: 004062E1, 0040626E

Memory Dump Source

Source File: 00000001.00000002.2893345551.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2893345551.0000000000439000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.000000000043F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000445000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004A6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004A9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004B1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004D1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004DD000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000502000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.000000000050E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.000000000052D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000539000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000005C8000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000643000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: Internet$CloseFileHandle$Open$CrackCreateReadWritelstrcpylstrlen
String ID: 8cA
API String ID: 2507841554-2586977368
Opcode ID: 23bbd80859a5ae626456c0e29d0c535548952ba2e1dd46435b22cc47d41a132e
Instruction ID: 322e9e665ac9740ae3a6c79426317fb00e7d6d1b0345a24b3972b26df0cd3c85
Opcode Fuzzy Hash: 23bbd80859a5ae626456c0e29d0c535548952ba2e1dd46435b22cc47d41a132e
Instruction Fuzzy Hash: BC515CB190021CABDF20EF60DC45BED7779FB01305F1050AAE616BA1E1DB786A99CF58

Function 0040F99F Relevance: 14.4, APIs: 6, Strings: 2, Instructions: 360COMMON

Download Yara Rule

APIs

StrCmpCA.SHLWAPI(00000000,?,?), ref: 0040F9EF
StrCmpCA.SHLWAPI(00000000,?,?), ref: 0040FA75
StrCmpCA.SHLWAPI(00000000,?,?), ref: 0040FB84

Part of subcall function 004116B4: lstrcpyA.KERNEL32(?,?,?,?,004118C6,00000000), ref: 004116F4

StrCmpCA.SHLWAPI(00000000), ref: 0040FC57
StrCmpCA.SHLWAPI(00000000), ref: 0040FCDD

Strings

Stable\, xrefs: 0040FA90, 0040FCF8
firefox, xrefs: 0040FDE2

Memory Dump Source

Source File: 00000001.00000002.2893345551.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2893345551.0000000000439000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.000000000043F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000445000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004A6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004A9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004B1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004D1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004DD000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000502000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.000000000050E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.000000000052D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000539000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000005C8000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000643000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: lstrcpy
String ID: Stable\$firefox
API String ID: 3722407311-3160656979
Opcode ID: 4574c3fe41a2655a61f88f0eef0b3d3de2eb2ac0277edcd828de38c39bfa1635
Instruction ID: 87d147e04e3a24980a39275aa9b0abb6dd5f2e96552c08bd51d602dc9e077d04
Opcode Fuzzy Hash: 4574c3fe41a2655a61f88f0eef0b3d3de2eb2ac0277edcd828de38c39bfa1635
Instruction Fuzzy Hash: 18D16772A001099BCF24FBB5DD96FDD77B9BB50304F10402AE906EB1A1EE35DA48C795

Function 00412081 Relevance: 14.0, APIs: 6, Strings: 2, Instructions: 44memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,?,00428E48,00000000,?,00000000,00000000,?,Windows: ,00000000,?,00428FE4,00000000,?,Work Dir: In memory), ref: 0041208E
HeapAlloc.KERNEL32(00000000), ref: 00412095
GlobalMemoryStatusEx.KERNELBASE(00000040), ref: 004120B6
__aulldiv.LIBCMT ref: 004120CE
__aulldiv.LIBCMT ref: 004120DC
wsprintfA.USER32 ref: 004120FF

Strings

@, xrefs: 004120AB
%d MB, xrefs: 004120F7

Memory Dump Source

Source File: 00000001.00000002.2893345551.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2893345551.0000000000439000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.000000000043F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000445000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004A6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004A9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004B1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004D1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004DD000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000502000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.000000000050E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.000000000052D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000539000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000005C8000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000643000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: Heap__aulldiv$AllocGlobalMemoryProcessStatuswsprintf
String ID: %d MB$@
API String ID: 2886426298-3474575989
Opcode ID: e44640eb945edcdb330fccb508c3ea3b329ff7572ab2c3ac08101b3669067511
Instruction ID: da943534dc948d73dd967abc6d37c718adf03b454bdf056c0f5a7879574b1967
Opcode Fuzzy Hash: e44640eb945edcdb330fccb508c3ea3b329ff7572ab2c3ac08101b3669067511
Instruction Fuzzy Hash: 71015EB0E40218BFEF00AFE0DC0ABADBBB9FB05749F104409F314B9090C7B866519B58

Function 0040430F Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 70stringnetworkCOMMON

Download Yara Rule

APIs

??_U@YAPAXI@Z.MSVCRT ref: 00404373
??_U@YAPAXI@Z.MSVCRT ref: 00404387
??_U@YAPAXI@Z.MSVCRT ref: 0040439B
lstrlenA.KERNEL32(00000000,00000000,0000003C), ref: 004043B9
InternetCrackUrlA.WININET(00000000,00000000), ref: 004043C9

Strings

<, xrefs: 0040431A
<, xrefs: 0040435B

Memory Dump Source

Source File: 00000001.00000002.2893345551.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2893345551.0000000000439000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.000000000043F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000445000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004A6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004A9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004B1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004D1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004DD000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000502000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.000000000050E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.000000000052D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000539000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000005C8000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000643000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: CrackInternetlstrlen
String ID: <$<
API String ID: 1274457161-213342407
Opcode ID: 94d81e5e955a971915de60a229a9877af64f0f003ab4a34939c35b93bd59b886
Instruction ID: 01f5d62e614e23a6b162f059a70a9e0953d43a02f97c16b9683ed6508c4b1ff7
Opcode Fuzzy Hash: 94d81e5e955a971915de60a229a9877af64f0f003ab4a34939c35b93bd59b886
Instruction Fuzzy Hash: 48214771D00218AFDB10DFA9E881BCDBBB4BB04324F10815AE669F72A0DB345A85CF10

Function 004125CA Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 39registryCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 004125F2
RegOpenKeyExA.KERNELBASE(80000002,SOFTWARE\Microsoft\Cryptography,00000000,00020119,?), ref: 00412612
RegQueryValueExA.KERNELBASE(?,MachineGuid,00000000,00000000,00000000,000000FF), ref: 00412639
RegCloseKey.ADVAPI32(?), ref: 00412645
CharToOemA.USER32(00000000,?), ref: 00412659

Strings

MachineGuid, xrefs: 0041262E
SOFTWARE\Microsoft\Cryptography, xrefs: 00412608

Memory Dump Source

Source File: 00000001.00000002.2893345551.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2893345551.0000000000439000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.000000000043F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000445000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004A6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004A9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004B1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004D1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004DD000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000502000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.000000000050E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.000000000052D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000539000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000005C8000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000643000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: CharCloseOpenQueryValuememset
String ID: MachineGuid$SOFTWARE\Microsoft\Cryptography
API String ID: 2391366103-1211650757
Opcode ID: 195b74b0a96cc35dac2f772ac61cfb819d8275be74710b7e5bc2e41235a95a6e
Instruction ID: 19f088c07c09de6674c761c0d1b751acc79a05fefe0ca058460f00b60f9401a7
Opcode Fuzzy Hash: 195b74b0a96cc35dac2f772ac61cfb819d8275be74710b7e5bc2e41235a95a6e
Instruction Fuzzy Hash: 1B016275A4022DBBDB209B50DD4AFDA777CEB14704F5001E1B688F6091DBF46AC48F54

Function 00417F35 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 138stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00411668: lstrcpyA.KERNEL32(00425200,00000000,?), ref: 004116A7

Part of subcall function 004116B4: lstrcpyA.KERNEL32(?,?,?,?,004118C6,00000000), ref: 004116F4

Part of subcall function 00406312: InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00406373
Part of subcall function 00406312: StrCmpCA.SHLWAPI(?), ref: 00406390
Part of subcall function 00406312: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 004063BE
Part of subcall function 00406312: HttpOpenRequestA.WININET(00000000,GET,?,00000000,00000000,00400100,00000000), ref: 0040640A
Part of subcall function 00406312: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 00406442
Part of subcall function 00406312: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00406453

Part of subcall function 0041177A: lstrcpyA.KERNEL32(00000000,?,?,?,0041A98C,00000000,?,?,00428E5C,?,00000000), ref: 004117D3

StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00417F96
lstrlenA.KERNEL32(00000000), ref: 00417FAD

Part of subcall function 00412FD6: LocalAlloc.KERNEL32(00000040,00000001), ref: 00412FF2

StrStrA.SHLWAPI(00000000,00000000), ref: 00417FDD
lstrlenA.KERNEL32(00000000), ref: 00417FF9
lstrlenA.KERNEL32(00000000), ref: 0041801F

Strings

ERROR, xrefs: 00417F88, 0041802A, 0041809C, 004180D6, 0041810D

Memory Dump Source

Source File: 00000001.00000002.2893345551.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2893345551.0000000000439000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.000000000043F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000445000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004A6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004A9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004B1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004D1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004DD000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000502000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.000000000050E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.000000000052D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000539000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000005C8000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000643000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: Internetlstrcpylstrlen$HttpOpenRequest$AllocConnectLocalOptionSend
String ID: ERROR
API String ID: 3240024479-2861137601
Opcode ID: e56dbd6892063ce075c71f30584f65b6369d35785078b77fb4a32cfd08f74c49
Instruction ID: 82a00ccf74cc6928f093117e63f16261f372f6c033bbdc91f1bb176def9d3ff2
Opcode Fuzzy Hash: e56dbd6892063ce075c71f30584f65b6369d35785078b77fb4a32cfd08f74c49
Instruction Fuzzy Hash: 24511A71910108ABCB04FFA1D956AED7774BF11309F60402EF916A61F2DF39AA89CA48

Function 00412213 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 52registrystringCOMMON

Download Yara Rule

APIs

RegEnumKeyExA.KERNELBASE(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00412259
wsprintfA.USER32 ref: 0041228B
RegOpenKeyExA.KERNELBASE(00000000,?,00000000,00020019,00000000), ref: 004122AC
RegCloseKey.ADVAPI32(00000000), ref: 004122BC
RegCloseKey.ADVAPI32(00000000), ref: 004122C8

Part of subcall function 004116B4: lstrcpyA.KERNEL32(?,?,?,?,004118C6,00000000), ref: 004116F4

RegQueryValueExA.KERNELBASE(00000000,00000000,000F003F,?,00000400), ref: 0041231A
lstrlenA.KERNEL32(?), ref: 0041232F
RegQueryValueExA.KERNELBASE(00000000,00000000,000F003F,?,00000400,00000000,?,?,00000000,?,00428E48), ref: 004123C6
RegCloseKey.ADVAPI32(00000000), ref: 00412434
RegCloseKey.ADVAPI32(00000000), ref: 00412445

Strings

%s\%s, xrefs: 0041227F

Memory Dump Source

Source File: 00000001.00000002.2893345551.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2893345551.0000000000439000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.000000000043F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000445000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004A6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004A9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004B1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004D1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004DD000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000502000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.000000000050E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.000000000052D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000539000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000005C8000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000643000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: Close$QueryValue$EnumOpenlstrcpylstrlenwsprintf
String ID: %s\%s
API String ID: 3896182533-4073750446
Opcode ID: c05b9aeffa2524c3aa9bcda23acaed7832a6b4e564aa8b15d5e8c89861718145
Instruction ID: d7cee1983acf12d4360d724bf4cc3a4c29cf8c0d886bd7a19f0679c37ebee969
Opcode Fuzzy Hash: c05b9aeffa2524c3aa9bcda23acaed7832a6b4e564aa8b15d5e8c89861718145
Instruction Fuzzy Hash: 1721F27590012CAFEB609B50DD45BD9B7B9FF08304F4094E5E649A60A0CF749AD98F94

Function 00411ADD Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 37registrymemoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104), ref: 00411AF1
HeapAlloc.KERNEL32(00000000), ref: 00411AF8
RegOpenKeyExA.KERNELBASE(80000002,00000000,00020119,00000000), ref: 00411B29
RegQueryValueExA.KERNELBASE(00000000,00000000,00000000,?,000000FF), ref: 00411B47
RegCloseKey.ADVAPI32(00000000), ref: 00411B50

Strings

Windows 11, xrefs: 00411B0A

Memory Dump Source

Source File: 00000001.00000002.2893345551.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2893345551.0000000000439000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.000000000043F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000445000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004A6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004A9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004B1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004D1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004DD000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000502000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.000000000050E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.000000000052D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000539000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000005C8000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000643000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: Heap$AllocCloseOpenProcessQueryValue
String ID: Windows 11
API String ID: 3466090806-2517555085
Opcode ID: 346f3f4664875a4ea084d75b8818ec132410f9d5b334d0546c756ba2ab9ffa29
Instruction ID: 3f27d459ef3b4295677ace20887899c1ffae7c715c4ca525cf07eb428eb26eef
Opcode Fuzzy Hash: 346f3f4664875a4ea084d75b8818ec132410f9d5b334d0546c756ba2ab9ffa29
Instruction Fuzzy Hash: 84013C34A44208FBEB10ABE0EC0AB9D7B7AFB06744F1050A5F701AA1A1E7749A94DB14

Function 00411B5B Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 36registrymemoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104), ref: 00411B6F
HeapAlloc.KERNEL32(00000000), ref: 00411B76
RegOpenKeyExA.KERNELBASE(80000002,00000000,00020119,00411B06), ref: 00411B95
RegQueryValueExA.KERNELBASE(00411B06,CurrentBuildNumber,00000000,00000000,?,000000FF), ref: 00411BB2
RegCloseKey.ADVAPI32(00411B06), ref: 00411BBB

Strings

CurrentBuildNumber, xrefs: 00411BAA

Memory Dump Source

Source File: 00000001.00000002.2893345551.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2893345551.0000000000439000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.000000000043F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000445000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004A6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004A9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004B1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004D1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004DD000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000502000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.000000000050E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.000000000052D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000539000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000005C8000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000643000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: Heap$AllocCloseOpenProcessQueryValue
String ID: CurrentBuildNumber
API String ID: 3466090806-1022791448
Opcode ID: 6763c454cfa2fbe29bba7aff6e2c919a48f957ef8388f20bd06a009583ecdfc3
Instruction ID: 29d7a5e80dbd030fd5711505aedc04f660bf528dc6b38352957baa02463c1007
Opcode Fuzzy Hash: 6763c454cfa2fbe29bba7aff6e2c919a48f957ef8388f20bd06a009583ecdfc3
Instruction Fuzzy Hash: 42F04F75A40209FFEB00AFE0EC0AFEDBBB9FB05704F101095F200A90A1D7B05690DB54

Function 00407CDF Relevance: 9.1, APIs: 6, Instructions: 74filememoryCOMMON

Download Yara Rule

APIs

CreateFileA.KERNELBASE(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00407D05
GetFileSizeEx.KERNEL32(000000FF,?), ref: 00407D29
LocalAlloc.KERNEL32(00000040,?), ref: 00407D48
ReadFile.KERNELBASE(000000FF,00000000,?,0040F582,00000000), ref: 00407D6E
LocalFree.KERNEL32(00000000), ref: 00407DA0
CloseHandle.KERNEL32(000000FF), ref: 00407DA9

Memory Dump Source

Source File: 00000001.00000002.2893345551.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2893345551.0000000000439000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.000000000043F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000445000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004A6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004A9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004B1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004D1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004DD000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000502000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.000000000050E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.000000000052D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000539000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000005C8000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000643000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: File$Local$AllocCloseCreateFreeHandleReadSize
String ID:
API String ID: 2311089104-0
Opcode ID: b0c26b6f574b650b3bbe433578a167a4ae74d057130e38fdececdba59a5ca05d
Instruction ID: 20c10e672a0f3402bfbef9d3d1be989891e350540804f4a5b6ad44830b3c41ef
Opcode Fuzzy Hash: b0c26b6f574b650b3bbe433578a167a4ae74d057130e38fdececdba59a5ca05d
Instruction Fuzzy Hash: 6C31F174E00209EFDF11DFA4D849BEE7BB5BF0A301F104065E911AB2A0D778AA91CF55

Function 0041FD2C Relevance: 7.6, APIs: 5, Instructions: 146COMMON

Download Yara Rule

APIs

SetFilePointer.KERNEL32(00000000,00000000,00000000,00000001), ref: 0041FD9F

Memory Dump Source

Source File: 00000001.00000002.2893345551.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2893345551.0000000000439000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.000000000043F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000445000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004A6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004A9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004B1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004D1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004DD000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000502000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.000000000050E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.000000000052D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000539000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000005C8000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000643000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 28e4449246bdff4538dfa03a6f885fd424cd5e53fb953e1d424f3e4a8a48cfb0
Instruction ID: 5f3c8af357893ed153ccb181933e0c92fd25f58187f5847643f7a6c701f82d74
Opcode Fuzzy Hash: 28e4449246bdff4538dfa03a6f885fd424cd5e53fb953e1d424f3e4a8a48cfb0
Instruction Fuzzy Hash: D561CE70A00209DFDB10CF54D948BAEB7F1BB04725F258166E515AB391C3B4DE86CB6A

Function 00407F8E Relevance: 7.6, APIs: 2, Strings: 3, Instructions: 86COMMON

Download Yara Rule

APIs

Part of subcall function 00411668: lstrcpyA.KERNEL32(00425200,00000000,?), ref: 004116A7

Part of subcall function 00407CDF: CreateFileA.KERNELBASE(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00407D05
Part of subcall function 00407CDF: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00407D29
Part of subcall function 00407CDF: LocalAlloc.KERNEL32(00000040,?), ref: 00407D48
Part of subcall function 00407CDF: ReadFile.KERNELBASE(000000FF,00000000,?,0040F582,00000000), ref: 00407D6E
Part of subcall function 00407CDF: LocalFree.KERNEL32(00000000), ref: 00407DA0
Part of subcall function 00407CDF: CloseHandle.KERNEL32(000000FF), ref: 00407DA9

Part of subcall function 00412FD6: LocalAlloc.KERNEL32(00000040,00000001), ref: 00412FF2

StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00407FDF

Part of subcall function 00407DC2: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00406095,00000000,00000000), ref: 00407DE6
Part of subcall function 00407DC2: LocalAlloc.KERNEL32(00000040,00406095,?,?,00406095,00000000,?), ref: 00407DF7
Part of subcall function 00407DC2: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00406095,00000000,00000000), ref: 00407E1D
Part of subcall function 00407DC2: LocalFree.KERNEL32(00000000,?,?,00406095,00000000,?), ref: 00407E31

memcmp.MSVCRT ref: 00408034

Part of subcall function 00407E41: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00407E65
Part of subcall function 00407E41: LocalAlloc.KERNEL32(00000040,00000000), ref: 00407E83
Part of subcall function 00407E41: LocalFree.KERNEL32(?), ref: 00407EAB

Strings

"encrypted_key":", xrefs: 00407FD7
, xrefs: 00408062
DPAPI, xrefs: 0040802C

Memory Dump Source

Source File: 00000001.00000002.2893345551.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2893345551.0000000000439000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.000000000043F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000445000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004A6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004A9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004B1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004D1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004DD000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000502000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.000000000050E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.000000000052D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000539000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000005C8000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000643000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: Local$Alloc$CryptFileFree$BinaryString$CloseCreateDataHandleReadSizeUnprotectlstrcpymemcmp
String ID: $"encrypted_key":"$DPAPI
API String ID: 1204593910-738592651
Opcode ID: cb5a7b3697549c6f230e63b8f069386ffd445f3a9418a1f9903da71664ec03a3
Instruction ID: 8d589a117900b415cc4759a7c5c28772ff61d9ce457947e60a2fc3858aeb04fe
Opcode Fuzzy Hash: cb5a7b3697549c6f230e63b8f069386ffd445f3a9418a1f9903da71664ec03a3
Instruction Fuzzy Hash: 74310E71D0010DABDF11DBA5DD45BEEBBB8AF04304F14012AE840B2291EB799A58DB99

Function 004126A3 Relevance: 7.6, APIs: 5, Instructions: 84commemoryCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(0042AC28,00000000,00000001,004292EC,00000000,?,?,?,?,004128EF), ref: 004126EA
SysAllocString.OLEAUT32(?), ref: 00412700
_wtoi64.MSVCRT ref: 0041274D
SysFreeString.OLEAUT32(?), ref: 00412771
SysFreeString.OLEAUT32(00000000), ref: 0041277A

Memory Dump Source

Source File: 00000001.00000002.2893345551.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2893345551.0000000000439000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.000000000043F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000445000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004A6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004A9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004B1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004D1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004DD000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000502000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.000000000050E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.000000000052D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000539000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000005C8000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000643000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: String$Free$AllocCreateInstance_wtoi64
String ID:
API String ID: 1817501562-0
Opcode ID: f48b06c7123509e446c0da83949f76becdf3deb21f21affda6d357694f029a8c
Instruction ID: 58adf380e0662d1b76d21edb75c8d821cdd3313fccb4f2387b68fcf25dfbec8a
Opcode Fuzzy Hash: f48b06c7123509e446c0da83949f76becdf3deb21f21affda6d357694f029a8c
Instruction Fuzzy Hash: 2E310575E04219EFCB05DFA9D849BEEBBB4FB08315F00416AE911E32A0C7795951CFA4

Function 00411EB5 Relevance: 7.5, APIs: 5, Instructions: 32registrymemoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,00000000), ref: 00411EC9
HeapAlloc.KERNEL32(00000000), ref: 00411ED0
RegOpenKeyExA.KERNELBASE(80000002,00000000,00020119,00000000), ref: 00411EEF
RegQueryValueExA.KERNELBASE(00000000,00000000,00000000,000000FF,000000FF), ref: 00411F0D
RegCloseKey.ADVAPI32(00000000), ref: 00411F16

Memory Dump Source

Source File: 00000001.00000002.2893345551.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2893345551.0000000000439000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.000000000043F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000445000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004A6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004A9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004B1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004D1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004DD000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000502000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.000000000050E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.000000000052D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000539000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000005C8000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000643000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: Heap$AllocCloseOpenProcessQueryValue
String ID:
API String ID: 3466090806-0
Opcode ID: dd008c8d00355dc8994383d20b0c3b1a5372c3a3245a183f1dace59f39d50ce9
Instruction ID: 2ba135963ef3e1c949db86b07d2e2a79437377d0b90cfecc595d9e25d7200812
Opcode Fuzzy Hash: dd008c8d00355dc8994383d20b0c3b1a5372c3a3245a183f1dace59f39d50ce9
Instruction Fuzzy Hash: C2F03A79A40208FFEB10AFE0EC0AF9DBBBAFB06745F105064F701A91A0D77156949F40

Function 0040F9BD Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 166COMMON

Download Yara Rule

APIs

StrCmpCA.SHLWAPI(00000000,?,?), ref: 0040F9EF
StrCmpCA.SHLWAPI(00000000,?,?), ref: 0040FA75
StrCmpCA.SHLWAPI(00000000,?,?), ref: 0040FB84

Part of subcall function 004116B4: lstrcpyA.KERNEL32(?,?,?,?,004118C6,00000000), ref: 004116F4

StrCmpCA.SHLWAPI(00000000), ref: 0040FC57
StrCmpCA.SHLWAPI(00000000), ref: 0040FCDD

Strings

Stable\, xrefs: 0040FA90

Memory Dump Source

Source File: 00000001.00000002.2893345551.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2893345551.0000000000439000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.000000000043F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000445000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004A6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004A9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004B1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004D1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004DD000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000502000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.000000000050E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.000000000052D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000539000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000005C8000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000643000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: lstrcpy
String ID: Stable\
API String ID: 3722407311-272486606
Opcode ID: b1a1266439bdf2a0e8ec9dc9193cdc2636f5054d60504534493cfb04d58e2737
Instruction ID: 7cd2c182165b9fee31fd49b72ff1b8ad9c7a36b01791bf89c52de0b726780448
Opcode Fuzzy Hash: b1a1266439bdf2a0e8ec9dc9193cdc2636f5054d60504534493cfb04d58e2737
Instruction Fuzzy Hash: CD511271A00109ABCF14FBB5DD96BDD77B9BB60304F10402AE906EB1A1EE35DB49CB85

Function 2209FD40 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 134fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(?,?,?,?,?), ref: 2209FE03

Strings

delayed %dms for lock/sharing conflict at line %d, xrefs: 2209FE78
winRead, xrefs: 2209FE3D

Memory Dump Source

Source File: 00000001.00000002.2904202460.0000000022098000.00000020.00001000.00020000.00000000.sdmp, Offset: 22090000, based on PE: true

Associated: 00000001.00000002.2904173258.0000000022090000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.0000000022091000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.00000000221F6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.000000002229D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.000000002229F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.00000000222A8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905717837.00000000222D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_22090000_MSBuild.jbxd

Similarity

API ID: FileRead
String ID: delayed %dms for lock/sharing conflict at line %d$winRead
API String ID: 2738559852-1843600136
Opcode ID: eb2063094fbca5571e240f8c24d7457c3aa4631b485e649789b4520524a0f264
Instruction ID: 89b86d8119de7190bc5a8d989f82954dfad3ccd0f2931ab103f82fb3449b45a4
Opcode Fuzzy Hash: eb2063094fbca5571e240f8c24d7457c3aa4631b485e649789b4520524a0f264
Instruction Fuzzy Hash: 244117726053056BC300DF68CD84A6BB7E9FF84B14F84093DF945C3641DB75E918A7A2

Function 00408203 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106libraryCOMMON

Download Yara Rule

APIs

GetEnvironmentVariableA.KERNELBASE(C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;,0000FFFF), ref: 00408220
LoadLibraryA.KERNELBASE ref: 004082A8

Part of subcall function 00411668: lstrcpyA.KERNEL32(00425200,00000000,?), ref: 004116A7

Part of subcall function 00411715: lstrlenA.KERNEL32(?,?,?,00419018,00425200,00425200,?,?,?,0041ABB6), ref: 0041171F
Part of subcall function 00411715: lstrcpyA.KERNEL32(0041ABB6,00000000,?,00419018,00425200,00425200), ref: 0041176D

Part of subcall function 0041185B: lstrlenA.KERNEL32(00428E5C,?,00428E5C,?,00000000), ref: 0041186F
Part of subcall function 0041185B: lstrcpyA.KERNEL32(00000000,?), ref: 004118A8
Part of subcall function 0041185B: lstrcatA.KERNEL32(00000000,00000000), ref: 004118B4

Part of subcall function 004117E0: lstrcpyA.KERNEL32(00000000,00000000), ref: 0041182C
Part of subcall function 004117E0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041183A

Part of subcall function 0041177A: lstrcpyA.KERNEL32(00000000,?,?,?,0041A98C,00000000,?,?,00428E5C,?,00000000), ref: 004117D3

SetEnvironmentVariableA.KERNEL32(00000000,00000000,?,00428E34,?,?,C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;,00425200), ref: 00408294

Strings

C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;, xrefs: 00408215, 00408229, 0040823F

Memory Dump Source

Source File: 00000001.00000002.2893345551.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2893345551.0000000000439000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.000000000043F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000445000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004A6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004A9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004B1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004D1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004DD000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000502000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.000000000050E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.000000000052D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000539000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000005C8000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000643000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: lstrcpy$EnvironmentVariablelstrcatlstrlen$LibraryLoad
String ID: C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;
API String ID: 2929475105-3463377506
Opcode ID: 33191907c34fe30b91932b9d02352948c94fa74ece7802ec8efd6249ff31ed7f
Instruction ID: 84292c169819be5b53b0aa043c90a357ac7ef937680942749e622d56a9f64c6e
Opcode Fuzzy Hash: 33191907c34fe30b91932b9d02352948c94fa74ece7802ec8efd6249ff31ed7f
Instruction Fuzzy Hash: 91413931905245DFEB05EBA1FD66AE937B6FB04305F20612EE901A12F1DF395988CF98

Function 004073D6 Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 96memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(;q@,;q@,00003000,00000040), ref: 00407474
VirtualAlloc.KERNELBASE(00000000,;q@,00003000,00000040), ref: 004074BF

Strings

;q@, xrefs: 004073DC
;q@, xrefs: 00407466, 00407470, 004074B9, 004074D7, 0040742C, 00407469, 00407473, 004074BC

Memory Dump Source

Source File: 00000001.00000002.2893345551.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2893345551.0000000000439000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.000000000043F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000445000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004A6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004A9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004B1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004D1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004DD000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000502000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.000000000050E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.000000000052D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000539000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000005C8000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000643000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID: ;q@$;q@
API String ID: 4275171209-3893597124
Opcode ID: ce50d067a10a9d200ba21eaef60b552f8d4fc485bf38c75f1e0756368e75d6fe
Instruction ID: d3bad8f71399132065eca503ffa06903ce5ef1b7e5e995e1b9bcc650a41b767e
Opcode Fuzzy Hash: ce50d067a10a9d200ba21eaef60b552f8d4fc485bf38c75f1e0756368e75d6fe
Instruction Fuzzy Hash: D941B535A04209EFCB50CF98C485FADBBF0EB08364F1484A5E959EB391D734EA81CB45

Function 00418DB9 Relevance: 6.1, APIs: 4, Instructions: 85synchronizationthreadCOMMON

Download Yara Rule

APIs

_MSFOpenExW.MSPDB140-MSVCRT ref: 00418E6C
CreateThread.KERNELBASE(00000000,00000000,00418C65,?,00000000,00000000), ref: 00418E85
WaitForSingleObject.KERNEL32(?,000003E8), ref: 00418E96

Memory Dump Source

Source File: 00000001.00000002.2893345551.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2893345551.0000000000439000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.000000000043F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000445000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004A6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004A9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004B1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004D1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004DD000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000502000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.000000000050E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.000000000052D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000539000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000005C8000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000643000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: CreateObjectOpenSingleThreadWait
String ID:
API String ID: 4234577939-0
Opcode ID: f43b621d675ccc337efc39be0cc282dc91ce5b12264d272aea3fd1cbd3d3afdf
Instruction ID: 4c5e3d0133d6e9f2eae60e2625ec9d3b543f1cf41f80d31bea27500df29b833e
Opcode Fuzzy Hash: f43b621d675ccc337efc39be0cc282dc91ce5b12264d272aea3fd1cbd3d3afdf
Instruction Fuzzy Hash: 4F315C75900208AFDB10EF61DC45BED3BB5BF15305F54412AF9159A1A1EF349A86CF88

Function 004070D4 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 148COMMON

Download Yara Rule

Strings

ez@, xrefs: 004072B1

Memory Dump Source

Source File: 00000001.00000002.2893345551.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2893345551.0000000000439000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.000000000043F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000445000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004A6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004A9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004B1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004D1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004DD000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000502000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.000000000050E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.000000000052D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000539000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000005C8000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000643000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID:
String ID: ez@
API String ID: 0-307298357
Opcode ID: 3bbf64017ccec70b43ef0a4a85a6baf18d8732ef2f27285e686f093308f930eb
Instruction ID: a860d7bb49b00275ae4f9f6a4a51eaec01057512aeaaa0d5d6857e8719e4b74b
Opcode Fuzzy Hash: 3bbf64017ccec70b43ef0a4a85a6baf18d8732ef2f27285e686f093308f930eb
Instruction Fuzzy Hash: FA61D270C08209EFCF14DF94D948BEEB7B0AB04315F2044AAE405B7291D779AE94DF6A

Function 00418C65 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 105stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000), ref: 00418C99
StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00418D4B

Strings

ERROR, xrefs: 00418D3D

Memory Dump Source

Source File: 00000001.00000002.2893345551.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2893345551.0000000000439000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.000000000043F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000445000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004A6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004A9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004B1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004D1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004DD000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000502000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.000000000050E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.000000000052D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000539000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000005C8000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000643000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: lstrlen
String ID: ERROR
API String ID: 1659193697-2861137601
Opcode ID: 63e6eed9abdabe16e44a68f7f9864da067214aca1ca454f7c695c55e2f80d023
Instruction ID: 4cb9426ee5e73f282c12afd8d592c338adc4812851f741afb7acd22160182d69
Opcode Fuzzy Hash: 63e6eed9abdabe16e44a68f7f9864da067214aca1ca454f7c695c55e2f80d023
Instruction Fuzzy Hash: 6B3184B1E10204ABCF00EBA5DD46AEE7778FB15318F10051AF502E73A1DB389940CBA9

Function 00418E9E Relevance: 4.5, APIs: 3, Instructions: 45sleepsynchronizationthreadCOMMON

Download Yara Rule

APIs

_MSFOpenExW.MSPDB140-MSVCRT ref: 00418E6C
CreateThread.KERNELBASE(00000000,00000000,00418C65,?,00000000,00000000), ref: 00418E85
WaitForSingleObject.KERNEL32(?,000003E8), ref: 00418E96
Sleep.KERNEL32(000003E8,?,00000000,?,?), ref: 00418EA5

Memory Dump Source

Source File: 00000001.00000002.2893345551.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2893345551.0000000000439000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.000000000043F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000445000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004A6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004A9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004B1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004D1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004DD000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000502000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.000000000050E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.000000000052D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000539000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000005C8000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000643000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: CreateObjectOpenSingleSleepThreadWait
String ID:
API String ID: 1990444757-0
Opcode ID: db982492dfe86fd64df0525366e688e2b4b5a29edeeaa01de3fa1648289cf0de
Instruction ID: 5657c23587d86dbe871ff5d5566c82c5f00d4f8eb17df63da99cc315ca23b86c
Opcode Fuzzy Hash: db982492dfe86fd64df0525366e688e2b4b5a29edeeaa01de3fa1648289cf0de
Instruction Fuzzy Hash: 52011774640204EBDB21EF21DC46BEC3B65BB11709F54412AF9169A1B1DB399A82CF89

Function 00413563 Relevance: 4.5, APIs: 3, Instructions: 25COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000410,00000000,004154AA), ref: 00413576
K32GetModuleFileNameExA.KERNEL32(00000000,00000000,?,00000104), ref: 00413596
CloseHandle.KERNEL32(00000000), ref: 0041359F

Memory Dump Source

Source File: 00000001.00000002.2893345551.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2893345551.0000000000439000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.000000000043F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000445000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004A6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004A9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004B1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004D1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004DD000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000502000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.000000000050E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.000000000052D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000539000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000005C8000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000643000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: CloseFileHandleModuleNameOpenProcess
String ID:
API String ID: 3183270410-0
Opcode ID: 424327ca4c3cbaa72694fe0256f2ae6f23efaf6e2f470c7a486978a51854163c
Instruction ID: 648301d2c24216510959a40647cebe15a857575c5a4660e0673f59272e1cdbeb
Opcode Fuzzy Hash: 424327ca4c3cbaa72694fe0256f2ae6f23efaf6e2f470c7a486978a51854163c
Instruction Fuzzy Hash: 68F0F27890120CFFDB11EFA0DC0AFDC7BB9AB09709F1444A5B615AA1A0D7B1ABD4DB44

Function 0040D1C6 Relevance: 3.9, APIs: 1, Strings: 1, Instructions: 379COMMON

Download Yara Rule

APIs

Part of subcall function 00411668: lstrcpyA.KERNEL32(00425200,00000000,?), ref: 004116A7

StrCmpCA.SHLWAPI(00000000,Opera GX,00425200,00425200,?,?), ref: 0040D201

Part of subcall function 00412F92: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,000003E8), ref: 00412FBC

Part of subcall function 004117E0: lstrcpyA.KERNEL32(00000000,00000000), ref: 0041182C
Part of subcall function 004117E0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041183A

Part of subcall function 0041177A: lstrcpyA.KERNEL32(00000000,?,?,?,0041A98C,00000000,?,?,00428E5C,?,00000000), ref: 004117D3

Part of subcall function 0041185B: lstrlenA.KERNEL32(00428E5C,?,00428E5C,?,00000000), ref: 0041186F
Part of subcall function 0041185B: lstrcpyA.KERNEL32(00000000,?), ref: 004118A8
Part of subcall function 0041185B: lstrcatA.KERNEL32(00000000,00000000), ref: 004118B4

