Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1466008
MD5:	06333e350e25e29677256d9be86e4ee1
SHA1:	088fa1f912473c3dfb5ab118b0bc39ec016cf15a
SHA256:	137a7220fb3cbe605b6c74712ad96dcb1bdea1c489e9df159044500ccc23f3c8
Tags:	exe
Infos:

Detection

PureLog Stealer, Vidar

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

Multi AV Scanner detection for submitted file

Yara detected AntiVM3

Yara detected Powershell download and execute

Yara detected PureLog Stealer

Yara detected Vidar stealer

.NET source code contains method to dynamically call methods (often used by packers)

AI detected suspicious sample

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Contains functionality to inject code into remote processes

Injects a PE file into a foreign processes

Sample uses string decryption to hide its real strings

Searches for specific processes (likely to inject)

Sigma detected: Silenttrinity Stager Msbuild Activity

Tries to harvest and steal browser information (history, passwords, etc)

Writes to foreign memory regions

Yara detected Generic Downloader

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to record screenshots

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found dropped PE file which has not been started or loaded

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE / OLE file has an invalid certificate

Queries information about the installed CPU (vendor, model number etc)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

file.exe (PID: 1804 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 06333E350E25E29677256D9BE86E4EE1)

MSBuild.exe (PID: 3604 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)

MSBuild.exe (PID: 6308 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)

MSBuild.exe (PID: 6312 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Vidar	Vidar is a forked malware based on Arkei. It seems this stealer is one of the first that is grabbing information on 2FA Software and Tor Browser.	No Attribution	https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-1-(-Unpacking-)/ https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-2/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/vidar-stealer-h-and-m-campaign https://0xtoxin.github.io/malware%20analysis/Vidar-Stealer-Campaign/ https://asec.ahnlab.com/en/22932/	https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar

Malware Configuration

Threatname: Vidar

{"C2 url": ["https://steamcommunity.com/profiles/76561199707802586", "https://t.me/g067n"], "Botnet": "4e7fbe36a69903b4dfa6c1b767f4bf81"}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
file.exe	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
file.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000004.00000002.3352878258.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000000.00000002.2112404610.0000000002F4B000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000000.00000002.2113529276.0000000003F3B000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000000.00000002.2113529276.0000000003EA1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000000.00000002.2113529276.0000000003F6F000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000000.00000002.2113529276.0000000003ED4000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000004.00000002.3352878258.0000000000445000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000000.00000000.2106139036.0000000000672000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
Process Memory Space: file.exe PID: 1804	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
Process Memory Space: file.exe PID: 1804	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: file.exe PID: 1804	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: MSBuild.exe PID: 6312	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
Process Memory Space: MSBuild.exe PID: 6312	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: MSBuild.exe PID: 6312	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Click to see the 9 entries

Unpacked PEs

Source	Rule	Description	Author
0.2.file.exe.3f3bed8.7.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
0.2.file.exe.3ed4a88.5.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
0.2.file.exe.3f6f908.8.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
4.2.MSBuild.exe.400000.0.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
0.2.file.exe.3ed4a88.5.raw.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
0.2.file.exe.3f6f908.8.raw.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
0.2.file.exe.3f3bed8.7.raw.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
4.2.MSBuild.exe.400000.0.raw.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
0.0.file.exe.670000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.0.file.exe.670000.0.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
Click to see the 5 entries

Sigma Signatures

System Summary

Sigma detected: Silenttrinity Stager Msbuild Activity

Source: Network Connection

Author: Kiran kumar s, oscd.community: Data: DestinationIp: 149.154.167.99, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, Initiated: true, ProcessId: 6312, Protocol: tcp, SourceIp: 192.168.2.6, SourceIsIpv6: false, SourcePort: 49712

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: https://49.13.159.121:9000/vcruntime140.dlly	Avira URL Cloud: Label: malware
Source: https://49.13.159.121:9000/softokn3.dllg	Avira URL Cloud: Label: malware
Source: https://49.13.159.121:9000/sqlt.dllN	Avira URL Cloud: Label: malware
Source: https://49.13.159.121/vFh	Avira URL Cloud: Label: malware
Source: https://49.13.159.121:9000/softokn3.dllt	Avira URL Cloud: Label: malware
Source: https://49.13.159.121:9000/vcruntime140.dllge	Avira URL Cloud: Label: malware
Source: https://49.13.159.121:9000/softokn3.dll	Avira URL Cloud: Label: malware
Source: https://49.13.159.121:9000/mozglue.dll10.15;	Avira URL Cloud: Label: malware
Source: https://49.13.159.121:9000/vcruntime140.dllX	Avira URL Cloud: Label: malware
Source: https://49.13.159.121:9000/mozglue.dllft	Avira URL Cloud: Label: malware
Source: https://49.13.159.121:9000	Avira URL Cloud: Label: malware
Source: https://49.13.159.121:9000/.	Avira URL Cloud: Label: malware
Source: https://49.13.159.121:9000/0	Avira URL Cloud: Label: malware
Source: https://49.13.159.121:9000/freebl3.dll	Avira URL Cloud: Label: malware
Source: https://49.13.159.121:9000/vcruntime140.dllI	Avira URL Cloud: Label: malware
Source: https://49.13.159.121/	Avira URL Cloud: Label: malware
Source: https://49.13.159.121:9000/vcruntime140.dllE	Avira URL Cloud: Label: malware
Source: https://49.13.159.121:9000/freebl3.dllft	Avira URL Cloud: Label: malware
Source: https://49.13.159.121:9000/mozglue.dll	Avira URL Cloud: Label: malware
Source: https://49.13.159.121:9000/cal	Avira URL Cloud: Label: malware
Source: https://49.13.159.121:9000/B	Avira URL Cloud: Label: malware
Source: https://49.13.159.121:9000/nss3.dllB	Avira URL Cloud: Label: malware
Source: https://49.13.159.121:9000/F	Avira URL Cloud: Label: malware
Source: https://49.13.159.121:9000/D	Avira URL Cloud: Label: malware
Source: https://49.13.159.121:9000/nss3.dll	Avira URL Cloud: Label: malware
Source: https://49.13.159.121:9000/msvcp140.dll	Avira URL Cloud: Label: malware
Source: https://49.13.159.121:9000/X	Avira URL Cloud: Label: malware
Source: https://49.13.159.121:9000/softokn3.dllessionKeyBackward	Avira URL Cloud: Label: malware
Source: https://49.13.159.121:9000/mozglue.dllposition:	Avira URL Cloud: Label: malware
Source: https://49.13.159.121:9000/soft	Avira URL Cloud: Label: malware
Source: https://49.13.159.121:9000/nss3.dllosoft	Avira URL Cloud: Label: malware
Source: https://49.13.159.121:9000/softokn3.dllF	Avira URL Cloud: Label: malware
Source: https://steamcommunity.com/profiles/76561199707802586	Avira URL Cloud: Label: malware
Source: https://49.13.159.121:9000/	Avira URL Cloud: Label: malware
Source: https://49.13.159.121:9000/i	Avira URL Cloud: Label: malware
Source: https://49.13.159.121:9000/sqlt.dlld	Avira URL Cloud: Label: malware
Source: https://t.me/g067n	Avira URL Cloud: Label: malware
Source: https://49.13.159.121:9000/freebl3.dllv	Avira URL Cloud: Label: malware
Source: https://49.13.159.121:9000/msvcp140.dllt	Avira URL Cloud: Label: malware
Source: https://49.13.159.121:9000/vcruntime140.dll	Avira URL Cloud: Label: malware
Source: https://49.13.159.121:9000/3e98icrosoft	Avira URL Cloud: Label: malware

Found malware configuration

Source: 00000000.00000002.2113529276.0000000003F6F000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: Vidar {"C2 url": ["https://steamcommunity.com/profiles/76561199707802586", "https://t.me/g067n"], "Botnet": "4e7fbe36a69903b4dfa6c1b767f4bf81"}

Multi AV Scanner detection for submitted file

Source: file.exe	ReversingLabs: Detection: 51%
Source: file.exe	Virustotal: Detection: 54%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Sample uses string decryption to hide its real strings

Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: INSERT_KEY_HERE
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: GetProcAddress
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: LoadLibraryA
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: lstrcatA
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: OpenEventA
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: CreateEventA
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: CloseHandle
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: Sleep
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: GetUserDefaultLangID
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: VirtualAllocExNuma
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: VirtualFree
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: GetSystemInfo
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: VirtualAlloc
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: HeapAlloc
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: GetComputerNameA
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: lstrcpyA
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: GetProcessHeap
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: GetCurrentProcess
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: lstrlenA
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: ExitProcess
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: GlobalMemoryStatusEx
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: GetSystemTime
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: SystemTimeToFileTime
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: advapi32.dll
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: gdi32.dll
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: user32.dll
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: crypt32.dll
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: ntdll.dll
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: GetUserNameA
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: CreateDCA
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: GetDeviceCaps
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: ReleaseDC
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: CryptStringToBinaryA
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: sscanf
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: NtQueryInformationProcess
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: VMwareVMware
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: HAL9TH
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: JohnDoe
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: DISPLAY
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: %hu/%hu/%hu
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: GetEnvironmentVariableA
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: GetFileAttributesA
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: GlobalLock
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: HeapFree
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: GetFileSize
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: GlobalSize
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: CreateToolhelp32Snapshot
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: IsWow64Process
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: Process32Next
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: GetLocalTime
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: FreeLibrary
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: GetTimeZoneInformation
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: GetSystemPowerStatus
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: GetVolumeInformationA
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: GetWindowsDirectoryA
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: Process32First
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: GetLocaleInfoA
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: GetUserDefaultLocaleName
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: GetModuleFileNameA
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: DeleteFileA
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: FindNextFileA
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: LocalFree
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: FindClose
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: SetEnvironmentVariableA
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: LocalAlloc
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: GetFileSizeEx
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: ReadFile
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: SetFilePointer
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: WriteFile
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: CreateFileA
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: FindFirstFileA
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: CopyFileA
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: VirtualProtect
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: GetLogicalProcessorInformationEx
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: GetLastError
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: lstrcpynA
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: MultiByteToWideChar
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: GlobalFree
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: WideCharToMultiByte
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: GlobalAlloc
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: OpenProcess
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: TerminateProcess
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: GetCurrentProcessId
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: gdiplus.dll
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: ole32.dll
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: bcrypt.dll
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: wininet.dll
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: shlwapi.dll
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: shell32.dll
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: psapi.dll
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: rstrtmgr.dll
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: CreateCompatibleBitmap
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: SelectObject
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: BitBlt
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: DeleteObject
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: CreateCompatibleDC
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: GdipGetImageEncodersSize
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: GdipGetImageEncoders
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: GdipCreateBitmapFromHBITMAP
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: GdiplusStartup
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: GdiplusShutdown
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: GdipSaveImageToStream
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: GdipDisposeImage
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: GdipFree
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: GetHGlobalFromStream
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: CreateStreamOnHGlobal
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: CoUninitialize
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: CoInitialize
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: CoCreateInstance
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: BCryptGenerateSymmetricKey
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: BCryptCloseAlgorithmProvider
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: BCryptDecrypt
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: BCryptSetProperty
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: BCryptDestroyKey
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: BCryptOpenAlgorithmProvider
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: GetWindowRect
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: GetDesktopWindow
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: GetDC
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: CloseWindow
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: wsprintfA
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: EnumDisplayDevicesA
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: GetKeyboardLayoutList
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: CharToOemW
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: wsprintfW
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: RegQueryValueExA
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: RegEnumKeyExA
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: RegOpenKeyExA
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: RegCloseKey
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: RegEnumValueA
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: CryptBinaryToStringA
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: CryptUnprotectData
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: SHGetFolderPathA
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: ShellExecuteExA
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: InternetOpenUrlA
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: InternetConnectA
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: InternetCloseHandle
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: InternetOpenA
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: HttpSendRequestA
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: HttpOpenRequestA
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: InternetReadFile
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: InternetCrackUrlA
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: StrCmpCA
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: StrStrA
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: StrCmpCW
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: PathMatchSpecA
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: GetModuleFileNameExA
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: RmStartSession
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: RmRegisterResources
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: RmGetList
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: RmEndSession
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: sqlite3_open
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: sqlite3_prepare_v2
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: sqlite3_step
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: sqlite3_column_text
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: sqlite3_finalize
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: sqlite3_close
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: sqlite3_column_bytes
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: sqlite3_column_blob
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: encrypted_key
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: PATH
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: C:\ProgramData\nss3.dll
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: NSS_Init
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: NSS_Shutdown
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: PK11_GetInternalKeySlot
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: PK11_FreeSlot
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: PK11_Authenticate
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: PK11SDR_Decrypt
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: C:\ProgramData\
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: SELECT origin_url, username_value, password_value FROM logins
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: Soft:
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: profile:
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: Host:
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: Login:
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: Password:
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: Opera
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: OperaGX
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: Network
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: Cookies
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: .txt
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: TRUE
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: FALSE
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: Autofill
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: SELECT name, value FROM autofill
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: History
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: SELECT url FROM urls LIMIT 1000
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: SELECT name_on_card, expiration_month, expiration_year, card_number_encrypted FROM credit_cards
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: Name:
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: Month:
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: Year:
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: Card:
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: Cookies
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: Login Data
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: Web Data
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: History
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: logins.json
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: formSubmitURL
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: usernameField
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: encryptedUsername
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: encryptedPassword
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: guid
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: SELECT host, isHttpOnly, path, isSecure, expiry, name, value FROM moz_cookies
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: SELECT fieldname, value FROM moz_formhistory
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: SELECT url FROM moz_places LIMIT 1000
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: cookies.sqlite
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: formhistory.sqlite
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: places.sqlite
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: Plugins
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: Local Extension Settings
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: Sync Extension Settings
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: IndexedDB
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: Opera Stable
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: Opera GX Stable
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: CURRENT
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: chrome-extension_
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: _0.indexeddb.leveldb
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: Local State
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: profiles.ini
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: chrome
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: opera
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: firefox
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: Wallets
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: %08lX%04lX%lu
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: SOFTWARE\Microsoft\Windows NT\CurrentVersion
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: ProductName
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: %d/%d/%d %d:%d:%d
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: ProcessorNameString
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: DisplayName
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: DisplayVersion
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: freebl3.dll
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: mozglue.dll
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: msvcp140.dll
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: nss3.dll
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: softokn3.dll
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: vcruntime140.dll
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: \Temp\
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: .exe
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: runas
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: open
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: /c start
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: %DESKTOP%
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: %APPDATA%
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: %LOCALAPPDATA%
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: %USERPROFILE%
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: %DOCUMENTS%
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: %PROGRAMFILES%
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: %PROGRAMFILES_86%
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: %RECENT%
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: *.lnk
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: Files
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: \discord\
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: \Local Storage\leveldb\CURRENT
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: \Local Storage\leveldb
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: \Telegram Desktop\
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: key_datas
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: D877F783D5D3EF8C*
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: map*
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: A7FDF864FBC10B77*
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: A92DAA6EA6F891F2*
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: F8806DD0C461824F*
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: Telegram
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: *.tox
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: *.ini
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: Password
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: Software\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676\
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: 00000001
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: 00000002
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: 00000003
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: 00000004
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: \Outlook\accounts.txt
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: Pidgin
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: \.purple\
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: accounts.xml
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: dQw4w9WgXcQ
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: token:
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: Software\Valve\Steam
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: SteamPath
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: \config\
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: ssfn*
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: config.vdf
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: DialogConfig.vdf
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: DialogConfigOverlay*.vdf
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: libraryfolders.vdf
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: loginusers.vdf
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: \Steam\
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: sqlite3.dll
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: browsers
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: done
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: Soft
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: \Discord\tokens.txt
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: /c timeout /t 5 & del /f /q "
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: " & del "C:\ProgramData\*.dll"" & exit
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: C:\Windows\system32\cmd.exe
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: https
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: Content-Type: multipart/form-data; boundary=----
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: POST
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: HTTP/1.1
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: Content-Disposition: form-data; name="
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: hwid
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: build
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: token
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: file_name
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: file
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: message
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890
Source: 0.2.file.exe.3f3bed8.7.raw.unpack	String decryptor: screenshot.jpg