Part of subcall function 004116B4: lstrcpyA.KERNEL32(?,?,?,?,004118C6,00000000), ref: 004116F4

Part of subcall function 00412F4C: GetFileAttributesA.KERNELBASE(00000000,?,0040E526,?,00425200,?,?), ref: 00412F5B

Part of subcall function 00407F8E: StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00407FDF
Part of subcall function 00407F8E: memcmp.MSVCRT ref: 00408034

Strings

Opera GX, xrefs: 0040D1F3

Memory Dump Source

Source File: 00000001.00000002.2893345551.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2893345551.0000000000439000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.000000000043F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000445000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004A6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004A9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004B1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004D1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004DD000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000502000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.000000000050E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.000000000052D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000539000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000005C8000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000643000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrcat$AttributesFileFolderPathlstrlenmemcmp
String ID: Opera GX
API String ID: 1439182418-3280151751
Opcode ID: 0fb77b7b81ea3809c0307192b11be850f65fcb2790e200c338288ed7b6fd4c59
Instruction ID: fb3989cb2523bfc062273a9d11041c6471dda5227b0977fe00502919fff50608
Opcode Fuzzy Hash: 0fb77b7b81ea3809c0307192b11be850f65fcb2790e200c338288ed7b6fd4c59
Instruction Fuzzy Hash: 4BD113729001089ADF14FBF1DD56EEE737CAF14305F50412BF616A21E1EE39AB88CA59

Function 00407902 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 73memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(00EBE9FC,458B0874,00000002,00000002), ref: 004079D0

Strings

@, xrefs: 004079AC

Memory Dump Source

Source File: 00000001.00000002.2893345551.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2893345551.0000000000439000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.000000000043F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000445000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004A6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004A9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004B1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004D1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004DD000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000502000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.000000000050E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.000000000052D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000539000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000005C8000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000643000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: ProtectVirtual
String ID: @
API String ID: 544645111-2766056989
Opcode ID: 287ad8346a7fe6e5c9c93bd88e2f49757a3d10b5b68bd008e028ca123d1bf971
Instruction ID: 108c03afaf6488205a77675aa431fcd5872e35c29fe2ccaab908e516a6f44892
Opcode Fuzzy Hash: 287ad8346a7fe6e5c9c93bd88e2f49757a3d10b5b68bd008e028ca123d1bf971
Instruction Fuzzy Hash: 2D31CBB5D08209EFEB10CF98C545BADBBF1FB04304F1485A6D455AB391D378AA81DF46

Function 00417E48 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 58COMMON

Download Yara Rule

APIs

Part of subcall function 004116B4: lstrcpyA.KERNEL32(?,?,?,?,004118C6,00000000), ref: 004116F4

Part of subcall function 00406312: InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00406373
Part of subcall function 00406312: StrCmpCA.SHLWAPI(?), ref: 00406390
Part of subcall function 00406312: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 004063BE
Part of subcall function 00406312: HttpOpenRequestA.WININET(00000000,GET,?,00000000,00000000,00400100,00000000), ref: 0040640A
Part of subcall function 00406312: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 00406442
Part of subcall function 00406312: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00406453

StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00417E8B

Strings

ERROR, xrefs: 00417E7D, 00417EDB

Memory Dump Source

Source File: 00000001.00000002.2893345551.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2893345551.0000000000439000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.000000000043F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000445000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004A6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004A9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004B1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004D1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004DD000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000502000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.000000000050E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.000000000052D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000539000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000005C8000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000643000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: Internet$HttpOpenRequest$ConnectOptionSendlstrcpy
String ID: ERROR
API String ID: 3287882509-2861137601
Opcode ID: bb33d87117d8667f9c5c7158566ed321b33361f7c494144e9eddfb2cb9a39704
Instruction ID: b6725acd924a18acdeaf76a85a33531c260c99ef83c6fe063ac976ef0ea738d9
Opcode Fuzzy Hash: bb33d87117d8667f9c5c7158566ed321b33361f7c494144e9eddfb2cb9a39704
Instruction Fuzzy Hash: 4B11D0319101089BCB14FFA2E8569DD7378AF50309F50412EF916971F2EF39AB48C788

Function 00412F4C Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNELBASE(00000000,?,0040E526,?,00425200,?,?), ref: 00412F5B

Strings

&@, xrefs: 00412F52

Memory Dump Source

Source File: 00000001.00000002.2893345551.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2893345551.0000000000439000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.000000000043F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000445000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004A6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004A9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004B1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004D1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004DD000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000502000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.000000000050E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.000000000052D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000539000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000005C8000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000643000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: AttributesFile
String ID: &@
API String ID: 3188754299-4010431647
Opcode ID: c554d616c374e849fdf741f0e5d4d7b9930fb9937f03e0365571ee75c380a818
Instruction ID: 5a9ed636e313f6a7dd176774e2c6308ea72efcd30315a16af32adb4bfda7ee87
Opcode Fuzzy Hash: c554d616c374e849fdf741f0e5d4d7b9930fb9937f03e0365571ee75c380a818
Instruction Fuzzy Hash: 4CF0C074C1020CEBCB00DFA5D5456DDB774AB11359F108156E522E72A0E7789B96DF44

Function 00412667 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 20COMMON

Download Yara Rule

APIs

GetCurrentHwProfileA.ADVAPI32(?), ref: 00412674

Part of subcall function 00411668: lstrcpyA.KERNEL32(00425200,00000000,?), ref: 004116A7

Strings

Unknown, xrefs: 00412691

Memory Dump Source

Source File: 00000001.00000002.2893345551.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2893345551.0000000000439000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.000000000043F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000445000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004A6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004A9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004B1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004D1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004DD000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000502000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.000000000050E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.000000000052D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000539000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000005C8000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000643000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: CurrentProfilelstrcpy
String ID: Unknown
API String ID: 2831436455-1654365787
Opcode ID: 6f65f47d843f5c38b1e0a66190c485fb9fc1308ec2868120a4b7116f04a99c60
Instruction ID: 79ae12f52d30196ee2c5170817a78a3de43ea3cd72a751e4cea9930dc4e20eb0
Opcode Fuzzy Hash: 6f65f47d843f5c38b1e0a66190c485fb9fc1308ec2868120a4b7116f04a99c60
Instruction Fuzzy Hash: 0CE04F30600108EFCF10EF65D881EDD37ACBB04788F50402AF905D7190DB74E995CB98

Function 220C04D1 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 14COMMON

Download Yara Rule

Strings

failed to allocate %u bytes of memory, xrefs: 220C04E7

Memory Dump Source

Source File: 00000001.00000002.2904202460.0000000022098000.00000020.00001000.00020000.00000000.sdmp, Offset: 22090000, based on PE: true

Associated: 00000001.00000002.2904173258.0000000022090000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.0000000022091000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.00000000221F6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.000000002229D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.000000002229F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.00000000222A8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905717837.00000000222D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_22090000_MSBuild.jbxd

Similarity

API ID:
String ID: failed to allocate %u bytes of memory
API String ID: 0-1168259600
Opcode ID: d1796329f17750646fbb563617dc09536e8667142422ffcc7900dfd8aae45b89
Instruction ID: f264e15e2a031f41a3c54b39c68b0b2dc21ce2837ecefbcd25dc4e69002da9e1
Opcode Fuzzy Hash: d1796329f17750646fbb563617dc09536e8667142422ffcc7900dfd8aae45b89
Instruction Fuzzy Hash: C6C01272F8832263D61215D0AC41B8EBA914BB0B91F054434FD4969234D5669D91B7C2

Function 004090FB Relevance: 2.7, APIs: 2, Instructions: 196stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00411668: lstrcpyA.KERNEL32(00425200,00000000,?), ref: 004116A7

Part of subcall function 0041185B: lstrlenA.KERNEL32(00428E5C,?,00428E5C,?,00000000), ref: 0041186F
Part of subcall function 0041185B: lstrcpyA.KERNEL32(00000000,?), ref: 004118A8
Part of subcall function 0041185B: lstrcatA.KERNEL32(00000000,00000000), ref: 004118B4

Part of subcall function 004117E0: lstrcpyA.KERNEL32(00000000,00000000), ref: 0041182C
Part of subcall function 004117E0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041183A

Part of subcall function 0041177A: lstrcpyA.KERNEL32(00000000,?,?,?,0041A98C,00000000,?,?,00428E5C,?,00000000), ref: 004117D3

lstrlenA.KERNEL32(00000000), ref: 004092EF
lstrlenA.KERNEL32(00000000), ref: 00409303

Part of subcall function 004116B4: lstrcpyA.KERNEL32(?,?,?,?,004118C6,00000000), ref: 004116F4

Part of subcall function 00418DB9: _MSFOpenExW.MSPDB140-MSVCRT ref: 00418E6C
Part of subcall function 00418DB9: CreateThread.KERNELBASE(00000000,00000000,00418C65,?,00000000,00000000), ref: 00418E85
Part of subcall function 00418DB9: WaitForSingleObject.KERNEL32(?,000003E8), ref: 00418E96

Memory Dump Source

Source File: 00000001.00000002.2893345551.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2893345551.0000000000439000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.000000000043F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000445000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004A6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004A9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004B1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004D1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004DD000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000502000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.000000000050E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.000000000052D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000539000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000005C8000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000643000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen$lstrcat$CreateObjectOpenSingleThreadWait
String ID:
API String ID: 3799617333-0
Opcode ID: defa912096274b33364ccc9781972fdf005cb23e8a4ea8b6f4c2c678f65133d7
Instruction ID: e682058c765c3eed9424c7c912d02b9114c1685d086e83408ab55d0a98466556
Opcode Fuzzy Hash: defa912096274b33364ccc9781972fdf005cb23e8a4ea8b6f4c2c678f65133d7
Instruction Fuzzy Hash: 1E71EC729101189ADF04FBA1DCA6DEE7379BF14305F50412EF616A21F1EE399A88CB94

Function 00412F92 Relevance: 1.5, APIs: 1, Instructions: 21COMMON

Download Yara Rule

APIs

SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,000003E8), ref: 00412FBC

Part of subcall function 00411668: lstrcpyA.KERNEL32(00425200,00000000,?), ref: 004116A7

Memory Dump Source

Source File: 00000001.00000002.2893345551.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2893345551.0000000000439000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.000000000043F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000445000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004A6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004A9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004B1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004D1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004DD000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000502000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.000000000050E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.000000000052D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000539000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000005C8000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000643000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: FolderPathlstrcpy
String ID:
API String ID: 1699248803-0
Opcode ID: 47392e84d6d6294a81bee49d13ce944e3ea666f2a03f2c076f629e9461e68349
Instruction ID: aa325d3f94b7a9653be548765aa3873853a6de89a1716966dfff1a03a5bef2b1
Opcode Fuzzy Hash: 47392e84d6d6294a81bee49d13ce944e3ea666f2a03f2c076f629e9461e68349
Instruction Fuzzy Hash: 7DE04F3094034DBBDB51EF50CC92FCD376C9B04B05F404191B60CAA0D0DA70EB858B54

Function 00412B6B Relevance: 1.3, APIs: 1, Instructions: 10COMMONLIBRARYCODE

Download Yara Rule

APIs

malloc.MSVCRT ref: 00412B72

Memory Dump Source

Source File: 00000001.00000002.2893345551.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2893345551.0000000000439000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.000000000043F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000445000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004A6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004A9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004B1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004D1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000004DD000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000502000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.000000000050E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.000000000052D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000539000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.00000000005C8000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2893345551.0000000000643000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: malloc
String ID:
API String ID: 2803490479-0
Opcode ID: e9ef69333db613a216edd2c8bf2b23955e04f01125ce089b17a326d4bede4d29
Instruction ID: 52e30e3b9de2c83f9cf9caa13978d237713c2858ae44fde087075dd4632ce1ce
Opcode Fuzzy Hash: e9ef69333db613a216edd2c8bf2b23955e04f01125ce089b17a326d4bede4d29
Instruction Fuzzy Hash: ABC04C70A1411DBB8B04EB59E94284DBBE89A04298B504069F40896151D671AE419658

Non-executed Functions

Function 221D0480 Relevance: 30.2, APIs: 8, Strings: 9, Instructions: 476COMMON

Download Yara Rule

Strings

no such %s mode: %s, xrefs: 221D0922
%s mode not allowed: %s, xrefs: 221D09EC
cach, xrefs: 221D082B
mode, xrefs: 221D0867
loca, xrefs: 221D0598
no such vfs: %s, xrefs: 221D099A
lhos, xrefs: 221D05A1
file, xrefs: 221D04DA
invalid uri authority: %.*s, xrefs: 221D05C2

Memory Dump Source

Source File: 00000001.00000002.2904202460.0000000022098000.00000020.00001000.00020000.00000000.sdmp, Offset: 22090000, based on PE: true

Associated: 00000001.00000002.2904173258.0000000022090000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.0000000022091000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.00000000221F6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.000000002229D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.000000002229F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.00000000222A8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905717837.00000000222D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_22090000_MSBuild.jbxd

Similarity

API ID:
String ID: %s mode not allowed: %s$cach$file$invalid uri authority: %.*s$lhos$loca$mode$no such %s mode: %s$no such vfs: %s
API String ID: 0-1127695371
Opcode ID: 2144886243cec99bf5b05f951d05e98e19dcc2edfbceb82e39d8a38965212d1b
Instruction ID: 99d4f7d7471ba74a3ed287686e445c73653476ed009fb020552ed3c54f1ac164
Opcode Fuzzy Hash: 2144886243cec99bf5b05f951d05e98e19dcc2edfbceb82e39d8a38965212d1b
Instruction Fuzzy Hash: D9F12676588341CFE7158F18C690F9A7BE2AF86318F44465CE8D94B283D7369746CB82

Function 220B8680 Relevance: 28.6, APIs: 9, Strings: 7, Instructions: 550COMMON

Download Yara Rule

Strings

recursively defined fts5 content table, xrefs: 220B86C5
parse error in rank function: %s, xrefs: 220B97FF
DESC, xrefs: 220B98C2, 220B98D6
%s: table does not support scanning, xrefs: 220B9979
SELECT rowid, rank FROM %Q.%Q ORDER BY %s("%w"%s%s) %s, xrefs: 220B98F1
, xrefs: 220B9848
ASC, xrefs: 220B98BA

Memory Dump Source

Source File: 00000001.00000002.2904202460.0000000022098000.00000020.00001000.00020000.00000000.sdmp, Offset: 22090000, based on PE: true

Associated: 00000001.00000002.2904173258.0000000022090000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.0000000022091000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.00000000221F6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.000000002229D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.000000002229F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.00000000222A8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905717837.00000000222D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_22090000_MSBuild.jbxd

Similarity

API ID:
String ID: $%s: table does not support scanning$ASC$DESC$SELECT rowid, rank FROM %Q.%Q ORDER BY %s("%w"%s%s) %s$parse error in rank function: %s$recursively defined fts5 content table
API String ID: 0-2381147695
Opcode ID: 8c1c495f83956ea25cd54f5fcce42a841773697bc5e960c6b7ff6f6ddce1dfe8
Instruction ID: 791033c9472ef4d06bb052c7767ab23b4b9cd3b35cf2016f769f616c739f9f95
Opcode Fuzzy Hash: 8c1c495f83956ea25cd54f5fcce42a841773697bc5e960c6b7ff6f6ddce1dfe8
Instruction Fuzzy Hash: F122DEB1D003099FCB21CF25C980B6ABBF5BF49304F444A29F9859B251E736EA51EF91

Function 221BD9E0 Relevance: 23.3, APIs: 8, Strings: 5, Instructions: 564COMMON

Download Yara Rule

Strings

misuse, xrefs: 221BDAD6, 221BDE39
API called with finalized prepared statement, xrefs: 221BDAB0, 221BDE13
ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 221BDACC, 221BDE2F
%s at line %d of [%.10s], xrefs: 221BDADB, 221BDE3E
API called with NULL prepared statement, xrefs: 221BDA9B, 221BDDFE

Memory Dump Source

Source File: 00000001.00000002.2904202460.0000000022098000.00000020.00001000.00020000.00000000.sdmp, Offset: 22090000, based on PE: true

Associated: 00000001.00000002.2904173258.0000000022090000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.0000000022091000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.00000000221F6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.000000002229D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.000000002229F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.00000000222A8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905717837.00000000222D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_22090000_MSBuild.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$API called with NULL prepared statement$API called with finalized prepared statement$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f$misuse
API String ID: 0-860711957
Opcode ID: c163a29b3e9d9c619c94d5e37b0fe345ae98f8d1c260a540f466870ba0f1fec1
Instruction ID: 8955121218e7d13432be9da486ecc785d6faec6d1897a8e1f5e9e957e505267d
Opcode Fuzzy Hash: c163a29b3e9d9c619c94d5e37b0fe345ae98f8d1c260a540f466870ba0f1fec1
Instruction Fuzzy Hash: 9112C1B09847019BE3248F34CD48F97B7F4AF55319F040A2CF99996282E776E705CB92

Function 220A66C0 Relevance: 23.2, APIs: 12, Strings: 1, Instructions: 416COMMON

Download Yara Rule

Strings

_shape does not contain a valid polygon, xrefs: 220A6816

Memory Dump Source

Source File: 00000001.00000002.2904202460.0000000022098000.00000020.00001000.00020000.00000000.sdmp, Offset: 22090000, based on PE: true

Associated: 00000001.00000002.2904173258.0000000022090000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.0000000022091000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.00000000221F6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.000000002229D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.000000002229F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.00000000222A8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905717837.00000000222D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_22090000_MSBuild.jbxd

Similarity

API ID:
String ID: _shape does not contain a valid polygon
API String ID: 0-1814939628
Opcode ID: 075f1f3f64c8295a2b7918a0791c587d73b73de66d6a9f20b496c14e530d60d2
Instruction ID: 3fa59e308f1d438de254b9af275176e2dc7efaa1b2c01d1bc4fcd202531f1642
Opcode Fuzzy Hash: 075f1f3f64c8295a2b7918a0791c587d73b73de66d6a9f20b496c14e530d60d2
Instruction Fuzzy Hash: 97E1BFB18043009FCB11DF94C950A1FB7F8AF94714F844A2DFA9997312E736DA85EB92

Function 220BB400 Relevance: 21.4, APIs: 8, Strings: 4, Instructions: 367COMMON

Download Yara Rule

Strings

SELECT %s WHERE rowid BETWEEN %lld AND %lld ORDER BY rowid %s, xrefs: 220BB696
DESC, xrefs: 220BB656, 220BB65E, 220BB67D, 220BB685
SELECT %s ORDER BY rowid %s, xrefs: 220BB665
ASC, xrefs: 220BB651, 220BB678

Memory Dump Source

Source File: 00000001.00000002.2904202460.0000000022098000.00000020.00001000.00020000.00000000.sdmp, Offset: 22090000, based on PE: true

Associated: 00000001.00000002.2904173258.0000000022090000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.0000000022091000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.00000000221F6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.000000002229D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.000000002229F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.00000000222A8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905717837.00000000222D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_22090000_MSBuild.jbxd

Similarity

API ID:
String ID: ASC$DESC$SELECT %s ORDER BY rowid %s$SELECT %s WHERE rowid BETWEEN %lld AND %lld ORDER BY rowid %s
API String ID: 0-3496276579
Opcode ID: 925a209042bb13422ad6de2fba52c46a38d3b9924ffa96fde897f7f4ea77f80d
Instruction ID: e2410e5403780e12417258464b1adaa2b6e73def1cf66ff6d3094c5b70b1b8b5
Opcode Fuzzy Hash: 925a209042bb13422ad6de2fba52c46a38d3b9924ffa96fde897f7f4ea77f80d
Instruction Fuzzy Hash: CEC136B15007049FC7228F24DD40B6BB7E5FF84314F04093EED9A8A651E73AEA55EB52

Function 2210DB10 Relevance: 18.3, APIs: 12, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2904202460.0000000022098000.00000020.00001000.00020000.00000000.sdmp, Offset: 22090000, based on PE: true

Associated: 00000001.00000002.2904173258.0000000022090000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.0000000022091000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.00000000221F6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.000000002229D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.000000002229F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.00000000222A8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905717837.00000000222D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_22090000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 983b589dbb5e09f6fc08b566a1fdcf98cebccfa861580db616c5d8a8c60aa1db
Instruction ID: 9bba7aff8b45ea90e2116f10cbdb2116c1aad7f65f5b90cdd623faf1c488ac67
Opcode Fuzzy Hash: 983b589dbb5e09f6fc08b566a1fdcf98cebccfa861580db616c5d8a8c60aa1db
Instruction Fuzzy Hash: 8B81DF71644305AFD3109F68CD80F6BB3E9EF99714F44082CFD8697251EAB6EB019B92

Function 220C0FB0 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 180COMMON

Download Yara Rule

Strings

e, xrefs: 220C115A

Memory Dump Source

Source File: 00000001.00000002.2904202460.0000000022098000.00000020.00001000.00020000.00000000.sdmp, Offset: 22090000, based on PE: true

Associated: 00000001.00000002.2904173258.0000000022090000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.0000000022091000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.00000000221F6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.000000002229D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.000000002229F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.00000000222A8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905717837.00000000222D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_22090000_MSBuild.jbxd

Similarity

API ID:
String ID: e
API String ID: 0-4024072794
Opcode ID: 36bf8875baaf085edaede92fcfbfd96a80b42455c8294c9340591cc07f665f1e
Instruction ID: fa13b50861ffb4ebb35c211cd6c8067cb29899c103e0280d7970fa4ecf11ccd1
Opcode Fuzzy Hash: 36bf8875baaf085edaede92fcfbfd96a80b42455c8294c9340591cc07f665f1e
Instruction Fuzzy Hash: A05124B26043419FD705CF28CC80E6BB7E1EFA5321F10057AF88296661E771ED54EBA1

Function 2210DFC0 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 131COMMON

Download Yara Rule

Strings

%lld %lld, xrefs: 2210E055

Memory Dump Source

Source File: 00000001.00000002.2904202460.0000000022098000.00000020.00001000.00020000.00000000.sdmp, Offset: 22090000, based on PE: true

Associated: 00000001.00000002.2904173258.0000000022090000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.0000000022091000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.00000000221F6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.000000002229D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.000000002229F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.00000000222A8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905717837.00000000222D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_22090000_MSBuild.jbxd

Similarity

API ID:
String ID: %lld %lld
API String ID: 0-3794783949
Opcode ID: 85aec0ad0875a207d52e4d2e57dd03e367c2e3ba515ab1f82e14dd4bac7362f3
Instruction ID: 7726d95071b1fa9805552689cf3bc46f32297b8c9a15b7fcab388dfd284b71c2
Opcode Fuzzy Hash: 85aec0ad0875a207d52e4d2e57dd03e367c2e3ba515ab1f82e14dd4bac7362f3
Instruction Fuzzy Hash: EB3115B17413007FE7115B288D05F9BB7AEDF94B10F004818FE51932A2E776CB11ABA2

Function 221B14D0 Relevance: 16.1, APIs: 4, Strings: 5, Instructions: 360COMMON

Download Yara Rule

Strings

misuse, xrefs: 221B15AC
API called with finalized prepared statement, xrefs: 221B1586
ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 221B15A2
%s at line %d of [%.10s], xrefs: 221B15B1
API called with NULL prepared statement, xrefs: 221B1571

Memory Dump Source

Source File: 00000001.00000002.2904202460.0000000022098000.00000020.00001000.00020000.00000000.sdmp, Offset: 22090000, based on PE: true

Associated: 00000001.00000002.2904173258.0000000022090000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.0000000022091000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.00000000221F6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.000000002229D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.000000002229F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.00000000222A8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905717837.00000000222D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_22090000_MSBuild.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$API called with NULL prepared statement$API called with finalized prepared statement$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f$misuse
API String ID: 0-860711957
Opcode ID: 137e12cfcfa5cb73ed2c38ebd5998d5f960bd82f26cb7271658f4bef3cc0c1fb
Instruction ID: ea0b00f733746c5be9e87401ddbf823e2b7337b92469d7c48b1c140abc65328f
Opcode Fuzzy Hash: 137e12cfcfa5cb73ed2c38ebd5998d5f960bd82f26cb7271658f4bef3cc0c1fb
Instruction Fuzzy Hash: 78C1F0B1A807009BE7208F34D945F9777F5BF54358F06062CE89A8B262E776E748C792

Function 221BD4F0 Relevance: 16.1, APIs: 4, Strings: 5, Instructions: 310COMMON

Download Yara Rule

Strings

misuse, xrefs: 221BD5E7
API called with finalized prepared statement, xrefs: 221BD5C1
ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 221BD5DD
%s at line %d of [%.10s], xrefs: 221BD5EC
API called with NULL prepared statement, xrefs: 221BD5AC

Memory Dump Source

Source File: 00000001.00000002.2904202460.0000000022098000.00000020.00001000.00020000.00000000.sdmp, Offset: 22090000, based on PE: true

Associated: 00000001.00000002.2904173258.0000000022090000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.0000000022091000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.00000000221F6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.000000002229D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.000000002229F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.00000000222A8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905717837.00000000222D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_22090000_MSBuild.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$API called with NULL prepared statement$API called with finalized prepared statement$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f$misuse
API String ID: 0-860711957
Opcode ID: 7a07445ee9150284c7a8ade5de790f3bb32c1e9b07f920a7c99d6e221dae77f6
Instruction ID: cbd5d7fee0302d535aebe8f0441fb7b33061b975d17fb7555ee73fd74d234c76
Opcode Fuzzy Hash: 7a07445ee9150284c7a8ade5de790f3bb32c1e9b07f920a7c99d6e221dae77f6
Instruction Fuzzy Hash: E9B1CFB09807019FE7148F24D984F9777F4BF54718F044A2CF99A8B242E776E649CBA2

Function 22174D40 Relevance: 14.0, APIs: 9, Instructions: 476COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2904202460.0000000022098000.00000020.00001000.00020000.00000000.sdmp, Offset: 22090000, based on PE: true

Associated: 00000001.00000002.2904173258.0000000022090000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.0000000022091000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.00000000221F6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.000000002229D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.000000002229F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.00000000222A8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905717837.00000000222D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_22090000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50dbd7f006c88d150cdbfbc0c62b8c58e5f4e0be3267729676ebb04608605a62
Instruction ID: e26790610fdc1060c8fff6895e0e112ed84c05df6b73141b0e854ee1872aff25
Opcode Fuzzy Hash: 50dbd7f006c88d150cdbfbc0c62b8c58e5f4e0be3267729676ebb04608605a62
Instruction Fuzzy Hash: 22F1F3B0A80301AFD7109F64C948E6BB7B8EFD5715F040A2DED55C2242EBB5DB45CBA2

Function 22108200 Relevance: 14.0, APIs: 9, Instructions: 466COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2904202460.0000000022098000.00000020.00001000.00020000.00000000.sdmp, Offset: 22090000, based on PE: true

Associated: 00000001.00000002.2904173258.0000000022090000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.0000000022091000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.00000000221F6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.000000002229D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.000000002229F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.00000000222A8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905717837.00000000222D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_22090000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8178e483f995560b8d6ed66ce412e5aaff85833ba003402ad43d882b5eb59e64
Instruction ID: 13735b648104e541d8397f6b4d713252aa58ee5abcecfca57f833bb1d7ccccad
Opcode Fuzzy Hash: 8178e483f995560b8d6ed66ce412e5aaff85833ba003402ad43d882b5eb59e64
Instruction Fuzzy Hash: 3402C072988300AFC7108F64C944F9BB7E9BB88354F850A29FE89D7251D376DB54CB92

Function 22145940 Relevance: 12.4, APIs: 8, Instructions: 391COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2904202460.0000000022098000.00000020.00001000.00020000.00000000.sdmp, Offset: 22090000, based on PE: true

Associated: 00000001.00000002.2904173258.0000000022090000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.0000000022091000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.00000000221F6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.000000002229D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.000000002229F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.00000000222A8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905717837.00000000222D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_22090000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3594cca73ff39e6f162efd658c0921b381344f12960d793199527ece91460a2b
Instruction ID: af84847a875f260144bd860992cec5adaae80442b8e2f21a49f36302afbb4a31
Opcode Fuzzy Hash: 3594cca73ff39e6f162efd658c0921b381344f12960d793199527ece91460a2b
Instruction Fuzzy Hash: 75C14BB2E943056FE7009A18CC81FDB7795EFB2310F98062EE49D87392E925D749C792

Function 221351D0 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 141COMMON

Download Yara Rule

Strings

, xrefs: 22135334
REPLACE INTO '%q'.'%q_data'(id, block) VALUES(?,?), xrefs: 22135264

Memory Dump Source

Source File: 00000001.00000002.2904202460.0000000022098000.00000020.00001000.00020000.00000000.sdmp, Offset: 22090000, based on PE: true

Associated: 00000001.00000002.2904173258.0000000022090000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.0000000022091000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.00000000221F6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.000000002229D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.000000002229F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.00000000222A8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905717837.00000000222D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_22090000_MSBuild.jbxd

Similarity

API ID:
String ID: $REPLACE INTO '%q'.'%q_data'(id, block) VALUES(?,?)
API String ID: 0-69911113
Opcode ID: 1f8adb659d17cb0557c6a335caeee9e6a1b900becc030d8dd5d61f9146c34209
Instruction ID: 1f9273e9b159796e67d80433858f782b3d67f554c37a2fce49676ecb0c173370
Opcode Fuzzy Hash: 1f8adb659d17cb0557c6a335caeee9e6a1b900becc030d8dd5d61f9146c34209
Instruction Fuzzy Hash: 31418EB1A40301AFD701DF28CD80F5AB7E6FF98758F454528F988A7212D776EA50CB92

Function 2216D610 Relevance: 10.6, APIs: 7, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2904202460.0000000022098000.00000020.00001000.00020000.00000000.sdmp, Offset: 22090000, based on PE: true

Associated: 00000001.00000002.2904173258.0000000022090000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.0000000022091000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.00000000221F6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.000000002229D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.000000002229F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.00000000222A8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905717837.00000000222D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_22090000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8fd5a444f62547b55e1c478906cffc6cc5e8d8fd97acf4dcf33dab7dbce9423b
Instruction ID: af63b91e694ba304d82e9b0d14729e2b1d065e92b837a399d2eba4316803632e
Opcode Fuzzy Hash: 8fd5a444f62547b55e1c478906cffc6cc5e8d8fd97acf4dcf33dab7dbce9423b
Instruction Fuzzy Hash: 8C41C3B1640701AFCB009F26DD80EABB7E8FF55714F00462CF95986261E771EB25DBA2

Function 220F4760 Relevance: 9.4, APIs: 6, Instructions: 429COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2904202460.0000000022098000.00000020.00001000.00020000.00000000.sdmp, Offset: 22090000, based on PE: true

Associated: 00000001.00000002.2904173258.0000000022090000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.0000000022091000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.00000000221F6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.000000002229D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.000000002229F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.00000000222A8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905717837.00000000222D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_22090000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91f0489cda23e0f795e10cc68668c297be550a00bb102b1b172dacadd408b6e6
Instruction ID: 2bf8fc459a67934f3e36dbb63848197d1ac487bccc82bd4874fbc1f419e3fad2
Opcode Fuzzy Hash: 91f0489cda23e0f795e10cc68668c297be550a00bb102b1b172dacadd408b6e6
Instruction Fuzzy Hash: 77F1BF71A443419FC301CF28C948A1ABBE4BF84709F445A2DFE85D7212EB75EA45DBA2

Function 220A4820 Relevance: 9.3, APIs: 6, Instructions: 285COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2904202460.0000000022098000.00000020.00001000.00020000.00000000.sdmp, Offset: 22090000, based on PE: true

Associated: 00000001.00000002.2904173258.0000000022090000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.0000000022091000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.00000000221F6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.000000002229D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.000000002229F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.00000000222A8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905717837.00000000222D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_22090000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b0981ea89e8cfce3d16af7f123dfb2b9fdfd9cf10ab44208f1aae003f7c2b37
Instruction ID: e71918d295282dcc345a88a11e6dff99953ccc01ea7d71d696911785ae9304ba
Opcode Fuzzy Hash: 5b0981ea89e8cfce3d16af7f123dfb2b9fdfd9cf10ab44208f1aae003f7c2b37
Instruction Fuzzy Hash: 53B1DEB4914701AFD301CF25C884B1BB7F8BF99308F408B29FA5996241E7B5E594DF92

Function 220A5C70 Relevance: 9.1, APIs: 6, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2904202460.0000000022098000.00000020.00001000.00020000.00000000.sdmp, Offset: 22090000, based on PE: true

Associated: 00000001.00000002.2904173258.0000000022090000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.0000000022091000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.00000000221F6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.000000002229D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.000000002229F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.00000000222A8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905717837.00000000222D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_22090000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43830c2c14d87b3ae716c7a1980d3d4f048575f12cac28b556fe9d979f0dcba0
Instruction ID: d919490afc8890bae09c2fdb52a5d5eee7ef037af6f3e8c5289c70a00d4ba6e2
Opcode Fuzzy Hash: 43830c2c14d87b3ae716c7a1980d3d4f048575f12cac28b556fe9d979f0dcba0
Instruction Fuzzy Hash: 2D4143B16043009FDB15DF58C884F6ABBE0FF98310F504539EA828B691E772F940EB20

Function 22129090 Relevance: 9.1, APIs: 6, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2904202460.0000000022098000.00000020.00001000.00020000.00000000.sdmp, Offset: 22090000, based on PE: true

Associated: 00000001.00000002.2904173258.0000000022090000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.0000000022091000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.00000000221F6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.000000002229D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.000000002229F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.00000000222A8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905717837.00000000222D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_22090000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d47f1b51d67c7baf67822cb08691799272a86443dd1880ff2dbee36df851c8ba
Instruction ID: 703402b87ca8ce3a1a03d95ae6d5d2e25388e98580d9dd64c3109e9bdb07dacc
Opcode Fuzzy Hash: d47f1b51d67c7baf67822cb08691799272a86443dd1880ff2dbee36df851c8ba
Instruction Fuzzy Hash: 7131F1713007208FE320CF29D984EA6B3E5FF84325B1446B9E9428F666D722EE50EF50

Function 220FE200 Relevance: 9.1, APIs: 6, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2904202460.0000000022098000.00000020.00001000.00020000.00000000.sdmp, Offset: 22090000, based on PE: true

Associated: 00000001.00000002.2904173258.0000000022090000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.0000000022091000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.00000000221F6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.000000002229D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.000000002229F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.00000000222A8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905717837.00000000222D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_22090000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b191997983bb54f0584a30bb98bb6929d571bab28f3c70da9436d0f2c94ad67a
Instruction ID: 68a4c95e4fa6854848482c39775ddc4e5b8161239fdde9f0e490c8dae6e0f724
Opcode Fuzzy Hash: b191997983bb54f0584a30bb98bb6929d571bab28f3c70da9436d0f2c94ad67a
Instruction Fuzzy Hash: 751106B22453086FD3045BA4EC81FABF3DCEF58325F100439FA0692191EBB69A11B7A1

Function 220E06E0 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 238COMMON

Download Yara Rule

Strings

VUUU, xrefs: 220E083A

Memory Dump Source

Source File: 00000001.00000002.2904202460.0000000022098000.00000020.00001000.00020000.00000000.sdmp, Offset: 22090000, based on PE: true

Associated: 00000001.00000002.2904173258.0000000022090000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.0000000022091000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.00000000221F6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.000000002229D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.000000002229F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.00000000222A8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905717837.00000000222D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_22090000_MSBuild.jbxd

Similarity

API ID:
String ID: VUUU
API String ID: 0-2040033107
Opcode ID: 5022aa99b6cc931ec135024bc801fabb9239555204140af11e9ac1c94a743bb4
Instruction ID: e9f6e30f22bcd8fd5f93b8422040a4b076a31090c6daef3fa41d8f9fb08a4c71
Opcode Fuzzy Hash: 5022aa99b6cc931ec135024bc801fabb9239555204140af11e9ac1c94a743bb4
Instruction Fuzzy Hash: 3881D2B19043058FC715DF29C881A2BFBE5FF98300F044A6DE88E97242E771E984DBA1

Function 22111FE0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 90COMMON

Download Yara Rule

Strings

REPLACE INTO '%q'.'%q_data'(id, block) VALUES(?,?), xrefs: 22112001

Memory Dump Source

Source File: 00000001.00000002.2904202460.0000000022098000.00000020.00001000.00020000.00000000.sdmp, Offset: 22090000, based on PE: true

Associated: 00000001.00000002.2904173258.0000000022090000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.0000000022091000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.00000000221F6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.000000002229D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.000000002229F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.00000000222A8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905717837.00000000222D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_22090000_MSBuild.jbxd

Similarity

API ID:
String ID: REPLACE INTO '%q'.'%q_data'(id, block) VALUES(?,?)
API String ID: 0-914542581
Opcode ID: c61b2c6d57d6e6b2e1b38b74b40f21848fb4f13828f89e9d1effdcf98bd48cf5
Instruction ID: df45282dcb2745209d8c58e6118212760e3d48024b2470a9079337f28a8a3eda
Opcode Fuzzy Hash: c61b2c6d57d6e6b2e1b38b74b40f21848fb4f13828f89e9d1effdcf98bd48cf5
Instruction Fuzzy Hash: D92101B1540314AFDB10AF68DD40F96B7EAEF24354F004528F8449712AE7B2EA60DFA1

Function 22283300 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(?,2000000B,?,00000002,00000000,?,?,?,22283688,?,00000000), ref: 22283399
GetLocaleInfoW.KERNEL32(?,20001004,?,00000002,00000000,?,?,?,22283688,?,00000000), ref: 222833C2
GetACP.KERNEL32(?,?,22283688,?,00000000), ref: 222833D7

Strings

OCP, xrefs: 22283354
ACP, xrefs: 2228331E

Memory Dump Source

Source File: 00000001.00000002.2904202460.00000000221F6000.00000020.00001000.00020000.00000000.sdmp, Offset: 22090000, based on PE: true

Associated: 00000001.00000002.2904173258.0000000022090000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.0000000022091000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.0000000022098000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.000000002229D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.000000002229F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.00000000222A8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905717837.00000000222D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_22090000_MSBuild.jbxd

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: d7148b913ce144fcc2d374d62ad609bf4e03d8cfc557f14f10789f9b49337cfb
Instruction ID: 1fd56ee5f83d38aff22a9d7261c715c5ad035c115a0ffedbbc9016fec7fa3879
Opcode Fuzzy Hash: d7148b913ce144fcc2d374d62ad609bf4e03d8cfc557f14f10789f9b49337cfb
Instruction Fuzzy Hash: 23218E32B01302A6D7118F14CF04F8A73A6AF90A64B528564E909DF28DEF73DA40C3E2

Function 22093AA3 Relevance: 7.7, APIs: 5, Instructions: 183COMMON

Download Yara Rule

APIs

GetUserDefaultLCID.KERNEL32 ref: 2228365A
IsValidCodePage.KERNEL32(00000000), ref: 22283698
IsValidLocale.KERNEL32(?,00000001), ref: 222836AB
GetLocaleInfoW.KERNEL32(?,00001001,?,00000040), ref: 222836F3
GetLocaleInfoW.KERNEL32(?,00001002,?,00000040), ref: 2228370E

Memory Dump Source

Source File: 00000001.00000002.2904202460.0000000022091000.00000020.00001000.00020000.00000000.sdmp, Offset: 22090000, based on PE: true

Associated: 00000001.00000002.2904173258.0000000022090000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.0000000022098000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.00000000221F6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.000000002229D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.000000002229F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.00000000222A8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905717837.00000000222D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_22090000_MSBuild.jbxd

Similarity

API ID: Locale$InfoValid$CodeDefaultPageUser
String ID:
API String ID: 3475089800-0
Opcode ID: e3858a1144473319aac1f439d2e18ad35dfd9b063b51a638077729936f9a184f
Instruction ID: 3d5df9dd838ca678cfc0a6e4d04c700f9302d31d0ecabbb7028dbb5b841beccf
Opcode Fuzzy Hash: e3858a1144473319aac1f439d2e18ad35dfd9b063b51a638077729936f9a184f
Instruction Fuzzy Hash: E2516171A003169BDB00DBA8CE84AAE77B8BF18704F544569AA15EF188E776D900CB72

Function 2210A6F0 Relevance: 7.6, APIs: 5, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2904202460.0000000022098000.00000020.00001000.00020000.00000000.sdmp, Offset: 22090000, based on PE: true

Associated: 00000001.00000002.2904173258.0000000022090000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.0000000022091000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.00000000221F6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.000000002229D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.000000002229F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.00000000222A8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905717837.00000000222D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_22090000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4097a793fdae26b00938a6c0c2bfb7253caf78efd2de68a0c5aaa1c185935d74
Instruction ID: 1f0bff5d05dae26777d15166d14a39663be0fcd72e2b7841c273861fa262cef7
Opcode Fuzzy Hash: 4097a793fdae26b00938a6c0c2bfb7253caf78efd2de68a0c5aaa1c185935d74
Instruction Fuzzy Hash: 4A6139B05083919FC728CF15CA80B8BBBF1BF85380F514A9CE6985B368D7369605DF92

Function 220E8550 Relevance: 7.5, APIs: 5, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2904202460.0000000022098000.00000020.00001000.00020000.00000000.sdmp, Offset: 22090000, based on PE: true

Associated: 00000001.00000002.2904173258.0000000022090000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.0000000022091000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.00000000221F6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.000000002229D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.000000002229F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.00000000222A8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905717837.00000000222D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_22090000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3966a2d936edd45f59b6e0deb058351046a11c26772725d757917f5ea545eae4
Instruction ID: 81486afadf5138792e30d055c887bcb3af70d32d6185df1b66f325d30143551f
Opcode Fuzzy Hash: 3966a2d936edd45f59b6e0deb058351046a11c26772725d757917f5ea545eae4
Instruction Fuzzy Hash: F901D1B1A00301AFCB11AF14ED00F9BB7A5AFD5B15F14046CF90666260D772EC28F7A6

Function 220FE090 Relevance: 6.1, APIs: 4, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2904202460.0000000022098000.00000020.00001000.00020000.00000000.sdmp, Offset: 22090000, based on PE: true

Associated: 00000001.00000002.2904173258.0000000022090000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.0000000022091000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.00000000221F6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.000000002229D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.000000002229F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.00000000222A8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905717837.00000000222D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_22090000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70c88074b8a1ac63c4f5cfa05193e39510b50041e7647d1b6323bd3c83ef23ff
Instruction ID: aba262e218c8fd7174f99660113797ddc19620566201d6dcd16cc3bc5eabc5a8
Opcode Fuzzy Hash: 70c88074b8a1ac63c4f5cfa05193e39510b50041e7647d1b6323bd3c83ef23ff
Instruction Fuzzy Hash: 8831FDB15003009FD715CF09D940A77B7E4FB89714F0084AAF8558F252EB36E996EB91

Function 22092C8E Relevance: 6.1, APIs: 4, Instructions: 74COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017), ref: 222348A7
IsDebuggerPresent.KERNEL32 ref: 22234973
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 22234993
UnhandledExceptionFilter.KERNEL32(?), ref: 2223499D

Memory Dump Source

Source File: 00000001.00000002.2904202460.0000000022091000.00000020.00001000.00020000.00000000.sdmp, Offset: 22090000, based on PE: true

Associated: 00000001.00000002.2904173258.0000000022090000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.0000000022098000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.00000000221F6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.000000002229D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.000000002229F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.00000000222A8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905717837.00000000222D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_22090000_MSBuild.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: a59c5f27c7bc45c46734fadecb9f729190e44fbd1e12c0c96661e02c19444037
Instruction ID: 30ea3ae9711415dba219802a50417632de195db0209d9e556e732a151474b1a3
Opcode Fuzzy Hash: a59c5f27c7bc45c46734fadecb9f729190e44fbd1e12c0c96661e02c19444037
Instruction Fuzzy Hash: D53127B5D413199BDB11DFA4C989BCCBBF8BF08700F1041EAE409AB254EB759A85DF05

Function 220EEF30 Relevance: 6.1, APIs: 4, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2904202460.0000000022098000.00000020.00001000.00020000.00000000.sdmp, Offset: 22090000, based on PE: true

Associated: 00000001.00000002.2904173258.0000000022090000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.0000000022091000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.00000000221F6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.000000002229D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.000000002229F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.00000000222A8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905717837.00000000222D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_22090000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf41f3b5669224c1154e9b2a92fe1b82126ef762f8275621b626f57154db146f
Instruction ID: ce13019faa56c6aea719e6c277fc098004aa16f88c4bb618d5327d3d25a19e1c
Opcode Fuzzy Hash: bf41f3b5669224c1154e9b2a92fe1b82126ef762f8275621b626f57154db146f
Instruction Fuzzy Hash: 3A110431904B15AFD7128B28D940B46F7E0BF58734F054678F84E9BA61D361F8A0EBD2

Function 22153770 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2904202460.0000000022098000.00000020.00001000.00020000.00000000.sdmp, Offset: 22090000, based on PE: true

Associated: 00000001.00000002.2904173258.0000000022090000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.0000000022091000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.00000000221F6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.000000002229D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.000000002229F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.00000000222A8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905717837.00000000222D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_22090000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4ccdf9b743d75f8252b2851f4553c50142fb9d6052622b86404dbf4ff0d5e94
Instruction ID: db5c79d051318b02bcada64e8a3497910f2b7d3fc7df852193394e8f60800c66
Opcode Fuzzy Hash: f4ccdf9b743d75f8252b2851f4553c50142fb9d6052622b86404dbf4ff0d5e94
Instruction Fuzzy Hash: A2E09272104700ABCA226B50DE46E8BBBA6BF58B10F040C18F5D621670C6629864FB41

Function 221737E0 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2904202460.0000000022098000.00000020.00001000.00020000.00000000.sdmp, Offset: 22090000, based on PE: true

Associated: 00000001.00000002.2904173258.0000000022090000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.0000000022091000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.00000000221F6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.000000002229D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.000000002229F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.00000000222A8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905717837.00000000222D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_22090000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 163b20eed04c21f543b465dbf508e26d1b36e382aec2e71a79acdea727c2a907
Instruction ID: 2cd91a9a39db669b6c77862c6e33154d6973debcf3f06e3454e97ee06760efe0
Opcode Fuzzy Hash: 163b20eed04c21f543b465dbf508e26d1b36e382aec2e71a79acdea727c2a907
Instruction Fuzzy Hash: 38E0B672104780ABCB226F51DC45E8BFFA6AF58714F040C18F59661470C7B29CA5FB41

Function 22135910 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66COMMON

Download Yara Rule

Strings

INSERT INTO '%q'.'%q_idx'(segid,term,pgno) VALUES(?,?,?), xrefs: 2213597E

Memory Dump Source

Source File: 00000001.00000002.2904202460.0000000022098000.00000020.00001000.00020000.00000000.sdmp, Offset: 22090000, based on PE: true

Associated: 00000001.00000002.2904173258.0000000022090000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.0000000022091000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.00000000221F6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.000000002229D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.000000002229F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.00000000222A8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905717837.00000000222D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_22090000_MSBuild.jbxd

Similarity

API ID:
String ID: INSERT INTO '%q'.'%q_idx'(segid,term,pgno) VALUES(?,?,?)
API String ID: 0-143322027
Opcode ID: 34b5371c651364ac4e7255eec541ce13dd23ea040280a5224521eeb4a8077f27
Instruction ID: 09dad15944ca9b50b8567c366e7ca8a070d1a27fb8639f63588171d99185df1a
Opcode Fuzzy Hash: 34b5371c651364ac4e7255eec541ce13dd23ea040280a5224521eeb4a8077f27
Instruction Fuzzy Hash: 66117CB2500305BFE7109F54CC84F86BBADFF59714F004154F9089B252C7B2A6A4DBA0

Function 2214D3B0 Relevance: 4.6, APIs: 3, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2904202460.0000000022098000.00000020.00001000.00020000.00000000.sdmp, Offset: 22090000, based on PE: true

Associated: 00000001.00000002.2904173258.0000000022090000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.0000000022091000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.00000000221F6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.000000002229D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.000000002229F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.00000000222A8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905717837.00000000222D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_22090000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8743b1976aeacf839f7cace3b018848992c791ff5f34309028d6f306d8b79f79
Instruction ID: acbd4df9d76c6fd9b188fb96b1760f3b93cf71ec1aca81ae798c11a9fd3738ec
Opcode Fuzzy Hash: 8743b1976aeacf839f7cace3b018848992c791ff5f34309028d6f306d8b79f79
Instruction Fuzzy Hash: E1313DB0A50301ABEB04DF69DD84F96B3E9FF58314F448528FA49C3641EB75FA11CAA1

Function 221355B0 Relevance: 4.6, APIs: 3, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2904202460.0000000022098000.00000020.00001000.00020000.00000000.sdmp, Offset: 22090000, based on PE: true

Associated: 00000001.00000002.2904173258.0000000022090000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.0000000022091000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.00000000221F6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.000000002229D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.000000002229F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.00000000222A8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905717837.00000000222D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_22090000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f62a8c73af4e2e59d3115c4a3974e7d1e41273db8f6ab7c4482d9bf97485c702
Instruction ID: e8ebff3a8e03ad6a284f82a940572aaedfaaeccb26d8a36888cce50abecaf80c
Opcode Fuzzy Hash: f62a8c73af4e2e59d3115c4a3974e7d1e41273db8f6ab7c4482d9bf97485c702
Instruction Fuzzy Hash: 5431CDB1640300AFEB119F29DC84F57B7FAEF98718F104828F9458B252E771EA40CBA1

Function 2210E170 Relevance: 4.6, APIs: 3, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2904202460.0000000022098000.00000020.00001000.00020000.00000000.sdmp, Offset: 22090000, based on PE: true

Associated: 00000001.00000002.2904173258.0000000022090000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.0000000022091000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.00000000221F6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.000000002229D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.000000002229F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.00000000222A8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905717837.00000000222D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_22090000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41423e91d3ab8149865cec2a95da88f0e3ebfa3ddc330748143f49c6d82a98b8
Instruction ID: 7db3d55798ea58b6ec2c3b87f7f9c155fcc5296c49832931fd9580bf6093899e
Opcode Fuzzy Hash: 41423e91d3ab8149865cec2a95da88f0e3ebfa3ddc330748143f49c6d82a98b8
Instruction Fuzzy Hash: 5111E4B56503007BE600AB398D04F9B77AEEF94B54F140818FA45D3252EA76DB11D7A2

Function 22282D38 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 63COMMON

Download Yara Rule

APIs

EnumSystemLocalesW.KERNEL32(22282EA6,00000001,00000000,?,?,?,2228362E,00000000), ref: 22282DAA

Strings

.6(", xrefs: 22282D7F

Memory Dump Source

Source File: 00000001.00000002.2904202460.00000000221F6000.00000020.00001000.00020000.00000000.sdmp, Offset: 22090000, based on PE: true

Associated: 00000001.00000002.2904173258.0000000022090000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.0000000022091000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.0000000022098000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.000000002229D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.000000002229F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.00000000222A8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905717837.00000000222D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_22090000_MSBuild.jbxd

Similarity

API ID: EnumLocalesSystem
String ID: .6("
API String ID: 2099609381-3379720573
Opcode ID: 7f01524d9790b0926e97dd688e003822a8afd7d30cb1ce78e7d6336357a62c61
Instruction ID: 6474b3c14d6d127d3a9c57d2457741f139f1c7f9ac321a6172c885ed6e68cbb6
Opcode Fuzzy Hash: 7f01524d9790b0926e97dd688e003822a8afd7d30cb1ce78e7d6336357a62c61
Instruction Fuzzy Hash: 8811E9372007019FDB189F39C99076ABB91FF80358B14452DE94787785E7B6F942DB50

Function 22092112 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 56COMMON

Download Yara Rule

Strings

GetEnabledXStateFeatures, xrefs: 22270C61

Memory Dump Source

Source File: 00000001.00000002.2904202460.0000000022091000.00000020.00001000.00020000.00000000.sdmp, Offset: 22090000, based on PE: true

Associated: 00000001.00000002.2904173258.0000000022090000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.0000000022098000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.00000000221F6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.000000002229D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.000000002229F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.00000000222A8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905717837.00000000222D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_22090000_MSBuild.jbxd

Similarity

API ID:
String ID: GetEnabledXStateFeatures
API String ID: 0-1068256093
Opcode ID: 6c5e0afcc71a7a58630b66ea4841203fec33d922bd52b56d2fbbe21809f3d7c8
Instruction ID: 73ed8355d7a2d015af15dfbbaa32a7b5c0d12842191e42210c11338f09c2724c
Opcode Fuzzy Hash: 6c5e0afcc71a7a58630b66ea4841203fec33d922bd52b56d2fbbe21809f3d7c8
Instruction Fuzzy Hash: 83F0F6319053287BDF122F60DC08F9E3E26EF80B64F110410FD196A21CDB778A25EAC0

Function 22282DF9 Relevance: 1.5, APIs: 1, Instructions: 41COMMON

Download Yara Rule

APIs

EnumSystemLocalesW.KERNEL32(2228318D,00000001,?,?,?,?,222835F6,?), ref: 22282E43

Memory Dump Source

Source File: 00000001.00000002.2904202460.00000000221F6000.00000020.00001000.00020000.00000000.sdmp, Offset: 22090000, based on PE: true

Associated: 00000001.00000002.2904173258.0000000022090000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.0000000022091000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.0000000022098000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.000000002229D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.000000002229F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.00000000222A8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905717837.00000000222D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_22090000_MSBuild.jbxd

Similarity

API ID: EnumLocalesSystem
String ID:
API String ID: 2099609381-0
Opcode ID: 05359a78d7c2cdcc60a31113f2ffdc1204f081e3001d903d7884f6a1c9f2a93b
Instruction ID: 5d50b30be7c2426988f86702f38d709186ace26a3e2d486f80a78f26260b6b49
Opcode Fuzzy Hash: 05359a78d7c2cdcc60a31113f2ffdc1204f081e3001d903d7884f6a1c9f2a93b
Instruction Fuzzy Hash: 58F040372003052FDB144F388C80B6ABB90FF80768B04852CEA068B6C4C6B2FC02CAA4

Function 2226FF17 Relevance: 1.5, APIs: 1, Instructions: 33COMMON

Download Yara Rule

APIs

EnumSystemLocalesW.KERNEL32(2226FF01,00000001,222CD298,0000000C,22270A92,?), ref: 2226FF4F

Memory Dump Source

Source File: 00000001.00000002.2904202460.00000000221F6000.00000020.00001000.00020000.00000000.sdmp, Offset: 22090000, based on PE: true

Associated: 00000001.00000002.2904173258.0000000022090000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.0000000022091000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.0000000022098000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.000000002229D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.000000002229F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.00000000222A8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905717837.00000000222D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_22090000_MSBuild.jbxd

Similarity

API ID: EnumLocalesSystem
String ID:
API String ID: 2099609381-0
Opcode ID: 0770a07d57579eae3a5f202a05c141ae08a06c5bba17a473d33ef9f5570f0b2f
Instruction ID: dec2839b4a7e6e68e8211f5a557a23518a66a54c08545a4996762fd73b229c8a
Opcode Fuzzy Hash: 0770a07d57579eae3a5f202a05c141ae08a06c5bba17a473d33ef9f5570f0b2f
Instruction Fuzzy Hash: 62F01472A443009FEB00DFA8D844BADB7B0EB19B25F10456AE812DB294CB7A9941DF41

Function 22282CB6 Relevance: 1.5, APIs: 1, Instructions: 31COMMON

Download Yara Rule

APIs

EnumSystemLocalesW.KERNEL32(22282BE6,00000001,?,?,?,22283650,?), ref: 22282CED

Memory Dump Source

Source File: 00000001.00000002.2904202460.00000000221F6000.00000020.00001000.00020000.00000000.sdmp, Offset: 22090000, based on PE: true

Associated: 00000001.00000002.2904173258.0000000022090000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.0000000022091000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.0000000022098000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.000000002229D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.000000002229F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.00000000222A8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905717837.00000000222D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_22090000_MSBuild.jbxd

Similarity

API ID: EnumLocalesSystem
String ID:
API String ID: 2099609381-0
Opcode ID: e57d324eb25aa2f026a3e8ac61d5fcfd421f58e39c0f85c2ae803ba74aa50d31
Instruction ID: 27691ba5dda88a3170b1a19ebf4436c34484904a3ce57476e9d03476742077d8
Opcode Fuzzy Hash: e57d324eb25aa2f026a3e8ac61d5fcfd421f58e39c0f85c2ae803ba74aa50d31
Instruction Fuzzy Hash: 7AF0E53A30038657D7049F39CD44B6ABF94FFC1750B074058EE06CB695C6B6DA42DBA0

Function 220942AF Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_00004214), ref: 22234A98

Memory Dump Source

Source File: 00000001.00000002.2904202460.0000000022091000.00000020.00001000.00020000.00000000.sdmp, Offset: 22090000, based on PE: true

Associated: 00000001.00000002.2904173258.0000000022090000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.0000000022098000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.00000000221F6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.000000002229D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.000000002229F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.00000000222A8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905717837.00000000222D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_22090000_MSBuild.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 191e06a0622863aca95782b8bf7ea751ec015522c471d991df89c82bdc0e2ff0
Instruction ID: 8a5ca280f3dcb84a8288581ca8eeb19c28552653168345a278956dbc0fbe87f2
Opcode Fuzzy Hash: 191e06a0622863aca95782b8bf7ea751ec015522c471d991df89c82bdc0e2ff0
Instruction Fuzzy Hash: ED9002F0A943165A5D119651DA5DC046630654AA0134005A0A40E9441C451E4201F636

Function 22175660 Relevance: 56.5, APIs: 26, Strings: 6, Instructions: 452COMMON

Download Yara Rule

Strings

Auxiliary rtree columns must be last, xrefs: 221756B3, 221758B3
p$+", xrefs: 221756AB
,%.*s, xrefs: 22175804, 22175835
CREATE TABLE x(%.*s INT, xrefs: 221757CA
_node, xrefs: 2217579E
D$+", xrefs: 221756A3

Memory Dump Source

Source File: 00000001.00000002.2904202460.0000000022098000.00000020.00001000.00020000.00000000.sdmp, Offset: 22090000, based on PE: true

Associated: 00000001.00000002.2904173258.0000000022090000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.0000000022091000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.00000000221F6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.000000002229D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.000000002229F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.00000000222A8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905717837.00000000222D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_22090000_MSBuild.jbxd

Similarity

API ID:
String ID: ,%.*s$Auxiliary rtree columns must be last$CREATE TABLE x(%.*s INT$D$+"$_node$p$+"
API String ID: 0-188029629
Opcode ID: 7b3bf230c09845aff248272fb9f807779d886ad8a30dad141a8ddc701741f96f
Instruction ID: 373c0c3c40a0b57027cd6b552b491d5476eba4bba0509b9459c136eb9d3c4d39
Opcode Fuzzy Hash: 7b3bf230c09845aff248272fb9f807779d886ad8a30dad141a8ddc701741f96f
Instruction Fuzzy Hash: F2F10170940300AFD7108F24C984F5BB7F5BF94704F400A29ED8A97256DB7AEA59DBA2

Function 220BCC80 Relevance: 47.7, APIs: 15, Strings: 12, Instructions: 470COMMON

Download Yara Rule

Strings

%.16g, xrefs: 220BCFB3
%03d, xrefs: 220BCF81, 220BCF8B
%lld, xrefs: 220BD0EE
%02d:%02d:%02d, xrefs: 220BD12E
u, xrefs: 220BD16D
%2d, xrefs: 220BCE27
%04d, xrefs: 220BD1CE
%04d-%02d-%02d, xrefs: 220BCE82
%02d, xrefs: 220BCE2C, 220BCE34, 220BCF27, 220BCF6F, 220BCFCE, 220BCFE9, 220BD10A
%.3f, xrefs: 220BD0BF
%06.3f, xrefs: 220BCE5F
%02d:%02d, xrefs: 220BD080

Memory Dump Source

Source File: 00000001.00000002.2904202460.0000000022098000.00000020.00001000.00020000.00000000.sdmp, Offset: 22090000, based on PE: true

Associated: 00000001.00000002.2904173258.0000000022090000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.0000000022091000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.00000000221F6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.000000002229D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.000000002229F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.00000000222A8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905717837.00000000222D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_22090000_MSBuild.jbxd

Similarity

API ID:
String ID: %.16g$%.3f$%02d$%02d:%02d$%02d:%02d:%02d$%03d$%04d$%04d-%02d-%02d$%06.3f$%2d$%lld$u
API String ID: 0-1613945299
Opcode ID: 98be0b96ce570bfc8a090ba6af366d6f2c42051cf6c41a7b2ff99298c4a4f10a
Instruction ID: 968b69281ac6128d201b21747966ce7d4000c72328e325d827e9b8e59e2484bd
Opcode Fuzzy Hash: 98be0b96ce570bfc8a090ba6af366d6f2c42051cf6c41a7b2ff99298c4a4f10a
Instruction Fuzzy Hash: 35F100B1A08340AFE3258B64CC40F6FF7EAEFA9304F044A2DF98596251E639D944A752

Function 22139120 Relevance: 45.9, APIs: 23, Strings: 3, Instructions: 355COMMON

Download Yara Rule

Strings

,%s, xrefs: 22139297
CREATE TABLE x(_shape, xrefs: 22139268
_node, xrefs: 22139202

Memory Dump Source

Source File: 00000001.00000002.2904202460.0000000022098000.00000020.00001000.00020000.00000000.sdmp, Offset: 22090000, based on PE: true

Associated: 00000001.00000002.2904173258.0000000022090000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.0000000022091000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.00000000221F6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.000000002229D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.000000002229F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.00000000222A8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905717837.00000000222D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_22090000_MSBuild.jbxd

Similarity

API ID:
String ID: ,%s$CREATE TABLE x(_shape$_node
API String ID: 0-1242591684
Opcode ID: 7b2fe8990948ea183a8cd811bd7bd45938abd3a5696e839892eda92916d46ad2
Instruction ID: cddf8429dc8c23666f14cf0f1fa72a737e90bb7ff87125de703eaeb731b1d5bd
Opcode Fuzzy Hash: 7b2fe8990948ea183a8cd811bd7bd45938abd3a5696e839892eda92916d46ad2
Instruction Fuzzy Hash: 4FC125B19803009FD7218F24CD88F5777B9FF50709F040A28ED4A8725AD77AEA55DBA2

Function 221EB050 Relevance: 38.8, APIs: 10, Strings: 12, Instructions: 251COMMON

Download Yara Rule

Strings

%.16g, xrefs: 221EB217
(blob), xrefs: 221EB26C
%lld, xrefs: 221EB1DA, 221EB24C
NULL, xrefs: 221EB267, 221EB324, 221EB325
program, xrefs: 221EB2FB
,%s%s%s, xrefs: 221EB137
BINARY, xrefs: 221EB0D3
k(%d, xrefs: 221EB0A5
vtab:%p, xrefs: 221EB283
%c%u, xrefs: 221EB2C3
%s(%d), xrefs: 221EB1B3
%.18s-%s, xrefs: 221EB192

Memory Dump Source

Source File: 00000001.00000002.2904202460.0000000022098000.00000020.00001000.00020000.00000000.sdmp, Offset: 22090000, based on PE: true

Associated: 00000001.00000002.2904173258.0000000022090000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.0000000022091000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.00000000221F6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.000000002229D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.000000002229F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.00000000222A8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905717837.00000000222D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_22090000_MSBuild.jbxd

Similarity

API ID:
String ID: %.16g$%.18s-%s$%c%u$%lld$%s(%d)$(blob)$,%s%s%s$BINARY$NULL$k(%d$program$vtab:%p
API String ID: 0-900822179
Opcode ID: 82ee3f134e03a624b7242c17203d47d5a3d93018e74d62d9899541ed937c890d
Instruction ID: 27760513dd9f757baefd5d42924a56a6995a3a07bbe60cc094575fa2d27fbf91
Opcode Fuzzy Hash: 82ee3f134e03a624b7242c17203d47d5a3d93018e74d62d9899541ed937c890d
Instruction Fuzzy Hash: 7E91E3706087059BDB04CF14CCA1FABB7E6BF55704F044989F99A8B256D336DB06C7A2

Function 220AD820 Relevance: 35.2, APIs: 8, Strings: 12, Instructions: 223COMMON

Download Yara Rule

Strings

matchinfo, xrefs: 220AD970, 220AD98A
fts4, xrefs: 220AD9F0
porter, xrefs: 220AD8EE
offsets, xrefs: 220AD956
fts3tokenize, xrefs: 220ADA27
simple, xrefs: 220AD8A9
fts3_tokenizer, xrefs: 220AD921
unicode61, xrefs: 220AD90B
fts3, xrefs: 220AD9CA
fts4aux, xrefs: 220AD840
optimize, xrefs: 220AD9A4
snippet, xrefs: 220AD93C

Memory Dump Source

Source File: 00000001.00000002.2904202460.0000000022098000.00000020.00001000.00020000.00000000.sdmp, Offset: 22090000, based on PE: true

Associated: 00000001.00000002.2904173258.0000000022090000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.0000000022091000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.00000000221F6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.000000002229D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.000000002229F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.00000000222A8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905717837.00000000222D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_22090000_MSBuild.jbxd

Similarity

API ID:
String ID: fts3$fts3_tokenizer$fts3tokenize$fts4$fts4aux$matchinfo$offsets$optimize$porter$simple$snippet$unicode61
API String ID: 0-449611708
Opcode ID: b17068cd9cc55e1f8636e96533018a439564b1b912f1dd417e2be1e0c549eb5c
Instruction ID: 6e384e81f33ea15a4dca022fbcf4ae50f0f05517321df5f8a61a6c3cd24c995c
Opcode Fuzzy Hash: b17068cd9cc55e1f8636e96533018a439564b1b912f1dd417e2be1e0c549eb5c
Instruction Fuzzy Hash: DF514A70B443016BF7125AA45DD4F1B37D4AF20B59F440134FE1AA624FEBAAE705E292

Function 22227FB0 Relevance: 33.6, APIs: 14, Strings: 5, Instructions: 342COMMON

Download Yara Rule

Strings

winGetTempname5, xrefs: 22228233
winGetTempname2, xrefs: 22228094
etilqs_, xrefs: 2222824C
winGetTempname4, xrefs: 22228355
winGetTempname1, xrefs: 2222817B

Memory Dump Source

Source File: 00000001.00000002.2904202460.00000000221F6000.00000020.00001000.00020000.00000000.sdmp, Offset: 22090000, based on PE: true

Associated: 00000001.00000002.2904173258.0000000022090000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.0000000022091000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.0000000022098000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.000000002229D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.000000002229F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.00000000222A8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905717837.00000000222D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_22090000_MSBuild.jbxd

Similarity

API ID:
String ID: etilqs_$winGetTempname1$winGetTempname2$winGetTempname4$winGetTempname5
API String ID: 0-2933911573
Opcode ID: fccbf4b172bd82f37aa5dc2d57956b24591111cf6915372ba5b38d4440ddbfef
Instruction ID: 7508bf1ecdc88a420f579115122e936dbb16b455ac58f20113c833da8741f16c
Opcode Fuzzy Hash: fccbf4b172bd82f37aa5dc2d57956b24591111cf6915372ba5b38d4440ddbfef
Instruction Fuzzy Hash: 6AA19971A403025FE3008B24AD40BBA7B959F51316F840765ED85DB18BE6ABD60FE3B3

Function 220B2BE0 Relevance: 31.8, APIs: 8, Strings: 10, Instructions: 346COMMON

Download Yara Rule

Strings

API call with %s database connection pointer, xrefs: 220B2E5A
misuse, xrefs: 220B2E73
SELECT * FROM (SELECT 'sqlite_schema' AS name,1 AS rootpage,'table' AS type UNION ALL SELECT name,rootpage,type FROM "%w".sqlite_schema WHERE rootpage!=0), xrefs: 220B2DA4
invalid, xrefs: 220B2E4E
NULL, xrefs: 220B2E38
ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 220B2E69
%s at line %d of [%.10s], xrefs: 220B2E78
ORDER BY name, xrefs: 220B2DCC
unopened, xrefs: 220B2E55
WHERE name=%Q, xrefs: 220B2DB7

Memory Dump Source

Source File: 00000001.00000002.2904202460.0000000022098000.00000020.00001000.00020000.00000000.sdmp, Offset: 22090000, based on PE: true

Associated: 00000001.00000002.2904173258.0000000022090000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.0000000022091000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.00000000221F6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.000000002229D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.000000002229F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.00000000222A8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905717837.00000000222D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_22090000_MSBuild.jbxd

Similarity

API ID:
String ID: ORDER BY name$%s at line %d of [%.10s]$API call with %s database connection pointer$NULL$SELECT * FROM (SELECT 'sqlite_schema' AS name,1 AS rootpage,'table' AS type UNION ALL SELECT name,rootpage,type FROM "%w".sqlite_schema WHERE rootpage!=0)$WHERE name=%Q$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f$invalid$misuse$unopened
API String ID: 0-1179878930
Opcode ID: 0b4f63445940537b34ada44b43b435d450cf6c25057651d8956cfc7f293b5135
Instruction ID: 3ed579950f3137440a7c177efff234239cec816b17f20be87343679f7d143b0a
Opcode Fuzzy Hash: 0b4f63445940537b34ada44b43b435d450cf6c25057651d8956cfc7f293b5135
Instruction Fuzzy Hash: FAC157705043009FD7228F14CD48B5B37E5AF58349F044A39ED59AB247E3FAE64AE7A2

Function 2212EF60 Relevance: 29.9, APIs: 11, Strings: 6, Instructions: 192COMMON

Download Yara Rule

Strings

U+", xrefs: 2212EFA8
\W+", xrefs: 2212EFE8
dV+", xrefs: 2212F0F3
(W+", xrefs: 2212EFE0
,origin, xrefs: 2212F0D6, 2212F0DE
<V+", xrefs: 2212EFB0

Memory Dump Source

Source File: 00000001.00000002.2904202460.0000000022098000.00000020.00001000.00020000.00000000.sdmp, Offset: 22090000, based on PE: true

Associated: 00000001.00000002.2904173258.0000000022090000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.0000000022091000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.00000000221F6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.000000002229D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.000000002229F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.00000000222A8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905717837.00000000222D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_22090000_MSBuild.jbxd

Similarity

API ID:
String ID: (W+"$,origin$<V+"$\W+"$dV+"$U+"
API String ID: 0-2317320057
Opcode ID: b046fda13853bc641f65500769f3391e3ba28b7ab339e13e5dcb0232e11df4cd
Instruction ID: b5cfbd3d63c81803b2a1307b0e216811325478f6569b62eba62148c224ca8681
Opcode Fuzzy Hash: b046fda13853bc641f65500769f3391e3ba28b7ab339e13e5dcb0232e11df4cd
Instruction Fuzzy Hash: DE71AB71904700DFC7119F68CD84A5AB7B6FF98700F404A2CF9968B224DB33E960EB42