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4_2_00407E41 CryptUnprotectData,LocalAlloc,LocalFree,	4_2_00407E41
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4_2_0041302D CryptBinaryToStringA,GetProcessHeap,HeapAlloc,CryptBinaryToStringA,	4_2_0041302D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4_2_00407DC2 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,	4_2_00407DC2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4_2_0040AB80 memset,lstrlenA,CryptStringToBinaryA,memcpy,lstrcatA,lstrcatA,lstrcatA,	4_2_0040AB80

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 173.222.162.64:443 -> 192.168.2.6:49729 version: TLS 1.0

Source: unknown

HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.6:49712 version: TLS 1.2

Source: file.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: PE.pdbH] source: file.exe, 00000000.00000002.2114727387.0000000005490000.00000004.08000000.00040000.00000000.sdmp, file.exe, 00000000.00000002.2112404610.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\press\AppData\Local\Temp\Report.A66214F7-6635-4084-8609-050NK772Dll\obj\Debug\CcYLxMOT.pdb source: file.exe, 00000000.00000002.2114887893.0000000005790000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: PE.pdb source: file.exe, 00000000.00000002.2114727387.0000000005490000.00000004.08000000.00040000.00000000.sdmp, file.exe, 00000000.00000002.2112404610.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: newsoftgnu.pdb source: file.exe
Source:	Binary string: C:\Users\Dan\Desktop\work\sqlite\tmp\sqlite_bld_dir\2\sqlite3.pdb source: MSBuild.exe, 00000004.00000002.3359533484.000000001CA84000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000004.00000002.3364573446.00000000229F8000.00000002.00001000.00020000.00000000.sdmp, sqlt[1].dll.4.dr

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4_2_00409FC0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	4_2_00409FC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4_2_00401443 FindFirstFileA,StrCmpCA,StrCmpCA,FindFirstFileA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	4_2_00401443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4_2_0040E016 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	4_2_0040E016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4_2_0040C039 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	4_2_0040C039
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4_2_004164C7 wsprintfA,FindFirstFileA,memset,memset,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,memset,lstrcatA,strtok_s,strtok_s,memset,lstrcatA,strtok_s,PathMatchSpecA,DeleteFileA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,strtok_s,FindNextFileA,FindClose,	4_2_004164C7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4_2_0040BC98 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	4_2_0040BC98
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4_2_00416D7D wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,FindNextFileA,FindClose,	4_2_00416D7D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4_2_0040D690 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlenA,DeleteFileA,CopyFileA,FindNextFileA,FindClose,	4_2_0040D690
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4_2_0040C6B5 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,	4_2_0040C6B5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4_2_004177D3 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	4_2_004177D3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4_2_0041738D GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcatA,lstrcatA,lstrlenA,lstrlenA,	4_2_0041738D

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Code function: 4_2_004169EC GetLogicalDriveStringsA,memset,GetDriveTypeA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,

4_2_004169EC

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h

0_2_05ACD0C8

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: https://steamcommunity.com/profiles/76561199707802586
Source: Malware configuration extractor	URLs: https://t.me/g067n

Yara detected Generic Downloader

Source: Yara match	File source: file.exe, type: SAMPLE
Source: Yara match	File source: 0.0.file.exe.670000.0.unpack, type: UNPACKEDPE

Source: global traffic

TCP traffic: 192.168.2.6:49713 -> 49.13.159.121:9000

Source: global traffic

HTTP traffic detected: GET /g067n HTTP/1.1Host: t.meConnection: Keep-AliveCache-Control: no-cache

Source: Joe Sandbox View	IP Address: 149.154.167.99 149.154.167.99
Source: Joe Sandbox View	IP Address: 149.154.167.99 149.154.167.99

Source: Joe Sandbox View

ASN Name: TELEGRAMRU TELEGRAMRU

Source: Joe Sandbox View	JA3 fingerprint: 1138de370e523e824bbca92d049a3777
Source: Joe Sandbox View	JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: unknown

HTTPS traffic detected: 173.222.162.64:443 -> 192.168.2.6:49729 version: TLS 1.0

Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 49.13.159.121
Source: unknown	TCP traffic detected without corresponding DNS query: 49.13.159.121
Source: unknown	TCP traffic detected without corresponding DNS query: 49.13.159.121
Source: unknown	TCP traffic detected without corresponding DNS query: 49.13.159.121
Source: unknown	TCP traffic detected without corresponding DNS query: 49.13.159.121
Source: unknown	TCP traffic detected without corresponding DNS query: 49.13.159.121
Source: unknown	TCP traffic detected without corresponding DNS query: 49.13.159.121
Source: unknown	TCP traffic detected without corresponding DNS query: 49.13.159.121
Source: unknown	TCP traffic detected without corresponding DNS query: 49.13.159.121
Source: unknown	TCP traffic detected without corresponding DNS query: 49.13.159.121
Source: unknown	TCP traffic detected without corresponding DNS query: 49.13.159.121
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 49.13.159.121
Source: unknown	TCP traffic detected without corresponding DNS query: 49.13.159.121
Source: unknown	TCP traffic detected without corresponding DNS query: 49.13.159.121
Source: unknown	TCP traffic detected without corresponding DNS query: 49.13.159.121
Source: unknown	TCP traffic detected without corresponding DNS query: 49.13.159.121
Source: unknown	TCP traffic detected without corresponding DNS query: 49.13.159.121
Source: unknown	TCP traffic detected without corresponding DNS query: 49.13.159.121
Source: unknown	TCP traffic detected without corresponding DNS query: 49.13.159.121
Source: unknown	TCP traffic detected without corresponding DNS query: 49.13.159.121
Source: unknown	TCP traffic detected without corresponding DNS query: 49.13.159.121
Source: unknown	TCP traffic detected without corresponding DNS query: 49.13.159.121
Source: unknown	TCP traffic detected without corresponding DNS query: 49.13.159.121
Source: unknown	TCP traffic detected without corresponding DNS query: 49.13.159.121
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 49.13.159.121
Source: unknown	TCP traffic detected without corresponding DNS query: 49.13.159.121
Source: unknown	TCP traffic detected without corresponding DNS query: 49.13.159.121
Source: unknown	TCP traffic detected without corresponding DNS query: 49.13.159.121
Source: unknown	TCP traffic detected without corresponding DNS query: 49.13.159.121
Source: unknown	TCP traffic detected without corresponding DNS query: 49.13.159.121
Source: unknown	TCP traffic detected without corresponding DNS query: 49.13.159.121
Source: unknown	TCP traffic detected without corresponding DNS query: 49.13.159.121
Source: unknown	TCP traffic detected without corresponding DNS query: 49.13.159.121
Source: unknown	TCP traffic detected without corresponding DNS query: 49.13.159.121
Source: unknown	TCP traffic detected without corresponding DNS query: 49.13.159.121
Source: unknown	TCP traffic detected without corresponding DNS query: 49.13.159.121
Source: unknown	TCP traffic detected without corresponding DNS query: 49.13.159.121
Source: unknown	TCP traffic detected without corresponding DNS query: 49.13.159.121
Source: unknown	TCP traffic detected without corresponding DNS query: 49.13.159.121
Source: unknown	TCP traffic detected without corresponding DNS query: 49.13.159.121
Source: unknown	TCP traffic detected without corresponding DNS query: 49.13.159.121
Source: unknown	TCP traffic detected without corresponding DNS query: 49.13.159.121
Source: unknown	TCP traffic detected without corresponding DNS query: 49.13.159.121

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Code function: 4_2_004058C4 InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,InternetSetOptionA,lstrlenA,lstrlenA,GetProcessHeap,HeapAlloc,lstrlenA,memcpy,lstrlenA,lstrlenA,memcpy,lstrlenA,HttpSendRequestA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,

4_2_004058C4

Source: global traffic

HTTP traffic detected: GET /g067n HTTP/1.1Host: t.meConnection: Keep-AliveCache-Control: no-cache