Function 220A5E20 Relevance: 26.7, APIs: 8, Strings: 7, Instructions: 496COMMON

Download Yara Rule

Strings

misuse, xrefs: 220A5F35, 220A625D, 220A638F
API called with finalized prepared statement, xrefs: 220A5F1F, 220A6247, 220A6379
recursive definition for %s.%s, xrefs: 220A5E4C
ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 220A5F2B, 220A6253, 220A6385
%s at line %d of [%.10s], xrefs: 220A5F3A, 220A6262, 220A6394
no such fts5 table: %s.%s, xrefs: 220A62EA
SELECT t.%Q FROM %Q.%Q AS t WHERE t.%Q MATCH '*id', xrefs: 220A5E6F

Memory Dump Source

Source File: 00000001.00000002.2904202460.0000000022098000.00000020.00001000.00020000.00000000.sdmp, Offset: 22090000, based on PE: true

Associated: 00000001.00000002.2904173258.0000000022090000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.0000000022091000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.00000000221F6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.000000002229D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.000000002229F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.00000000222A8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905717837.00000000222D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_22090000_MSBuild.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$API called with finalized prepared statement$SELECT t.%Q FROM %Q.%Q AS t WHERE t.%Q MATCH '*id'$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f$misuse$no such fts5 table: %s.%s$recursive definition for %s.%s
API String ID: 0-1070437968
Opcode ID: f9b7e04e565a41bf06b51c20b9abd747b2070e39b5252fd986a211d81c3ce460
Instruction ID: b468cd062d98dede6300e8e0d2d21004681cf4660a79559af8c4f5579294b824
Opcode Fuzzy Hash: f9b7e04e565a41bf06b51c20b9abd747b2070e39b5252fd986a211d81c3ce460
Instruction Fuzzy Hash: CD02EEB1A007009FEB028FA4CD94B5B7BF4BF54309F844938EA5987342E776E645DB92

Function 22119980 Relevance: 24.9, APIs: 7, Strings: 7, Instructions: 429COMMON

Download Yara Rule

Strings

misuse, xrefs: 22119A3F, 22119D9A
API called with finalized prepared statement, xrefs: 22119A19, 22119D84
ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 22119A35, 22119D90
no such function: %s, xrefs: 22119E8C
%s at line %d of [%.10s], xrefs: 22119A44, 22119D9F
SELECT %s, xrefs: 221199B1
API called with NULL prepared statement, xrefs: 22119A04

Memory Dump Source

Source File: 00000001.00000002.2904202460.0000000022098000.00000020.00001000.00020000.00000000.sdmp, Offset: 22090000, based on PE: true

Associated: 00000001.00000002.2904173258.0000000022090000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.0000000022091000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.00000000221F6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.000000002229D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.000000002229F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.00000000222A8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905717837.00000000222D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_22090000_MSBuild.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$API called with NULL prepared statement$API called with finalized prepared statement$SELECT %s$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f$misuse$no such function: %s
API String ID: 0-3900766660
Opcode ID: 6ce72f11481dea517fad1dcfd1d3708b7cc025f4f8777ac00f7ef070627ef06b
Instruction ID: fe61826a0dc7f82d8cd8a21cdae2f921ec2f69b3a40b50083b6b61252a86f51a
Opcode Fuzzy Hash: 6ce72f11481dea517fad1dcfd1d3708b7cc025f4f8777ac00f7ef070627ef06b
Instruction Fuzzy Hash: 6AE105B0A847059FD7208F24C940F9B77E4BF94718F04053CE9A99B24AE776EB45C792

Function 220D3800 Relevance: 24.7, APIs: 5, Strings: 9, Instructions: 184COMMON

Download Yara Rule

Strings

misuse, xrefs: 220D393A
cannot open value of type %s, xrefs: 220D38ED
real, xrefs: 220D3895, 220D38EC
API called with finalized prepared statement, xrefs: 220D3924
ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 220D3930
no such rowid: %lld, xrefs: 220D39F8
%s at line %d of [%.10s], xrefs: 220D393F
integer, xrefs: 220D389A
null, xrefs: 220D38E7

Memory Dump Source

Source File: 00000001.00000002.2904202460.0000000022098000.00000020.00001000.00020000.00000000.sdmp, Offset: 22090000, based on PE: true

Associated: 00000001.00000002.2904173258.0000000022090000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.0000000022091000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.00000000221F6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.000000002229D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.000000002229F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.00000000222A8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905717837.00000000222D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_22090000_MSBuild.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$API called with finalized prepared statement$cannot open value of type %s$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f$integer$misuse$no such rowid: %lld$null$real
API String ID: 0-1477268580
Opcode ID: 1e435ad2ba73baf36dd112d28de0c40cce890e12baeea40fc0d12dcd7beccd14
Instruction ID: 422e15f4bb1d6b0cb6649c77a5cc8ee34b1f4e17f88584213c9c951fcf395ecd
Opcode Fuzzy Hash: 1e435ad2ba73baf36dd112d28de0c40cce890e12baeea40fc0d12dcd7beccd14
Instruction Fuzzy Hash: C951FEB26003019FD7119F28DC80B1AB3E5FF94315F044A6DE9569BB42E772E914EBA2

Function 221BA150 Relevance: 23.0, APIs: 8, Strings: 5, Instructions: 226COMMON

Download Yara Rule

Strings

%s_data, xrefs: 221BA1BC
data, xrefs: 221BA1E4
segid, term, pgno, PRIMARY KEY(segid, term), xrefs: 221BA1FB
id INTEGER PRIMARY KEY, block BLOB, xrefs: 221BA1DF
idx, xrefs: 221BA200

Memory Dump Source

Source File: 00000001.00000002.2904202460.0000000022098000.00000020.00001000.00020000.00000000.sdmp, Offset: 22090000, based on PE: true

Associated: 00000001.00000002.2904173258.0000000022090000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.0000000022091000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.00000000221F6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.000000002229D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.000000002229F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.00000000222A8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905717837.00000000222D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_22090000_MSBuild.jbxd

Similarity

API ID:
String ID: %s_data$data$id INTEGER PRIMARY KEY, block BLOB$idx$segid, term, pgno, PRIMARY KEY(segid, term)
API String ID: 0-1009905541
Opcode ID: 08aaf06ce45162015fc2d6ae6b9adadea7b0f8d25d798fecf4d15d32d0b5c06f
Instruction ID: a65995f4bfe15a2e1335ba2e2859eefbded16956797ee2deec7b9d37af98af4f
Opcode Fuzzy Hash: 08aaf06ce45162015fc2d6ae6b9adadea7b0f8d25d798fecf4d15d32d0b5c06f
Instruction Fuzzy Hash: F7718D71D803009BD7109B65DE4CF4737B8AF1074AF400924ED46D629ADBBEEA15CBA2

Function 221BF370 Relevance: 22.9, APIs: 4, Strings: 9, Instructions: 196COMMON

Download Yara Rule

Strings

, c%d, xrefs: 221BF469
k PRIMARY KEY, v, xrefs: 221BF544
id INTEGER PRIMARY KEY, xrefs: 221BF43E
id INTEGER PRIMARY KEY, sz BLOB, xrefs: 221BF524, 221BF52C
content, xrefs: 221BF49D
id INTEGER PRIMARY KEY, sz BLOB, origin INTEGER, xrefs: 221BF51C
config, xrefs: 221BF549
version, xrefs: 221BF560
docsize, xrefs: 221BF52D

Memory Dump Source

Source File: 00000001.00000002.2904202460.0000000022098000.00000020.00001000.00020000.00000000.sdmp, Offset: 22090000, based on PE: true

Associated: 00000001.00000002.2904173258.0000000022090000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.0000000022091000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.00000000221F6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.000000002229D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.000000002229F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.00000000222A8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905717837.00000000222D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_22090000_MSBuild.jbxd

Similarity

API ID:
String ID: , c%d$config$content$docsize$id INTEGER PRIMARY KEY$id INTEGER PRIMARY KEY, sz BLOB$id INTEGER PRIMARY KEY, sz BLOB, origin INTEGER$k PRIMARY KEY, v$version
API String ID: 0-3918257174
Opcode ID: e9804ba3140d41adbcefb1c2a73f49c09320e903b76bba90277a285937c5657e
Instruction ID: 9b839629857ba20b6f2c217a5fa37a37b012d8882aff7fbd5473bed1fe6b0b82
Opcode Fuzzy Hash: e9804ba3140d41adbcefb1c2a73f49c09320e903b76bba90277a285937c5657e
Instruction Fuzzy Hash: 9A51D1319803109BC7209F24DD44F9AB7B8EF94765F050628FC459B205DB3AEB1ACBA2

Function 2209A6C0 Relevance: 22.9, APIs: 8, Strings: 5, Instructions: 195COMMON

Download Yara Rule

Strings

%c%g,%g, xrefs: 2209A78E
></polyline>, xrefs: 2209A845
<polyline points=, xrefs: 2209A74B
%s, xrefs: 2209A82E
%g,%g', xrefs: 2209A7D1

Memory Dump Source

Source File: 00000001.00000002.2904202460.0000000022098000.00000020.00001000.00020000.00000000.sdmp, Offset: 22090000, based on PE: true

Associated: 00000001.00000002.2904173258.0000000022090000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.0000000022091000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.00000000221F6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.000000002229D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.000000002229F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.00000000222A8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905717837.00000000222D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_22090000_MSBuild.jbxd

Similarity

API ID:
String ID: %g,%g'$ %s$%c%g,%g$<polyline points=$></polyline>
API String ID: 0-3443809342
Opcode ID: d075b37ecef55289b59369128b8f7c1e0f84b348114ca6a1d2fbe44042f75b1a
Instruction ID: 9e9904ca412bd98a6ce65d28678da8a7bcb9ecaaaa0c4a2720617be626179b80
Opcode Fuzzy Hash: d075b37ecef55289b59369128b8f7c1e0f84b348114ca6a1d2fbe44042f75b1a
Instruction Fuzzy Hash: E66145709007019BD7118F26CD44B2B73E5AF51B05F044638FC0A9B245E77EEA86E7D2

Function 221D8F40 Relevance: 22.9, APIs: 8, Strings: 5, Instructions: 177COMMON

Download Yara Rule

Strings

%!.20e, xrefs: 221D8FF1
%lld, xrefs: 221D900C
NULL, xrefs: 221D912E
%!.15g, xrefs: 221D8F83
NULL, xrefs: 221D9148

Memory Dump Source

Source File: 00000001.00000002.2904202460.0000000022098000.00000020.00001000.00020000.00000000.sdmp, Offset: 22090000, based on PE: true

Associated: 00000001.00000002.2904173258.0000000022090000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.0000000022091000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.00000000221F6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.000000002229D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.000000002229F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.00000000222A8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905717837.00000000222D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_22090000_MSBuild.jbxd

Similarity

API ID:
String ID: %!.15g$%!.20e$%lld$NULL$NULL
API String ID: 0-2115304644
Opcode ID: 914cb9cc04cc23b5c70e4e8833986f1888d4f6dbe544325cdae156abb44625d1
Instruction ID: d48ce0fba8095b853ef32d1d07424b3f876d13a3de7b35ff121bdae29a0e95e8
Opcode Fuzzy Hash: 914cb9cc04cc23b5c70e4e8833986f1888d4f6dbe544325cdae156abb44625d1
Instruction Fuzzy Hash: 3D515772A047109FD720DF188C51EABB7E8EF91308F44495CF8996B61AE336EB45C792

Function 220A3420 Relevance: 21.4, APIs: 6, Strings: 6, Instructions: 392COMMON

Download Yara Rule

Strings

misuse, xrefs: 220A3552, 220A359E
API called with finalized prepared statement, xrefs: 220A352C, 220A3588
ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 220A3548, 220A3594
%s at line %d of [%.10s], xrefs: 220A3557, 220A35A3
ATTACH x AS %Q, xrefs: 220A346F
API called with NULL prepared statement, xrefs: 220A3517

Memory Dump Source

Source File: 00000001.00000002.2904202460.0000000022098000.00000020.00001000.00020000.00000000.sdmp, Offset: 22090000, based on PE: true

Associated: 00000001.00000002.2904173258.0000000022090000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.0000000022091000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.00000000221F6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.000000002229D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.000000002229F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.00000000222A8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905717837.00000000222D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_22090000_MSBuild.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$API called with NULL prepared statement$API called with finalized prepared statement$ATTACH x AS %Q$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f$misuse
API String ID: 0-2988319395
Opcode ID: 084dab4362a5dd1f040bb760c41ce3cbf7872d5080eb5e8cca291b17b5543a13
Instruction ID: 40a0c625beffd913295b7851ec6ddadb345cbb2fb94e67afac5d77c903423442
Opcode Fuzzy Hash: 084dab4362a5dd1f040bb760c41ce3cbf7872d5080eb5e8cca291b17b5543a13
Instruction Fuzzy Hash: 35D1E1B09003019BD7128F68CD58B1B77E4BF50709F804A38FA5ACF246E776E644DBA2

Function 22174B10 Relevance: 21.2, APIs: 5, Strings: 7, Instructions: 156COMMON

Download Yara Rule

Strings

rtree constraint failed: %s.(%s<=%s), xrefs: 22174BF9
SELECT * FROM %Q.%Q, xrefs: 22174B25
misuse, xrefs: 22174C34
UNIQUE constraint failed: %s.%s, xrefs: 22174BC9
API called with finalized prepared statement, xrefs: 22174C1E
ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 22174C2A
%s at line %d of [%.10s], xrefs: 22174C39

Memory Dump Source

Source File: 00000001.00000002.2904202460.0000000022098000.00000020.00001000.00020000.00000000.sdmp, Offset: 22090000, based on PE: true

Associated: 00000001.00000002.2904173258.0000000022090000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.0000000022091000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.00000000221F6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.000000002229D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.000000002229F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.00000000222A8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905717837.00000000222D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_22090000_MSBuild.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$API called with finalized prepared statement$SELECT * FROM %Q.%Q$UNIQUE constraint failed: %s.%s$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f$misuse$rtree constraint failed: %s.(%s<=%s)
API String ID: 0-2013246442
Opcode ID: e2e63a13ac14485cc3acd1bc0970f94bae21accb03dd2366c9fd0e510b829a92
Instruction ID: 323d414467747aa37e82828bf84d2d5eb6911745c44079ae0bfeb2c3171eb88d
Opcode Fuzzy Hash: e2e63a13ac14485cc3acd1bc0970f94bae21accb03dd2366c9fd0e510b829a92
Instruction Fuzzy Hash: A6412571E80308AFE7015F659D49F9B33BCEFA0759F000A28FD0596249E7669B04D6B2

Function 22227C10 Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 150COMMON

Download Yara Rule

Strings

%s%c%s, xrefs: 22227C7A
winFullPathname2, xrefs: 22227D35
winFullPathname1, xrefs: 22227CC9

Memory Dump Source

Source File: 00000001.00000002.2904202460.00000000221F6000.00000020.00001000.00020000.00000000.sdmp, Offset: 22090000, based on PE: true

Associated: 00000001.00000002.2904173258.0000000022090000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.0000000022091000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.0000000022098000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.000000002229D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.000000002229F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.00000000222A8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905717837.00000000222D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_22090000_MSBuild.jbxd

Similarity

API ID:
String ID: %s%c%s$winFullPathname1$winFullPathname2
API String ID: 0-2846052723
Opcode ID: c11d73df2091dbba13a9d06e21844fbd68d3a454304340be1625f7618b72712c
Instruction ID: b900a0d131dbc04e26fe4e127dde263729f57e088de6502849b3722ce567c7a3
Opcode Fuzzy Hash: c11d73df2091dbba13a9d06e21844fbd68d3a454304340be1625f7618b72712c
Instruction Fuzzy Hash: 9041CA72A087122FF3205730BD44FBB37E99F45B14F04067CF98A9508ADB6BD902D262

Function 2221AAD0 Relevance: 21.1, APIs: 6, Strings: 6, Instructions: 130COMMON

Download Yara Rule

Strings

bind on a busy prepared statement: [%s], xrefs: 2221AB94
misuse, xrefs: 2221AB15, 2221AB56, 2221ABAA
API called with finalized prepared statement, xrefs: 2221AAEF
ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 2221AB0B, 2221AB4C, 2221ABA0
%s at line %d of [%.10s], xrefs: 2221AB1A, 2221AB5B, 2221ABAF
API called with NULL prepared statement, xrefs: 2221AAD9

Memory Dump Source

Source File: 00000001.00000002.2904202460.00000000221F6000.00000020.00001000.00020000.00000000.sdmp, Offset: 22090000, based on PE: true

Associated: 00000001.00000002.2904173258.0000000022090000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.0000000022091000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.0000000022098000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.000000002229D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.000000002229F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.00000000222A8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905717837.00000000222D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_22090000_MSBuild.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$API called with NULL prepared statement$API called with finalized prepared statement$bind on a busy prepared statement: [%s]$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f$misuse
API String ID: 0-3679126755
Opcode ID: a14e7a4aa494259abd910d3243561033eab5821d36ea86645101ec06724a6983
Instruction ID: f28d23ec5892fb32b5e92415cd47a87267a92140f5948b34af488f05938731b3
Opcode Fuzzy Hash: a14e7a4aa494259abd910d3243561033eab5821d36ea86645101ec06724a6983
Instruction Fuzzy Hash: F441F170700705ABE7108F68DC81F8673E5BFA0705F040428FA59AF38EE76AD680D7A1

Function 221BECF0 Relevance: 19.6, APIs: 9, Strings: 2, Instructions: 335COMMON

Download Yara Rule

Strings

content, xrefs: 221BEFDF
docsize, xrefs: 221BF020

Memory Dump Source

Source File: 00000001.00000002.2904202460.0000000022098000.00000020.00001000.00020000.00000000.sdmp, Offset: 22090000, based on PE: true

Associated: 00000001.00000002.2904173258.0000000022090000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.0000000022091000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.00000000221F6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.000000002229D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.000000002229F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.00000000222A8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905717837.00000000222D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_22090000_MSBuild.jbxd

Similarity

API ID:
String ID: content$docsize
API String ID: 0-1024698521
Opcode ID: f29d26c0b5713dc9b9801e80b1d728dfdda9fbf1260ef9e04b99337ed50fa9d4
Instruction ID: 9f066585c447a982843973c289136299a32e3e643bd13415b3b9aeacd19129e4
Opcode Fuzzy Hash: f29d26c0b5713dc9b9801e80b1d728dfdda9fbf1260ef9e04b99337ed50fa9d4
Instruction Fuzzy Hash: 65C1DC71984311AFC310CF24C984F9BB3F5AFA4754F910A28FD54AB221D7B6EA45CB92

Function 22145470 Relevance: 19.5, APIs: 8, Strings: 3, Instructions: 225COMMON

Download Yara Rule

Strings

%lld, xrefs: 2214550D
%!0.15g, xrefs: 221454D2
JSON cannot hold BLOB values, xrefs: 22145697

Memory Dump Source

Source File: 00000001.00000002.2904202460.0000000022098000.00000020.00001000.00020000.00000000.sdmp, Offset: 22090000, based on PE: true

Associated: 00000001.00000002.2904173258.0000000022090000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.0000000022091000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.00000000221F6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.000000002229D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.000000002229F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.00000000222A8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905717837.00000000222D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_22090000_MSBuild.jbxd

Similarity

API ID:
String ID: %!0.15g$%lld$JSON cannot hold BLOB values
API String ID: 0-1047910854
Opcode ID: 107969ff1e57d023ccf630c586ac38caa974f913ebaad5a0b16c219806be09da
Instruction ID: a3754334fdcd129693cf683ba112ac471a6972f3f969fb108e9ef6c67a277594
Opcode Fuzzy Hash: 107969ff1e57d023ccf630c586ac38caa974f913ebaad5a0b16c219806be09da
Instruction Fuzzy Hash: A851AF729403007EE3105B18EC41FBA77A6DFA2724F24025DF95E5B282EF679751D2A1

Function 220C2B70 Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 183COMMON

Download Yara Rule

Strings

ABLE x, xrefs: 220C2BB6
("%s", xrefs: 220C2C4A
%c"%s", xrefs: 220C2C1B
,schema HIDDEN, xrefs: 220C2CD2
,arg HIDDEN, xrefs: 220C2C7A

Memory Dump Source

Source File: 00000001.00000002.2904202460.0000000022098000.00000020.00001000.00020000.00000000.sdmp, Offset: 22090000, based on PE: true

Associated: 00000001.00000002.2904173258.0000000022090000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.0000000022091000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.00000000221F6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.000000002229D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.000000002229F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.00000000222A8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905717837.00000000222D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_22090000_MSBuild.jbxd

Similarity

API ID:
String ID: %c"%s"$("%s"$,arg HIDDEN$,schema HIDDEN$ABLE x
API String ID: 0-1763475469
Opcode ID: 1f134c5d6f2165ff449ca9d24ff8821ac9653f2b0695425a7eb0887e80ade687
Instruction ID: 35dec3246367aeffd60f7c61d7a78ef257a11553ed14465bb08b96327692d800
Opcode Fuzzy Hash: 1f134c5d6f2165ff449ca9d24ff8821ac9653f2b0695425a7eb0887e80ade687
Instruction Fuzzy Hash: 7E7193B09083419FD300CF64C954B5EBBE0FFA8708F004A6EF89997A51D7BAD645DB92

Function 22176380 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 110COMMON

Download Yara Rule

Strings

K", xrefs: 22176381, 221764AB, 221764BE, 221764DC

Memory Dump Source

Source File: 00000001.00000002.2904202460.0000000022098000.00000020.00001000.00020000.00000000.sdmp, Offset: 22090000, based on PE: true

Associated: 00000001.00000002.2904173258.0000000022090000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.0000000022091000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.00000000221F6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.000000002229D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.000000002229F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.00000000222A8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905717837.00000000222D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_22090000_MSBuild.jbxd

Similarity

API ID:
String ID: K"
API String ID: 0-2015349305
Opcode ID: 158feb572ec1821b6f5d1d70375c925ab0f293d9fcdc730727b9dd3e0301eab2
Instruction ID: 393200bd9dbb1af86e0a8f660ff12da4367b8a3680a003d67750df17db2adb9c
Opcode Fuzzy Hash: 158feb572ec1821b6f5d1d70375c925ab0f293d9fcdc730727b9dd3e0301eab2
Instruction Fuzzy Hash: 5141BF308807409FC7105B25DD4CE0777B8BF60B1AF404A28ED46D262EDBBAE655EB62

Function 2213AA40 Relevance: 17.8, APIs: 5, Strings: 5, Instructions: 334COMMON

Download Yara Rule

Strings

misuse, xrefs: 2213AAC2, 2213AD8C
API called with finalized prepared statement, xrefs: 2213AA9C, 2213AD76
ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 2213AAB8, 2213AD82
%s at line %d of [%.10s], xrefs: 2213AAC7, 2213AD91
API called with NULL prepared statement, xrefs: 2213AA87

Memory Dump Source

Source File: 00000001.00000002.2904202460.0000000022098000.00000020.00001000.00020000.00000000.sdmp, Offset: 22090000, based on PE: true

Associated: 00000001.00000002.2904173258.0000000022090000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.0000000022091000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.00000000221F6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.000000002229D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.000000002229F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.00000000222A8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905717837.00000000222D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_22090000_MSBuild.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$API called with NULL prepared statement$API called with finalized prepared statement$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f$misuse
API String ID: 0-860711957
Opcode ID: 404a5c7a333c84823f5c7427672b5862dcd58a7c983033e7e67edd4f0d91bb8d
Instruction ID: f18c3664940765aef98cf960ec612a1a570bfb9318d3cc0e34b411b9d01120d8
Opcode Fuzzy Hash: 404a5c7a333c84823f5c7427672b5862dcd58a7c983033e7e67edd4f0d91bb8d
Instruction Fuzzy Hash: A1B13AB1A803059FE7128F249D44F9B77DAAF50319F04052CE996972C2EB7EE744C7A2

Function 220BA170 Relevance: 17.8, APIs: 8, Strings: 2, Instructions: 286COMMON

Download Yara Rule

Strings

JSON path error near '%q', xrefs: 220BA3D7
malformed JSON, xrefs: 220BA283

Memory Dump Source

Source File: 00000001.00000002.2904202460.0000000022098000.00000020.00001000.00020000.00000000.sdmp, Offset: 22090000, based on PE: true

Associated: 00000001.00000002.2904173258.0000000022090000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.0000000022091000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.00000000221F6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.000000002229D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.000000002229F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.00000000222A8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905717837.00000000222D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_22090000_MSBuild.jbxd

Similarity

API ID:
String ID: JSON path error near '%q'$malformed JSON
API String ID: 0-560895927
Opcode ID: 1e454860ddaabbe6b2febd09a515ce9273a5618154dbe041ffd53172375bd508
Instruction ID: de3f3d739ecd7be8b5d56a0dfc61eb562145d978870990a16369b2d323976fb8
Opcode Fuzzy Hash: 1e454860ddaabbe6b2febd09a515ce9273a5618154dbe041ffd53172375bd508
Instruction Fuzzy Hash: B2A12AB1A003009FD731CF25D844B66B7E5EFD4308F24457DE9898B242E77AEA46E791

Function 220C3D20 Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 223COMMON

Download Yara Rule

Strings

=%Q, xrefs: 220C3E7F
%Q., xrefs: 220C3E11
PRAGMA , xrefs: 220C3DC5

Memory Dump Source

Source File: 00000001.00000002.2904202460.0000000022098000.00000020.00001000.00020000.00000000.sdmp, Offset: 22090000, based on PE: true

Associated: 00000001.00000002.2904173258.0000000022090000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.0000000022091000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.00000000221F6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.000000002229D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.000000002229F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.00000000222A8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905717837.00000000222D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_22090000_MSBuild.jbxd

Similarity

API ID:
String ID: %Q.$=%Q$PRAGMA
API String ID: 0-2099833060
Opcode ID: 9c5a2bbdc07ac5553ba9baca0536681910201314693e4e30a2b276dcfcd657d6
Instruction ID: 5becc60421f97e77594de4bd2b187d1615db372d996275ef631660ed3b69a1c8
Opcode Fuzzy Hash: 9c5a2bbdc07ac5553ba9baca0536681910201314693e4e30a2b276dcfcd657d6
Instruction Fuzzy Hash: 857111B1A043009BD701DF28DD44B5FB7E4AF54308F040A69FD45DB286E33AEA09DBA6

Function 220AB980 Relevance: 16.7, APIs: 11, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2904202460.0000000022098000.00000020.00001000.00020000.00000000.sdmp, Offset: 22090000, based on PE: true

Associated: 00000001.00000002.2904173258.0000000022090000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.0000000022091000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.00000000221F6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.000000002229D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.000000002229F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.00000000222A8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905717837.00000000222D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_22090000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed3f3daafd50ac8d65e6ce8017a52c6e60979d16f424c8ad43f1b315c1adca3a
Instruction ID: 6705252fac4661857333dd0369cac8b4a38f7a22a9576b27b94dcc3aab15c33d
Opcode Fuzzy Hash: ed3f3daafd50ac8d65e6ce8017a52c6e60979d16f424c8ad43f1b315c1adca3a
Instruction Fuzzy Hash: 5D8167718053419BD7028FA08970B2ABBF0AF75304FC40678EB951721AD7B5DA96E792

Function 220EF600 Relevance: 16.7, APIs: 11, Instructions: 199COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2904202460.0000000022098000.00000020.00001000.00020000.00000000.sdmp, Offset: 22090000, based on PE: true

Associated: 00000001.00000002.2904173258.0000000022090000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.0000000022091000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.00000000221F6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.000000002229D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.000000002229F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.00000000222A8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905717837.00000000222D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_22090000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a70c7127cf5330d89c7d45b3115e672d80e76ffd15e8db3879d2d7a1d690e5da
Instruction ID: b1a80d2735372c926341b50490c53274f341ba345e11c8d5ba6ee8e1f97e40c9
Opcode Fuzzy Hash: a70c7127cf5330d89c7d45b3115e672d80e76ffd15e8db3879d2d7a1d690e5da
Instruction Fuzzy Hash: B151E0B1A043016FD701DF14DC80F6BB3E8EF94714F40053DF94A97251EB25AE99ABA2

Function 22111940 Relevance: 16.1, APIs: 5, Strings: 4, Instructions: 345COMMON

Download Yara Rule

Strings

misuse, xrefs: 22111B21
block, xrefs: 22111A90
ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 22111B17
%s at line %d of [%.10s], xrefs: 22111B26

Memory Dump Source

Source File: 00000001.00000002.2904202460.0000000022098000.00000020.00001000.00020000.00000000.sdmp, Offset: 22090000, based on PE: true

Associated: 00000001.00000002.2904173258.0000000022090000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.0000000022091000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.00000000221F6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.000000002229D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.000000002229F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.00000000222A8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905717837.00000000222D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_22090000_MSBuild.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$block$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f$misuse
API String ID: 0-4016964285
Opcode ID: 6889e82cad6887831c6c0d93ebe30bde3baeb92cb28c372dd74cdaa070e21b01
Instruction ID: 2540d6808763d18c0a6ca44f9587ebfe4985faec9ba5f8a0b2ab101b66a0a061
Opcode Fuzzy Hash: 6889e82cad6887831c6c0d93ebe30bde3baeb92cb28c372dd74cdaa070e21b01
Instruction Fuzzy Hash: 69C1F2B19403549FCB10CF28D948F9ABBA4BF04315F054679FD599B266E336DB04CBA2

Function 220BFED0 Relevance: 16.0, APIs: 3, Strings: 6, Instructions: 257COMMON

Download Yara Rule

Strings

abort due to ROLLBACK, xrefs: 220C0068
another row available, xrefs: 220C0076, 220C0081
%llu, xrefs: 220BFF3C
no more rows available, xrefs: 220C006F
%llu, xrefs: 220BFFF7
unknown error, xrefs: 220C003E

Memory Dump Source

Source File: 00000001.00000002.2904202460.0000000022098000.00000020.00001000.00020000.00000000.sdmp, Offset: 22090000, based on PE: true

Associated: 00000001.00000002.2904173258.0000000022090000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.0000000022091000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.00000000221F6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.000000002229D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.000000002229F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.00000000222A8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905717837.00000000222D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_22090000_MSBuild.jbxd

Similarity

API ID:
String ID: %llu$%llu$abort due to ROLLBACK$another row available$no more rows available$unknown error
API String ID: 0-1539118790
Opcode ID: 5766496194bcc9cc51baaafd5f3a38be36807b9dda74d4f98320992ce2abf6c4
Instruction ID: 3ed69b3d2b0614267906fdce57246def0b3bad835f5d7002d8fdf29543377aee
Opcode Fuzzy Hash: 5766496194bcc9cc51baaafd5f3a38be36807b9dda74d4f98320992ce2abf6c4
Instruction Fuzzy Hash: 319102B1A443009BC7058F18C988B9EB7E2BF84359F54063DFD499B391D73AE946DB42

Function 221C70B0 Relevance: 16.0, APIs: 3, Strings: 6, Instructions: 227COMMON

Download Yara Rule

Strings

misuse, xrefs: 221C7217
API called with finalized prepared statement, xrefs: 221C7201
ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 221C720D
orphan index, xrefs: 221C72C2
%s at line %d of [%.10s], xrefs: 221C721C
invalid rootpage, xrefs: 221C715C, 221C730E

Memory Dump Source

Source File: 00000001.00000002.2904202460.0000000022098000.00000020.00001000.00020000.00000000.sdmp, Offset: 22090000, based on PE: true

Associated: 00000001.00000002.2904173258.0000000022090000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.0000000022091000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.00000000221F6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.000000002229D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.000000002229F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.00000000222A8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905717837.00000000222D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_22090000_MSBuild.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$API called with finalized prepared statement$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f$invalid rootpage$misuse$orphan index
API String ID: 0-165706444
Opcode ID: bb435426ed7815811d80949a1b7f6c6839ac7bc085af49ab3b8d4bcadf58d1c8
Instruction ID: 5936321ed9e16be3e85a6a25e2ef30016b3dc7de17e4cef09e3047d0d8673a16
Opcode Fuzzy Hash: bb435426ed7815811d80949a1b7f6c6839ac7bc085af49ab3b8d4bcadf58d1c8
Instruction Fuzzy Hash: 40616AB9A803406BD7114A309D80FDB77ACEFB1319F140469FD549624BE7A6D316C3A3

Function 220B3A50 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 172COMMON

Download Yara Rule

Strings

bad page number, xrefs: 220B3BE3
cannot delete, xrefs: 220B3A82
no such schema, xrefs: 220B3BEA
cannot insert, xrefs: 220B3BF1, 220B3C52
bad page value, xrefs: 220B3BDC
read-only, xrefs: 220B3A71

Memory Dump Source

Source File: 00000001.00000002.2904202460.0000000022098000.00000020.00001000.00020000.00000000.sdmp, Offset: 22090000, based on PE: true

Associated: 00000001.00000002.2904173258.0000000022090000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.0000000022091000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.00000000221F6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.000000002229D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.000000002229F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.00000000222A8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905717837.00000000222D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_22090000_MSBuild.jbxd

Similarity

API ID:
String ID: bad page number$bad page value$cannot delete$cannot insert$no such schema$read-only
API String ID: 0-1499782803
Opcode ID: 01d918da7f920a8f4bb904fe723781eee3f3a354d705b8e9156887c4d0366f75
Instruction ID: 73f0447e4f968dbbd3f3f8e028cc35ffb39231c89fa324d7f3393eefd50205db
Opcode Fuzzy Hash: 01d918da7f920a8f4bb904fe723781eee3f3a354d705b8e9156887c4d0366f75
Instruction Fuzzy Hash: 04512E72A043009BD7219F18CD85F1A77F4AF60359F244839EE098F21AE737E945E762

Function 221CB0E0 Relevance: 15.9, APIs: 2, Strings: 7, Instructions: 117COMMON

Download Yara Rule

Strings

API call with %s database connection pointer, xrefs: 221CB0F9
misuse, xrefs: 221CB112
invalid, xrefs: 221CB13E
NULL, xrefs: 221CB0F4
ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 221CB108
%s at line %d of [%.10s], xrefs: 221CB117
unopened, xrefs: 221CB145

Memory Dump Source

Source File: 00000001.00000002.2904202460.0000000022098000.00000020.00001000.00020000.00000000.sdmp, Offset: 22090000, based on PE: true

Associated: 00000001.00000002.2904173258.0000000022090000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.0000000022091000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.00000000221F6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.000000002229D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.000000002229F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.00000000222A8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905717837.00000000222D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_22090000_MSBuild.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$API call with %s database connection pointer$NULL$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f$invalid$misuse$unopened
API String ID: 0-538076154
Opcode ID: 1d046b3e76ee0f36c4e11fba47d93ecc66a47c387a490a8c29a63005a6a29881
Instruction ID: bc8cea2ceff946dab7c31192b31df1fcdbb6940430ce10bc1bc5f3464973cdb6
Opcode Fuzzy Hash: 1d046b3e76ee0f36c4e11fba47d93ecc66a47c387a490a8c29a63005a6a29881
Instruction Fuzzy Hash: 09318879684304ABE7111E646C40FCB77E5AFB5329F000A28F9A1E6306E776EB11C793

Function 220C6F30 Relevance: 15.8, APIs: 2, Strings: 7, Instructions: 83COMMON

Download Yara Rule

Strings

out of memory, xrefs: 220C6F39, 220C6FA0
API call with %s database connection pointer, xrefs: 220C6F54
misuse, xrefs: 220C6F6A
invalid, xrefs: 220C6F4F
ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 220C6F60
%s at line %d of [%.10s], xrefs: 220C6F6F
bad parameter or other API misuse, xrefs: 220C6F7E

Memory Dump Source

Source File: 00000001.00000002.2904202460.0000000022098000.00000020.00001000.00020000.00000000.sdmp, Offset: 22090000, based on PE: true

Associated: 00000001.00000002.2904173258.0000000022090000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.0000000022091000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.00000000221F6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.000000002229D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.000000002229F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.00000000222A8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905717837.00000000222D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_22090000_MSBuild.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$API call with %s database connection pointer$bad parameter or other API misuse$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f$invalid$misuse$out of memory
API String ID: 0-2911740470
Opcode ID: 38df3853612dfda0d77363794badcb776482e138fcf7289ca39fc337397c7bc8
Instruction ID: fd27c2e1e979a2cab669827af55c77e4f73ea1bae0dbd76fbad4eb3a69f728c6
Opcode Fuzzy Hash: 38df3853612dfda0d77363794badcb776482e138fcf7289ca39fc337397c7bc8
Instruction Fuzzy Hash: 242164F164431097E7334694AD80F9F23E26BC0329F288538F5565B64ED636E983B382

Function 220B06F0 Relevance: 15.2, APIs: 10, Instructions: 224COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2904202460.0000000022098000.00000020.00001000.00020000.00000000.sdmp, Offset: 22090000, based on PE: true

Associated: 00000001.00000002.2904173258.0000000022090000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.0000000022091000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.00000000221F6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.000000002229D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.000000002229F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.00000000222A8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905717837.00000000222D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_22090000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c5e1cbc8a1135ebe51b1f793266881d3b4fc269c0fb78dce9408b592904a7e1
Instruction ID: da24b0222fcec54dd4e441a599d0eab0283a96b6d8ef64e3154f0f7dc17d91a2
Opcode Fuzzy Hash: 2c5e1cbc8a1135ebe51b1f793266881d3b4fc269c0fb78dce9408b592904a7e1
Instruction Fuzzy Hash: 047102B19003059BEB25DF14C881F5AB3E6FF98304F04067DE9869B602E736EA55EBD1

Function 220EF4B0 Relevance: 15.1, APIs: 10, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2904202460.0000000022098000.00000020.00001000.00020000.00000000.sdmp, Offset: 22090000, based on PE: true

Associated: 00000001.00000002.2904173258.0000000022090000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.0000000022091000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.00000000221F6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.000000002229D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.000000002229F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.00000000222A8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905717837.00000000222D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_22090000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d47789057f54d3d5d235375a09c406a209fee87bea1c44866fc0f5d3bf2f426b
Instruction ID: d5e42872d8d46bf8038e24a191ec4fe02508e6926f3393a4acd4095e24435872
Opcode Fuzzy Hash: d47789057f54d3d5d235375a09c406a209fee87bea1c44866fc0f5d3bf2f426b
Instruction Fuzzy Hash: A72191B39003012EE312AB205D09FAF72DC5F65715F454429FF2AA1191FB249789A2E3

Function 220AE170 Relevance: 14.4, APIs: 1, Strings: 7, Instructions: 445COMMON

Download Yara Rule

Strings

fts5vocab, xrefs: 22121340
unable to delete/modify user-function due to active statements, xrefs: 221213BF, 221214B8
fts5_source_id, xrefs: 2212148D, 221214E0
fts5, xrefs: 22121053, 22121395, 221213E7
+", xrefs: 22121281, 2212130F
snippet, xrefs: 22121200
+", xrefs: 221212BF

Memory Dump Source

Source File: 00000001.00000002.2904202460.0000000022098000.00000020.00001000.00020000.00000000.sdmp, Offset: 22090000, based on PE: true

Associated: 00000001.00000002.2904173258.0000000022090000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.0000000022091000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.00000000221F6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.000000002229D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.000000002229F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.00000000222A8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905717837.00000000222D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_22090000_MSBuild.jbxd

Similarity

API ID:
String ID: fts5$fts5_source_id$fts5vocab$snippet$unable to delete/modify user-function due to active statements$+"$+"
API String ID: 0-495564129
Opcode ID: ebbcf019356dee20c559d794ea8f8a5d8107654ab557e6f9cf1a2acaec5d09c4
Instruction ID: 0dbaef3f26b7ed101f6ab2aaea985274149284be35b17e7fe7e42af094378d33
Opcode Fuzzy Hash: ebbcf019356dee20c559d794ea8f8a5d8107654ab557e6f9cf1a2acaec5d09c4
Instruction Fuzzy Hash: 7BF1B0B0980B51AFE700CF249E88F477BA9BF50345F000B28F909D6256E7BAD755CB96

Function 221AFB30 Relevance: 14.3, APIs: 3, Strings: 5, Instructions: 324COMMON

Download Yara Rule

Strings

misuse, xrefs: 221AFBA0
API called with finalized prepared statement, xrefs: 221AFB7A
ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 221AFB96
%s at line %d of [%.10s], xrefs: 221AFBA5
API called with NULL prepared statement, xrefs: 221AFB65

Memory Dump Source

Source File: 00000001.00000002.2904202460.0000000022098000.00000020.00001000.00020000.00000000.sdmp, Offset: 22090000, based on PE: true

Associated: 00000001.00000002.2904173258.0000000022090000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.0000000022091000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.00000000221F6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.000000002229D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.000000002229F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.00000000222A8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905717837.00000000222D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_22090000_MSBuild.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$API called with NULL prepared statement$API called with finalized prepared statement$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f$misuse
API String ID: 0-860711957
Opcode ID: 25e7ea5bb7980cfb40d8dc4809f389e60e71a524d297114fd6a2bf1be1868a59
Instruction ID: 185234100dd799958436885d201b683080e1984542fc89b5b12a82c2a4d9dc39
Opcode Fuzzy Hash: 25e7ea5bb7980cfb40d8dc4809f389e60e71a524d297114fd6a2bf1be1868a59
Instruction Fuzzy Hash: F6B1F4BAA807049FE7208F35D964F5777E4BF54319F00092CE99A87242EB77E609C792

Function 22121710 Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 235COMMON

Download Yara Rule

Strings

CREATE TABLE x(, xrefs: 221217D9
%z, %Q HIDDEN, %s HIDDEN), xrefs: 22121831
rank, xrefs: 22121824
%z%s%Q, xrefs: 2212180D

Memory Dump Source

Source File: 00000001.00000002.2904202460.0000000022098000.00000020.00001000.00020000.00000000.sdmp, Offset: 22090000, based on PE: true

Associated: 00000001.00000002.2904173258.0000000022090000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.0000000022091000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.00000000221F6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.000000002229D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.000000002229F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.00000000222A8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905717837.00000000222D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_22090000_MSBuild.jbxd

Similarity

API ID:
String ID: %z%s%Q$%z, %Q HIDDEN, %s HIDDEN)$CREATE TABLE x($rank
API String ID: 0-3324442540
Opcode ID: 1b7c533164c06429a1d4db517bca5aeaebff09763023955cd061e9fde9fa62be
Instruction ID: 6d8f81b93715b72368bcb887e6f0d2e406ba833665076acb688604e257be456b
Opcode Fuzzy Hash: 1b7c533164c06429a1d4db517bca5aeaebff09763023955cd061e9fde9fa62be
Instruction Fuzzy Hash: 4881AD71A80310AFDB018F64DD44F9AB7E4BF54359F040629FC84E7226E776DA51CB92

Function 220EE320 Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 177COMMON

Download Yara Rule

Strings

misuse, xrefs: 220EE380
API called with finalized prepared statement, xrefs: 220EE36A
ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 220EE376
%s at line %d of [%.10s], xrefs: 220EE385

Memory Dump Source

Source File: 00000001.00000002.2904202460.0000000022098000.00000020.00001000.00020000.00000000.sdmp, Offset: 22090000, based on PE: true

Associated: 00000001.00000002.2904173258.0000000022090000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.0000000022091000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.00000000221F6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.000000002229D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.000000002229F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.00000000222A8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905717837.00000000222D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_22090000_MSBuild.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$API called with finalized prepared statement$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f$misuse
API String ID: 0-3620335220
Opcode ID: 5ed483718992746eac8ebb4933784fd50f464b669d81a8a0b5e9e2ee21d5212a
Instruction ID: 26aa4537ab83e7b30c966bc1bdb4ecbde3010572d03f70bfff80255d60b34276
Opcode Fuzzy Hash: 5ed483718992746eac8ebb4933784fd50f464b669d81a8a0b5e9e2ee21d5212a
Instruction Fuzzy Hash: 0651F671D403089FE7028F20CD4CB5A37A4AF1472AF048534FE0ED625AE77AD585EBA2

Function 221974A0 Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 175COMMON

Download Yara Rule

Strings

API call with %s database connection pointer, xrefs: 221974C1
misuse, xrefs: 221974D7
invalid, xrefs: 221974BC
ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 221974CD
%s at line %d of [%.10s], xrefs: 221974DC
unable to close due to unfinalized statements or unfinished backups, xrefs: 221975D1

Memory Dump Source

Source File: 00000001.00000002.2904202460.0000000022098000.00000020.00001000.00020000.00000000.sdmp, Offset: 22090000, based on PE: true

Associated: 00000001.00000002.2904173258.0000000022090000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.0000000022091000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.00000000221F6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.000000002229D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.000000002229F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.00000000222A8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905717837.00000000222D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_22090000_MSBuild.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$API call with %s database connection pointer$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f$invalid$misuse$unable to close due to unfinalized statements or unfinished backups
API String ID: 0-3800776574
Opcode ID: ed2a69e73242f4c7297e38a5ddfa0643554f5ff98b907a409fe3170d1978dd16
Instruction ID: 0dba5cc1f87e0eb5ee863e9b89ab005bf2da2216778eb5b95ce4367349ffe6bb
Opcode Fuzzy Hash: ed2a69e73242f4c7297e38a5ddfa0643554f5ff98b907a409fe3170d1978dd16
Instruction Fuzzy Hash: 995135B1A80700ABF3119B38AD48FDB77E5AF50719F440C18E959D324AE735E747C6A2

Function 2213BCF0 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 103COMMON

Download Yara Rule

Strings

PRAGMA %Q.page_size, xrefs: 2213BD03
SELECT length(data) FROM '%q'.'%q_node' WHERE nodeno = 1, xrefs: 2213BD67
undersize RTree blobs in "%q_node", xrefs: 2213BDA1

Memory Dump Source

Source File: 00000001.00000002.2904202460.0000000022098000.00000020.00001000.00020000.00000000.sdmp, Offset: 22090000, based on PE: true

Associated: 00000001.00000002.2904173258.0000000022090000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.0000000022091000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.00000000221F6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.000000002229D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.000000002229F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.00000000222A8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905717837.00000000222D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_22090000_MSBuild.jbxd

Similarity

API ID:
String ID: PRAGMA %Q.page_size$SELECT length(data) FROM '%q'.'%q_node' WHERE nodeno = 1$undersize RTree blobs in "%q_node"
API String ID: 0-3485589083
Opcode ID: 220c0ffd80831db6ec1d5b2623f72040d4973c5f56f6152f5bf7db52753b5b78
Instruction ID: fd9d9a9d68961b86e3ed18a3c802d2baec9d70a446159aa17a971d284534244b
Opcode Fuzzy Hash: 220c0ffd80831db6ec1d5b2623f72040d4973c5f56f6152f5bf7db52753b5b78
Instruction Fuzzy Hash: D13101B1A40301AFD3029F64CD48F9AB3E9AF5435AF000625FD45D6205E77BEB54DBA2

Function 221932F0 Relevance: 12.7, APIs: 4, Strings: 3, Instructions: 464COMMON

Download Yara Rule

Strings

database corruption, xrefs: 221936C2, 22193707, 22193767, 22193818
ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 221936B8, 221936FD, 2219375D, 2219380E
%s at line %d of [%.10s], xrefs: 221936C7, 2219370C, 2219376C, 2219381D

Memory Dump Source

Source File: 00000001.00000002.2904202460.0000000022098000.00000020.00001000.00020000.00000000.sdmp, Offset: 22090000, based on PE: true

Associated: 00000001.00000002.2904173258.0000000022090000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.0000000022091000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.00000000221F6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.000000002229D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.000000002229F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.00000000222A8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905717837.00000000222D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_22090000_MSBuild.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$database corruption$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f
API String ID: 0-2528248365
Opcode ID: 826b48c7c904061b202cede59c2c5ac5898dcb419cc40ee3de694f64124f2206
Instruction ID: e4cb7f7975d75e3f4aed7d1962b3ac7c29db4596ba607eed4913d404bbb63272
Opcode Fuzzy Hash: 826b48c7c904061b202cede59c2c5ac5898dcb419cc40ee3de694f64124f2206
Instruction Fuzzy Hash: 95F14570A847419FD300DF28C984FA7BBE0FF45319F844698E954CB256E336EA56C7A2

Function 220BE420 Relevance: 12.6, APIs: 1, Strings: 6, Instructions: 380COMMON

Download Yara Rule

Strings

abort due to ROLLBACK, xrefs: 220BE795
another row available, xrefs: 220BE7A3, 220BE7AE
%c%04d-%02d-%02d %02d:%02d:%06.3f, xrefs: 220BE717
no more rows available, xrefs: 220BE79C
d, xrefs: 220BE71D
unknown error, xrefs: 220BE76B

Memory Dump Source

Source File: 00000001.00000002.2904202460.0000000022098000.00000020.00001000.00020000.00000000.sdmp, Offset: 22090000, based on PE: true

Associated: 00000001.00000002.2904173258.0000000022090000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.0000000022091000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.00000000221F6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.000000002229D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.000000002229F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.00000000222A8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905717837.00000000222D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_22090000_MSBuild.jbxd

Similarity

API ID:
String ID: %c%04d-%02d-%02d %02d:%02d:%06.3f$abort due to ROLLBACK$another row available$d$no more rows available$unknown error
API String ID: 0-322231948
Opcode ID: b24afdd1461d62653093c842c88e6af5be5a8a16dba139692decd6b907d58fc4
Instruction ID: 292bee685c933b367d8a0a16bad9bbf1a11b791be677d58dabebbbdcf75d8a6a
Opcode Fuzzy Hash: b24afdd1461d62653093c842c88e6af5be5a8a16dba139692decd6b907d58fc4
Instruction Fuzzy Hash: BBE1CF71A083409FD721CF28C984B5BF7E5AF88348F90492DF98997241E776E909DB93

Function 220C28E5 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 346COMMON

Download Yara Rule

Strings

INSERT INTO "%w"."%w"("%w") VALUES('integrity-check');, xrefs: 220C29F1
unable to validate the inverted index for FTS5 table %s.%s: %s, xrefs: 220C2AA0
malformed inverted index for FTS5 table %s.%s, xrefs: 220C2A8A

Memory Dump Source

Source File: 00000001.00000002.2904202460.0000000022098000.00000020.00001000.00020000.00000000.sdmp, Offset: 22090000, based on PE: true

Associated: 00000001.00000002.2904173258.0000000022090000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.0000000022091000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.00000000221F6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.000000002229D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.000000002229F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.00000000222A8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905717837.00000000222D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_22090000_MSBuild.jbxd

Similarity

API ID:
String ID: INSERT INTO "%w"."%w"("%w") VALUES('integrity-check');$malformed inverted index for FTS5 table %s.%s$unable to validate the inverted index for FTS5 table %s.%s: %s
API String ID: 0-3572959941
Opcode ID: 752417923c1e688f11579aa499b6e5b7e787cc323363df17c219b68c2b8a1897
Instruction ID: c98f993cd8e23c1f0eb072b86eaf3c71708dbaaf5696be7f8fd9190fc96ad5af
Opcode Fuzzy Hash: 752417923c1e688f11579aa499b6e5b7e787cc323363df17c219b68c2b8a1897
Instruction Fuzzy Hash: 414101B2D01310AFE3118B68DC4CF9B77A8EF48756F000A29FD45C2119D77AD655DBA2

Function 220A9700 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 277COMMON

Download Yara Rule

Strings

(FK), xrefs: 220A98D3

Memory Dump Source

Source File: 00000001.00000002.2904202460.0000000022098000.00000020.00001000.00020000.00000000.sdmp, Offset: 22090000, based on PE: true

Associated: 00000001.00000002.2904173258.0000000022090000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.0000000022091000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.00000000221F6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.000000002229D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.000000002229F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.00000000222A8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905717837.00000000222D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_22090000_MSBuild.jbxd

Similarity

API ID:
String ID: (FK)
API String ID: 0-1642768157
Opcode ID: 31c6e28490ae9ee1efd41e88c86c490d867ae76b581a95696da39fee446066fc
Instruction ID: c7be6ae548ed2ced5a7338e3df9db5ead6d026f55bcf9b7b5358a609ea905a6d
Opcode Fuzzy Hash: 31c6e28490ae9ee1efd41e88c86c490d867ae76b581a95696da39fee446066fc
Instruction Fuzzy Hash: C381E476B053049FE7109F68EC40B5AF3E1FB84335F204A7EE646866A1E732D911EB51

Function 22228D80 Relevance: 12.5, APIs: 4, Strings: 3, Instructions: 271COMMON

Download Yara Rule

Strings

%s-shm, xrefs: 22228DF2
readonly_shm, xrefs: 22228F52
winOpenShm, xrefs: 22228FB9

Memory Dump Source

Source File: 00000001.00000002.2904202460.00000000221F6000.00000020.00001000.00020000.00000000.sdmp, Offset: 22090000, based on PE: true

Associated: 00000001.00000002.2904173258.0000000022090000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.0000000022091000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.0000000022098000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.000000002229D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.000000002229F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.00000000222A8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905717837.00000000222D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_22090000_MSBuild.jbxd

Similarity

API ID:
String ID: %s-shm$readonly_shm$winOpenShm
API String ID: 0-2815843928
Opcode ID: d3185d25d67ebab24a738bfd183390917478e6fd60a957702d774791d32cb8f7
Instruction ID: 7696f2f0d770f638c9c5d92b20b3c87c54ad283baf5d5d0d2f4036733f0d910c
Opcode Fuzzy Hash: d3185d25d67ebab24a738bfd183390917478e6fd60a957702d774791d32cb8f7
Instruction Fuzzy Hash: B591CE70940B069BD7109F64CD48B1677A8BF10705F840B29FD45D724AEBBBEA19CBA3

Function 220BEB00 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 187COMMON

Download Yara Rule

Strings

database corruption, xrefs: 220BECD5
ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 220BECCB
%.*s%s, xrefs: 220BEC88
%s at line %d of [%.10s], xrefs: 220BECDA

Memory Dump Source

Source File: 00000001.00000002.2904202460.0000000022098000.00000020.00001000.00020000.00000000.sdmp, Offset: 22090000, based on PE: true

Associated: 00000001.00000002.2904173258.0000000022090000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.0000000022091000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.00000000221F6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.000000002229D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.000000002229F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.00000000222A8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905717837.00000000222D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_22090000_MSBuild.jbxd

Similarity

API ID:
String ID: %.*s%s$%s at line %d of [%.10s]$database corruption$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f
API String ID: 0-894757972
Opcode ID: f1ca4441ca3e5e2c6495a8cdd144128589e8a2bd9262e9882c48a8ea7fe81542
Instruction ID: 2aa7da315e04aecbbceb2f4bab58a0cdf2f5c9e222b463d37c3407d82ca905c0
Opcode Fuzzy Hash: f1ca4441ca3e5e2c6495a8cdd144128589e8a2bd9262e9882c48a8ea7fe81542
Instruction Fuzzy Hash: 8961DF716043018FD726CF24C980EABF7E1EF88755F444A6DE8499B341E736EA06DB82

Function 220B1120 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 169COMMON

Download Yara Rule

Strings

rbu_memory, xrefs: 220B11F5
XD-", xrefs: 220B1253
main, xrefs: 220B11A6

Memory Dump Source

Source File: 00000001.00000002.2904202460.0000000022098000.00000020.00001000.00020000.00000000.sdmp, Offset: 22090000, based on PE: true

Associated: 00000001.00000002.2904173258.0000000022090000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.0000000022091000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.00000000221F6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.000000002229D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.000000002229F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.00000000222A8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905717837.00000000222D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_22090000_MSBuild.jbxd

Similarity

API ID:
String ID: XD-"$main$rbu_memory
API String ID: 0-1327882276
Opcode ID: 826308892d033cac23e39e126f5ab6d46a498d001efb11a72c09f6c6762f66ec
Instruction ID: 4aa1288f06365162cb1ef51bcc9862d7194f8dad62538724a27f11aab0c847cc
Opcode Fuzzy Hash: 826308892d033cac23e39e126f5ab6d46a498d001efb11a72c09f6c6762f66ec
Instruction Fuzzy Hash: 1451F071A003019FDB118F69D944B1AB3E8EF54319F00493AED45D7221DB76ED15DB91

Function 220BF330 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 126COMMON

Download Yara Rule

Strings

INSERT INTO "%w"."%w"("%w") VALUES('integrity-check');, xrefs: 220BF33F
malformed inverted index for FTS%d table %s.%s, xrefs: 220BF3F3
unable to validate the inverted index for FTS%d table %s.%s: %s, xrefs: 220BF418

Memory Dump Source

Source File: 00000001.00000002.2904202460.0000000022098000.00000020.00001000.00020000.00000000.sdmp, Offset: 22090000, based on PE: true

Associated: 00000001.00000002.2904173258.0000000022090000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.0000000022091000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.00000000221F6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.000000002229D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.000000002229F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.00000000222A8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905717837.00000000222D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_22090000_MSBuild.jbxd

Similarity

API ID:
String ID: INSERT INTO "%w"."%w"("%w") VALUES('integrity-check');$malformed inverted index for FTS%d table %s.%s$unable to validate the inverted index for FTS%d table %s.%s: %s
API String ID: 0-2809892521
Opcode ID: fbbbec2137a9f12c3fbe76fdd756cc3a4ec44eecc9be2c6a681738fb950a370c
Instruction ID: fc4a1dd033255c711d7b8dfa8fad2b71f4b0fcc2ea70c1998eefdf4e63c4e3b6
Opcode Fuzzy Hash: fbbbec2137a9f12c3fbe76fdd756cc3a4ec44eecc9be2c6a681738fb950a370c
Instruction Fuzzy Hash: 36412171D413019BE3219B24DC4CB5F37A8EF40656F444929FD02C314ADB7A9659EBA2

Function 220C6E30 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 30COMMON

Download Yara Rule

Strings

API call with %s database connection pointer, xrefs: 220C6E4C
misuse, xrefs: 220C6E62
invalid, xrefs: 220C6E47
ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 220C6E58
%s at line %d of [%.10s], xrefs: 220C6E67

Memory Dump Source

Source File: 00000001.00000002.2904202460.0000000022098000.00000020.00001000.00020000.00000000.sdmp, Offset: 22090000, based on PE: true

Associated: 00000001.00000002.2904173258.0000000022090000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.0000000022091000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.00000000221F6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.000000002229D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.000000002229F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.00000000222A8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905717837.00000000222D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_22090000_MSBuild.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$API call with %s database connection pointer$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f$invalid$misuse
API String ID: 0-3670841456
Opcode ID: c817333d116f3f8f259c03a53032f5f170384e057a542a3c57477f4c5c16af9f
Instruction ID: 4e3929cad0cc6fefd6d0e6d268cf5c3b61f301335dae25721d57e46c5d0d62bc
Opcode Fuzzy Hash: c817333d116f3f8f259c03a53032f5f170384e057a542a3c57477f4c5c16af9f
Instruction Fuzzy Hash: BAF0A7B47443446AFB265288CED1BAD37E62FC4B49F800069E2505E18EC21BC5437641

Function 220C6EB0 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 29COMMON

Download Yara Rule

Strings

API call with %s database connection pointer, xrefs: 220C6ECF
misuse, xrefs: 220C6EE5
invalid, xrefs: 220C6ECA
ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 220C6EDB
%s at line %d of [%.10s], xrefs: 220C6EEA

Memory Dump Source

Source File: 00000001.00000002.2904202460.0000000022098000.00000020.00001000.00020000.00000000.sdmp, Offset: 22090000, based on PE: true

Associated: 00000001.00000002.2904173258.0000000022090000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.0000000022091000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.00000000221F6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.000000002229D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.000000002229F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.00000000222A8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905717837.00000000222D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_22090000_MSBuild.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$API call with %s database connection pointer$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f$invalid$misuse
API String ID: 0-3670841456
Opcode ID: ac23508c87806c29eff32f1ec2486d9e9704963ed0b4abcca154b5d487e55f62
Instruction ID: e7a434a35f6f3975ed2df803b3f3cffef6856fb0e30bf12319ecff057c343a8a
Opcode Fuzzy Hash: ac23508c87806c29eff32f1ec2486d9e9704963ed0b4abcca154b5d487e55f62
Instruction Fuzzy Hash: 57F0E5B0704744AFFB2242D0CEA0FAA27D62FC0746F8000B5F3106E1EAE519C5507201

Function 220B30F0 Relevance: 12.2, APIs: 8, Instructions: 165COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2904202460.0000000022098000.00000020.00001000.00020000.00000000.sdmp, Offset: 22090000, based on PE: true

Associated: 00000001.00000002.2904173258.0000000022090000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.0000000022091000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.00000000221F6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.000000002229D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.000000002229F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.00000000222A8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905717837.00000000222D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_22090000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 788582b4bbf23438d7745559fd7caeae905308ba58094222e55357cd8307a0fe
Instruction ID: 65cd3eca8b3ec5ee686e332ee545aaed72803be41f643e3a095aadd2df8e1d24
Opcode Fuzzy Hash: 788582b4bbf23438d7745559fd7caeae905308ba58094222e55357cd8307a0fe
Instruction Fuzzy Hash: 05517371608300AFD741EB64FC44E9B7BE2EF95320F1945B8F558972B1E231D991AF42

Function 220AB6E0 Relevance: 12.1, APIs: 8, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2904202460.0000000022098000.00000020.00001000.00020000.00000000.sdmp, Offset: 22090000, based on PE: true

Associated: 00000001.00000002.2904173258.0000000022090000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.0000000022091000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.00000000221F6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.000000002229D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.000000002229F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.00000000222A8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905717837.00000000222D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_22090000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 938034b49532241e6c037b9278771cdc74da6f7a8697d57ff59a93762e276382
Instruction ID: 0cbdb359b11c84b29cd259ba79a0bbc7a54c33ae99f21c6844a65d96c573e241
Opcode Fuzzy Hash: 938034b49532241e6c037b9278771cdc74da6f7a8697d57ff59a93762e276382
Instruction Fuzzy Hash: 2411B9F5904300BFD7049B24EC50E6FB7A9EFA1B04F8404A8F94787221E776DE55B6A2

Function 221C73E0 Relevance: 10.9, APIs: 1, Strings: 5, Instructions: 369COMMON

Download Yara Rule

Strings

SELECT*FROM"%w".%s ORDER BY rowid, xrefs: 221C776D
sqlite_master, xrefs: 221C73FD
0*", xrefs: 221C7464
ase, xrefs: 221C768D
sqlite_temp_master, xrefs: 221C73F2

Memory Dump Source

Source File: 00000001.00000002.2904202460.0000000022098000.00000020.00001000.00020000.00000000.sdmp, Offset: 22090000, based on PE: true

Associated: 00000001.00000002.2904173258.0000000022090000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.0000000022091000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.00000000221F6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.000000002229D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.000000002229F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.00000000222A8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905717837.00000000222D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_22090000_MSBuild.jbxd

Similarity

API ID:
String ID: 0*"$SELECT*FROM"%w".%s ORDER BY rowid$ase$sqlite_master$sqlite_temp_master
API String ID: 0-4011352691
Opcode ID: d3a69bb5e83f2b2537f5a2657eb5774fdc19c6a1613fa42ab6e41665256712fe
Instruction ID: 6cd1e83662c6584daddb5aacdc37963e50a530076a92e5e31c1ca0132883b538
Opcode Fuzzy Hash: d3a69bb5e83f2b2537f5a2657eb5774fdc19c6a1613fa42ab6e41665256712fe
Instruction Fuzzy Hash: 0BE1E5B4A443419FE301CF24C980FEABBE8BF65708F04452CEA5497252E7B5EA45CB93

Function 22107920 Relevance: 10.8, APIs: 7, Instructions: 338COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2904202460.0000000022098000.00000020.00001000.00020000.00000000.sdmp, Offset: 22090000, based on PE: true

Associated: 00000001.00000002.2904173258.0000000022090000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.0000000022091000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.00000000221F6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.000000002229D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.000000002229F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.00000000222A8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905717837.00000000222D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_22090000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7c0a64c567377825aa826e38cd61e7aab24cd6bc2d57a6723dcf8eefeade29f
Instruction ID: 377bc4ca301cf9c7f9408ca9265fa6fba73359e8e9cea8f4901cb082b1a6e969
Opcode Fuzzy Hash: d7c0a64c567377825aa826e38cd61e7aab24cd6bc2d57a6723dcf8eefeade29f
Instruction Fuzzy Hash: 87B1BCB1A04302AFD344DF29CD80A9AB7E9FF88354F444529F949D3711E735EB258BA2

Function 220AE260 Relevance: 10.8, APIs: 7, Instructions: 301COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2904202460.0000000022098000.00000020.00001000.00020000.00000000.sdmp, Offset: 22090000, based on PE: true

Associated: 00000001.00000002.2904173258.0000000022090000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.0000000022091000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.00000000221F6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.000000002229D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.000000002229F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.00000000222A8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905717837.00000000222D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_22090000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53150fa54f5b9c02a35857361a97dd8367e9f8ca84992f88c8d5940ef4784759
Instruction ID: bf9c64628156ec2fe8d3092fbe00378e369933b1ee08b512f8e2572b3dfda1b5
Opcode Fuzzy Hash: 53150fa54f5b9c02a35857361a97dd8367e9f8ca84992f88c8d5940ef4784759
Instruction Fuzzy Hash: 2DA13771A043408FD701CF78C9A0B5ABBE5AF85318F840A7DFAD597292E331D945EB92

Function 220A5930 Relevance: 10.7, APIs: 3, Strings: 3, Instructions: 234COMMON

Download Yara Rule

Strings

CREATE TABLE x(input, token, start, end, position), xrefs: 220A5933
simple, xrefs: 220A5A38, 220A5A84, 220A5A95, 220A5B27
unknown tokenizer: %s, xrefs: 220A5B28

Memory Dump Source

Source File: 00000001.00000002.2904202460.0000000022098000.00000020.00001000.00020000.00000000.sdmp, Offset: 22090000, based on PE: true

Associated: 00000001.00000002.2904173258.0000000022090000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.0000000022091000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.00000000221F6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.000000002229D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.000000002229F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.00000000222A8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905717837.00000000222D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_22090000_MSBuild.jbxd

Similarity

API ID:
String ID: CREATE TABLE x(input, token, start, end, position)$simple$unknown tokenizer: %s
API String ID: 0-2679805236
Opcode ID: 83bbc0fcf4d45c6f5257ed37f5147876605f1d65e9ad2f9615c879efb5b05c90
Instruction ID: fe4962d09006712688fd50e109a6e4b226cd35e55e5379d28ac5b1090ef0564d
Opcode Fuzzy Hash: 83bbc0fcf4d45c6f5257ed37f5147876605f1d65e9ad2f9615c879efb5b05c90
Instruction Fuzzy Hash: 2B71F2B1E043058FC701CF68C954A5EBBE8FF94254F840629EE49DB211EB75EA09DB92

Function 221AF0E0 Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 216COMMON

Download Yara Rule

Strings

unable to delete/modify user-function due to active statements, xrefs: 221AF157, 221AF298
misuse, xrefs: 221AF1E6, 221AF327
ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 221AF1DC, 221AF31D
%s at line %d of [%.10s], xrefs: 221AF1EB, 221AF32C

Memory Dump Source

Source File: 00000001.00000002.2904202460.0000000022098000.00000020.00001000.00020000.00000000.sdmp, Offset: 22090000, based on PE: true

Associated: 00000001.00000002.2904173258.0000000022090000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.0000000022091000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.00000000221F6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.000000002229D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.000000002229F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.00000000222A8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905717837.00000000222D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_22090000_MSBuild.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f$misuse$unable to delete/modify user-function due to active statements
API String ID: 0-3864549341
Opcode ID: ad35b66dde3c4a3d464110a4e6304076d11c3171782b72e3ac1bbcfe5c43506d
Instruction ID: e3f1feab511e7f454a45e3ea996550a802d4dec338269a9d87783e872f1357e2
Opcode Fuzzy Hash: ad35b66dde3c4a3d464110a4e6304076d11c3171782b72e3ac1bbcfe5c43506d
Instruction Fuzzy Hash: 876167BA680B016BE3018B20CD65FD777A5AF51305F004229E9199B2C2EBABE355C7E5

Function 221344F0 Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 208COMMON

Download Yara Rule

Strings

row, xrefs: 221346A1
instance, xrefs: 221346BF
col, xrefs: 22134679
fts5vocab: unknown table type: %Q, xrefs: 221346DE

Memory Dump Source

Source File: 00000001.00000002.2904202460.0000000022098000.00000020.00001000.00020000.00000000.sdmp, Offset: 22090000, based on PE: true

Associated: 00000001.00000002.2904173258.0000000022090000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.0000000022091000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.00000000221F6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.000000002229D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.000000002229F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.00000000222A8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905717837.00000000222D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_22090000_MSBuild.jbxd

Similarity

API ID:
String ID: col$fts5vocab: unknown table type: %Q$instance$row
API String ID: 0-195232091
Opcode ID: b4e2557e7aaf7ade0589eda2eb693bd1ee62f8242629953c5b07b527671f1bf3
Instruction ID: 4b4c67f6b37a5a33f077cb5735de550d29173358fd637c93b5439d4122607256
Opcode Fuzzy Hash: b4e2557e7aaf7ade0589eda2eb693bd1ee62f8242629953c5b07b527671f1bf3
Instruction Fuzzy Hash: 056127B1DC13118FC7028F249D4EF8A37A6AB11709B800938DD45D7209E77A9B5ACBE6

Function 220C09C2 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 176COMMON

Download Yara Rule

Strings

cannot UPDATE a subset of columns on fts5 contentless-delete table: %s, xrefs: 220C0B3B

Memory Dump Source

Source File: 00000001.00000002.2904202460.0000000022098000.00000020.00001000.00020000.00000000.sdmp, Offset: 22090000, based on PE: true

Associated: 00000001.00000002.2904173258.0000000022090000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.0000000022091000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.00000000221F6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.000000002229D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.000000002229F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.00000000222A8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905717837.00000000222D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_22090000_MSBuild.jbxd

Similarity

API ID:
String ID: cannot UPDATE a subset of columns on fts5 contentless-delete table: %s
API String ID: 0-2869280805
Opcode ID: e1ed7ac17284fdc94657e280ab4d8128a8c6c811653adaee56fa1bfdba8e541e
Instruction ID: 9a289b791baf9114c79e8fb8db8e1f84db098b115481596aa7d5c7c717c501ee
Opcode Fuzzy Hash: e1ed7ac17284fdc94657e280ab4d8128a8c6c811653adaee56fa1bfdba8e541e
Instruction Fuzzy Hash: 8B41CEB66013019FD7019F58EC80E6AF3E5FF94325B0046BAFA098B621E772E914E790

Function 220B3F30 Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 169COMMON

Download Yara Rule

Strings

remove_diacritics=0, xrefs: 220B3FE1
tokenchars=, xrefs: 220B406A
remove_diacritics=2, xrefs: 220B4021
remove_diacritics=1, xrefs: 220B3FA2
separators=, xrefs: 220B40A3

Memory Dump Source

Source File: 00000001.00000002.2904202460.0000000022098000.00000020.00001000.00020000.00000000.sdmp, Offset: 22090000, based on PE: true

Associated: 00000001.00000002.2904173258.0000000022090000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.0000000022091000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.00000000221F6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.000000002229D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.000000002229F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.00000000222A8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905717837.00000000222D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_22090000_MSBuild.jbxd