Source: global traffic

DNS traffic detected: DNS query: t.me

Source: file.exe	String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: file.exe	String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: MSBuild.exe, 00000004.00000002.3354509372.00000000015F8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: MSBuild.exe, 00000004.00000002.3354820037.000000000164C000.00000004.00000020.00020000.00000000.sdmp, 77EC63BDA74BD0D0E0426DC8F80085060.4.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: file.exe	String found in binary or memory: http://ocsp.sectigo.com0
Source: MSBuild.exe, 00000004.00000002.3359533484.000000001CA84000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000004.00000002.3364794204.0000000022A2D000.00000002.00001000.00020000.00000000.sdmp, sqlt[1].dll.4.dr	String found in binary or memory: http://www.sqlite.org/copyright.html.
Source: MSBuild.exe, 00000004.00000002.3354820037.000000000164C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://49.13.159.121/
Source: MSBuild.exe, 00000004.00000002.3354820037.000000000164C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://49.13.159.121/vFh
Source: MSBuild.exe, 00000004.00000002.3352878258.0000000000445000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://49.13.159.121:9000
Source: MSBuild.exe, 00000004.00000002.3354820037.000000000164C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://49.13.159.121:9000/
Source: MSBuild.exe, 00000004.00000002.3355032773.00000000016B0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://49.13.159.121:9000/.
Source: MSBuild.exe, 00000004.00000002.3354820037.000000000164C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://49.13.159.121:9000/0
Source: MSBuild.exe, 00000004.00000002.3352878258.0000000000445000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://49.13.159.121:9000/3e98icrosoft
Source: MSBuild.exe, 00000004.00000002.3355084181.00000000016C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://49.13.159.121:9000/B
Source: MSBuild.exe, 00000004.00000002.3355084181.00000000016C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://49.13.159.121:9000/D
Source: MSBuild.exe, 00000004.00000002.3355032773.00000000016B0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://49.13.159.121:9000/F
Source: MSBuild.exe, 00000004.00000002.3354820037.000000000164C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://49.13.159.121:9000/X
Source: MSBuild.exe, 00000004.00000002.3352878258.0000000000445000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://49.13.159.121:9000/cal
Source: MSBuild.exe, 00000004.00000002.3352878258.0000000000539000.00000040.00000400.00020000.00000000.sdmp, MSBuild.exe, 00000004.00000002.3355084181.0000000001707000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000004.00000002.3352878258.0000000000445000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://49.13.159.121:9000/freebl3.dll
Source: MSBuild.exe, 00000004.00000002.3352878258.0000000000445000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://49.13.159.121:9000/freebl3.dllft
Source: MSBuild.exe, 00000004.00000002.3355084181.0000000001707000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://49.13.159.121:9000/freebl3.dllv
Source: MSBuild.exe, 00000004.00000002.3354509372.00000000015F8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://49.13.159.121:9000/i
Source: MSBuild.exe, 00000004.00000002.3355084181.0000000001707000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000004.00000002.3352878258.0000000000445000.00000040.00000400.00020000.00000000.sdmp, MSBuild.exe, 00000004.00000002.3354820037.000000000164C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://49.13.159.121:9000/mozglue.dll
Source: MSBuild.exe, 00000004.00000002.3352878258.0000000000445000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://49.13.159.121:9000/mozglue.dll10.15;
Source: MSBuild.exe, 00000004.00000002.3352878258.0000000000445000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://49.13.159.121:9000/mozglue.dllft
Source: MSBuild.exe, 00000004.00000002.3352878258.0000000000445000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://49.13.159.121:9000/mozglue.dllposition:
Source: MSBuild.exe, 00000004.00000002.3355084181.0000000001707000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000004.00000002.3352878258.0000000000445000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://49.13.159.121:9000/msvcp140.dll
Source: MSBuild.exe, 00000004.00000002.3352878258.0000000000445000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://49.13.159.121:9000/msvcp140.dllt
Source: MSBuild.exe, 00000004.00000002.3355565324.0000000001803000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000004.00000002.3352878258.0000000000445000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://49.13.159.121:9000/nss3.dll
Source: MSBuild.exe, 00000004.00000002.3355084181.00000000016C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://49.13.159.121:9000/nss3.dllB
Source: MSBuild.exe, 00000004.00000002.3352878258.0000000000445000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://49.13.159.121:9000/nss3.dllosoft
Source: MSBuild.exe, 00000004.00000002.3354820037.000000000164C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://49.13.159.121:9000/soft
Source: MSBuild.exe, 00000004.00000002.3352878258.0000000000445000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://49.13.159.121:9000/softokn3.dll
Source: MSBuild.exe, 00000004.00000002.3355084181.0000000001707000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://49.13.159.121:9000/softokn3.dllF
Source: MSBuild.exe, 00000004.00000002.3354820037.000000000164C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://49.13.159.121:9000/softokn3.dllessionKeyBackward
Source: MSBuild.exe, 00000004.00000002.3355084181.0000000001707000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://49.13.159.121:9000/softokn3.dllg
Source: MSBuild.exe, 00000004.00000002.3352878258.0000000000445000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://49.13.159.121:9000/softokn3.dllt
Source: MSBuild.exe, 00000004.00000002.3355565324.0000000001803000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://49.13.159.121:9000/sqlt.dllN
Source: MSBuild.exe, 00000004.00000002.3355565324.0000000001803000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://49.13.159.121:9000/sqlt.dlld
Source: MSBuild.exe, 00000004.00000002.3355565324.0000000001803000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000004.00000002.3355084181.00000000016E0000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000004.00000002.3352878258.0000000000445000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://49.13.159.121:9000/vcruntime140.dll
Source: MSBuild.exe, 00000004.00000002.3355565324.0000000001803000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://49.13.159.121:9000/vcruntime140.dllE
Source: MSBuild.exe, 00000004.00000002.3355565324.0000000001803000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://49.13.159.121:9000/vcruntime140.dllI
Source: MSBuild.exe, 00000004.00000002.3354820037.000000000164C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://49.13.159.121:9000/vcruntime140.dllX
Source: MSBuild.exe, 00000004.00000002.3352878258.0000000000445000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://49.13.159.121:9000/vcruntime140.dllge
Source: MSBuild.exe, 00000004.00000002.3355565324.0000000001803000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://49.13.159.121:9000/vcruntime140.dlly
Source: MSBuild.exe, 00000004.00000002.3352878258.0000000000445000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://49.13.159.121:9000H--
Source: MSBuild.exe, 00000004.00000002.3352878258.00000000005C8000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://49.13.159.121:9000d3e98icrosoft
Source: MSBuild.exe, 00000004.00000002.3352878258.00000000005C8000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://49.13.159.121:9000d3e98oogle
Source: MSBuild.exe, 00000004.00000002.3352878258.0000000000539000.00000040.00000400.00020000.00000000.sdmp, MSBuild.exe, 00000004.00000002.3352878258.0000000000445000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://49.13.159.121:9000el
Source: MSBuild.exe, 00000004.00000002.3352878258.0000000000445000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://49.13.159.121:9000oaming
Source: MSBuild.exe, 00000004.00000002.3352878258.0000000000445000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://49.13.159.121:9000ocal
Source: AFCBKF.4.dr	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: AFCBKF.4.dr	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: AFCBKF.4.dr	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: AFCBKF.4.dr	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: AFCBKF.4.dr	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: AFCBKF.4.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: AFCBKF.4.dr	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: file.exe	String found in binary or memory: https://jira.adguard.com/browse/AG-15916
Source: file.exe	String found in binary or memory: https://jira.adguard.com/browse/AG-159168
Source: file.exe	String found in binary or memory: https://jira.adguard.com/browse/AG-18203
Source: file.exe	String found in binary or memory: https://jira.adguard.com/browse/AG-18203.
Source: file.exe	String found in binary or memory: https://jira.adguard.com/browse/AG-20454
Source: file.exe	String found in binary or memory: https://jira.adguard.com/browse/AG-20454G
Source: file.exe	String found in binary or memory: https://jira.adguard.com/browse/AG-20455
Source: file.exe	String found in binary or memory: https://jira.adguard.com/browse/AG-20455N
Source: file.exe	String found in binary or memory: https://jira.adguard.com/browse/AG-21228
Source: file.exe	String found in binary or memory: https://jira.adguard.com/browse/AG-7046
Source: file.exe	String found in binary or memory: https://jira.adguard.com/browse/AG-7046Q
Source: file.exe	String found in binary or memory: https://jira.adguard.com/browse/AG-7791
Source: file.exe	String found in binary or memory: https://jira.int.agrd.dev/browse/AG-32263
Source: file.exe	String found in binary or memory: https://jira.int.agrd.dev/browse/AG-32263-
Source: file.exe	String found in binary or memory: https://sectigo.com/CPS0
Source: file.exe, 00000000.00000002.2113529276.0000000003F6F000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.2113529276.0000000003EA1000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.2112404610.0000000002F4B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.2113529276.0000000003F3B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.2113529276.0000000003ED4000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, MSBuild.exe, 00000004.00000002.3352878258.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199707802586
Source: file.exe, 00000000.00000002.2113529276.0000000003F6F000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.2113529276.0000000003EA1000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.2112404610.0000000002F4B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.2113529276.0000000003F3B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.2113529276.0000000003ED4000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000004.00000002.3352878258.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199707802586hellosqlt.dllsqlite3.dll
Source: MSBuild.exe, 00000004.00000002.3354509372.00000000015F8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/
Source: file.exe, 00000000.00000002.2113529276.0000000003F6F000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.2113529276.0000000003EA1000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.2112404610.0000000002F4B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.2113529276.0000000003F3B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.2113529276.0000000003ED4000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, MSBuild.exe, 00000004.00000002.3352878258.0000000000400000.00000040.00000400.00020000.00000000.sdmp, MSBuild.exe, 00000004.00000002.3354509372.00000000015B8000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000004.00000002.3354757613.000000000162A000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000004.00000002.3352878258.0000000000445000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://t.me/g067n
Source: MSBuild.exe, 00000004.00000002.3354509372.00000000015B8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/g067njT
Source: file.exe, 00000000.00000002.2113529276.0000000003F6F000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.2113529276.0000000003EA1000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.2112404610.0000000002F4B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.2113529276.0000000003F3B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.2113529276.0000000003ED4000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000004.00000002.3352878258.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://t.me/g067nry1neMozilla/5.0
Source: MSBuild.exe, 00000004.00000002.3354757613.000000000162A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://web.telegram.org
Source: AFCBKF.4.dr	String found in binary or memory: https://www.ecosia.org/newtab/
Source: AFCBKF.4.dr	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico

Source: unknown	Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49672 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712

Source: unknown

HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.6:49712 version: TLS 1.2

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Code function: 4_2_00413160 memset,GetDesktopWindow,GetWindowRect,GetDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,GlobalFix,GlobalSize,SelectObject,DeleteObject,DeleteObject,ReleaseDC,CloseWindow,

4_2_00413160

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_02C2F9C8	0_2_02C2F9C8
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_02C28B88	0_2_02C28B88
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_02C28F80	0_2_02C28F80
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_053965BB	0_2_053965BB
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0539B008	0_2_0539B008
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_05397360	0_2_05397360
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_053943A8	0_2_053943A8
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_05399AEB	0_2_05399AEB
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_05398D40	0_2_05398D40
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0539A9A8	0_2_0539A9A8
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0539A99B	0_2_0539A99B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_05397F20	0_2_05397F20
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0539734F	0_2_0539734F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0539439B	0_2_0539439B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0539AFF8	0_2_0539AFF8
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_053B8998	0_2_053B8998
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_053B8A58	0_2_053B8A58
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_053B2A89	0_2_053B2A89
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_05AC3036	0_2_05AC3036
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_05AC1B10	0_2_05AC1B10
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_053B2A98	0_2_053B2A98
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4_2_0041ECEC	4_2_0041ECEC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4_2_0041E919	4_2_0041E919
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4_2_0041EEC1	4_2_0041EEC1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4_2_0041F6CF	4_2_0041F6CF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4_2_227F4CF0	4_2_227F4CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4_2_227E209F	4_2_227E209F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4_2_2286A0B0	4_2_2286A0B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4_2_227F66C0	4_2_227F66C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4_2_227E47AF	4_2_227E47AF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4_2_228DA590	4_2_228DA590
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4_2_2280A560	4_2_2280A560
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4_2_227EAA40	4_2_227EAA40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4_2_227EEA80	4_2_227EEA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4_2_227E481D	4_2_227E481D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4_2_2291E800	4_2_2291E800
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4_2_227E3E3B	4_2_227E3E3B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4_2_228C69C0	4_2_228C69C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4_2_228FA900	4_2_228FA900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4_2_228DA940	4_2_228DA940
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4_2_22826E80	4_2_22826E80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4_2_229BAEBE	4_2_229BAEBE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4_2_22842EE0	4_2_22842EE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4_2_227E19DD	4_2_227E19DD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4_2_22813370	4_2_22813370
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4_2_227EF160	4_2_227EF160
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4_2_227E174E	4_2_227E174E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4_2_2280BAB0	4_2_2280BAB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4_2_22817810	4_2_22817810
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4_2_227E251D	4_2_227E251D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4_2_227E290A	4_2_227E290A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4_2_227E3AB2	4_2_227E3AB2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4_2_22860090	4_2_22860090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4_2_22908030	4_2_22908030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4_2_22868120	4_2_22868120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4_2_22808680	4_2_22808680
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4_2_22808763	4_2_22808763
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4_2_22844760	4_2_22844760
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4_2_22878760	4_2_22878760
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4_2_22920480	4_2_22920480
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4_2_228E4A60	4_2_228E4A60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4_2_227EC800	4_2_227EC800
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4_2_227E1EF1	4_2_227E1EF1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4_2_2281CE10	4_2_2281CE10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4_2_22808D2A	4_2_22808D2A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4_2_229BD209	4_2_229BD209
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4_2_227E3580	4_2_227E3580
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4_2_228753B0	4_2_228753B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4_2_227F9000	4_2_227F9000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4_2_22905040	4_2_22905040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4_2_22889690	4_2_22889690
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4_2_2289D6D0	4_2_2289D6D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4_2_22949430	4_2_22949430
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4_2_227ED4C0	4_2_227ED4C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4_2_22909A20	4_2_22909A20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4_2_227E2018	4_2_227E2018
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4_2_227E1C9E	4_2_227E1C9E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4_2_22895940	4_2_22895940
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4_2_227E12A8	4_2_227E12A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4_2_227E2AA9	4_2_227E2AA9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4_2_22949CC0	4_2_22949CC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4_2_22811C50	4_2_22811C50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4_2_227E292D	4_2_227E292D