Similarity

API ID:
String ID: remove_diacritics=0$remove_diacritics=1$remove_diacritics=2$separators=$tokenchars=
API String ID: 0-131617836
Opcode ID: d131ce08edf6bbf0a429a47545c94d0cf14b235181862a7fb5d2a12ca4d11501
Instruction ID: a353f6c838b4d671d52ed290716d1f3b1deb897d3994df0a4903b9c238cd3ea9
Opcode Fuzzy Hash: d131ce08edf6bbf0a429a47545c94d0cf14b235181862a7fb5d2a12ca4d11501
Instruction Fuzzy Hash: 5C51F376A043428BD3218F14C590B6AB7B1FF62324F8545B8E8465F246D732EF8AEB51

Function 220A4CE0 Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 160COMMON

Download Yara Rule

Strings

wrong number of vtable arguments, xrefs: 22133FA9
X[+", xrefs: 22133F69
,[+", xrefs: 22133F61
temp, xrefs: 22133F91

Memory Dump Source

Source File: 00000001.00000002.2904202460.0000000022098000.00000020.00001000.00020000.00000000.sdmp, Offset: 22090000, based on PE: true

Associated: 00000001.00000002.2904173258.0000000022090000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.0000000022091000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.00000000221F6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.000000002229D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.000000002229F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.00000000222A8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905717837.00000000222D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_22090000_MSBuild.jbxd

Similarity

API ID:
String ID: ,[+"$X[+"$temp$wrong number of vtable arguments
API String ID: 0-3489838158
Opcode ID: cd7794cd23a50dea2bd10610eef1436983f7372a60818b620df4d03d9b618a93
Instruction ID: 0346d5a14cba6e40e4994c8d57a9a3d0a42b561310f396f7dd7e5f13ee967845
Opcode Fuzzy Hash: cd7794cd23a50dea2bd10610eef1436983f7372a60818b620df4d03d9b618a93
Instruction Fuzzy Hash: F851D3B16443058FC715CF24D58099AFBF6BF89304F404A6DE5869B305D332EA4ACF96

Function 220A8C40 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 156COMMON

Download Yara Rule

Strings

winAccess, xrefs: 220A8D60
delayed %dms for lock/sharing conflict at line %d, xrefs: 220A8D35

Memory Dump Source

Source File: 00000001.00000002.2904202460.0000000022098000.00000020.00001000.00020000.00000000.sdmp, Offset: 22090000, based on PE: true

Associated: 00000001.00000002.2904173258.0000000022090000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.0000000022091000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.00000000221F6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.000000002229D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.000000002229F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.00000000222A8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905717837.00000000222D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_22090000_MSBuild.jbxd

Similarity

API ID:
String ID: delayed %dms for lock/sharing conflict at line %d$winAccess
API String ID: 0-1873940834
Opcode ID: 10e5b6f715fe811da883550a02a992b0444a32c27e454aa61df00043257b8ffd
Instruction ID: c796480299599be93d6fe0c8e80c7b0352e21402f9a40f16f930d17bdd19e232
Opcode Fuzzy Hash: 10e5b6f715fe811da883550a02a992b0444a32c27e454aa61df00043257b8ffd
Instruction Fuzzy Hash: 55414AB29053019BD301EBA889A5A5EFBE0AFA4314FC10A39FB96922D1D771D440E6C6

Function 221B9350 Relevance: 10.6, APIs: 7, Instructions: 144COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2904202460.0000000022098000.00000020.00001000.00020000.00000000.sdmp, Offset: 22090000, based on PE: true

Associated: 00000001.00000002.2904173258.0000000022090000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.0000000022091000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.00000000221F6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.000000002229D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.000000002229F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.00000000222A8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905717837.00000000222D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_22090000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b8ff5a754e05ba968e0866b7b32fcd76d151089790f34cf0c159fa8a0b776a0
Instruction ID: 9cb6f8d7ae2aad0ae510bcf76077940bef053ac23c9274cd0fcb6bec37845e10
Opcode Fuzzy Hash: 4b8ff5a754e05ba968e0866b7b32fcd76d151089790f34cf0c159fa8a0b776a0
Instruction Fuzzy Hash: 76518270CC03009BD7105B74DE4CE5B37B8BF20A4AB804A24ED46C212EDB7EE656DA62

Function 221415C0 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 135COMMON

Download Yara Rule

Strings

%!0.15g, xrefs: 2214160A
null, xrefs: 221415EE
JSON cannot hold BLOB values, xrefs: 221416D9

Memory Dump Source

Source File: 00000001.00000002.2904202460.0000000022098000.00000020.00001000.00020000.00000000.sdmp, Offset: 22090000, based on PE: true

Associated: 00000001.00000002.2904173258.0000000022090000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.0000000022091000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.00000000221F6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.000000002229D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.000000002229F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.00000000222A8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905717837.00000000222D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_22090000_MSBuild.jbxd

Similarity

API ID:
String ID: %!0.15g$JSON cannot hold BLOB values$null
API String ID: 0-3074873597
Opcode ID: c2c7994ba1faab3039cbce975e26f6cae239f8d3f7cbc83b9fefeca837923e16
Instruction ID: ead33fbaff6a951c34d2293b16c3e369acb07206f9a91fc140eed4571af5ce34
Opcode Fuzzy Hash: c2c7994ba1faab3039cbce975e26f6cae239f8d3f7cbc83b9fefeca837923e16
Instruction Fuzzy Hash: 3C41AAB1E807006EE3104B10DC81FEB77E4DB11329F080629E569E61A3DBEAD798C7E1

Function 2211C650 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80COMMON

Download Yara Rule

Strings

PRAGMA %Q.data_version, xrefs: 2211C67C

Memory Dump Source

Source File: 00000001.00000002.2904202460.0000000022098000.00000020.00001000.00020000.00000000.sdmp, Offset: 22090000, based on PE: true

Associated: 00000001.00000002.2904173258.0000000022090000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.0000000022091000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.00000000221F6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.000000002229D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.000000002229F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.00000000222A8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905717837.00000000222D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_22090000_MSBuild.jbxd

Similarity

API ID:
String ID: PRAGMA %Q.data_version
API String ID: 0-2870853266
Opcode ID: 39a99e83893be30490bede44bf583cf9d7b5b1774273790898c75b29792f57b6
Instruction ID: cb71b68a2e576991d925f4f0c4dbdf12f7666d349beb886cfa613579d325a904
Opcode Fuzzy Hash: 39a99e83893be30490bede44bf583cf9d7b5b1774273790898c75b29792f57b6
Instruction Fuzzy Hash: A111D1B6B403044FD700EF29EC40A97F7D1EF98622F50453AE90582610EB32A91DEBA2

Function 222705B4 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00000000,?,00000000,00000800,?,?,?,141843AE,?,222706F5,?,?), ref: 22270675

Strings

ext-ms-, xrefs: 2227061F
api-ms-, xrefs: 2227060B

Memory Dump Source

Source File: 00000001.00000002.2904202460.00000000221F6000.00000020.00001000.00020000.00000000.sdmp, Offset: 22090000, based on PE: true

Associated: 00000001.00000002.2904173258.0000000022090000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.0000000022091000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.0000000022098000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.000000002229D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.000000002229F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.00000000222A8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905717837.00000000222D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_22090000_MSBuild.jbxd

Similarity

API ID: FreeLibrary
String ID: api-ms-$ext-ms-
API String ID: 3664257935-537541572
Opcode ID: bed1c2db989ab762676c57b712c92af8a482e8e83ab20fe39b03470a30af30a5
Instruction ID: b9e53f699a3fe0726742b0cb619cc0016b46f2815f23189884e02ca2f01b30e1
Opcode Fuzzy Hash: bed1c2db989ab762676c57b712c92af8a482e8e83ab20fe39b03470a30af30a5
Instruction Fuzzy Hash: B621A531A45332A7D7119B65CD98F8A7778AF81760F100510FE15E728DD636FF09CA94

Function 221431F0 Relevance: 9.5, APIs: 6, Instructions: 466COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2904202460.0000000022098000.00000020.00001000.00020000.00000000.sdmp, Offset: 22090000, based on PE: true

Associated: 00000001.00000002.2904173258.0000000022090000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.0000000022091000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.00000000221F6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.000000002229D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.000000002229F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.00000000222A8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905717837.00000000222D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_22090000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c547a00dae57cf719133691e4c568380d4cc10f0268cb19b9812e2c6e778fce
Instruction ID: 3bdc78bc5a99af221f22b63861ec1048871343b82583dbea115c4b79f54f5f4d
Opcode Fuzzy Hash: 6c547a00dae57cf719133691e4c568380d4cc10f0268cb19b9812e2c6e778fce
Instruction Fuzzy Hash: A3F1D271E443419FD7008F14E580F9ABBE0AF84328F644669ED9D9F241DB36EB46CB91

Function 220C4E00 Relevance: 9.2, APIs: 6, Instructions: 231COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2904202460.0000000022098000.00000020.00001000.00020000.00000000.sdmp, Offset: 22090000, based on PE: true

Associated: 00000001.00000002.2904173258.0000000022090000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.0000000022091000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.00000000221F6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.000000002229D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.000000002229F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.00000000222A8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905717837.00000000222D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_22090000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb2d7b7eaab566b598335f8c3b0d6fca7c3a64243af96c93f3d7b384c982ad84
Instruction ID: 8e961abfc1ef0ff4a06f214ba5305be2175e4272caf4071b488733e6399ef386
Opcode Fuzzy Hash: eb2d7b7eaab566b598335f8c3b0d6fca7c3a64243af96c93f3d7b384c982ad84
Instruction Fuzzy Hash: 2A817CB1A043008BD7019F58D948B5E7BE4FF8071AF840929FE44D7255E77AE909EBA3

Function 220B6DA0 Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 364COMMON

Download Yara Rule

Strings

recursively defined fts5 content table, xrefs: 220B6DE2

Memory Dump Source

Source File: 00000001.00000002.2904202460.0000000022098000.00000020.00001000.00020000.00000000.sdmp, Offset: 22090000, based on PE: true

Associated: 00000001.00000002.2904173258.0000000022090000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.0000000022091000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.00000000221F6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.000000002229D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.000000002229F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.00000000222A8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905717837.00000000222D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_22090000_MSBuild.jbxd

Similarity

API ID:
String ID: recursively defined fts5 content table
API String ID: 0-437020801
Opcode ID: baffff8bd266df625512aa54176222a1c058b65588b32c9cdea823a60ae17ebf
Instruction ID: 8db4e4fd958e4ce7f132ce0839eb1bbfcba7a0b077bd32c950a801af47b55417
Opcode Fuzzy Hash: baffff8bd266df625512aa54176222a1c058b65588b32c9cdea823a60ae17ebf
Instruction Fuzzy Hash: F6D11376904301CFD725CF19C480796BBE0FF89328F440A6EEC898B256D776E985DB92

Function 22136180 Relevance: 9.1, APIs: 1, Strings: 4, Instructions: 335COMMON

Download Yara Rule

Strings

fts5 expression tree is too large (maximum depth %d), xrefs: 22136349
fts5: syntax error near "%.*s", xrefs: 22136436
expected integer, got "%.*s", xrefs: 2213648D
NEAR, xrefs: 2213642A

Memory Dump Source

Source File: 00000001.00000002.2904202460.0000000022098000.00000020.00001000.00020000.00000000.sdmp, Offset: 22090000, based on PE: true

Associated: 00000001.00000002.2904173258.0000000022090000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.0000000022091000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.00000000221F6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.000000002229D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.000000002229F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.00000000222A8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905717837.00000000222D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_22090000_MSBuild.jbxd

Similarity

API ID:
String ID: NEAR$expected integer, got "%.*s"$fts5 expression tree is too large (maximum depth %d)$fts5: syntax error near "%.*s"
API String ID: 0-2846580575
Opcode ID: 173334949a84889b09ec16344adcf6adc149c424a428f4ddb3329c51aaded459
Instruction ID: 552c76cc9885860cfe0a47b493622ade09a8fdba17dd5dd4147a05cc2be071b3
Opcode Fuzzy Hash: 173334949a84889b09ec16344adcf6adc149c424a428f4ddb3329c51aaded459
Instruction Fuzzy Hash: 0FC1D3B4984346EFD7128F60CE40F6AF7A5FF18324F054A18E9595B642E371E760CBA4

Function 220CC0F0 Relevance: 9.0, APIs: 2, Strings: 3, Instructions: 276COMMON

Download Yara Rule

Strings

database corruption, xrefs: 220CC11F, 220CC16A
ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 220CC115, 220CC160
%s at line %d of [%.10s], xrefs: 220CC124, 220CC16F

Memory Dump Source

Source File: 00000001.00000002.2904202460.0000000022098000.00000020.00001000.00020000.00000000.sdmp, Offset: 22090000, based on PE: true

Associated: 00000001.00000002.2904173258.0000000022090000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.0000000022091000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.00000000221F6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.000000002229D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.000000002229F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.00000000222A8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905717837.00000000222D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_22090000_MSBuild.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$database corruption$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f
API String ID: 0-2528248365
Opcode ID: 6f808aac75a40d1380d98b0015bb71b5f12592d156684af1f9b983751b5d56d6
Instruction ID: 66ee60093f2d388c0936fa9c2219d24f770da9c1eb710467a026799948300799
Opcode Fuzzy Hash: 6f808aac75a40d1380d98b0015bb71b5f12592d156684af1f9b983751b5d56d6
Instruction Fuzzy Hash: 92A1ACB66043019BC704DF69D880A6EBBE1FF88714F44496DFD489B315E731EA05DB92

Function 2219ABF0 Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 204COMMON

Download Yara Rule

Strings

unable to delete/modify user-function due to active statements, xrefs: 2219AD61
misuse, xrefs: 2219AE18
ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 2219AE0E
%s at line %d of [%.10s], xrefs: 2219AE1D

Memory Dump Source

Source File: 00000001.00000002.2904202460.0000000022098000.00000020.00001000.00020000.00000000.sdmp, Offset: 22090000, based on PE: true

Associated: 00000001.00000002.2904173258.0000000022090000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.0000000022091000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.00000000221F6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.000000002229D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.000000002229F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.00000000222A8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905717837.00000000222D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_22090000_MSBuild.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f$misuse$unable to delete/modify user-function due to active statements
API String ID: 0-3864549341
Opcode ID: 709ba2de61cafb4b976a6f9b5284598b06be9a0a71b0bf7326a90f6f6c26f275
Instruction ID: d2de706b8405d9017deae7335104cbc91073182ca558b8812c8e136d62a34eab
Opcode Fuzzy Hash: 709ba2de61cafb4b976a6f9b5284598b06be9a0a71b0bf7326a90f6f6c26f275
Instruction Fuzzy Hash: 4951F372288300AFD7108E24DD80F6FB7F9FF89359F14092DF68696291D736DA098B52

Function 2209A230 Relevance: 9.0, APIs: 2, Strings: 3, Instructions: 201COMMON

Download Yara Rule

Strings

misuse, xrefs: 2209A469, 2209A4A7
ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 2209A45F, 2209A49D
%s at line %d of [%.10s], xrefs: 2209A46E, 2209A4AC

Memory Dump Source

Source File: 00000001.00000002.2904202460.0000000022098000.00000020.00001000.00020000.00000000.sdmp, Offset: 22090000, based on PE: true

Associated: 00000001.00000002.2904173258.0000000022090000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.0000000022091000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.00000000221F6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.000000002229D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.000000002229F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.00000000222A8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905717837.00000000222D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_22090000_MSBuild.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f$misuse
API String ID: 0-3564305576
Opcode ID: 3804bf5b045a261c45e78012cddd75ffbf5ed5819ffe698584a904a0bc838d6a
Instruction ID: f1ed09f2a047e3b3510f634bc8b85475f67ea8d3d82e5c7b2f2cc4cf346758da
Opcode Fuzzy Hash: 3804bf5b045a261c45e78012cddd75ffbf5ed5819ffe698584a904a0bc838d6a
Instruction Fuzzy Hash: A1714770604340AFE712CF25C984B9B77E4BF85708F00853CF95A8B242E77AE545E792

Function 220AA860 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 180COMMON

Download Yara Rule

Strings

tables_used, xrefs: 220AA973, 220AA97B
stmt-pointer, xrefs: 220AA928
argument to %s() is not a valid SQL statement, xrefs: 220AA97C
bytecode, xrefs: 220AA96E

Memory Dump Source

Source File: 00000001.00000002.2904202460.0000000022098000.00000020.00001000.00020000.00000000.sdmp, Offset: 22090000, based on PE: true

Associated: 00000001.00000002.2904173258.0000000022090000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.0000000022091000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.00000000221F6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.000000002229D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.000000002229F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.00000000222A8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905717837.00000000222D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_22090000_MSBuild.jbxd

Similarity

API ID:
String ID: argument to %s() is not a valid SQL statement$bytecode$stmt-pointer$tables_used
API String ID: 0-361449301
Opcode ID: 7e1f17825216739c1695c19614f9e9ab8a41e1e3e3348aa661e9be591b472df4
Instruction ID: b41f03dc11b7cb1dd780414810edf00accf2c26eddba58103db41ff0939e2eea
Opcode Fuzzy Hash: 7e1f17825216739c1695c19614f9e9ab8a41e1e3e3348aa661e9be591b472df4
Instruction Fuzzy Hash: 0D61E2719003018FE7118F65DAA9B57B7F4FF04304F400A2DEA86C7682E77AE648DBA1

Function 221BBF00 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 156COMMON

Download Yara Rule

Strings

fts5 expression tree is too large (maximum depth %d), xrefs: 221BC070
fts5: %s queries are not supported (detail!=full), xrefs: 221BC043
phrase, xrefs: 221BC035, 221BC042
NEAR, xrefs: 221BC03A

Memory Dump Source

Source File: 00000001.00000002.2904202460.0000000022098000.00000020.00001000.00020000.00000000.sdmp, Offset: 22090000, based on PE: true

Associated: 00000001.00000002.2904173258.0000000022090000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.0000000022091000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.00000000221F6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.000000002229D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.000000002229F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.00000000222A8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905717837.00000000222D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_22090000_MSBuild.jbxd

Similarity

API ID:
String ID: NEAR$fts5 expression tree is too large (maximum depth %d)$fts5: %s queries are not supported (detail!=full)$phrase
API String ID: 0-593389478
Opcode ID: 5c20a9566e0638ec17d0a07618acfac8c2d90726bc506aa5a2d4ac11b12466cc
Instruction ID: fad604647b1de8ad09299214da0784df8abb908d2d5fff85fe1dd34730c47559
Opcode Fuzzy Hash: 5c20a9566e0638ec17d0a07618acfac8c2d90726bc506aa5a2d4ac11b12466cc
Instruction Fuzzy Hash: 8741FE35A803149FD7148E24CA80F9FB3B4EFA4354F10456EE94687612E7B6EB86CB81

Function 220C23D0 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 150COMMON

Download Yara Rule

Strings

database %s is locked, xrefs: 220C2541
cannot detach database %s, xrefs: 220C24C3, 220C2547
no such database: %s, xrefs: 220C24B4
main, xrefs: 220C2491

Memory Dump Source

Source File: 00000001.00000002.2904202460.0000000022098000.00000020.00001000.00020000.00000000.sdmp, Offset: 22090000, based on PE: true

Associated: 00000001.00000002.2904173258.0000000022090000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.0000000022091000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.00000000221F6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.000000002229D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.000000002229F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.00000000222A8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905717837.00000000222D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_22090000_MSBuild.jbxd

Similarity

API ID:
String ID: cannot detach database %s$database %s is locked$main$no such database: %s
API String ID: 0-3838832555
Opcode ID: c5bcb36dcb514ef46d55e683b1fce327e5a3abfa0947e77b0717e28862075ee5
Instruction ID: 109706c0135832d07c17f7b493baa77449e96f2ba68d6af6ea9126b665f866f4
Opcode Fuzzy Hash: c5bcb36dcb514ef46d55e683b1fce327e5a3abfa0947e77b0717e28862075ee5
Instruction Fuzzy Hash: 3851E1F16003009FE714CF14C990F1AB7E5BF98B18F11856DE8598B792DBB1E941EBA2

Function 220C4C00 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 143COMMON

Download Yara Rule

Strings

CREATE TABLE x(term, col, documents, occurrences, languageid HIDDEN), xrefs: 220C4CCB
invalid arguments to fts4aux constructor, xrefs: 220C4C9E
temp, xrefs: 220C4C3E

Memory Dump Source

Source File: 00000001.00000002.2904202460.0000000022098000.00000020.00001000.00020000.00000000.sdmp, Offset: 22090000, based on PE: true

Associated: 00000001.00000002.2904173258.0000000022090000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.0000000022091000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.00000000221F6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.000000002229D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.000000002229F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.00000000222A8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905717837.00000000222D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_22090000_MSBuild.jbxd

Similarity

API ID:
String ID: CREATE TABLE x(term, col, documents, occurrences, languageid HIDDEN)$invalid arguments to fts4aux constructor$temp
API String ID: 0-537686372
Opcode ID: 13f48d2a96bdb41d8f83404c82fe8133644f0626a0aab01741a9c95c1c4db407
Instruction ID: 9a368fac6b995091f315ba2bfb0f067b95cfe431b899453e5a62fbf0512872ca
Opcode Fuzzy Hash: 13f48d2a96bdb41d8f83404c82fe8133644f0626a0aab01741a9c95c1c4db407
Instruction Fuzzy Hash: 074147B65003009FC7168F18D9C0BAA7BF4FF54324F0484B9EDA98B216D632DA12EB70

Function 220DF490 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 143COMMON

Download Yara Rule

Strings

misuse, xrefs: 220DF4BA
ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 220DF4B0
%s at line %d of [%.10s], xrefs: 220DF4BF
unable to delete/modify collation sequence due to active statements, xrefs: 220DF533

Memory Dump Source

Source File: 00000001.00000002.2904202460.0000000022098000.00000020.00001000.00020000.00000000.sdmp, Offset: 22090000, based on PE: true

Associated: 00000001.00000002.2904173258.0000000022090000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.0000000022091000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.00000000221F6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.000000002229D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.000000002229F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.00000000222A8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905717837.00000000222D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_22090000_MSBuild.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f$misuse$unable to delete/modify collation sequence due to active statements
API String ID: 0-3348720253
Opcode ID: 67c018288fa3e50e7ede612a02e7fca25891b28e133fef76d9e68bc377b01050
Instruction ID: 82968ae2eb721825104cdb0a245c757c6f886c0dfc26e0a757612a9e8b4aec2b
Opcode Fuzzy Hash: 67c018288fa3e50e7ede612a02e7fca25891b28e133fef76d9e68bc377b01050
Instruction Fuzzy Hash: A44149732053009FD7118F24EC84B6AB7E4EF81329F14857EF6549B286D732E615EB51

Function 220AC2B0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 112COMMON

Download Yara Rule

Strings

%!.*f, xrefs: 220AC3AE

Memory Dump Source

Source File: 00000001.00000002.2904202460.0000000022098000.00000020.00001000.00020000.00000000.sdmp, Offset: 22090000, based on PE: true

Associated: 00000001.00000002.2904173258.0000000022090000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.0000000022091000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.00000000221F6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.000000002229D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.000000002229F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.00000000222A8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905717837.00000000222D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_22090000_MSBuild.jbxd

Similarity

API ID:
String ID: %!.*f
API String ID: 0-786758813
Opcode ID: e778b9c0a23dbb31f65849ce7fb89ad984a2873836cfb2478fc22f4dfca4f4a3
Instruction ID: cd254952758f550f9582247da18389c55ccadb1cacafa24a549e7d710055df02
Opcode Fuzzy Hash: e778b9c0a23dbb31f65849ce7fb89ad984a2873836cfb2478fc22f4dfca4f4a3
Instruction Fuzzy Hash: 38319C32C00F108BC3079B78896266B73E46F52785F864725ED862A002EB369896F2D6

Function 2216EBD0 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 103COMMON

Download Yara Rule

Strings

database corruption, xrefs: 2216EC4C
ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 2216EC42
%s at line %d of [%.10s], xrefs: 2216EC51
CREATE , xrefs: 2216EBFF

Memory Dump Source

Source File: 00000001.00000002.2904202460.0000000022098000.00000020.00001000.00020000.00000000.sdmp, Offset: 22090000, based on PE: true

Associated: 00000001.00000002.2904173258.0000000022090000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.0000000022091000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.00000000221F6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.000000002229D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.000000002229F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.00000000222A8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905717837.00000000222D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_22090000_MSBuild.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$CREATE $database corruption$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f
API String ID: 0-1360532505
Opcode ID: aafd999cd518fb18c1ba679df9e85383efd053186847eb336f8b11525c90ba9a
Instruction ID: 9f83df55d7fc5e272f0334d17cc56e4255d7caee8e94a1e59612f7289d4adc0e
Opcode Fuzzy Hash: aafd999cd518fb18c1ba679df9e85383efd053186847eb336f8b11525c90ba9a
Instruction Fuzzy Hash: 0D315AA25443C59EEB120A199D40FFB7FD6AF51369F1402BAF8844E147E726D3A0C731

Function 220C7050 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 98COMMON

Download Yara Rule

Strings

API call with %s database connection pointer, xrefs: 220C7074
bad parameter or other API misuse, xrefs: 220C7083
invalid, xrefs: 220C706F
out of memory, xrefs: 220C7059, 220C70A2

Memory Dump Source

Source File: 00000001.00000002.2904202460.0000000022098000.00000020.00001000.00020000.00000000.sdmp, Offset: 22090000, based on PE: true

Associated: 00000001.00000002.2904173258.0000000022090000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.0000000022091000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.00000000221F6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.000000002229D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.000000002229F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.00000000222A8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905717837.00000000222D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_22090000_MSBuild.jbxd

Similarity

API ID:
String ID: API call with %s database connection pointer$bad parameter or other API misuse$invalid$out of memory
API String ID: 0-453588374
Opcode ID: 62dd71ec360e9eb529836ddedcbca10fd548d3181e6e5af4dce5ae10a497b422
Instruction ID: 25398402d7a6d61c11a4c14ab95a7b1228860589b00cd2036767ac06acf77d68
Opcode Fuzzy Hash: 62dd71ec360e9eb529836ddedcbca10fd548d3181e6e5af4dce5ae10a497b422
Instruction Fuzzy Hash: F13139F1A4070097E72646289D06FDF23DE5B90325F384439E9459B36FD22AFA47E392

Function 221493A0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 93COMMON

Download Yara Rule

Strings

database corruption, xrefs: 22149450, 22149494
ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 22149446, 2214948A
%s at line %d of [%.10s], xrefs: 22149455, 22149499

Memory Dump Source

Source File: 00000001.00000002.2904202460.0000000022098000.00000020.00001000.00020000.00000000.sdmp, Offset: 22090000, based on PE: true

Associated: 00000001.00000002.2904173258.0000000022090000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.0000000022091000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.00000000221F6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.000000002229D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.000000002229F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.00000000222A8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905717837.00000000222D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_22090000_MSBuild.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$database corruption$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f
API String ID: 0-2528248365
Opcode ID: f6ab6553f06d2c2908f9079d50bd9c55a8d5eb1130da95373f8b40709ae659ff
Instruction ID: 6c186cafcb087cdb6975400eb475cbcacb165432e7e149fde0e544272856ed48
Opcode Fuzzy Hash: f6ab6553f06d2c2908f9079d50bd9c55a8d5eb1130da95373f8b40709ae659ff
Instruction Fuzzy Hash: 85314835B40B504AD324DF28C990BB3BBF2AF85705B94849CE6C64B78AE722EA51C750

Function 220D4F40 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 91COMMON

Download Yara Rule

Strings

database corruption, xrefs: 220D4F6C, 220D4FFD
ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 220D4F62, 220D4FF3
%s at line %d of [%.10s], xrefs: 220D4F71, 220D5002

Memory Dump Source

Source File: 00000001.00000002.2904202460.0000000022098000.00000020.00001000.00020000.00000000.sdmp, Offset: 22090000, based on PE: true

Associated: 00000001.00000002.2904173258.0000000022090000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.0000000022091000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.00000000221F6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.000000002229D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.000000002229F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.00000000222A8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905717837.00000000222D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_22090000_MSBuild.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$database corruption$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f
API String ID: 0-2528248365
Opcode ID: b3c91b692e1dad13d45c2603e44ff0fd890145ef46a3dab9dad71b7c95c17bf9
Instruction ID: d81a0077a76ff51dd985e338a5fd59b62430f90fec76c18235a7b548d9b06cdd
Opcode Fuzzy Hash: b3c91b692e1dad13d45c2603e44ff0fd890145ef46a3dab9dad71b7c95c17bf9
Instruction Fuzzy Hash: D73139762007416BD3019F29DD80BA6BFF0FF55312F084266F458CB686D325E960EBA0

Function 220A1C60 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 88COMMON

Download Yara Rule

Strings

unknown database: %s, xrefs: 220A1CBD
misuse, xrefs: 220A1D46
ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 220A1D3C
%s at line %d of [%.10s], xrefs: 220A1D4B

Memory Dump Source

Source File: 00000001.00000002.2904202460.0000000022098000.00000020.00001000.00020000.00000000.sdmp, Offset: 22090000, based on PE: true

Associated: 00000001.00000002.2904173258.0000000022090000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.0000000022091000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.00000000221F6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.000000002229D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.000000002229F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.00000000222A8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905717837.00000000222D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_22090000_MSBuild.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f$misuse$unknown database: %s
API String ID: 0-142545749
Opcode ID: e3c2ff968b27820e8b429974a264a6ae3b8666f7f196b306671116d74a2c0c18
Instruction ID: e624b9a200ed4b4fa3381f4a7097c1404096f736762abca68551b6e6b9adaceb
Opcode Fuzzy Hash: e3c2ff968b27820e8b429974a264a6ae3b8666f7f196b306671116d74a2c0c18
Instruction Fuzzy Hash: D821A8756003407BE3129A259C44F9BBBEDAFD2398F40053CFA5497292D7319E00E772

Function 220D3FF0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 85COMMON

Download Yara Rule

Strings

database corruption, xrefs: 220D4087, 220D40B2
ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 220D407D, 220D40A8
%s at line %d of [%.10s], xrefs: 220D408C, 220D40B7

Memory Dump Source

Source File: 00000001.00000002.2904202460.0000000022098000.00000020.00001000.00020000.00000000.sdmp, Offset: 22090000, based on PE: true

Associated: 00000001.00000002.2904173258.0000000022090000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.0000000022091000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.00000000221F6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.000000002229D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.000000002229F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.00000000222A8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905717837.00000000222D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_22090000_MSBuild.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$database corruption$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f
API String ID: 0-2528248365
Opcode ID: 57dc915f2704a401ff19fadbfb678ed7dc4437bea63df6d0353de9e6f58f837d
Instruction ID: 5d9edd8871a5bb4cb986e9fda6d21c03fbad06103ac6d67e2e8a10a0a6636d20
Opcode Fuzzy Hash: 57dc915f2704a401ff19fadbfb678ed7dc4437bea63df6d0353de9e6f58f837d
Instruction Fuzzy Hash: 1E21F1B36013115BD700EE18DC81AAB7BE0EF94691F814026FD8497209E235D65997E2

Function 221CC6F0 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 70COMMON

Download Yara Rule

Strings

a generated column, xrefs: 221CC722
non-deterministic use of %s() in %s, xrefs: 221CC732
an index, xrefs: 221CC71D
a CHECK constraint, xrefs: 221CC714, 221CC72B

Memory Dump Source

Source File: 00000001.00000002.2904202460.0000000022098000.00000020.00001000.00020000.00000000.sdmp, Offset: 22090000, based on PE: true

Associated: 00000001.00000002.2904173258.0000000022090000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.0000000022091000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.00000000221F6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.000000002229D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.000000002229F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.00000000222A8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905717837.00000000222D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_22090000_MSBuild.jbxd

Similarity

API ID:
String ID: a CHECK constraint$a generated column$an index$non-deterministic use of %s() in %s
API String ID: 0-3705377941
Opcode ID: 222744121417eec2f86dac795106a90eff361e4233d4131d1fcce8fa2a12e28a
Instruction ID: dee3ff67ef0e089453e89bb49b9b296108797cbd78431baa440bbc3f83c8d618
Opcode Fuzzy Hash: 222744121417eec2f86dac795106a90eff361e4233d4131d1fcce8fa2a12e28a
Instruction Fuzzy Hash: 832102B4A403119FDB009F28DD48F9637A4EF21366F400724FE14D72A9D77AD991C7A2

Function 22149290 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 70COMMON

Download Yara Rule

Strings

database corruption, xrefs: 221492A6, 22149334
ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 2214929C, 2214932A
%s at line %d of [%.10s], xrefs: 221492AB, 22149339

Memory Dump Source

Source File: 00000001.00000002.2904202460.0000000022098000.00000020.00001000.00020000.00000000.sdmp, Offset: 22090000, based on PE: true

Associated: 00000001.00000002.2904173258.0000000022090000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.0000000022091000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.00000000221F6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.000000002229D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.000000002229F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.00000000222A8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905717837.00000000222D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_22090000_MSBuild.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$database corruption$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f
API String ID: 0-2528248365
Opcode ID: 14c863f35ea00910627c55a4c837ba0fbb571169f94e0505f160e67d45c905ff
Instruction ID: 08393c948020f089b800b0ccb87a28991c3d69927f0561a85311bc64a9078845
Opcode Fuzzy Hash: 14c863f35ea00910627c55a4c837ba0fbb571169f94e0505f160e67d45c905ff
Instruction Fuzzy Hash: FE216B25684B905AD3229F389DC0FA3BFF2AF15314B44449CE6D69779EE233E681C790

Function 220B33C0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 54COMMON

Download Yara Rule

Strings

CREATE TABLE x(pgno INTEGER PRIMARY KEY, data BLOB, schema HIDDEN), xrefs: 220B33D6

Memory Dump Source

Source File: 00000001.00000002.2904202460.0000000022098000.00000020.00001000.00020000.00000000.sdmp, Offset: 22090000, based on PE: true

Associated: 00000001.00000002.2904173258.0000000022090000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.0000000022091000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.00000000221F6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.000000002229D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.000000002229F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.00000000222A8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905717837.00000000222D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_22090000_MSBuild.jbxd

Similarity

API ID:
String ID: CREATE TABLE x(pgno INTEGER PRIMARY KEY, data BLOB, schema HIDDEN)
API String ID: 0-1935849370
Opcode ID: c0f05624f99c25990f9ed4bba6b52fa220a1526d4e553eca46adfb8214ba14b4
Instruction ID: db0d1c54e7d9ad0cb54b0a9bde811b03e3c833c9b8ee8f6e352bf0c1229da543
Opcode Fuzzy Hash: c0f05624f99c25990f9ed4bba6b52fa220a1526d4e553eca46adfb8214ba14b4
Instruction Fuzzy Hash: B601D8357443165BD302DF29E840B8BB3D9EFD5311F158176F6049F284EBB0A587ABA1

Function 22245BC1 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,141843AE,?,?,00000000,2229D1CB,000000FF,?,22245B30,?,?,22245ADF,?), ref: 22245BF6
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 22245C08
FreeLibrary.KERNEL32(00000000,?,?,00000000,2229D1CB,000000FF,?,22245B30,?,?,22245ADF,?), ref: 22245C2A

Strings

CorExitProcess, xrefs: 22245C00
mscoree.dll, xrefs: 22245BEF

Memory Dump Source

Source File: 00000001.00000002.2904202460.00000000221F6000.00000020.00001000.00020000.00000000.sdmp, Offset: 22090000, based on PE: true

Associated: 00000001.00000002.2904173258.0000000022090000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.0000000022091000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.0000000022098000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.000000002229D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.000000002229F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.00000000222A8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905717837.00000000222D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_22090000_MSBuild.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: e74b8d76932d0605a8283831fe4982bb29091a09c338c611d5c6f75b23883c13
Instruction ID: e26d88091660bc7c282196e59990f4c74d76134ed69e46386277ba5276c6f5e1
Opcode Fuzzy Hash: e74b8d76932d0605a8283831fe4982bb29091a09c338c611d5c6f75b23883c13
Instruction Fuzzy Hash: 78016232D54629AFDB018F90CD48FAEB7F8FB08755F404925F811E2298DB7E9900CA54

Function 221B6A20 Relevance: 8.0, APIs: 5, Instructions: 485COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2904202460.0000000022098000.00000020.00001000.00020000.00000000.sdmp, Offset: 22090000, based on PE: true

Associated: 00000001.00000002.2904173258.0000000022090000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.0000000022091000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.00000000221F6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.000000002229D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.000000002229F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.00000000222A8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905717837.00000000222D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_22090000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 650227880f332991a61288f66a27776b598752dee617e9e9822d125727cda5d9
Instruction ID: 4cd4456868e6a8d5c4c3447817c51ccc3563602aaac80d0e080335b133fed4cf
Opcode Fuzzy Hash: 650227880f332991a61288f66a27776b598752dee617e9e9822d125727cda5d9
Instruction Fuzzy Hash: 1C029BB09843858FC700CF25CA88B5AB7F4BF64709F444A2DED45C7245E7B9EA49CB92

Function 2211AF80 Relevance: 7.8, APIs: 5, Instructions: 277COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2904202460.0000000022098000.00000020.00001000.00020000.00000000.sdmp, Offset: 22090000, based on PE: true

Associated: 00000001.00000002.2904173258.0000000022090000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.0000000022091000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.00000000221F6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.000000002229D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.000000002229F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.00000000222A8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905717837.00000000222D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_22090000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23310461f50cb133791fbec313867b4752be17c1cd1a3b1feb0c38aeea22d54f
Instruction ID: 803c0d4dd9d855abed765a03a10fd2acec9c35b27ee7a67b936026889ca39b5c
Opcode Fuzzy Hash: 23310461f50cb133791fbec313867b4752be17c1cd1a3b1feb0c38aeea22d54f
Instruction Fuzzy Hash: 3DA1AC70D81711DBD7009F29DA4CF8A3378BF1074AF440A24ED05D225AD77AEB59CBA2

Function 221B73C0 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 296COMMON

Download Yara Rule

Strings

fts5: syntax error near "%.*s", xrefs: 221B751C

Memory Dump Source

Source File: 00000001.00000002.2904202460.0000000022098000.00000020.00001000.00020000.00000000.sdmp, Offset: 22090000, based on PE: true

Associated: 00000001.00000002.2904173258.0000000022090000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.0000000022091000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.00000000221F6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.000000002229D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.000000002229F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.00000000222A8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905717837.00000000222D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_22090000_MSBuild.jbxd

Similarity

API ID:
String ID: fts5: syntax error near "%.*s"
API String ID: 0-498961494
Opcode ID: f2228102d31f2785c90ad81c4165ba2e85c80328e19b61ebe91391060591eb5d
Instruction ID: ffac462c251b9eb18e4a89e6c799d736d3937a954c4731fbfab8a656fcb790df
Opcode Fuzzy Hash: f2228102d31f2785c90ad81c4165ba2e85c80328e19b61ebe91391060591eb5d
Instruction Fuzzy Hash: 8EB1CEB28843419FD310CF24C984F9ABBF8AF94348F44491DF89987241E775E786CBA6

Function 220AF7F0 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 236COMMON

Download Yara Rule

Strings

integer overflow, xrefs: 220AF8ED

Memory Dump Source

Source File: 00000001.00000002.2904202460.0000000022098000.00000020.00001000.00020000.00000000.sdmp, Offset: 22090000, based on PE: true

Associated: 00000001.00000002.2904173258.0000000022090000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.0000000022091000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.00000000221F6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.000000002229D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.000000002229F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.00000000222A8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905717837.00000000222D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_22090000_MSBuild.jbxd

Similarity

API ID:
String ID: integer overflow
API String ID: 0-1678498654
Opcode ID: 23ed2a70e637a2be295fa19d9c618c0e06e3d60aad093efc4e87fc37c18ee2d0
Instruction ID: f848165c55c629cc5f6fe7d735d7559235fed1fec21ce50ead2e992a8135328a
Opcode Fuzzy Hash: 23ed2a70e637a2be295fa19d9c618c0e06e3d60aad093efc4e87fc37c18ee2d0
Instruction Fuzzy Hash: CA11E6768047106EDB02AF64AD08B8A37E16F2A324F154369E6541A1A2FB7281D9E3D3

Function 220B82E0 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 220COMMON

Download Yara Rule

Strings

[%d], xrefs: 220B84C7

Memory Dump Source

Source File: 00000001.00000002.2904202460.0000000022098000.00000020.00001000.00020000.00000000.sdmp, Offset: 22090000, based on PE: true

Associated: 00000001.00000002.2904173258.0000000022090000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.0000000022091000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.00000000221F6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.000000002229D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.000000002229F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.00000000222A8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905717837.00000000222D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_22090000_MSBuild.jbxd

Similarity

API ID:
String ID: [%d]
API String ID: 0-394612830
Opcode ID: bd2e598b79903feea3b294cdf90f73aac7f8ac69f9f8dbc76a68101b4e6a502b
Instruction ID: 0f6a6895efcb68f8391e59fe808a44cb88ea3221e089546bbcec49d744bbfd34
Opcode Fuzzy Hash: bd2e598b79903feea3b294cdf90f73aac7f8ac69f9f8dbc76a68101b4e6a502b
Instruction Fuzzy Hash: FB7108B1904300AFEB31CF20DD80FAB77E9AF95704FC44A2DE98992191E775E609D762

Function 22196180 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 216COMMON

Download Yara Rule

Strings

database corruption, xrefs: 22196391
ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 22196387
%s at line %d of [%.10s], xrefs: 22196396

Memory Dump Source

Source File: 00000001.00000002.2904202460.0000000022098000.00000020.00001000.00020000.00000000.sdmp, Offset: 22090000, based on PE: true

Associated: 00000001.00000002.2904173258.0000000022090000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.0000000022091000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.00000000221F6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.000000002229D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.000000002229F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.00000000222A8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905717837.00000000222D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_22090000_MSBuild.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$database corruption$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f
API String ID: 0-2528248365
Opcode ID: 1a84243f9d4d646c8d79e5f45692851c57b1c1cd6da6e2406865e749d23b64fe
Instruction ID: dfb51cf8282e3a8bf6f31ce2668ce7fc8ed5264af72d79ea0df6c6f57cb6b349
Opcode Fuzzy Hash: 1a84243f9d4d646c8d79e5f45692851c57b1c1cd6da6e2406865e749d23b64fe
Instruction Fuzzy Hash: F571D371A883C08BD704DF14C9C1FAA7BE0FF54324F950999E8998B292E735DB45C761

Function 22240FC2 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 189COMMONLIBRARYCODE

Download Yara Rule

APIs

EncodePointer.KERNEL32(00000000,?,00000000,1FFFFFFF), ref: 22240FE7
CatchIt.LIBVCRUNTIME ref: 222410CD

Strings

MOC, xrefs: 22240FF9
RCC, xrefs: 22241001

Memory Dump Source

Source File: 00000001.00000002.2904202460.00000000221F6000.00000020.00001000.00020000.00000000.sdmp, Offset: 22090000, based on PE: true

Associated: 00000001.00000002.2904173258.0000000022090000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.0000000022091000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.0000000022098000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.000000002229D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.000000002229F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.00000000222A8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905717837.00000000222D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_22090000_MSBuild.jbxd

Similarity

API ID: CatchEncodePointer
String ID: MOC$RCC
API String ID: 1435073870-2084237596
Opcode ID: 87af51ced012b8679ec1b42b12f18217b56c7393a44ec5fb3f5b4544d200cc1e
Instruction ID: 13b04769aaf20459b151c65e32c339c54490c8f575f8759070a30766ade06a18
Opcode Fuzzy Hash: 87af51ced012b8679ec1b42b12f18217b56c7393a44ec5fb3f5b4544d200cc1e
Instruction Fuzzy Hash: DC415A71D0035AAFCF19CF94CE80AEE7BB5FF48304F149099EA0577225D636AA50EB50

Function 220D35E0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 148COMMON

Download Yara Rule

Strings

misuse, xrefs: 220D35F4
ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 220D35EA
%s at line %d of [%.10s], xrefs: 220D35F9

Memory Dump Source

Source File: 00000001.00000002.2904202460.0000000022098000.00000020.00001000.00020000.00000000.sdmp, Offset: 22090000, based on PE: true

Associated: 00000001.00000002.2904173258.0000000022090000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.0000000022091000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.00000000221F6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.000000002229D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.000000002229F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.00000000222A8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905717837.00000000222D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_22090000_MSBuild.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f$misuse
API String ID: 0-3564305576
Opcode ID: b9b40e76285c4c5f98eed8057175e965c32e3d4a6040e23c900ef341e18276b9
Instruction ID: e39d1cbf2cbdf88661ec80f80fee4f0e19cc91c19c82ca5cbfaf54ce46df8bb7
Opcode Fuzzy Hash: b9b40e76285c4c5f98eed8057175e965c32e3d4a6040e23c900ef341e18276b9
Instruction Fuzzy Hash: 4A51D4F6A02710AFDB158F14C884B16BBE5FF14768F088668F9589F252D331E910DF92

Function 221496B0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 136COMMON

Download Yara Rule

Strings

database corruption, xrefs: 221497EA
ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 221497E0
%s at line %d of [%.10s], xrefs: 221497EF

Memory Dump Source

Source File: 00000001.00000002.2904202460.0000000022098000.00000020.00001000.00020000.00000000.sdmp, Offset: 22090000, based on PE: true

Associated: 00000001.00000002.2904173258.0000000022090000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.0000000022091000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.00000000221F6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.000000002229D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.000000002229F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.00000000222A8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905717837.00000000222D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_22090000_MSBuild.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$database corruption$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f
API String ID: 0-2528248365
Opcode ID: 61b6e10e8aa82015f85c7304e3595375c9a43e0ba74335998bd88fb0ce5cb33e
Instruction ID: 77e3acbc9fa78f716f87e4dcb81a70aa3d2beb1acb97b4ed1e1a5ea04e895738
Opcode Fuzzy Hash: 61b6e10e8aa82015f85c7304e3595375c9a43e0ba74335998bd88fb0ce5cb33e
Instruction Fuzzy Hash: 1F4179766447908FD3318F789440ED3FFE0AF41266F080CAED2D98B656E622E681D791

Function 220A0300 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 128COMMON

Download Yara Rule

Strings

winWrite1, xrefs: 220A045E
winWrite2, xrefs: 220A043B
delayed %dms for lock/sharing conflict at line %d, xrefs: 220A03FF

Memory Dump Source

Source File: 00000001.00000002.2904202460.0000000022098000.00000020.00001000.00020000.00000000.sdmp, Offset: 22090000, based on PE: true

Associated: 00000001.00000002.2904173258.0000000022090000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.0000000022091000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.00000000221F6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.000000002229D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.000000002229F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.00000000222A8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905717837.00000000222D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_22090000_MSBuild.jbxd

Similarity

API ID:
String ID: delayed %dms for lock/sharing conflict at line %d$winWrite1$winWrite2
API String ID: 0-1808655853
Opcode ID: 3acf744c70ab4d691df640ec937eff7b71263623bc7ea97bb9236c4d13724bee
Instruction ID: 37624acbdc78b556664d31019eb2f5157ac2b4f6ecb2a3d21c4baef12d20361d
Opcode Fuzzy Hash: 3acf744c70ab4d691df640ec937eff7b71263623bc7ea97bb9236c4d13724bee
Instruction Fuzzy Hash: 5A4146B2A043059BD3059F98CCA0E6FB7EAFB88354F900B3AFB11C6195D376D54497A2

Function 22215960 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 126COMMON

Download Yara Rule

Strings

misuse, xrefs: 22215980
ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 22215976
%s at line %d of [%.10s], xrefs: 22215985

Memory Dump Source

Source File: 00000001.00000002.2904202460.00000000221F6000.00000020.00001000.00020000.00000000.sdmp, Offset: 22090000, based on PE: true

Associated: 00000001.00000002.2904173258.0000000022090000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.0000000022091000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.0000000022098000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.000000002229D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.000000002229F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.00000000222A8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905717837.00000000222D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_22090000_MSBuild.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f$misuse
API String ID: 0-3564305576
Opcode ID: e737f15b07033465eed145e55a4b9093cfa07c6bae41e4809cf6948d87c14e36
Instruction ID: ba1c0877cd55937e276240b0cac09b75fd8f68b0b53975f24c5834d5c579be48
Opcode Fuzzy Hash: e737f15b07033465eed145e55a4b9093cfa07c6bae41e4809cf6948d87c14e36
Instruction Fuzzy Hash: 49410B719403115FD7108B54CD80F9AB7E8BF95364F8405A9F94457286E33EEAA8C7D2

Function 22228850 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 118COMMON

Download Yara Rule

Strings

os_win.c:%d: (%lu) %s(%s) - %s, xrefs: 222288E2
delayed %dms for lock/sharing conflict at line %d, xrefs: 2222895F

Memory Dump Source

Source File: 00000001.00000002.2904202460.00000000221F6000.00000020.00001000.00020000.00000000.sdmp, Offset: 22090000, based on PE: true

Associated: 00000001.00000002.2904173258.0000000022090000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.0000000022091000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.0000000022098000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.000000002229D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.000000002229F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.00000000222A8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905717837.00000000222D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_22090000_MSBuild.jbxd

Similarity

API ID:
String ID: delayed %dms for lock/sharing conflict at line %d$os_win.c:%d: (%lu) %s(%s) - %s
API String ID: 0-1037342196
Opcode ID: ddb7eaa8ae86d9054714aaca2346b96a87109bae759388af30f62871f21f2159
Instruction ID: 626ced3788c5b8094cedc42e238c56c5f592350ff7c5963bc81bf5b8e8ad15ea
Opcode Fuzzy Hash: ddb7eaa8ae86d9054714aaca2346b96a87109bae759388af30f62871f21f2159
Instruction Fuzzy Hash: BA213870608747AFE7209B14CD84BEBBBE9AFD4304F944C2CE688D6196C637D8448763

Function 220D5390 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 117COMMON

Download Yara Rule

Strings

database corruption, xrefs: 220D5408
ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 220D53FE
%s at line %d of [%.10s], xrefs: 220D540D

Memory Dump Source

Source File: 00000001.00000002.2904202460.0000000022098000.00000020.00001000.00020000.00000000.sdmp, Offset: 22090000, based on PE: true

Associated: 00000001.00000002.2904173258.0000000022090000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.0000000022091000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.00000000221F6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.000000002229D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.000000002229F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.00000000222A8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905717837.00000000222D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_22090000_MSBuild.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$database corruption$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f
API String ID: 0-2528248365
Opcode ID: 9ebc7ac1d85c6ecf810326cac52b88d6000e1b32555f19ceb54ea0b68998ebf8
Instruction ID: e8ab0ce62c8acaa4053785cb8a686a3aa55b3cee89f45916caa66eef1161a354
Opcode Fuzzy Hash: 9ebc7ac1d85c6ecf810326cac52b88d6000e1b32555f19ceb54ea0b68998ebf8
Instruction Fuzzy Hash: B0316C266427504BD3228F3899407AB7FE0DF5171BF440479EDC9D7686E322F492E362

Function 221B7ED0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 111COMMON

Download Yara Rule

Strings

no such tokenizer: %s, xrefs: 221B7F1B
error in tokenizer constructor, xrefs: 221B7F92

Memory Dump Source

Source File: 00000001.00000002.2904202460.0000000022098000.00000020.00001000.00020000.00000000.sdmp, Offset: 22090000, based on PE: true

Associated: 00000001.00000002.2904173258.0000000022090000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.0000000022091000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.00000000221F6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.000000002229D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.000000002229F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.00000000222A8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905717837.00000000222D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_22090000_MSBuild.jbxd

Similarity

API ID:
String ID: error in tokenizer constructor$no such tokenizer: %s
API String ID: 0-815501780
Opcode ID: 6f6872d9abc5c0590173a45b7ad58741a211254ab5f31b72886fe7641ac1f715
Instruction ID: 8f9568f7a5baaadea201282f929977637783b909442bd6a11ca6a2821a5fd6ae
Opcode Fuzzy Hash: 6f6872d9abc5c0590173a45b7ad58741a211254ab5f31b72886fe7641ac1f715
Instruction Fuzzy Hash: 98319C767413158FC721CF19D880BAAB3E4EF84769F1405ADE959AB300E332EA068B61

Function 2209F000 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 97COMMON

Download Yara Rule

Strings

second argument to nth_value must be a positive integer, xrefs: 2209F0C4

Memory Dump Source

Source File: 00000001.00000002.2904202460.0000000022098000.00000020.00001000.00020000.00000000.sdmp, Offset: 22090000, based on PE: true

Associated: 00000001.00000002.2904173258.0000000022090000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.0000000022091000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.00000000221F6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.000000002229D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.000000002229F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.00000000222A8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905717837.00000000222D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_22090000_MSBuild.jbxd

Similarity

API ID:
String ID: second argument to nth_value must be a positive integer
API String ID: 0-2620530100
Opcode ID: 39f868a7bf5eca1dcbed8ca9b51a363f8a0d0a4deb84cb00a8b7032d7a67e038
Instruction ID: 97cb8d5953d6c012fcbd62cb15636d64fc8230f2a791e0e2b8c67702c609f319
Opcode Fuzzy Hash: 39f868a7bf5eca1dcbed8ca9b51a363f8a0d0a4deb84cb00a8b7032d7a67e038
Instruction Fuzzy Hash: 5A316EB29003119FCB019F14DD45B1B73E4FF50B14F444624F86A66181FF32EE54B692

Function 220B05D0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 91COMMON

Download Yara Rule

Strings

rbu(%s)/%z, xrefs: 220B0697
rbu/zipvfs setup error, xrefs: 220B061A

Memory Dump Source

Source File: 00000001.00000002.2904202460.0000000022098000.00000020.00001000.00020000.00000000.sdmp, Offset: 22090000, based on PE: true

Associated: 00000001.00000002.2904173258.0000000022090000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.0000000022091000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.00000000221F6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.000000002229D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.000000002229F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.00000000222A8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905717837.00000000222D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_22090000_MSBuild.jbxd

Similarity

API ID:
String ID: rbu(%s)/%z$rbu/zipvfs setup error
API String ID: 0-199214844
Opcode ID: b398101b26fb218378328c2cdf695476db2f74e50fddb235120e060bb67791c7
Instruction ID: 945b121ccafbc0733eebebeee659e870b107451b2c9302a6c222a1f52f84fb7e
Opcode Fuzzy Hash: b398101b26fb218378328c2cdf695476db2f74e50fddb235120e060bb67791c7
Instruction Fuzzy Hash: 4621E1B2A003059FD7208F29DD80F5AB7E6FFC9720F11447AE95987202DB32E8149B91

Function 220D5280 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 81COMMON

Download Yara Rule

Strings

database corruption, xrefs: 220D52FC
ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 220D52F2
%s at line %d of [%.10s], xrefs: 220D5301

Memory Dump Source

Source File: 00000001.00000002.2904202460.0000000022098000.00000020.00001000.00020000.00000000.sdmp, Offset: 22090000, based on PE: true

Associated: 00000001.00000002.2904173258.0000000022090000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.0000000022091000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.00000000221F6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.000000002229D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.000000002229F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.00000000222A8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905717837.00000000222D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_22090000_MSBuild.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$database corruption$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f
API String ID: 0-2528248365
Opcode ID: 3837f00ea1447ee05133d5661f460ad4b5248418cd5dea3f1c705aad159d3fce
Instruction ID: c4eca4fef98d25badcce400acce3b4c681231a5462aa7912d58611a8c882eedf
Opcode Fuzzy Hash: 3837f00ea1447ee05133d5661f460ad4b5248418cd5dea3f1c705aad159d3fce
Instruction Fuzzy Hash: 7F1135737013006BCB115A49BC40DDBBFE5EFD52B6F090575FA4856222D223DA21A3A2

Function 221F8490 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 80COMMON

Download Yara Rule

Strings

database corruption, xrefs: 221F84CB
ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 221F84C1
%s at line %d of [%.10s], xrefs: 221F84D0

Memory Dump Source

Source File: 00000001.00000002.2904202460.00000000221F6000.00000020.00001000.00020000.00000000.sdmp, Offset: 22090000, based on PE: true

Associated: 00000001.00000002.2904173258.0000000022090000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.0000000022091000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.0000000022098000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.000000002229D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.000000002229F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.00000000222A8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905717837.00000000222D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_22090000_MSBuild.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$database corruption$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f
API String ID: 0-2528248365
Opcode ID: 5337d63148b8717c6c64e383a30d8a1013ffa353bc17ae7c9eb6cabe964d870d
Instruction ID: b08bf39e128f69e9f75314137731eb53d6a54ab4b3585efe006818d6ed8ac0f4
Opcode Fuzzy Hash: 5337d63148b8717c6c64e383a30d8a1013ffa353bc17ae7c9eb6cabe964d870d
Instruction Fuzzy Hash: D32107763407015BD7208F58DC80F97B3E5EF94311F21492EF9569B352E332EA4587A1

Function 220ED6F0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 70COMMON

Download Yara Rule

Strings

%s%s, xrefs: 220ED725

Memory Dump Source

Source File: 00000001.00000002.2904202460.0000000022098000.00000020.00001000.00020000.00000000.sdmp, Offset: 22090000, based on PE: true

Associated: 00000001.00000002.2904173258.0000000022090000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.0000000022091000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.00000000221F6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.000000002229D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.000000002229F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.00000000222A8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905717837.00000000222D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_22090000_MSBuild.jbxd

Similarity

API ID:
String ID: %s%s
API String ID: 0-3252725368
Opcode ID: 71863c94481e7b8a48a4b716173fb106c43fb8d38ddef34920b8193941339994
Instruction ID: 048e5437b9cc8983720ddc79d66bc3d63b203425b8065df1314bafae5405f2b5
Opcode Fuzzy Hash: 71863c94481e7b8a48a4b716173fb106c43fb8d38ddef34920b8193941339994
Instruction Fuzzy Hash: 0411CD359003109FD7025B24D988B5A33E8EF8065AF000638FE89C6209E77A9945DBA2

Function 221B6140 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 69COMMON

Download Yara Rule

Strings

fts5: error creating shadow table %q_%s: %s, xrefs: 221B6197
WITHOUT ROWID, xrefs: 221B6150, 221B6162
CREATE TABLE %Q.'%q_%q'(%s)%s, xrefs: 221B6175

Memory Dump Source

Source File: 00000001.00000002.2904202460.0000000022098000.00000020.00001000.00020000.00000000.sdmp, Offset: 22090000, based on PE: true

Associated: 00000001.00000002.2904173258.0000000022090000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.0000000022091000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.00000000221F6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.000000002229D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.000000002229F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.00000000222A8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905717837.00000000222D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_22090000_MSBuild.jbxd

Similarity

API ID:
String ID: WITHOUT ROWID$CREATE TABLE %Q.'%q_%q'(%s)%s$fts5: error creating shadow table %q_%s: %s
API String ID: 0-1971204597
Opcode ID: 1ad1796d6631d9aab891312247ab31c0eb5fe0caebac278ba701617eecc73b5f
Instruction ID: 11bae228a2372460bc6fa733c35d454b009197f96958f7292f5157f044e2a6ce
Opcode Fuzzy Hash: 1ad1796d6631d9aab891312247ab31c0eb5fe0caebac278ba701617eecc73b5f
Instruction Fuzzy Hash: 8811C071A40240AFDB014F58DD88E2A77B8FF8474AF404928FD45DA119D73BC925DBA2

Function 2213A6B0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 67COMMON

Download Yara Rule

Strings

database corruption, xrefs: 2213A6CD
ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 2213A6C3
%s at line %d of [%.10s], xrefs: 2213A6D2

Memory Dump Source

Source File: 00000001.00000002.2904202460.0000000022098000.00000020.00001000.00020000.00000000.sdmp, Offset: 22090000, based on PE: true

Associated: 00000001.00000002.2904173258.0000000022090000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.0000000022091000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.00000000221F6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.000000002229D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.000000002229F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.00000000222A8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905717837.00000000222D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_22090000_MSBuild.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$database corruption$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f
API String ID: 0-2528248365
Opcode ID: 28bdbade1d421a195791f6b8b6d923233e6049999eb56e3c59f4f403754dd17b
Instruction ID: e01dccbfe664eeb7f0313052d4d1255031d7e3720f9f12c0a04ae421cfbad0af
Opcode Fuzzy Hash: 28bdbade1d421a195791f6b8b6d923233e6049999eb56e3c59f4f403754dd17b
Instruction Fuzzy Hash: 511191B2204301AFD701DF59DC80F9BB7E9EFC1751F4408A9F6449B2A1D336A955CBA2

Function 220A2380 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 62COMMON

Download Yara Rule

Strings

misuse, xrefs: 220A2406
ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 220A23FC
%s at line %d of [%.10s], xrefs: 220A240B

Memory Dump Source

Source File: 00000001.00000002.2904202460.0000000022098000.00000020.00001000.00020000.00000000.sdmp, Offset: 22090000, based on PE: true

Associated: 00000001.00000002.2904173258.0000000022090000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.0000000022091000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.00000000221F6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.000000002229D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.000000002229F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.00000000222A8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905717837.00000000222D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_22090000_MSBuild.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f$misuse
API String ID: 0-3564305576
Opcode ID: 4a456be74de6173013221b469be9c417fae24ddd70e877deb0fc1f1ca23bafb7
Instruction ID: 144c8847beaceca9fd05a5273968ef515c0fc35ca44efb7f63862d7e023f9f9f
Opcode Fuzzy Hash: 4a456be74de6173013221b469be9c417fae24ddd70e877deb0fc1f1ca23bafb7
Instruction Fuzzy Hash: F9119A712043029FE708CE08DCD0F5AB7E4BF98304F5244A8F6419B256D671E986EB90

Function 22141F70 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58COMMON

Download Yara Rule

Strings

JSON path error near '%q', xrefs: 22141F92

Memory Dump Source

Source File: 00000001.00000002.2904202460.0000000022098000.00000020.00001000.00020000.00000000.sdmp, Offset: 22090000, based on PE: true

Associated: 00000001.00000002.2904173258.0000000022090000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.0000000022091000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.00000000221F6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.000000002229D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.000000002229F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.00000000222A8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905717837.00000000222D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_22090000_MSBuild.jbxd

Similarity

API ID:
String ID: JSON path error near '%q'
API String ID: 0-481711382
Opcode ID: ff6eb7ab5eed0f67d702ae799711d8a6455fb394fbb971027db61bdcde1be0bd
Instruction ID: 6ea70f07247139086f520ab1eeae863f4da72f6fc90ade03d113b76f32a333f2
Opcode Fuzzy Hash: ff6eb7ab5eed0f67d702ae799711d8a6455fb394fbb971027db61bdcde1be0bd
Instruction Fuzzy Hash: 52010472A093106EDB249B548D00F9B7BC4DF41720F20076CF95AA62E1EB719902E3E2

Function 220BF0E0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 56COMMON

Download Yara Rule

Strings

INSERT INTO %Q.%Q(%Q) VALUES('flush'), xrefs: 220BF105

Memory Dump Source

Source File: 00000001.00000002.2904202460.0000000022098000.00000020.00001000.00020000.00000000.sdmp, Offset: 22090000, based on PE: true

Associated: 00000001.00000002.2904173258.0000000022090000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.0000000022091000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.00000000221F6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.000000002229D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.000000002229F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.00000000222A8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905717837.00000000222D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_22090000_MSBuild.jbxd

Similarity

API ID:
String ID: INSERT INTO %Q.%Q(%Q) VALUES('flush')
API String ID: 0-2312637080
Opcode ID: f084b1238841aa9f4ebd27498088664518e1bfe33a871ac54978badbdf980baf
Instruction ID: 9728617c8d24676f8c0294c53df7ff69cd1086b366f6fd467bb308cbc44ef21b
Opcode Fuzzy Hash: f084b1238841aa9f4ebd27498088664518e1bfe33a871ac54978badbdf980baf
Instruction Fuzzy Hash: 6E019E363043415ED322866EFC44F9BB7E8EBD4721F04087AF6ADC3201D761A885A261

Function 220C0D70 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47COMMON

Download Yara Rule

Strings

INSERT INTO %Q.%Q(%Q) VALUES('flush'), xrefs: 220C0D87

Memory Dump Source

Source File: 00000001.00000002.2904202460.0000000022098000.00000020.00001000.00020000.00000000.sdmp, Offset: 22090000, based on PE: true

Associated: 00000001.00000002.2904173258.0000000022090000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.0000000022091000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.00000000221F6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.000000002229D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.000000002229F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.00000000222A8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905717837.00000000222D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_22090000_MSBuild.jbxd

Similarity

API ID:
String ID: INSERT INTO %Q.%Q(%Q) VALUES('flush')
API String ID: 0-2312637080
Opcode ID: bbbc33c4a474b46469e1d25cd8d73bd7deedf81cbeaa3491450341f8c6564329
Instruction ID: 6eb7d8231395f1bbaf5aeadc2323419bcee33026abed9fd59c3a4822d1977158
Opcode Fuzzy Hash: bbbc33c4a474b46469e1d25cd8d73bd7deedf81cbeaa3491450341f8c6564329
Instruction Fuzzy Hash: 35018C72204300AFE3119A5DED80F56B7EAEB88B24F044468F68DDB240D7B2FC46A761

Function 2209EF30 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 43COMMON

Download Yara Rule

Strings

misuse, xrefs: 2209EFB0
ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 2209EFA6
%s at line %d of [%.10s], xrefs: 2209EFB5

Memory Dump Source

Source File: 00000001.00000002.2904202460.0000000022098000.00000020.00001000.00020000.00000000.sdmp, Offset: 22090000, based on PE: true

Associated: 00000001.00000002.2904173258.0000000022090000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.0000000022091000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.00000000221F6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.000000002229D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.000000002229F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.00000000222A8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905717837.00000000222D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_22090000_MSBuild.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f$misuse
API String ID: 0-3564305576
Opcode ID: d82cc608025543411b53c5c7da678fecf5d58f8e647e340ed594f81be8aa183f
Instruction ID: 9fac3e002451774eecbb255724201f16fad04ba605639aae3a31032fb298814e
Opcode Fuzzy Hash: d82cc608025543411b53c5c7da678fecf5d58f8e647e340ed594f81be8aa183f
Instruction Fuzzy Hash: C601F5B1E027119FD3018F08D908B0B3BE1AF81B09F454469E909AB359D376E846DBC3

Function 22109180 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 42COMMON

Download Yara Rule

Strings

%s_stat, xrefs: 22109192

Memory Dump Source

Source File: 00000001.00000002.2904202460.0000000022098000.00000020.00001000.00020000.00000000.sdmp, Offset: 22090000, based on PE: true

Associated: 00000001.00000002.2904173258.0000000022090000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.0000000022091000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.00000000221F6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.000000002229D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.000000002229F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.00000000222A8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905717837.00000000222D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_22090000_MSBuild.jbxd

Similarity

API ID:
String ID: %s_stat
API String ID: 0-920702477
Opcode ID: 2b4af3f992924daaaf9781955bf9f79cc8a9c239b58795a9a7c96d6a0107c287
Instruction ID: 58738608778b036aee9cf7ede0dbb5ef06bfcfd78114368b097d6f2a41088885
Opcode Fuzzy Hash: 2b4af3f992924daaaf9781955bf9f79cc8a9c239b58795a9a7c96d6a0107c287
Instruction Fuzzy Hash: FCF02732B053513BE7104679BD80F46EBD9BF64670F144625F90DA2108C326AD916391

Function 220B7F70 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 40COMMON

Download Yara Rule

Strings

CREATE TABLE x(key,value,type,atom,id,parent,fullkey,path,json HIDDEN,root HIDDEN), xrefs: 220B7F76

Memory Dump Source

Source File: 00000001.00000002.2904202460.0000000022098000.00000020.00001000.00020000.00000000.sdmp, Offset: 22090000, based on PE: true

Associated: 00000001.00000002.2904173258.0000000022090000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.0000000022091000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.00000000221F6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.000000002229D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.000000002229F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.00000000222A8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905717837.00000000222D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_22090000_MSBuild.jbxd

Similarity

API ID:
String ID: CREATE TABLE x(key,value,type,atom,id,parent,fullkey,path,json HIDDEN,root HIDDEN)
API String ID: 0-3072645960
Opcode ID: 8dcf1c52d798667c189aa15f7fcea6a028189a687350fa9c440e065d0835605d
Instruction ID: b4b0cf47f81b150de43ff3acf5861cd77923990e9df724fdd966d480debe3799
Opcode Fuzzy Hash: 8dcf1c52d798667c189aa15f7fcea6a028189a687350fa9c440e065d0835605d
Instruction Fuzzy Hash: 0AF02437B483028AD7215F28FC05BC9B7D5AFE4321F150139F9449B2A0E760E986A7A2

Function 2224066B Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,00000000,00000800,?,22240513,?,?,?,?,?,?,222407BD,00000003,FlsSetValue,222B7770,222B7778), ref: 22240678
GetLastError.KERNEL32(?,22240513,?,?,?,?,?,?,222407BD,00000003,FlsSetValue,222B7770,222B7778), ref: 22240682
LoadLibraryExW.KERNEL32(?,00000000,00000000), ref: 222406AA

Strings

api-ms-, xrefs: 2224068F

Memory Dump Source

Source File: 00000001.00000002.2904202460.00000000221F6000.00000020.00001000.00020000.00000000.sdmp, Offset: 22090000, based on PE: true

Associated: 00000001.00000002.2904173258.0000000022090000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.0000000022091000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.0000000022098000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.000000002229D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.000000002229F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.00000000222A8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905717837.00000000222D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_22090000_MSBuild.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID: api-ms-
API String ID: 3177248105-2084034818
Opcode ID: a218a138c8a2d80280838de9f8dfd079c45a244ae3a717f8dece4c67d31bcd45
Instruction ID: 76bb3c28eb30528fafd71b70060124beb8ef0ee929c07220455e16334a0da016
Opcode Fuzzy Hash: a218a138c8a2d80280838de9f8dfd079c45a244ae3a717f8dece4c67d31bcd45
Instruction Fuzzy Hash: 69E04870A80316B7EB141E61DC09F493B649F40B50F504420FE0DE85DEDB77DA90D948

Function 221CC1F0 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 9COMMON

Download Yara Rule

Strings

misuse, xrefs: 221CC1F9
ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 221CC1F0
%s at line %d of [%.10s], xrefs: 221CC1FE

Memory Dump Source

Source File: 00000001.00000002.2904202460.0000000022098000.00000020.00001000.00020000.00000000.sdmp, Offset: 22090000, based on PE: true

Associated: 00000001.00000002.2904173258.0000000022090000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.0000000022091000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.00000000221F6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.000000002229D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.000000002229F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.00000000222A8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905717837.00000000222D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_22090000_MSBuild.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f$misuse
API String ID: 0-3564305576
Opcode ID: ac275ea0a2fdd197fc6bec6c61084f0f8b57ea4678588a002f3f7730df2747ab
Instruction ID: 4f692c26f7d426cd6d5e8913a8b57610908cc2ec1aa2ad4f6952695f99df83c7
Opcode Fuzzy Hash: ac275ea0a2fdd197fc6bec6c61084f0f8b57ea4678588a002f3f7730df2747ab
Instruction Fuzzy Hash: CEB09B7571074475FB0121448CC1FC65AA56FD07C7F81845471556D2ADD06741507551