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: String function: 227E1C2B appears 47 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: String function: 227E415B appears 173 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: String function: 229C06B1 appears 36 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: String function: 00404239 appears 287 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: String function: 227E395E appears 81 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: String function: 227E3AF3 appears 37 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: String function: 227E1F5A appears 36 times

Source: file.exe

Static PE information: invalid certificate

Source: file.exe, 00000000.00000002.2114887893.0000000005790000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameCcYLxMOT.dll0 vs file.exe
Source: file.exe, 00000000.00000002.2114727387.0000000005490000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenamePE.dll& vs file.exe
Source: file.exe, 00000000.00000002.2112404610.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamePE.dll& vs file.exe
Source: file.exe, 00000000.00000002.2112404610.0000000002EC9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclrjit.dllT vs file.exe
Source: file.exe, 00000000.00000002.2112404610.0000000002EC9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs file.exe
Source: file.exe, 00000000.00000002.2112404610.0000000002EC9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: q,\\StringFileInfo\\040904B0\\OriginalFilename vs file.exe
Source: file.exe, 00000000.00000000.2106749742.0000000000B26000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamenewsoftgnu.exe$ vs file.exe
Source: file.exe, 00000000.00000002.2111827791.000000000114E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs file.exe
Source: file.exe	Binary or memory string: OriginalFilenamenewsoftgnu.exe$ vs file.exe

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: 0.2.file.exe.2e46048.1.raw.unpack, fDX9tehJ5EFemhKZwc.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.file.exe.2e46048.1.raw.unpack, fDX9tehJ5EFemhKZwc.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.file.exe.5790000.11.raw.unpack, KGoGDyk.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.2.file.exe.5490000.10.raw.unpack, fDX9tehJ5EFemhKZwc.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.file.exe.5490000.10.raw.unpack, fDX9tehJ5EFemhKZwc.cs	Cryptographic APIs: 'CreateDecryptor'

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@7/12@1/2

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Code function: 4_2_0041246A CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle,

4_2_0041246A

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Code function: 4_2_004129BF CoInitializeEx,CoInitializeSecurity,CoCreateInstance,CoSetProxyBlanket,VariantInit,VariantClear,

4_2_004129BF

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\file.exe.log

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Mutant created: NULL

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: file.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: MSBuild.exe, 00000004.00000002.3359533484.000000001CA84000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000004.00000002.3364573446.00000000229F8000.00000002.00001000.00020000.00000000.sdmp, sqlt[1].dll.4.dr	Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: MSBuild.exe, 00000004.00000002.3359533484.000000001CA84000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000004.00000002.3364573446.00000000229F8000.00000002.00001000.00020000.00000000.sdmp, sqlt[1].dll.4.dr	Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: MSBuild.exe, MSBuild.exe, 00000004.00000002.3359533484.000000001CA84000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000004.00000002.3364573446.00000000229F8000.00000002.00001000.00020000.00000000.sdmp, sqlt[1].dll.4.dr	Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: MSBuild.exe, 00000004.00000002.3359533484.000000001CA84000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000004.00000002.3364573446.00000000229F8000.00000002.00001000.00020000.00000000.sdmp, sqlt[1].dll.4.dr	Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: MSBuild.exe, MSBuild.exe, 00000004.00000002.3359533484.000000001CA84000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000004.00000002.3364573446.00000000229F8000.00000002.00001000.00020000.00000000.sdmp, sqlt[1].dll.4.dr	Binary or memory string: INSERT INTO "%w"."%w"("%w") VALUES('integrity-check');
Source: MSBuild.exe, 00000004.00000002.3359533484.000000001CA84000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000004.00000002.3364573446.00000000229F8000.00000002.00001000.00020000.00000000.sdmp, sqlt[1].dll.4.dr	Binary or memory string: CREATE TABLE IF NOT EXISTS %s.'rbu_tmp_%q' AS SELECT *%s FROM '%q' WHERE 0;
Source: MSBuild.exe, 00000004.00000002.3359533484.000000001CA84000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000004.00000002.3364573446.00000000229F8000.00000002.00001000.00020000.00000000.sdmp, sqlt[1].dll.4.dr	Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: MSBuild.exe, 00000004.00000002.3359533484.000000001CA84000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000004.00000002.3364573446.00000000229F8000.00000002.00001000.00020000.00000000.sdmp, sqlt[1].dll.4.dr	Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: MSBuild.exe, 00000004.00000002.3359533484.000000001CA84000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000004.00000002.3364573446.00000000229F8000.00000002.00001000.00020000.00000000.sdmp, sqlt[1].dll.4.dr	Binary or memory string: CREATE TABLE x(addr INT,opcode TEXT,p1 INT,p2 INT,p3 INT,p4 TEXT,p5 INT,comment TEXT,subprog TEXT,nexec INT,ncycle INT,stmt HIDDEN);
Source: GCBGII.4.dr, ECFCBK.4.dr	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: MSBuild.exe, MSBuild.exe, 00000004.00000002.3359533484.000000001CA84000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000004.00000002.3364573446.00000000229F8000.00000002.00001000.00020000.00000000.sdmp, sqlt[1].dll.4.dr	Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: MSBuild.exe, 00000004.00000002.3359533484.000000001CA84000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000004.00000002.3364573446.00000000229F8000.00000002.00001000.00020000.00000000.sdmp, sqlt[1].dll.4.dr	Binary or memory string: CREATE TABLE x(type TEXT,schema TEXT,name TEXT,wr INT,subprog TEXT,stmt HIDDEN);

Source: file.exe	ReversingLabs: Detection: 51%
Source: file.exe	Virustotal: Detection: 54%

Source: file.exe	String found in binary or memory: /stopService
Source: file.exe	String found in binary or memory: /stopService
Source: file.exe	String found in binary or memory: /reinstall
Source: file.exe	String found in binary or memory: in-addr.arpa

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mscorjit.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: cryptnet.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ntmarta.dll	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: file.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: file.exe

Static file information: File size 4959240 > 1048576

Source: file.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x49f000

Source: file.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: PE.pdbH] source: file.exe, 00000000.00000002.2114727387.0000000005490000.00000004.08000000.00040000.00000000.sdmp, file.exe, 00000000.00000002.2112404610.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\press\AppData\Local\Temp\Report.A66214F7-6635-4084-8609-050NK772Dll\obj\Debug\CcYLxMOT.pdb source: file.exe, 00000000.00000002.2114887893.0000000005790000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: PE.pdb source: file.exe, 00000000.00000002.2114727387.0000000005490000.00000004.08000000.00040000.00000000.sdmp, file.exe, 00000000.00000002.2112404610.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: newsoftgnu.pdb source: file.exe
Source:	Binary string: C:\Users\Dan\Desktop\work\sqlite\tmp\sqlite_bld_dir\2\sqlite3.pdb source: MSBuild.exe, 00000004.00000002.3359533484.000000001CA84000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000004.00000002.3364573446.00000000229F8000.00000002.00001000.00020000.00000000.sdmp, sqlt[1].dll.4.dr

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: 0.2.file.exe.2e46048.1.raw.unpack, fDX9tehJ5EFemhKZwc.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 0.2.file.exe.5490000.10.raw.unpack, fDX9tehJ5EFemhKZwc.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Code function: 4_2_0041B050 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

4_2_0041B050

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4_2_00421EF5 push ecx; ret	4_2_00421F08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4_2_227E10C8 push ecx; ret	4_2_229E3552
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4_2_227E1BF9 push ecx; ret	4_2_22984C03

Source: 0.2.file.exe.2e46048.1.raw.unpack, fDX9tehJ5EFemhKZwc.cs	High entropy of concatenated method names: 'ce4DmfsmSrOT856tDgfrkMb', 'NvQOxwsIFR', 'QsUuklFoHUiQD', 'MCRoDX9te', 'l5EbFemhK', 'uwcnnhQXJ', 'J3PigtLyh', 'PwdNpFGeB', 'XCj67ZIOy', 'w09DYCs5D'
Source: 0.2.file.exe.2e46048.1.raw.unpack, zcrmeG4DKc05Qj8A7l.cs	High entropy of concatenated method names: 'Ys7O1WDVbX', 'EIxO3RK2jf', 'ov3OzJmFFU', 'KJS0ILfinW', 'Gtt0O5H9rf', 'Gvj00KAYqN', 'hUG0r1tocH', 'PBb0lrpBsM', 'pGy05VOh0y', 'j3M0RfBB5l'
Source: 0.2.file.exe.5490000.10.raw.unpack, fDX9tehJ5EFemhKZwc.cs	High entropy of concatenated method names: 'ce4DmfsmSrOT856tDgfrkMb', 'NvQOxwsIFR', 'QsUuklFoHUiQD', 'MCRoDX9te', 'l5EbFemhK', 'uwcnnhQXJ', 'J3PigtLyh', 'PwdNpFGeB', 'XCj67ZIOy', 'w09DYCs5D'
Source: 0.2.file.exe.5490000.10.raw.unpack, zcrmeG4DKc05Qj8A7l.cs	High entropy of concatenated method names: 'Ys7O1WDVbX', 'EIxO3RK2jf', 'ov3OzJmFFU', 'KJS0ILfinW', 'Gtt0O5H9rf', 'Gvj00KAYqN', 'hUG0r1tocH', 'PBb0lrpBsM', 'pGy05VOh0y', 'j3M0RfBB5l'

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\sqlt[1].dll

Jump to dropped file

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

4_2_0041B050

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: file.exe PID: 1804, type: MEMORYSTR

Source: C:\Users\user\Desktop\file.exe	Memory allocated: 2C20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory allocated: 2DF0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory allocated: 4DF0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\sqlt[1].dll

Jump to dropped file

Source: C:\Users\user\Desktop\file.exe TID: 4992

Thread sleep time: -922337203685477s >= -30000s

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4_2_00409FC0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	4_2_00409FC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4_2_00401443 FindFirstFileA,StrCmpCA,StrCmpCA,FindFirstFileA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	4_2_00401443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4_2_0040E016 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	4_2_0040E016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4_2_0040C039 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	4_2_0040C039
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4_2_004164C7 wsprintfA,FindFirstFileA,memset,memset,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,memset,lstrcatA,strtok_s,strtok_s,memset,lstrcatA,strtok_s,PathMatchSpecA,DeleteFileA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,strtok_s,FindNextFileA,FindClose,	4_2_004164C7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4_2_0040BC98 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	4_2_0040BC98
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4_2_00416D7D wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,FindNextFileA,FindClose,	4_2_00416D7D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4_2_0040D690 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlenA,DeleteFileA,CopyFileA,FindNextFileA,FindClose,	4_2_0040D690
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4_2_0040C6B5 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,	4_2_0040C6B5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4_2_004177D3 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	4_2_004177D3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4_2_0041738D GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcatA,lstrcatA,lstrlenA,lstrlenA,	4_2_0041738D

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Code function: 4_2_004169EC GetLogicalDriveStringsA,memset,GetDriveTypeA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,

4_2_004169EC

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Code function: 4_2_00411F21 GetSystemInfo,wsprintfA,

4_2_00411F21

Source: C:\Users\user\Desktop\file.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\	Jump to behavior

Source: AAEHDA.4.dr	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696487552
Source: AAEHDA.4.dr	Binary or memory string: secure.bankofamerica.comVMware20,11696487552\|UE
Source: AAEHDA.4.dr	Binary or memory string: account.microsoft.com/profileVMware20,11696487552u
Source: AAEHDA.4.dr	Binary or memory string: discord.comVMware20,11696487552f
Source: AAEHDA.4.dr	Binary or memory string: bankofamerica.comVMware20,11696487552x
Source: AAEHDA.4.dr	Binary or memory string: www.interactivebrokers.comVMware20,11696487552}
Source: MSBuild.exe, 00000004.00000002.3354509372.0000000001616000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: AAEHDA.4.dr	Binary or memory string: ms.portal.azure.comVMware20,11696487552
Source: AAEHDA.4.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552
Source: AAEHDA.4.dr	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696487552
Source: AAEHDA.4.dr	Binary or memory string: global block list test formVMware20,11696487552
Source: AAEHDA.4.dr	Binary or memory string: tasks.office.comVMware20,11696487552o
Source: MSBuild.exe, 00000004.00000002.3354509372.0000000001616000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW^
Source: AAEHDA.4.dr	Binary or memory string: AMC password management pageVMware20,11696487552
Source: AAEHDA.4.dr	Binary or memory string: interactivebrokers.co.inVMware20,11696487552d
Source: AAEHDA.4.dr	Binary or memory string: interactivebrokers.comVMware20,11696487552
Source: AAEHDA.4.dr	Binary or memory string: dev.azure.comVMware20,11696487552j
Source: AAEHDA.4.dr	Binary or memory string: Interactive Brokers - HKVMware20,11696487552]
Source: AAEHDA.4.dr	Binary or memory string: microsoft.visualstudio.comVMware20,11696487552x
Source: file.exe	Binary or memory string: JUxvupfc339huwQeMul
Source: AAEHDA.4.dr	Binary or memory string: netportal.hdfcbank.comVMware20,11696487552
Source: AAEHDA.4.dr	Binary or memory string: trackpan.utiitsl.comVMware20,11696487552h
Source: MSBuild.exe, 00000004.00000002.3354509372.00000000015B8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWP
Source: file.exe	Binary or memory string: carmO8a0VBurhRuvmcIN
Source: AAEHDA.4.dr	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696487552z
Source: AAEHDA.4.dr	Binary or memory string: www.interactivebrokers.co.inVMware20,11696487552~
Source: AAEHDA.4.dr	Binary or memory string: outlook.office365.comVMware20,11696487552t
Source: AAEHDA.4.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552^
Source: MSBuild.exe, 00000004.00000002.3354509372.00000000015B8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareVMware
Source: AAEHDA.4.dr	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696487552p
Source: AAEHDA.4.dr	Binary or memory string: Interactive Brokers - EU WestVMware20,11696487552n
Source: AAEHDA.4.dr	Binary or memory string: outlook.office.comVMware20,11696487552s
Source: AAEHDA.4.dr	Binary or memory string: Test URL for global passwords blocklistVMware20,11696487552
Source: AAEHDA.4.dr	Binary or memory string: turbotax.intuit.comVMware20,11696487552t
Source: AAEHDA.4.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696487552x
Source: AAEHDA.4.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696487552}
Source: AAEHDA.4.dr	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696487552

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

API call chain: ExitProcess graph end node

graph_4-90905

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Code function: 4_2_00421C0B memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

4_2_00421C0B

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

4_2_0041B050

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Code function: 4_2_0041ACF3 mov eax, dword ptr fs:[00000030h]

4_2_0041ACF3

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

4_2_004058C4

Source: C:\Users\user\Desktop\file.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4_2_00421C0B memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	4_2_00421C0B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4_2_00423DCD SetUnhandledExceptionFilter,	4_2_00423DCD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4_2_0042224F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	4_2_0042224F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4_2_227E42AF SetUnhandledExceptionFilter,	4_2_227E42AF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4_2_227E2C8E IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	4_2_227E2C8E

Source: C:\Users\user\Desktop\file.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Yara detected Powershell download and execute

Source: Yara match	File source: Process Memory Space: file.exe PID: 1804, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 6312, type: MEMORYSTR

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\file.exe

Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 protect: page execute and read and write

Jump to behavior

Contains functionality to inject code into remote processes

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Code function: 4_2_00410A14 memset,memset,CreateProcessA,VirtualAlloc,GetThreadContext,ReadProcessMemory,VirtualAllocEx,ResumeThread,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,ResumeThread,

4_2_00410A14

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\file.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 value starts with: 4D5A

Jump to behavior

Searches for specific processes (likely to inject)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4_2_004138BA CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,FindCloseChangeNotification,		4_2_004138BA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4_2_004137BD CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle,		4_2_004137BD

Writes to foreign memory regions

Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 401000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 425000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 42E000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 643000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 11CB008	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Code function: 4_2_00401000 cpuid

4_2_00401000

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,	4_2_00411D31
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: GetACP,IsValidCodePage,GetLocaleInfoW,	4_2_227E298C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: EnumSystemLocalesW,	4_2_229BFF17
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: GetLocaleInfoW,	4_2_227E2112
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: GetLocaleInfoW,	4_2_227E2112

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Users\user\Desktop\file.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Code function: 4_2_00411C63 GetProcessHeap,HeapAlloc,GetLocalTime,wsprintfA,

4_2_00411C63

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Code function: 4_2_00411BEC GetProcessHeap,HeapAlloc,GetUserNameA,

4_2_00411BEC

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Code function: 4_2_00411CBF GetProcessHeap,HeapAlloc,GetTimeZoneInformation,wsprintfA,

4_2_00411CBF

Source: C:\Users\user\Desktop\file.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: MSBuild.exe, 00000004.00000002.3355565324.0000000001803000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct

Stealing of Sensitive Information

Yara detected PureLog Stealer

Source: Yara match	File source: file.exe, type: SAMPLE
Source: Yara match	File source: 0.0.file.exe.670000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.2106139036.0000000000672000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY

Yara detected Vidar stealer

Source: Yara match	File source: 0.2.file.exe.3f3bed8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.3ed4a88.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.3f6f908.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.3ed4a88.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.3f6f908.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.3f3bed8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.3352878258.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2112404610.0000000002F4B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2113529276.0000000003F3B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2113529276.0000000003EA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2113529276.0000000003F6F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2113529276.0000000003ED4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3352878258.0000000000445000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 1804, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 6312, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior

Source: Yara match

File source: Process Memory Space: MSBuild.exe PID: 6312, type: MEMORYSTR

Remote Access Functionality

Yara detected PureLog Stealer

Source: Yara match	File source: file.exe, type: SAMPLE
Source: Yara match	File source: 0.0.file.exe.670000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.2106139036.0000000000672000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY

Yara detected Vidar stealer

Source: Yara match	File source: 0.2.file.exe.3f3bed8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.3ed4a88.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.3f6f908.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.3ed4a88.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.3f6f908.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.3f3bed8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.3352878258.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2112404610.0000000002F4B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2113529276.0000000003F3B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2113529276.0000000003EA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2113529276.0000000003F6F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2113529276.0000000003ED4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3352878258.0000000000445000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 1804, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 6312, type: MEMORYSTR

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4_2_2284E200 sqlite3_initialize,sqlite3_free,sqlite3_bind_int64,sqlite3_bind_blob,sqlite3_step,sqlite3_reset,	4_2_2284E200
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4_2_2284E090 sqlite3_bind_int64,sqlite3_bind_value,sqlite3_step,sqlite3_reset,	4_2_2284E090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4_2_2285E170 sqlite3_bind_int64,sqlite3_step,sqlite3_reset,	4_2_2285E170
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4_2_2285A6F0 sqlite3_mprintf,sqlite3_mprintf,sqlite3_mprintf,sqlite3_free,sqlite3_bind_value,	4_2_2285A6F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4_2_227F66C0 sqlite3_mprintf,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_bind_int64,sqlite3_bind_null,sqlite3_bind_blob,sqlite3_bind_value,sqlite3_free,sqlite3_bind_value,sqlite3_step,sqlite3_reset,	4_2_227F66C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4_2_2283EF30 sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_result_error_code,	4_2_2283EF30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4_2_228C37E0 sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,	4_2_228C37E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4_2_228A3770 sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,	4_2_228A3770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4_2_2280B400 sqlite3_mprintf,sqlite3_mprintf,sqlite3_free,sqlite3_bind_value,sqlite3_reset,sqlite3_step,sqlite3_reset,sqlite3_column_int64,	4_2_2280B400
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4_2_22817810 sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_bind_int64,sqlite3_bind_value,sqlite3_step,sqlite3_reset,	4_2_22817810
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4_2_22858200 sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,sqlite3_column_int64,sqlite3_reset,sqlite3_bind_int64,sqlite3_step,sqlite3_column_int,sqlite3_reset,	4_2_22858200
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4_2_228C4140 sqlite3_bind_int64,sqlite3_step,sqlite3_column_bytes,sqlite3_column_blob,sqlite3_initialize,sqlite3_reset,sqlite3_bind_int64,sqlite3_step,sqlite3_column_int64,sqlite3_reset,sqlite3_bind_int64,sqlite3_step,sqlite3_column_int64,sqlite3_reset,	4_2_228C4140
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4_2_22808680 sqlite3_mprintf,sqlite3_mprintf,sqlite3_initialize,sqlite3_finalize,sqlite3_free,sqlite3_mprintf,sqlite3_bind_value,sqlite3_bind_int64,sqlite3_bind_int64,	4_2_22808680
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4_2_228306E0 sqlite3_bind_int64,sqlite3_step,sqlite3_column_int64,sqlite3_reset,	4_2_228306E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4_2_22818430 sqlite3_bind_int64,	4_2_22818430
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4_2_22838550 sqlite3_bind_int64,sqlite3_step,sqlite3_column_int64,sqlite3_reset,sqlite3_reset,	4_2_22838550
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4_2_227F4820 sqlite3_bind_int64,sqlite3_step,sqlite3_column_int64,sqlite3_reset,sqlite3_reset,sqlite3_initialize,	4_2_227F4820
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4_2_22818970 sqlite3_bind_int64,sqlite3_bind_double,sqlite3_bind_zeroblob,	4_2_22818970
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4_2_22810FB0 sqlite3_result_int64,sqlite3_result_double,sqlite3_result_int,sqlite3_prepare_v3,sqlite3_bind_int64,sqlite3_step,sqlite3_column_value,sqlite3_result_value,sqlite3_reset,	4_2_22810FB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4_2_22818CB0 sqlite3_bind_zeroblob,	4_2_22818CB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4_2_228C4D40 sqlite3_bind_int64,sqlite3_step,sqlite3_column_int64,sqlite3_reset,sqlite3_reset,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_free,	4_2_228C4D40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4_2_2289D3B0 sqlite3_bind_int64,sqlite3_step,sqlite3_reset,	4_2_2289D3B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4_2_22879090 sqlite3_reset,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_errmsg,sqlite3_mprintf,	4_2_22879090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4_2_228851D0 sqlite3_mprintf,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,	4_2_228851D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4_2_228BD610 sqlite3_free,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,	4_2_228BD610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4_2_229014D0 sqlite3_bind_int64,sqlite3_log,sqlite3_log,sqlite3_log,	4_2_229014D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4_2_2290D4F0 sqlite3_bind_value,sqlite3_log,sqlite3_log,sqlite3_log,	4_2_2290D4F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4_2_228855B0 sqlite3_bind_int64,sqlite3_step,sqlite3_reset,	4_2_228855B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4_2_2285DB10 sqlite3_initialize,sqlite3_bind_int64,sqlite3_step,sqlite3_column_bytes,sqlite3_column_blob,sqlite3_reset,sqlite3_free,sqlite3_free,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_free,	4_2_2285DB10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4_2_2290D9E0 sqlite3_bind_int64,sqlite3_log,sqlite3_log,sqlite3_log,sqlite3_bind_int64,sqlite3_log,sqlite3_log,sqlite3_log,	4_2_2290D9E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4_2_22885910 sqlite3_mprintf,sqlite3_bind_int64,	4_2_22885910
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4_2_2285DFC0 sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_mprintf,sqlite3_bind_text,sqlite3_step,sqlite3_reset,	4_2_2285DFC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4_2_22861FE0 sqlite3_mprintf,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,	4_2_22861FE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4_2_227F5C70 sqlite3_prepare_v3,sqlite3_bind_int64,sqlite3_step,sqlite3_column_value,sqlite3_result_value,sqlite3_reset,	4_2_227F5C70

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	1 OS Credential Dumping	2 System Time Discovery	Remote Services	11 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Native API	Boot or Logon Initialization Scripts	511 Process Injection	11 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	1 Data from Local System	21 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	2 Command and Scripting Interpreter	Logon Script (Windows)	Logon Script (Windows)	3 Obfuscated Files or Information	Security Account Manager	3 File and Directory Discovery	SMB/Windows Admin Shares	1 Screen Capture	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Software Packing	NTDS	44 System Information Discovery	Distributed Component Object Model	Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	41 Security Software Discovery	SSH	Keylogging	13 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Masquerading	Cached Domain Credentials	31 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	31 Virtualization/Sandbox Evasion	DCSync	12 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	511 Process Injection	Proc Filesystem	1 System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	51%	ReversingLabs	Win32.Trojan.Leonem
file.exe	54%	Virustotal		Browse

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\sqlt[1].dll	0%	ReversingLabs

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Link
bg.microsoft.map.fastly.net	0%	Virustotal	Browse
t.me	0%	Virustotal	Browse
fp2e7a.wpc.phicdn.net	0%	Virustotal	Browse
windowsupdatebg.s.llnwi.net	0%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label	Link
http://ocsp.sectigo.com0	0%	URL Reputation	safe
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	0%	URL Reputation	safe
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	0%	URL Reputation	safe
http://www.sqlite.org/copyright.html.	0%	URL Reputation	safe
https://sectigo.com/CPS0	0%	URL Reputation	safe
https://www.ecosia.org/newtab/	0%	URL Reputation	safe
https://ac.ecosia.org/autocomplete?q=	0%	URL Reputation	safe
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t	0%	URL Reputation	safe
https://49.13.159.121:9000/vcruntime140.dlly	100%	Avira URL Cloud	malware
https://49.13.159.121:9000/softokn3.dllg	100%	Avira URL Cloud	malware
https://duckduckgo.com/chrome_newtab	0%	Avira URL Cloud	safe
https://t.me/	0%	Avira URL Cloud	safe
https://49.13.159.121:9000/sqlt.dllN	100%	Avira URL Cloud	malware
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#	0%	URL Reputation	safe
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	0%	URL Reputation	safe
https://jira.adguard.com/browse/AG-20455N	0%	Avira URL Cloud	safe
https://duckduckgo.com/ac/?q=	0%	Avira URL Cloud	safe
https://49.13.159.121:9000oaming	0%	Avira URL Cloud	safe
https://49.13.159.121:9000/sqlt.dllN	0%	Virustotal		Browse
https://duckduckgo.com/chrome_newtab	0%	Virustotal		Browse
https://49.13.159.121:9000ocal	0%	Avira URL Cloud	safe
https://duckduckgo.com/ac/?q=	0%	Virustotal		Browse
https://jira.adguard.com/browse/AG-7046	0%	Avira URL Cloud	safe
https://jira.int.agrd.dev/browse/AG-32263-	0%	Avira URL Cloud	safe
https://jira.adguard.com/browse/AG-20455N	0%	Virustotal		Browse
https://web.telegram.org	0%	Avira URL Cloud	safe
https://steamcommunity.com/profiles/76561199707802586hellosqlt.dllsqlite3.dll	0%	Avira URL Cloud	safe
https://49.13.159.121/vFh	100%	Avira URL Cloud	malware
https://49.13.159.121:9000/softokn3.dllt	100%	Avira URL Cloud	malware
https://jira.int.agrd.dev/browse/AG-32263-	1%	Virustotal		Browse
https://jira.adguard.com/browse/AG-21228	0%	Avira URL Cloud	safe
https://jira.adguard.com/browse/AG-7046	0%	Virustotal		Browse
https://t.me/	0%	Virustotal		Browse
https://49.13.159.121:9000/vcruntime140.dllge	100%	Avira URL Cloud	malware
https://web.telegram.org	0%	Virustotal		Browse
https://49.13.159.121:9000/softokn3.dll	100%	Avira URL Cloud	malware
https://jira.adguard.com/browse/AG-7046Q	0%	Avira URL Cloud	safe
https://jira.adguard.com/browse/AG-21228	0%	Virustotal		Browse
https://steamcommunity.com/profiles/76561199707802586hellosqlt.dllsqlite3.dll	0%	Virustotal		Browse
https://jira.int.agrd.dev/browse/AG-32263	0%	Avira URL Cloud	safe
https://49.13.159.121:9000/mozglue.dll10.15;	100%	Avira URL Cloud	malware
https://jira.adguard.com/browse/AG-20455	0%	Avira URL Cloud	safe
https://jira.adguard.com/browse/AG-20454	0%	Avira URL Cloud	safe
https://jira.adguard.com/browse/AG-15916	0%	Avira URL Cloud	safe
https://49.13.159.121:9000/softokn3.dll	0%	Virustotal		Browse
https://jira.adguard.com/browse/AG-7046Q	0%	Virustotal		Browse
https://49.13.159.121:9000/vcruntime140.dllX	100%	Avira URL Cloud	malware
https://49.13.159.121:9000/mozglue.dllft	100%	Avira URL Cloud	malware
https://49.13.159.121:9000	100%	Avira URL Cloud	malware
https://jira.adguard.com/browse/AG-15916	0%	Virustotal		Browse
https://jira.int.agrd.dev/browse/AG-32263	1%	Virustotal		Browse
https://jira.adguard.com/browse/AG-20455	0%	Virustotal		Browse
https://49.13.159.121:9000/mozglue.dll10.15;	0%	Virustotal		Browse
https://jira.adguard.com/browse/AG-20454	0%	Virustotal		Browse
https://49.13.159.121:9000/.	100%	Avira URL Cloud	malware
https://49.13.159.121:9000/0	100%	Avira URL Cloud	malware
https://49.13.159.121:9000/freebl3.dll	100%	Avira URL Cloud	malware
https://49.13.159.121:9000/vcruntime140.dllI	100%	Avira URL Cloud	malware
https://49.13.159.121/	100%	Avira URL Cloud	malware
https://49.13.159.121:9000	0%	Virustotal		Browse
https://49.13.159.121:9000/vcruntime140.dllE	100%	Avira URL Cloud	malware
https://49.13.159.121:9000/.	0%	Virustotal		Browse
https://49.13.159.121:9000/freebl3.dllft	100%	Avira URL Cloud	malware
https://49.13.159.121:9000/mozglue.dll	100%	Avira URL Cloud	malware
https://t.me/g067nry1neMozilla/5.0	0%	Avira URL Cloud	safe
https://49.13.159.121:9000/cal	100%	Avira URL Cloud	malware
https://49.13.159.121/	0%	Virustotal		Browse
https://49.13.159.121:9000/B	100%	Avira URL Cloud	malware
https://49.13.159.121:9000/nss3.dllB	100%	Avira URL Cloud	malware
https://49.13.159.121:9000/F	100%	Avira URL Cloud	malware
https://49.13.159.121:9000/D	100%	Avira URL Cloud	malware
https://49.13.159.121:9000/nss3.dll	100%	Avira URL Cloud	malware
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	0%	Avira URL Cloud	safe
https://49.13.159.121:9000d3e98oogle	0%	Avira URL Cloud	safe
https://jira.adguard.com/browse/AG-18203.	0%	Avira URL Cloud	safe
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	0%	Avira URL Cloud	safe
https://49.13.159.121:9000H--	0%	Avira URL Cloud	safe
https://jira.adguard.com/browse/AG-159168	0%	Avira URL Cloud	safe
https://49.13.159.121:9000/msvcp140.dll	100%	Avira URL Cloud	malware
https://49.13.159.121:9000/X	100%	Avira URL Cloud	malware
https://49.13.159.121:9000/softokn3.dllessionKeyBackward	100%	Avira URL Cloud	malware
https://49.13.159.121:9000/mozglue.dllposition:	100%	Avira URL Cloud	malware
https://49.13.159.121:9000d3e98icrosoft	0%	Avira URL Cloud	safe
https://49.13.159.121:9000/soft	100%	Avira URL Cloud	malware
https://49.13.159.121:9000/nss3.dllosoft	100%	Avira URL Cloud	malware
https://49.13.159.121:9000/softokn3.dllF	100%	Avira URL Cloud	malware
https://steamcommunity.com/profiles/76561199707802586	100%	Avira URL Cloud	malware
https://49.13.159.121:9000/	100%	Avira URL Cloud	malware
https://49.13.159.121:9000/i	100%	Avira URL Cloud	malware
https://49.13.159.121:9000/sqlt.dlld	100%	Avira URL Cloud	malware
https://jira.adguard.com/browse/AG-7791	0%	Avira URL Cloud	safe
https://t.me/g067n	100%	Avira URL Cloud	malware
https://jira.adguard.com/browse/AG-18203	0%	Avira URL Cloud	safe
https://49.13.159.121:9000/freebl3.dllv	100%	Avira URL Cloud	malware
https://49.13.159.121:9000el	0%	Avira URL Cloud	safe
https://49.13.159.121:9000/msvcp140.dllt	100%	Avira URL Cloud	malware
https://49.13.159.121:9000/vcruntime140.dll	100%	Avira URL Cloud	malware
https://t.me/g067njT	0%	Avira URL Cloud	safe
https://49.13.159.121:9000/3e98icrosoft	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
bg.microsoft.map.fastly.net	199.232.214.172	true	false	0%, Virustotal, Browse	unknown
t.me	149.154.167.99	true	true	0%, Virustotal, Browse	unknown
fp2e7a.wpc.phicdn.net	192.229.221.95	true	false	0%, Virustotal, Browse	unknown
windowsupdatebg.s.llnwi.net	41.63.96.128	true	false	0%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://steamcommunity.com/profiles/76561199707802586	true	Avira URL Cloud: malware	unknown
https://t.me/g067n	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://49.13.159.121:9000/vcruntime140.dlly	MSBuild.exe, 00000004.00000002.3355565324.0000000001803000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://duckduckgo.com/chrome_newtab	AFCBKF.4.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://t.me/	MSBuild.exe, 00000004.00000002.3354509372.00000000015F8000.00000004.00000020.00020000.00000000.sdmp	true	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://49.13.159.121:9000/softokn3.dllg	MSBuild.exe, 00000004.00000002.3355084181.0000000001707000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://49.13.159.121:9000/sqlt.dllN	MSBuild.exe, 00000004.00000002.3355565324.0000000001803000.00000004.00000020.00020000.00000000.sdmp	true	0%, Virustotal, Browse Avira URL Cloud: malware	unknown
https://jira.adguard.com/browse/AG-20455N	file.exe	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://duckduckgo.com/ac/?q=	AFCBKF.4.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://49.13.159.121:9000oaming	MSBuild.exe, 00000004.00000002.3352878258.0000000000445000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://49.13.159.121:9000ocal	MSBuild.exe, 00000004.00000002.3352878258.0000000000445000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://ocsp.sectigo.com0	file.exe	false	URL Reputation: safe	unknown
https://jira.adguard.com/browse/AG-7046	file.exe	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://jira.int.agrd.dev/browse/AG-32263-	file.exe	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://web.telegram.org	MSBuild.exe, 00000004.00000002.3354757613.000000000162A000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://steamcommunity.com/profiles/76561199707802586hellosqlt.dllsqlite3.dll	file.exe, 00000000.00000002.2113529276.0000000003F6F000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.2113529276.0000000003EA1000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.2112404610.0000000002F4B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.2113529276.0000000003F3B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.2113529276.0000000003ED4000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000004.00000002.3352878258.0000000000400000.00000040.00000400.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://49.13.159.121:9000/softokn3.dllt	MSBuild.exe, 00000004.00000002.3352878258.0000000000445000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://49.13.159.121/vFh	MSBuild.exe, 00000004.00000002.3354820037.000000000164C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	AFCBKF.4.dr	false	URL Reputation: safe	unknown
https://jira.adguard.com/browse/AG-21228	file.exe	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://49.13.159.121:9000/vcruntime140.dllge	MSBuild.exe, 00000004.00000002.3352878258.0000000000445000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://49.13.159.121:9000/softokn3.dll	MSBuild.exe, 00000004.00000002.3352878258.0000000000445000.00000040.00000400.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: malware	unknown
https://jira.adguard.com/browse/AG-7046Q	file.exe	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://jira.int.agrd.dev/browse/AG-32263	file.exe	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://49.13.159.121:9000/mozglue.dll10.15;	MSBuild.exe, 00000004.00000002.3352878258.0000000000445000.00000040.00000400.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: malware	unknown
https://jira.adguard.com/browse/AG-20455	file.exe	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://jira.adguard.com/browse/AG-20454	file.exe	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://jira.adguard.com/browse/AG-15916	file.exe	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://49.13.159.121:9000/vcruntime140.dllX	MSBuild.exe, 00000004.00000002.3354820037.000000000164C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://49.13.159.121:9000/mozglue.dllft	MSBuild.exe, 00000004.00000002.3352878258.0000000000445000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://49.13.159.121:9000	MSBuild.exe, 00000004.00000002.3352878258.0000000000445000.00000040.00000400.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: malware	unknown
https://49.13.159.121:9000/.	MSBuild.exe, 00000004.00000002.3355032773.00000000016B0000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: malware	unknown
https://49.13.159.121:9000/freebl3.dll	MSBuild.exe, 00000004.00000002.3352878258.0000000000539000.00000040.00000400.00020000.00000000.sdmp, MSBuild.exe, 00000004.00000002.3355084181.0000000001707000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000004.00000002.3352878258.0000000000445000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	AFCBKF.4.dr	false	URL Reputation: safe	unknown
https://49.13.159.121:9000/0	MSBuild.exe, 00000004.00000002.3354820037.000000000164C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://49.13.159.121:9000/vcruntime140.dllI	MSBuild.exe, 00000004.00000002.3355565324.0000000001803000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://49.13.159.121/	MSBuild.exe, 00000004.00000002.3354820037.000000000164C000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: malware	unknown
https://49.13.159.121:9000/vcruntime140.dllE	MSBuild.exe, 00000004.00000002.3355565324.0000000001803000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://49.13.159.121:9000/freebl3.dllft	MSBuild.exe, 00000004.00000002.3352878258.0000000000445000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://49.13.159.121:9000/mozglue.dll	MSBuild.exe, 00000004.00000002.3355084181.0000000001707000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000004.00000002.3352878258.0000000000445000.00000040.00000400.00020000.00000000.sdmp, MSBuild.exe, 00000004.00000002.3354820037.000000000164C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://t.me/g067nry1neMozilla/5.0	file.exe, 00000000.00000002.2113529276.0000000003F6F000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.2113529276.0000000003EA1000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.2112404610.0000000002F4B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.2113529276.0000000003F3B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.2113529276.0000000003ED4000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000004.00000002.3352878258.0000000000400000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://49.13.159.121:9000/cal	MSBuild.exe, 00000004.00000002.3352878258.0000000000445000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.sqlite.org/copyright.html.	MSBuild.exe, 00000004.00000002.3359533484.000000001CA84000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000004.00000002.3364794204.0000000022A2D000.00000002.00001000.00020000.00000000.sdmp, sqlt[1].dll.4.dr	false	URL Reputation: safe	unknown
https://49.13.159.121:9000/B	MSBuild.exe, 00000004.00000002.3355084181.00000000016C8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://49.13.159.121:9000/nss3.dllB	MSBuild.exe, 00000004.00000002.3355084181.00000000016C8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://49.13.159.121:9000/F	MSBuild.exe, 00000004.00000002.3355032773.00000000016B0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://49.13.159.121:9000/D	MSBuild.exe, 00000004.00000002.3355084181.00000000016C8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://sectigo.com/CPS0	file.exe	false	URL Reputation: safe	unknown
https://49.13.159.121:9000/nss3.dll	MSBuild.exe, 00000004.00000002.3355565324.0000000001803000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000004.00000002.3352878258.0000000000445000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	AFCBKF.4.dr	false	Avira URL Cloud: safe	unknown
https://49.13.159.121:9000d3e98oogle	MSBuild.exe, 00000004.00000002.3352878258.00000000005C8000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://jira.adguard.com/browse/AG-18203.	file.exe	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	AFCBKF.4.dr	false	Avira URL Cloud: safe	unknown
https://jira.adguard.com/browse/AG-159168	file.exe	false	Avira URL Cloud: safe	unknown
https://49.13.159.121:9000H--	MSBuild.exe, 00000004.00000002.3352878258.0000000000445000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://49.13.159.121:9000/msvcp140.dll	MSBuild.exe, 00000004.00000002.3355084181.0000000001707000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000004.00000002.3352878258.0000000000445000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://49.13.159.121:9000/X	MSBuild.exe, 00000004.00000002.3354820037.000000000164C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://49.13.159.121:9000/softokn3.dllessionKeyBackward	MSBuild.exe, 00000004.00000002.3354820037.000000000164C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://www.ecosia.org/newtab/	AFCBKF.4.dr	false	URL Reputation: safe	unknown
https://jira.adguard.com/browse/AG-20454G	file.exe	false		unknown
https://49.13.159.121:9000/mozglue.dllposition:	MSBuild.exe, 00000004.00000002.3352878258.0000000000445000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://49.13.159.121:9000d3e98icrosoft	MSBuild.exe, 00000004.00000002.3352878258.00000000005C8000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://49.13.159.121:9000/soft	MSBuild.exe, 00000004.00000002.3354820037.000000000164C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://ac.ecosia.org/autocomplete?q=	AFCBKF.4.dr	false	URL Reputation: safe	unknown
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t	file.exe	false	URL Reputation: safe	unknown
https://49.13.159.121:9000/nss3.dllosoft	MSBuild.exe, 00000004.00000002.3352878258.0000000000445000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://49.13.159.121:9000/softokn3.dllF	MSBuild.exe, 00000004.00000002.3355084181.0000000001707000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://49.13.159.121:9000/i	MSBuild.exe, 00000004.00000002.3354509372.00000000015F8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://49.13.159.121:9000/	MSBuild.exe, 00000004.00000002.3354820037.000000000164C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://49.13.159.121:9000/sqlt.dlld	MSBuild.exe, 00000004.00000002.3355565324.0000000001803000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://jira.adguard.com/browse/AG-7791	file.exe	false	Avira URL Cloud: safe	unknown
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#	file.exe	false	URL Reputation: safe	unknown
https://jira.adguard.com/browse/AG-18203	file.exe	false	Avira URL Cloud: safe	unknown
https://49.13.159.121:9000/freebl3.dllv	MSBuild.exe, 00000004.00000002.3355084181.0000000001707000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://49.13.159.121:9000el	MSBuild.exe, 00000004.00000002.3352878258.0000000000539000.00000040.00000400.00020000.00000000.sdmp, MSBuild.exe, 00000004.00000002.3352878258.0000000000445000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://49.13.159.121:9000/msvcp140.dllt	MSBuild.exe, 00000004.00000002.3352878258.0000000000445000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://49.13.159.121:9000/vcruntime140.dll	MSBuild.exe, 00000004.00000002.3355565324.0000000001803000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000004.00000002.3355084181.00000000016E0000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000004.00000002.3352878258.0000000000445000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://t.me/g067njT	MSBuild.exe, 00000004.00000002.3354509372.00000000015B8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://49.13.159.121:9000/3e98icrosoft	MSBuild.exe, 00000004.00000002.3352878258.0000000000445000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	AFCBKF.4.dr	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
49.13.159.121	unknown	Germany		24940	HETZNER-ASDE	false
149.154.167.99	t.me	United Kingdom		62041	TELEGRAMRU	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1466008
Start date and time:	2024-07-02 12:17:12 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 28s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	10
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@7/12@1/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 94% Number of executed functions: 135 Number of non-executed functions: 153
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 40.115.3.253, 199.232.214.172, 20.12.23.50, 192.229.221.95, 13.95.31.18, 20.166.126.56, 41.63.96.128, 40.113.103.199
Excluded domains from analysis (whitelisted): client.wns.windows.com, ctldl.windowsupdate.com.delivery.microsoft.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com, wns.notify.trafficmanager.net, fe3.delivery.mp.microsoft.com, ocsp.digicert.com, ocsp.edge.digicert.com, glb.cws.prod.dcat.dsp.trafficmanager.net, sls.update.microsoft.com, wu-b-net.trafficmanager.net, glb.sls.prod.dcat.dsp.trafficmanager.net
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
06:18:16	API Interceptor	1x Sleep call for process: MSBuild.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
49.13.159.121	pDHKarOK2v.exe	Get hash	malicious	CryptOne, Vidar	Browse
49.13.159.121	1719859269.0326595_setup.exe	Get hash	malicious	LummaC Stealer, Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, Xmrig	Browse
149.154.167.99	http://telegramtw1.org/	Get hash	malicious	Unknown	Browse	telegram.org/?setln=pl
	http://makkko.kz/	Get hash	malicious	Unknown	Browse	telegram.org/
	http://telegram.dog	Get hash	malicious	Unknown	Browse	telegram.dog/
	LnSNtO8JIa.exe	Get hash	malicious	Cinoshi Stealer	Browse	t.me/cinoshibot
	jtfCFDmLdX.exe	Get hash	malicious	Gurcu Stealer, PrivateLoader, RedLine, RisePro Stealer, SmokeLoader, zgRAT	Browse	t.me/cinoshibot
	vSlVoTPrmP.exe	Get hash	malicious	Gurcu Stealer, PrivateLoader, RedLine, RisePro Stealer, SmokeLoader, zgRAT	Browse	t.me/cinoshibot
	RO67OsrIWi.exe	Get hash	malicious	Gurcu Stealer, PrivateLoader, RedLine, RisePro Stealer, SmokeLoader, zgRAT	Browse	t.me/cinoshibot
	KeyboardRGB.exe	Get hash	malicious	Unknown	Browse	t.me/cinoshibot
	file.exe	Get hash	malicious	Cinoshi Stealer	Browse	t.me/cinoshibot

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
t.me	pDHKarOK2v.exe	Get hash	malicious	CryptOne, Vidar	Browse	149.154.167.99
	1719859269.0326595_setup.exe	Get hash	malicious	LummaC Stealer, Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, Xmrig	Browse	149.154.167.99
	https://clicktime.cloud.postoffice.net/clicktime.php?U=https%3A%2F%2Ftelegra.ph%2FDavis-Insurance-Agency-LLC-06-28&E=kgarber%40woodlandsbank.com&X=XID311CFbwQP1837Xd1&T=WDLP&HV=U,E,X,T&H=3a14786ee7a8dd2b0305ef5dd961d4108cbfaf34	Get hash	malicious	Unknown	Browse	149.154.167.99
	zyJWi2vy29.exe	Get hash	malicious	LummaC, PureLog Stealer, RisePro Stealer, Vidar, zgRAT	Browse	149.154.167.99
	56bDgH9sMQ.exe	Get hash	malicious	Vidar	Browse	149.154.167.99
	vjYcExA6ou.exe	Get hash	malicious	PureLog Stealer, Vidar	Browse	149.154.167.99
	2E7ZdlxkOL.exe	Get hash	malicious	PureLog Stealer, Vidar, zgRAT	Browse	149.154.167.99
fp2e7a.wpc.phicdn.net	http://scarlet-marigold-h469.squarespace.com/	Get hash	malicious	Unknown	Browse	192.229.221.95
	https://scanner.topsec.com/?d=3744&r=auto&u=https%3A%2F%2Fmaknastudio.com%2Fpkyos&t=a4fe2e96fe6815a71cc8a7f1ae1196e6fbcf1f08	Get hash	malicious	HTMLPhisher	Browse	192.229.211.108
	https://scanner.topsec.com/?d=3744&r=auto&u=https%3A%2F%2Fmaknastudio.com%2Fpkyos&t=a4fe2e96fe6815a71cc8a7f1ae1196e6fbcf1f08	Get hash	malicious	HTMLPhisher	Browse	192.229.221.95
	https://scanner.topsec.com/?d=3744&r=auto&u=https%3A%2F%2Fmaknastudio.com%2Fpkyos&t=a4fe2e96fe6815a71cc8a7f1ae1196e6fbcf1f08	Get hash	malicious	HTMLPhisher	Browse	192.229.221.95
	http://go.sparkpostmail1.com/f/a/Qy8XDQJtpeYlkqMezh3Eeg~~/AAVXmQA~/RgRnyyJSP0ROaHR0cHM6Ly9pbnN0LmZlYmFmZWRlcmFsYmVuZWZpdHMuY29tL2x0LzExMjU4OTk5MjgxNjc1MTgvcDY2V19yYmFkYk9LaS02NE9GOGJZVwNzcGNCCmXi0u7pZXh5I2VSE2p1ZHkuY2FzdHJvQGJlcC5nb3ZYBAAAAAA~	Get hash	malicious	Unknown	Browse	192.229.221.95
	https://us02web.zoom.us/webinar/register/6317193087387/WN_wbycs5lISL2eo8rEP6qUDg#/registration	Get hash	malicious	Unknown	Browse	192.229.221.95
	http://qltuh.bellatrixmeissa.com	Get hash	malicious	Unknown	Browse	192.229.221.95
	https://follyfutilefirst.com/5046d8ab865606a85a55c357926403c9/invoke.js	Get hash	malicious	Unknown	Browse	192.229.221.95
	https://docs.google.com/presentation/d/e/2PACX-1vRs-1lM259_-Jwhsbc-dg0JIYZUboF3mrOYVHYTqbAmT7KWBl_mwNRSNl0N9QrU4kN-s-_PFfno5ZP3/pub?start=false&loop=false&delayms=3000	Get hash	malicious	HTMLPhisher	Browse	192.229.221.95
	https://m.exactag.com/ai.aspx?tc=d9608989bc40b07205bbd26a23a8d2e6b6b4f9&url=http%253ABOJ.jaick.co.ke/index.xml%23?email=YWxlYy5wZXRlcnNvbkB2b3NzbG9oLmNvbQ==	Get hash	malicious	Unknown	Browse	192.229.221.95
windowsupdatebg.s.llnwi.net	https://guardianesdelbosque.org	Get hash	malicious	Unknown	Browse	178.79.242.128
	http://www.youkonew.anakembok.de/	Get hash	malicious	Unknown	Browse	87.248.204.0
	https://he110ca11he1lpn0wwb112.pages.dev/	Get hash	malicious	TechSupportScam	Browse	87.248.205.0
	http://pub-72f4175190054b068a6db1f116f55ca9.r2.dev/index.html	Get hash	malicious	Unknown	Browse	87.248.204.0
	https://strangetype.shop/	Get hash	malicious	Unknown	Browse	87.248.205.0
	http://pub-0ed5a1f263894eab8341e034994e9627.r2.dev/park.html	Get hash	malicious	HTMLPhisher	Browse	178.79.208.1
	https://u23920825.ct.sendgrid.net/ls/click?upn=u001.uHc2Hvk2zEz7Em0XAnh4-2BYL9qVTLhdQvozIk8ObL-2FM-2BHl5pMQT-2FUp8EFv3L01ejhvQOz6gpUeNbJ-2FpjdVgcq199venLVkPSJZOmQA8Gp-2FAYnh4QMsVdqZir-2BsjjKJZF6oycO_3qmYhu9eGb8PmC9DYiles2d3LUitgGXA8-2B6itiWa8URzbR0lwkoj39GbNx6ZU4HBGdKq-2FSnrP-2FGKG57n2WWTRsTfK-2F1qp9GXNxMKiGc0vrVCFGOp0S4tmGxx6RAVMMa-2FjAFmG6QeWnL8-2BDqzlNJFOq15YimRp8DtIUQD7vQqdHAG4l10a2ECVnGb6-2F8b7ujCwfMLg1s0VgNaD3sN5XRq5MQ1ol4rmwfiuu8mB3nfUxc-3D	Get hash	malicious	Unknown	Browse	87.248.205.0
	http://www.thehorizondispatch.com	Get hash	malicious	Unknown	Browse	87.248.205.0
	http://62.133.61.26/Downloads/MOD_200.pdf.lnk	Get hash	malicious	Unknown	Browse	87.248.205.0
	https://m.exactag.com/ai.aspx?tc=d9476116bc40b07205bbd26a23a8d2e6b6b4f9&url=http%253Ajeffreyhensley.com%2Fwinner%2F54980%2F%2Fa2VlbGV5LmhvbGdhdGVAMnNmZy5jb20=	Get hash	malicious	HTMLPhisher	Browse	87.248.205.0
bg.microsoft.map.fastly.net	https://scanner.topsec.com/?d=3744&r=auto&u=https%3A%2F%2Fmaknastudio.com%2Fpkyos&t=a4fe2e96fe6815a71cc8a7f1ae1196e6fbcf1f08	Get hash	malicious	HTMLPhisher	Browse	199.232.214.172
	http://qltuh.bellatrixmeissa.com	Get hash	malicious	Unknown	Browse	199.232.210.172
	Absa.pdf	Get hash	malicious	HTMLPhisher	Browse	199.232.210.172
	x4UbCbpqkP.exe	Get hash	malicious	RedLine	Browse	199.232.210.172
	http://url2530.tvsmotor.com/ls/click?upn=u001.smInq0-2BkNc5oRshkzMLE7U6zcio2-2F9zwu1ZIXUanV0NJI-2BOrcqj0f4SCu-2B-2BWZYRJ5WulbQ5i5mBsK1zXEak-2FiMRG64aR-2FUGiDgoHteplEfqii9y-2FZm8OviJTU1sjmz7jpaYlxIO-2FZqsCEMZLobIAuBKqKOl6jqYqSAHVwBkUZuGRzhvuesvLIb-2BOJaFEug0CxFHH8i5A3U7lzl-2BTzhlR6ei7mav1762I-2BKvT-2Fk6a5kJfjpj9RJPK9q48Ck5mSzSlgwV-2BsscO5sphM5t-2BVSr5yuCYcPokWOxF7VJFLVcuGxe55FXxdx2OWqy1uhpoEHKlprCsCZc7-2FzwTpK7gWkfISgE1dm3DNZag7jRcJoAY96XjRqTOiYZpVCYj4WczYZatXIFKlGImVUX-2BtzacIIXUkQ-3D-3Dxdxc_PRiWw-2BWerOwUL-2FYAA-2FiwxOm-2BJW3ubqhGFJ5iVqhmG217gfj9KgzNOSRNluvFvYbWIHUd-2ByAsKYpybXBhPgqT-2F1WfaNjyxdi-2FNqxuKfkiep8TocNXSydFj2bAYBLtB5MEDItgpH6g-2FV3171HTXrzYHtaSp7MB2B8WILdzxuyybTMsChhP3QdW9m4oU0X1zagLaXiyfnb7qkeR5CYT3FajfA-3D-3D	Get hash	malicious	Unknown	Browse	199.232.214.172
	Payment_Confirmation_Receipts.vbs	Get hash	malicious	GuLoader	Browse	199.232.210.172
	New Sample Request.scr.exe	Get hash	malicious	Unknown	Browse	199.232.214.172
	KWOTASIE.exe	Get hash	malicious	AgentTesla	Browse	199.232.210.172
	Payment Confirmation.vbs	Get hash	malicious	Remcos, GuLoader	Browse	199.232.210.172
	pDHKarOK2v.exe	Get hash	malicious	CryptOne, Vidar	Browse	199.232.214.172

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TELEGRAMRU	pDHKarOK2v.exe	Get hash	malicious	CryptOne, Vidar	Browse	149.154.167.99
	https://telegrambot-resolved.pages.dev/	Get hash	malicious	Unknown	Browse	149.154.167.99
	1719859269.0326595_setup.exe	Get hash	malicious	LummaC Stealer, Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, Xmrig	Browse	149.154.167.99
	Cheat.malware_exe.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	Cheat.malware_exe.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	https://clicktime.cloud.postoffice.net/clicktime.php?U=https%3A%2F%2Ftelegra.ph%2FDavis-Insurance-Agency-LLC-06-28&E=kgarber%40woodlandsbank.com&X=XID311CFbwQP1837Xd1&T=WDLP&HV=U,E,X,T&H=3a14786ee7a8dd2b0305ef5dd961d4108cbfaf34	Get hash	malicious	Unknown	Browse	149.154.167.99
	zyJWi2vy29.exe	Get hash	malicious	LummaC, PureLog Stealer, RisePro Stealer, Vidar, zgRAT	Browse	149.154.167.99
	Kh7W85ONS7.exe	Get hash	malicious	AsyncRAT, DarkTortilla, StormKitty, WorldWind Stealer	Browse	149.154.167.220
	56bDgH9sMQ.exe	Get hash	malicious	Vidar	Browse	149.154.167.99
	https://telegrambot-resolved.pages.dev/	Get hash	malicious	Unknown	Browse	149.154.167.99
HETZNER-ASDE	pDHKarOK2v.exe	Get hash	malicious	CryptOne, Vidar	Browse	49.13.159.121
	https://he110ca11he1lpn0wwb112.pages.dev/	Get hash	malicious	TechSupportScam	Browse	195.201.57.90
	https://serviceca11he1pn0waa12.pages.dev/	Get hash	malicious	TechSupportScam	Browse	195.201.57.90
	1719859269.0326595_setup.exe	Get hash	malicious	LummaC Stealer, Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, Xmrig	Browse	49.13.159.121
	http://www.midoregon.com	Get hash	malicious	Unknown	Browse	188.40.16.190
	lQC7IiMNX1.elf	Get hash	malicious	Mirai	Browse	46.4.110.33
	MT103-7543324334.exe	Get hash	malicious	Remcos	Browse	138.201.150.244
	file.exe	Get hash	malicious	FormBook	Browse	135.181.212.206
	file.exe	Get hash	malicious	FormBook	Browse	135.181.212.206
	Re_ gerechtelijke dagvaarding..eml	Get hash	malicious	Unknown	Browse	95.217.55.136

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
1138de370e523e824bbca92d049a3777	https://scanner.topsec.com/?d=3744&r=auto&u=https%3A%2F%2Fmaknastudio.com%2Fpkyos&t=a4fe2e96fe6815a71cc8a7f1ae1196e6fbcf1f08	Get hash	malicious	HTMLPhisher	Browse	173.222.162.64
	http://go.sparkpostmail1.com/f/a/Qy8XDQJtpeYlkqMezh3Eeg~~/AAVXmQA~/RgRnyyJSP0ROaHR0cHM6Ly9pbnN0LmZlYmFmZWRlcmFsYmVuZWZpdHMuY29tL2x0LzExMjU4OTk5MjgxNjc1MTgvcDY2V19yYmFkYk9LaS02NE9GOGJZVwNzcGNCCmXi0u7pZXh5I2VSE2p1ZHkuY2FzdHJvQGJlcC5nb3ZYBAAAAAA~	Get hash	malicious	Unknown	Browse	173.222.162.64
	https://m.exactag.com/ai.aspx?tc=d9608989bc40b07205bbd26a23a8d2e6b6b4f9&url=http%253ABOJ.jaick.co.ke/index.xml%23?email=YWxlYy5wZXRlcnNvbkB2b3NzbG9oLmNvbQ==	Get hash	malicious	Unknown	Browse	173.222.162.64
	Absa.pdf	Get hash	malicious	Unknown	Browse	173.222.162.64
	https://docs.google.com/forms/d/e/1FAIpQLSdxwlJ42E7IP7P7FI5J10LvcZM2xU4rjZus8shJYViiMODIbA/viewform?pli=1	Get hash	malicious	Unknown	Browse	173.222.162.64
	https://s54rew.pages.dev/	Get hash	malicious	Unknown	Browse	173.222.162.64
	https://worker-lingering-frost-51ba.mhmdy000918.workers.dev/	Get hash	malicious	Unknown	Browse	173.222.162.64
	https://a289.dvq.workers.dev/	Get hash	malicious	Unknown	Browse	173.222.162.64
	http://pub-72f4175190054b068a6db1f116f55ca9.r2.dev/index.html	Get hash	malicious	Unknown	Browse	173.222.162.64
	https://serviceca11he1pn0waa12.pages.dev/	Get hash	malicious	TechSupportScam	Browse	173.222.162.64
37f463bf4616ecd445d4a1937da06e19	1Bj6BoXV3z.exe	Get hash	malicious	CobaltStrike	Browse	149.154.167.99
	pDHKarOK2v.exe	Get hash	malicious	CryptOne, Vidar	Browse	149.154.167.99
	Revised Invoice 7389293.vbs	Get hash	malicious	GuLoader, Remcos	Browse	149.154.167.99
	Vyuctovani_2024_07-1206812497#U00b7pdf.exe	Get