Function 2219A570 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 9COMMON

Download Yara Rule

Strings

database corruption, xrefs: 2219A579
ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 2219A570
%s at line %d of [%.10s], xrefs: 2219A57E

Memory Dump Source

Source File: 00000001.00000002.2904202460.0000000022098000.00000020.00001000.00020000.00000000.sdmp, Offset: 22090000, based on PE: true

Associated: 00000001.00000002.2904173258.0000000022090000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.0000000022091000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.00000000221F6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.000000002229D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.000000002229F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.00000000222A8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905717837.00000000222D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_22090000_MSBuild.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$database corruption$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f
API String ID: 0-2528248365
Opcode ID: 31e1db4621a75feabc286f83403fa2e8df8573a53df284650e96471feb6f8fc0
Instruction ID: 67d5f18268151d28e16d5b4daf79114a0c4744540f05e0992d0c4521af7e9397
Opcode Fuzzy Hash: 31e1db4621a75feabc286f83403fa2e8df8573a53df284650e96471feb6f8fc0
Instruction Fuzzy Hash: 9AB09B6570034031F60131544D81F473EA16F507C1F8184547105292DDD11745505551

Function 22196B50 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 9COMMON

Download Yara Rule

Strings

cannot open file, xrefs: 22196B59
ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 22196B50
%s at line %d of [%.10s], xrefs: 22196B5E

Memory Dump Source

Source File: 00000001.00000002.2904202460.0000000022098000.00000020.00001000.00020000.00000000.sdmp, Offset: 22090000, based on PE: true

Associated: 00000001.00000002.2904173258.0000000022090000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.0000000022091000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.00000000221F6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.000000002229D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.000000002229F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.00000000222A8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905717837.00000000222D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_22090000_MSBuild.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$cannot open file$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f
API String ID: 0-1799306995
Opcode ID: fe63a82b49516c8552615c7fae5094281088e24b0442f4e26407824403aaab11
Instruction ID: 70ec598a8fc4eb27b91aa3d8fd48d3347221bfeadf8431f84d192d547ee23e1b
Opcode Fuzzy Hash: fe63a82b49516c8552615c7fae5094281088e24b0442f4e26407824403aaab11
Instruction Fuzzy Hash: 54B0926670038036FA023994CC81F872EA17FA0BC1F818894B15A392BEE097C2A0A652

Function 220F25E0 Relevance: 6.4, APIs: 4, Instructions: 394COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2904202460.0000000022098000.00000020.00001000.00020000.00000000.sdmp, Offset: 22090000, based on PE: true

Associated: 00000001.00000002.2904173258.0000000022090000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.0000000022091000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.00000000221F6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.000000002229D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.000000002229F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.00000000222A8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905717837.00000000222D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_22090000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a91fa7ce259720c5d99e7a1e56e6715db8e4794f6527d40731211d74bbb31dc
Instruction ID: 6f9959303c038eedf58295397b6e8843df2b69283aef460f8161489b7cc1b224
Opcode Fuzzy Hash: 1a91fa7ce259720c5d99e7a1e56e6715db8e4794f6527d40731211d74bbb31dc
Instruction Fuzzy Hash: 32D1C5709843019FD301DF65CA4CB1A77E8FB5870AF400A39ED05C2249DBBAD549DBE2

Function 222867F5 Relevance: 6.3, APIs: 4, Instructions: 333fileCOMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32(141843AE,00000000,00000000,?), ref: 22286858
WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 22286AAA
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 22286AF0
GetLastError.KERNEL32 ref: 22286B93

Memory Dump Source

Source File: 00000001.00000002.2904202460.00000000221F6000.00000020.00001000.00020000.00000000.sdmp, Offset: 22090000, based on PE: true

Associated: 00000001.00000002.2904173258.0000000022090000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.0000000022091000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.0000000022098000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.000000002229D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.000000002229F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.00000000222A8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905717837.00000000222D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_22090000_MSBuild.jbxd

Similarity

API ID: FileWrite$ConsoleErrorLastOutput
String ID:
API String ID: 2718003287-0
Opcode ID: b42d980f12776e49a816d4feda723e82f17cafc6646d19586fa6798c710e9aef
Instruction ID: ebad16fe77d436624438f840c72c8d52f5273af24a9d1341aa793accc4db614e
Opcode Fuzzy Hash: b42d980f12776e49a816d4feda723e82f17cafc6646d19586fa6798c710e9aef
Instruction Fuzzy Hash: CDD18AB5D003489FCB14CFE8C884AEDBBB5EF09304F14456AE916EB395D636E942CB61

Function 22138EB0 Relevance: 6.2, APIs: 4, Instructions: 175COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2904202460.0000000022098000.00000020.00001000.00020000.00000000.sdmp, Offset: 22090000, based on PE: true

Associated: 00000001.00000002.2904173258.0000000022090000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.0000000022091000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.00000000221F6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.000000002229D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.000000002229F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.00000000222A8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905717837.00000000222D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_22090000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dfe124ebd31441484cae1da2458a2ce5b55feb55cdeaff36a76970697a4fb4df
Instruction ID: 3d8c7c7c853104f7b560224e30682d595c14cc2f57b14902330e7054ad71dcf5
Opcode Fuzzy Hash: dfe124ebd31441484cae1da2458a2ce5b55feb55cdeaff36a76970697a4fb4df
Instruction Fuzzy Hash: 435157716483814ED7228F749944FDAFBEE9F11314F0906A9EDC4CB242E279D788D361

Function 220BCAE0 Relevance: 6.1, APIs: 4, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2904202460.0000000022098000.00000020.00001000.00020000.00000000.sdmp, Offset: 22090000, based on PE: true

Associated: 00000001.00000002.2904173258.0000000022090000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.0000000022091000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.00000000221F6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.000000002229D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.000000002229F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.00000000222A8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905717837.00000000222D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_22090000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f4aad0f5f7b637bc8e9918ca4472a24d2d8ac5e4e6e13679657219a6b1508d0
Instruction ID: 8edefb06a4ef30978c693772b4f594b4e357d101def094a25caaa364877ef319
Opcode Fuzzy Hash: 9f4aad0f5f7b637bc8e9918ca4472a24d2d8ac5e4e6e13679657219a6b1508d0
Instruction Fuzzy Hash: A331BCB26043019FD7258F68D940F5AB3F4FF94322F00097AE909C7651E361E955E7A2

Function 220BB1F0 Relevance: 6.1, APIs: 4, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2904202460.0000000022098000.00000020.00001000.00020000.00000000.sdmp, Offset: 22090000, based on PE: true

Associated: 00000001.00000002.2904173258.0000000022090000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.0000000022091000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.00000000221F6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.000000002229D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.000000002229F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.00000000222A8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905717837.00000000222D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_22090000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c84fadece956eb82bcd06ee462d33b28814fba88082786c6e23e5494ba88420
Instruction ID: 07fff89b16d2464a02cb3285b777181bcc9c62e7e03d44df567a7a0779ecd18a
Opcode Fuzzy Hash: 2c84fadece956eb82bcd06ee462d33b28814fba88082786c6e23e5494ba88420
Instruction Fuzzy Hash: C6319E71904B419FD731DF25E940B9BB7E0FF95314F04892DD89A86A11D371F488E791

Function 2212CFE0 Relevance: 6.1, APIs: 4, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2904202460.0000000022098000.00000020.00001000.00020000.00000000.sdmp, Offset: 22090000, based on PE: true

Associated: 00000001.00000002.2904173258.0000000022090000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.0000000022091000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.00000000221F6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.000000002229D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.000000002229F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.00000000222A8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905717837.00000000222D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_22090000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67f155ee4936aae19aec06cb809ffc92085dd37a0bce870209c165f40ac7d322
Instruction ID: 5243ce2a92b8a618d49307c795f36b94d9bad083d69c6e2a7a13855f87b41b46
Opcode Fuzzy Hash: 67f155ee4936aae19aec06cb809ffc92085dd37a0bce870209c165f40ac7d322
Instruction Fuzzy Hash: 3621F5715407059FC750EF68C880A9BBBF0EFA8700F50092DF585C3221E331E6589F82

Function 2228F4CA Relevance: 6.1, APIs: 4, Instructions: 54COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNEL32(00000000,00000000,00000000,?,00000001,00000000,?,?,00000000), ref: 2228F4E0
GetLastError.KERNEL32(?,?,?,?), ref: 2228F4ED
SetFilePointerEx.KERNEL32(?,?,?,?,?), ref: 2228F513
SetFilePointerEx.KERNEL32(?,?,?,00000000,00000000,?,?,?), ref: 2228F539

Memory Dump Source

Source File: 00000001.00000002.2904202460.00000000221F6000.00000020.00001000.00020000.00000000.sdmp, Offset: 22090000, based on PE: true

Associated: 00000001.00000002.2904173258.0000000022090000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.0000000022091000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.0000000022098000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.000000002229D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.000000002229F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.00000000222A8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905717837.00000000222D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_22090000_MSBuild.jbxd

Similarity

API ID: FilePointer$ErrorLast
String ID:
API String ID: 142388799-0
Opcode ID: 0dd8761d648022215296957233803a914850e9bf7a92b2b52670577d29a5e0ca
Instruction ID: bb4b2eefacc9b3ad76800047ebca65e5480927c8af2ad5430ca52b64d7c592ed
Opcode Fuzzy Hash: 0dd8761d648022215296957233803a914850e9bf7a92b2b52670577d29a5e0ca
Instruction Fuzzy Hash: 2C11577180021ABBDF10DF65CC08EDE3FB9EF04760F608545F924A21A8DB7ADA50DBA1

Function 22092ABD Relevance: 6.0, APIs: 4, Instructions: 30COMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(?,?,?,00000000), ref: 22291382
GetLastError.KERNEL32 ref: 2229138E
___initconout.LIBCMT ref: 2229139E

Part of subcall function 22291303: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,222913A3), ref: 22291316

WriteConsoleW.KERNEL32(?,?,?,00000000), ref: 222913B3

Memory Dump Source

Source File: 00000001.00000002.2904202460.0000000022091000.00000020.00001000.00020000.00000000.sdmp, Offset: 22090000, based on PE: true

Associated: 00000001.00000002.2904173258.0000000022090000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.0000000022098000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.00000000221F6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.000000002229D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.000000002229F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.00000000222A8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905717837.00000000222D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_22090000_MSBuild.jbxd

Similarity

API ID: ConsoleWrite$CreateErrorFileLast___initconout
String ID:
API String ID: 3431868840-0
Opcode ID: 14744a8c84fdfe4a24a60584f16772e15307112d2986cac107aba1b4e787a3fe
Instruction ID: 9c11103b6cd44cdc4e7bb2f7f3bf693317c098e28c8d5a945b1499e2e3ba8637
Opcode Fuzzy Hash: 14744a8c84fdfe4a24a60584f16772e15307112d2986cac107aba1b4e787a3fe
Instruction Fuzzy Hash: 06F0FE36940225BBCF122E96CC09E893F75EB486A1F214510FD19D9528DA3B8960DB94

Function 220AE6C0 Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 317COMMON

Download Yara Rule

Strings

B*", xrefs: 220AE751
B*", xrefs: 220AE748

Memory Dump Source

Source File: 00000001.00000002.2904202460.0000000022098000.00000020.00001000.00020000.00000000.sdmp, Offset: 22090000, based on PE: true

Associated: 00000001.00000002.2904173258.0000000022090000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.0000000022091000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.00000000221F6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.000000002229D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.000000002229F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.00000000222A8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905717837.00000000222D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_22090000_MSBuild.jbxd

Similarity

API ID:
String ID: B*"$B*"
API String ID: 0-1245792860
Opcode ID: 4b28310fba52513dd16b3cd3110001877be0590a6772b38bef5989e84c945022
Instruction ID: fd4e8e6124eda0ed4423eeeffc356db5c19e66dc96be9e874a63527ad4242135
Opcode Fuzzy Hash: 4b28310fba52513dd16b3cd3110001877be0590a6772b38bef5989e84c945022
Instruction Fuzzy Hash: 35B15A319083418FD306CFA8C5A476ABBE2BF45318F94067CEBD58B292D332E946D791

Function 220ABE80 Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 314COMMON

Download Yara Rule

Strings

string or blob too big, xrefs: 220AC1B5

Memory Dump Source

Source File: 00000001.00000002.2904202460.0000000022098000.00000020.00001000.00020000.00000000.sdmp, Offset: 22090000, based on PE: true

Associated: 00000001.00000002.2904173258.0000000022090000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.0000000022091000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.00000000221F6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.000000002229D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.000000002229F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.00000000222A8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905717837.00000000222D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_22090000_MSBuild.jbxd

Similarity

API ID:
String ID: string or blob too big
API String ID: 0-2803948771
Opcode ID: d1d95780d25580790d322c34fc003dce2abcf7c17a0a2d3176a155a6749d8c23
Instruction ID: c7e8f32890ca29e012f0a3732b74b39b22f7037c3178a65ae7ddf074b5cf1c4a
Opcode Fuzzy Hash: d1d95780d25580790d322c34fc003dce2abcf7c17a0a2d3176a155a6749d8c23
Instruction Fuzzy Hash: DDA17C716087458FD3058FA88971B1AB7D1AF96324F9A1B2DF7A0473D2E330C585AB81

Function 22217300 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 242COMMON

Download Yara Rule

Strings

%!.15g, xrefs: 222175C3
-, xrefs: 22217538

Memory Dump Source

Source File: 00000001.00000002.2904202460.00000000221F6000.00000020.00001000.00020000.00000000.sdmp, Offset: 22090000, based on PE: true

Associated: 00000001.00000002.2904173258.0000000022090000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.0000000022091000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.0000000022098000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.000000002229D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.000000002229F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.00000000222A8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905717837.00000000222D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_22090000_MSBuild.jbxd

Similarity

API ID:
String ID: %!.15g$-
API String ID: 0-583212262
Opcode ID: d992801c6f0d00364e44196848d4e167e0340e328211c6c4bb2118b4929fdbd1
Instruction ID: 3f919a39a6fcb67881a3945824a90170d6ff334d5b68af07d4c1ef28fbce26f4
Opcode Fuzzy Hash: d992801c6f0d00364e44196848d4e167e0340e328211c6c4bb2118b4929fdbd1
Instruction Fuzzy Hash: 55918F71A083468FD304DF6CD89179AFBE0EBC8304F44492DE989CB356E7B9D9098B52

Function 220DCBF0 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 238COMMON

Download Yara Rule

Strings

string or blob too big, xrefs: 220DCE39

Memory Dump Source

Source File: 00000001.00000002.2904202460.0000000022098000.00000020.00001000.00020000.00000000.sdmp, Offset: 22090000, based on PE: true

Associated: 00000001.00000002.2904173258.0000000022090000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.0000000022091000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.00000000221F6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.000000002229D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.000000002229F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.00000000222A8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905717837.00000000222D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_22090000_MSBuild.jbxd

Similarity

API ID:
String ID: string or blob too big
API String ID: 0-2803948771
Opcode ID: ed65776737c26162c2688fe805d4bb6d40af025e7a777130f351ed9a91d35094
Instruction ID: 5806ad2894b6028fed5ecb8ba6f2c9b9655978bf34545ad57fd55db0b0b7fbb9
Opcode Fuzzy Hash: ed65776737c26162c2688fe805d4bb6d40af025e7a777130f351ed9a91d35094
Instruction Fuzzy Hash: 918124B2A053018FC705CF28CD81F5BB7E5EF94314F140A68FA45972A2E375EA45E792

Function 221B78F0 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 214COMMON

Download Yara Rule

Strings

?, xrefs: 221B794A
*, xrefs: 221B7982

Memory Dump Source

Source File: 00000001.00000002.2904202460.0000000022098000.00000020.00001000.00020000.00000000.sdmp, Offset: 22090000, based on PE: true

Associated: 00000001.00000002.2904173258.0000000022090000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.0000000022091000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.00000000221F6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.000000002229D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.000000002229F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.00000000222A8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905717837.00000000222D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_22090000_MSBuild.jbxd

Similarity

API ID:
String ID: *$?
API String ID: 0-2367018687
Opcode ID: 17196ac3ce966c4c4630782c6a865f7f51b1046642555049745e4f6d4566a9c9
Instruction ID: 52e524de1928572c9fb25e94d540efec854c68a86502fa36ca3917761637761e
Opcode Fuzzy Hash: 17196ac3ce966c4c4630782c6a865f7f51b1046642555049745e4f6d4566a9c9
Instruction Fuzzy Hash: 01710472A483418FD3108F38CD84B9BBBF5AF8A614F48496DE98587306D375DB478B92

Function 220AC8E0 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 206COMMON

Download Yara Rule

Strings

LIKE or GLOB pattern too complex, xrefs: 220AC94F
ESCAPE expression must be a single character, xrefs: 220ACA43

Memory Dump Source

Source File: 00000001.00000002.2904202460.0000000022098000.00000020.00001000.00020000.00000000.sdmp, Offset: 22090000, based on PE: true

Associated: 00000001.00000002.2904173258.0000000022090000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.0000000022091000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.00000000221F6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.000000002229D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.000000002229F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.00000000222A8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905717837.00000000222D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_22090000_MSBuild.jbxd

Similarity

API ID:
String ID: ESCAPE expression must be a single character$LIKE or GLOB pattern too complex
API String ID: 0-264706735
Opcode ID: 08f8cd6fab0e93aced914d513ec022e3fb799a0b4fb27f1a01342f11dfe03963
Instruction ID: 3e50ae856d41835b7164bc70d7c949792916bae03132de0b20b58a58c1eea74f
Opcode Fuzzy Hash: 08f8cd6fab0e93aced914d513ec022e3fb799a0b4fb27f1a01342f11dfe03963
Instruction Fuzzy Hash: 7261AA716043504FD706CF54C9A1B7977D1AB5132CFA642ACE6A25F2D3D636C681E390

Function 220928A6 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 147COMMON

Download Yara Rule

APIs

SetConsoleCtrlHandler.KERNEL32(22279F34,00000001,222CD4A8,00000014), ref: 2227A544
GetLastError.KERNEL32 ref: 2227A557

Strings

~+", xrefs: 2227A496

Memory Dump Source

Source File: 00000001.00000002.2904202460.0000000022091000.00000020.00001000.00020000.00000000.sdmp, Offset: 22090000, based on PE: true

Associated: 00000001.00000002.2904173258.0000000022090000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.0000000022098000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.00000000221F6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.000000002229D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.000000002229F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.00000000222A8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905717837.00000000222D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_22090000_MSBuild.jbxd

Similarity

API ID: ConsoleCtrlErrorHandlerLast
String ID: ~+"
API String ID: 3113525192-3592485025
Opcode ID: 31fd8951a06ff0afbf18664849a82968e9400370f2b46d66211f3477a84465c8
Instruction ID: 3103c0e4a7a5da85fc5ae8a7eaa1416904ab31b4759e953a7447a3a75c7698a1
Opcode Fuzzy Hash: 31fd8951a06ff0afbf18664849a82968e9400370f2b46d66211f3477a84465c8
Instruction Fuzzy Hash: FE4122B2F493038FCB018F68CD956AE77F1AB55378F10052AEA06AB25CD73BC980D651

Function 220AD0F0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 143COMMON

Download Yara Rule

Strings

string or blob too big, xrefs: 220AD213

Memory Dump Source

Source File: 00000001.00000002.2904202460.0000000022098000.00000020.00001000.00020000.00000000.sdmp, Offset: 22090000, based on PE: true

Associated: 00000001.00000002.2904173258.0000000022090000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.0000000022091000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.00000000221F6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.000000002229D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.000000002229F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.00000000222A8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905717837.00000000222D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_22090000_MSBuild.jbxd

Similarity

API ID:
String ID: string or blob too big
API String ID: 0-2803948771
Opcode ID: 485060939105ea3170ba20b7b39d5dc9610fe53e06b835f4bd732630c9900376
Instruction ID: 96ea948a9dfc370fe140dec0dea015cebf56776f7f5b85fad57780894b897933
Opcode Fuzzy Hash: 485060939105ea3170ba20b7b39d5dc9610fe53e06b835f4bd732630c9900376
Instruction Fuzzy Hash: 1B417C728043415FE3118A78AC61B9B3BD5DF65320F840A38FEA5533D3DA26D608E392

Function 220A55D0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 130COMMON

Download Yara Rule

Strings

delayed %dms for lock/sharing conflict at line %d, xrefs: 220A56D1
winDelete, xrefs: 220A569C

Memory Dump Source

Source File: 00000001.00000002.2904202460.0000000022098000.00000020.00001000.00020000.00000000.sdmp, Offset: 22090000, based on PE: true

Associated: 00000001.00000002.2904173258.0000000022090000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.0000000022091000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.00000000221F6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.000000002229D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.000000002229F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.00000000222A8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905717837.00000000222D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_22090000_MSBuild.jbxd

Similarity

API ID:
String ID: delayed %dms for lock/sharing conflict at line %d$winDelete
API String ID: 0-1405699761
Opcode ID: d52125ab572dc3dc721a2de21ce6dc2f87f1f80fc427bd9f4085937e2205e3f0
Instruction ID: 13fea112d46042e486d39f6c0db72946d9b4e8e64457c637f60df16dbb0f8de5
Opcode Fuzzy Hash: d52125ab572dc3dc721a2de21ce6dc2f87f1f80fc427bd9f4085937e2205e3f0
Instruction Fuzzy Hash: F1316072E803004BE7112BBC9E9C95E7BD8B740266FC10B31EF12D719BD66BC844E6A1

Function 220AD300 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 103COMMON

Download Yara Rule

Strings

string or blob too big, xrefs: 220AD3D5

Memory Dump Source

Source File: 00000001.00000002.2904202460.0000000022098000.00000020.00001000.00020000.00000000.sdmp, Offset: 22090000, based on PE: true

Associated: 00000001.00000002.2904173258.0000000022090000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.0000000022091000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.00000000221F6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.000000002229D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.000000002229F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.00000000222A8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905717837.00000000222D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_22090000_MSBuild.jbxd

Similarity

API ID:
String ID: string or blob too big
API String ID: 0-2803948771
Opcode ID: ceda393c1beb6c6a98f1a1bcb7381c7e20f9b0ff285cee21123fbfe5967bc95f
Instruction ID: fe8498c71d754c4192b0e496d095ad577cb5d1a0c5dc3549b77c83a8c98792b6
Opcode Fuzzy Hash: ceda393c1beb6c6a98f1a1bcb7381c7e20f9b0ff285cee21123fbfe5967bc95f
Instruction Fuzzy Hash: 5C31AEB39043205FD7010A64AD90F6637998B91328F5802B8FF616F2C2DA67D912F290

Function 2218DEE0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 87COMMON

Download Yara Rule

Strings

SELECT tbl,idx,stat FROM %Q.sqlite_stat1, xrefs: 2218DF4F
sqlite_stat1, xrefs: 2218DF30

Memory Dump Source

Source File: 00000001.00000002.2904202460.0000000022098000.00000020.00001000.00020000.00000000.sdmp, Offset: 22090000, based on PE: true

Associated: 00000001.00000002.2904173258.0000000022090000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.0000000022091000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.00000000221F6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.000000002229D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.000000002229F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.00000000222A8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905717837.00000000222D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_22090000_MSBuild.jbxd

Similarity

API ID:
String ID: SELECT tbl,idx,stat FROM %Q.sqlite_stat1$sqlite_stat1
API String ID: 0-3572622772
Opcode ID: 5b68de7b9b9430b72f4192bfe0c1654d7f224184d65bc887f83b313367c624af
Instruction ID: 801843e94309e43846dce8eca5f6ff19bb96fd087c112f08a8a6532421ed8f74
Opcode Fuzzy Hash: 5b68de7b9b9430b72f4192bfe0c1654d7f224184d65bc887f83b313367c624af
Instruction Fuzzy Hash: D821B471A813115FEB10DE35D8C0E6AB7A8AF95724B05416CFC449B252D721EE06DB92

Function 22227E00 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 80COMMON

Download Yara Rule

Strings

OsError 0x%lx (%lu), xrefs: 22227ED9

Memory Dump Source

Source File: 00000001.00000002.2904202460.00000000221F6000.00000020.00001000.00020000.00000000.sdmp, Offset: 22090000, based on PE: true

Associated: 00000001.00000002.2904173258.0000000022090000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.0000000022091000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.0000000022098000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.000000002229D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.000000002229F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.00000000222A8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905717837.00000000222D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_22090000_MSBuild.jbxd

Similarity

API ID:
String ID: OsError 0x%lx (%lu)
API String ID: 0-3720535092
Opcode ID: f5aa9e01b5831d2cc8c0cb38c33a4c095700e59c0ff9ee8a4936620418b03e9f
Instruction ID: c69ed0a2938f78d5beff142bef8ac0de816dfbeb3be7b010b423c9f65bad5118
Opcode Fuzzy Hash: f5aa9e01b5831d2cc8c0cb38c33a4c095700e59c0ff9ee8a4936620418b03e9f
Instruction Fuzzy Hash: 5C210471A44311ABE7005BA0CD0CF9B37A8EF0075AF000A28FE45D6158DB7BD911D7A3

Function 220BF740 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66COMMON

Download Yara Rule

Strings

DROP TABLE '%q'.'%q_node';DROP TABLE '%q'.'%q_rowid';DROP TABLE '%q'.'%q_parent';, xrefs: 220BF752

Memory Dump Source

Source File: 00000001.00000002.2904202460.0000000022098000.00000020.00001000.00020000.00000000.sdmp, Offset: 22090000, based on PE: true

Associated: 00000001.00000002.2904173258.0000000022090000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.0000000022091000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.00000000221F6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.000000002229D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.000000002229F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.00000000222A8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905717837.00000000222D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_22090000_MSBuild.jbxd

Similarity

API ID:
String ID: DROP TABLE '%q'.'%q_node';DROP TABLE '%q'.'%q_rowid';DROP TABLE '%q'.'%q_parent';
API String ID: 0-2071071404
Opcode ID: 83910f3638d29ecb3455b9e173515d7778c1d5705d6b5c9998c610a6a5f2ea1c
Instruction ID: 1404bfbbc3d286fded21db5badfe07208ac750126fb80c769900e30dbaf5ab68
Opcode Fuzzy Hash: 83910f3638d29ecb3455b9e173515d7778c1d5705d6b5c9998c610a6a5f2ea1c
Instruction Fuzzy Hash: C211C1B1A80300AFE3119B28DD8CF6B33ECEF50606F400679FD05C3559EBAAA905D672

Function 2209141F Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 66COMMON

Download Yara Rule

Strings

InitializeCriticalSectionEx, xrefs: 22270E84
GetXStateFeaturesMask, xrefs: 22270E34

Memory Dump Source

Source File: 00000001.00000002.2904202460.0000000022091000.00000020.00001000.00020000.00000000.sdmp, Offset: 22090000, based on PE: true

Associated: 00000001.00000002.2904173258.0000000022090000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.0000000022098000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.00000000221F6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.000000002229D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.000000002229F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.00000000222A8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905717837.00000000222D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_22090000_MSBuild.jbxd

Similarity

API ID:
String ID: GetXStateFeaturesMask$InitializeCriticalSectionEx
API String ID: 0-4196971266
Opcode ID: f76bdbe99308f3814b8917fb33700ccc95bb0cc380b71b170cc391878bba91d8
Instruction ID: d2489f52abe6be7b415870ff2d9a83b3a0b9a6176adfb96b56cbebd6a25bdda0
Opcode Fuzzy Hash: f76bdbe99308f3814b8917fb33700ccc95bb0cc380b71b170cc391878bba91d8
Instruction Fuzzy Hash: 92018F32A4432877DB212A918C09E9E7FA6EF547B1F014411FE187A21CDA778964EAD0

Function 220C5350 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62COMMON

Download Yara Rule

Strings

F, xrefs: 220C539B

Memory Dump Source

Source File: 00000001.00000002.2904202460.0000000022098000.00000020.00001000.00020000.00000000.sdmp, Offset: 22090000, based on PE: true

Associated: 00000001.00000002.2904173258.0000000022090000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.0000000022091000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.00000000221F6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.000000002229D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.000000002229F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.00000000222A8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905717837.00000000222D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_22090000_MSBuild.jbxd

Similarity

API ID:
String ID: F
API String ID: 0-1304234792
Opcode ID: e201505aaead6151f807663c07a77218c79da131c9f0eb58f930c0142c6c44a3
Instruction ID: 3b751b97a04761bd57c1053f32316e9f018e5a23a717d594a998e19034dcded9
Opcode Fuzzy Hash: e201505aaead6151f807663c07a77218c79da131c9f0eb58f930c0142c6c44a3
Instruction Fuzzy Hash: FD116AB56083408FD704DF29C851B5FBBE4AFD8318F84482EE98A97290E778D508DB93

Function 220EEFE0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 59COMMON

Download Yara Rule

Strings

SELECT %s WHERE rowid = ?, xrefs: 220EF017

Memory Dump Source

Source File: 00000001.00000002.2904202460.0000000022098000.00000020.00001000.00020000.00000000.sdmp, Offset: 22090000, based on PE: true

Associated: 00000001.00000002.2904173258.0000000022090000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.0000000022091000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.00000000221F6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.000000002229D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.000000002229F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.00000000222A8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905717837.00000000222D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_22090000_MSBuild.jbxd

Similarity

API ID:
String ID: SELECT %s WHERE rowid = ?
API String ID: 0-866778640
Opcode ID: e355f0e7842d7dd2419096976c62bf4e828cf6b2ad3abb6361f034000256f7bc
Instruction ID: e4cb7b94a799db6d3e1b6efc3113d33969106a66777945d9c4eb512c7c22735f
Opcode Fuzzy Hash: e355f0e7842d7dd2419096976c62bf4e828cf6b2ad3abb6361f034000256f7bc
Instruction Fuzzy Hash: 501102322013099FD7214B9AEC40F96F7D4EB50721F10852EF65A96640EB72B491ABA0

Function 220C7200 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 39COMMON

Download Yara Rule

Strings

API call with %s database connection pointer, xrefs: 220C7220
invalid, xrefs: 220C721B

Memory Dump Source

Source File: 00000001.00000002.2904202460.0000000022098000.00000020.00001000.00020000.00000000.sdmp, Offset: 22090000, based on PE: true

Associated: 00000001.00000002.2904173258.0000000022090000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.0000000022091000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.00000000221F6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.000000002229D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.000000002229F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.00000000222A8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905717837.00000000222D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_22090000_MSBuild.jbxd

Similarity

API ID:
String ID: API call with %s database connection pointer$invalid
API String ID: 0-3574585026
Opcode ID: 3ff1aec43ea3922b1e71fd7fec023a3ead529492263b1c223bc2082e804702d1
Instruction ID: 1c1f618ffb02dca8f1f5d7f72191a00ae98ad79ee09ff82a47961be7402a215c
Opcode Fuzzy Hash: 3ff1aec43ea3922b1e71fd7fec023a3ead529492263b1c223bc2082e804702d1
Instruction Fuzzy Hash: 44F046B0B007100BD6210628AD24BEB73EF5F50325F000A75F761D22BDC229F440D681

Function 220A85B0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 38COMMON

Download Yara Rule

Strings

CREATE TABLE x(sql,ncol,ro,busy,nscan,nsort,naidx,nstep,reprep,run,mem), xrefs: 220A85B6

Memory Dump Source

Source File: 00000001.00000002.2904202460.0000000022098000.00000020.00001000.00020000.00000000.sdmp, Offset: 22090000, based on PE: true

Associated: 00000001.00000002.2904173258.0000000022090000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.0000000022091000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.00000000221F6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.000000002229D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.000000002229F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.00000000222A8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905717837.00000000222D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_22090000_MSBuild.jbxd

Similarity

API ID:
String ID: CREATE TABLE x(sql,ncol,ro,busy,nscan,nsort,naidx,nstep,reprep,run,mem)
API String ID: 0-3640693396
Opcode ID: 52a32899cfafc90d6d40f6ac0a85771ce78cf64f00cebafa500a0f85b8ce2ee9
Instruction ID: 7f1a554cc31a7fc51649c598581301b47972ebc15a4b54ef8ca93a66e3ab0608
Opcode Fuzzy Hash: 52a32899cfafc90d6d40f6ac0a85771ce78cf64f00cebafa500a0f85b8ce2ee9
Instruction Fuzzy Hash: 3AF024316043104BC2018B6DFD00B8AB3D99FE1721F454176F904DB210E7B0ED829BD5

Function 2209B224 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 11COMMON

Download Yara Rule

Strings

misuse, xrefs: 2209B233
%s at line %d of [%.10s], xrefs: 2209B238

Memory Dump Source

Source File: 00000001.00000002.2904202460.0000000022098000.00000020.00001000.00020000.00000000.sdmp, Offset: 22090000, based on PE: true

Associated: 00000001.00000002.2904173258.0000000022090000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.0000000022091000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.00000000221F6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2904202460.000000002229D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.000000002229F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905552991.00000000222A8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905717837.00000000222D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2905756495.00000000222DF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_22090000_MSBuild.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$misuse
API String ID: 0-2530468415
Opcode ID: d30e4102e0faf6d5edc9b7a51aa8cab9642968fbc9e2c99b5757373f70e7be19
Instruction ID: 5373068703b962cd77834a678e3e5367f5fa1ed1a87db858e946707a20ee44a8
Opcode Fuzzy Hash: d30e4102e0faf6d5edc9b7a51aa8cab9642968fbc9e2c99b5757373f70e7be19
Instruction Fuzzy Hash: 15C01221640348E6DB059A94AC81ECA2770AFA4B94B4181A1BA292918E921182585245

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 2E7ZdlxkOL.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Vidar

Yara Signatures

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Snort Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\CGHCGIIDGDAK\DAEHJJ

C:\ProgramData\CGHCGIIDGDAK\DHCBAE

C:\ProgramData\CGHCGIIDGDAK\EHCAEG

C:\ProgramData\CGHCGIIDGDAK\FCBFBG

C:\ProgramData\CGHCGIIDGDAK\GIJECG

C:\ProgramData\CGHCGIIDGDAK\JKEHII

C:\ProgramData\CGHCGIIDGDAK\KFBGCA

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\2E7ZdlxkOL.exe.log

Windows Analysis Report
2E7ZdlxkOL.exe

Function 059D8BF8 Relevance: 50.6, Strings: 40, Instructions: 646
COMMON

Function 059DC070 Relevance: 50.6, Strings: 40, Instructions: 582
COMMON

Function 05999CB8 Relevance: 6.0, Strings: 4, Instructions: 1043
COMMON

Function 01B0EFB8 Relevance: 1.8, Strings: 1, Instructions: 578
COMMON

Function 059D5318 Relevance: 6.6, Strings: 5, Instructions: 308
COMMON

Function 061BFA10 Relevance: 1.8, APIs: 1, Instructions: 321
processCOMMON

Function 061BF5E0 Relevance: 1.6, APIs: 1, Instructions: 116
injectionCOMMON

Function 061BCEC0 Relevance: 1.6, APIs: 1, Instructions: 112
libraryCOMMON

Function 061BF488 Relevance: 1.6, APIs: 1, Instructions: 101
memoryCOMMON

Function 061BF280 Relevance: 1.6, APIs: 1, Instructions: 94
threadCOMMON

Function 061BCBE8 Relevance: 1.6, APIs: 1, Instructions: 92
memoryCOMMON

Function 061BF158 Relevance: 1.6, APIs: 1, Instructions: 73
threadCOMMON

Function 059D75A2 Relevance: 1.5, Strings: 1, Instructions: 209
COMMON

Function 01B0AA90 Relevance: 1.4, Strings: 1, Instructions: 183
COMMON

Function 0599BA48 Relevance: 1.4, Strings: 1, Instructions: 114
COMMON

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre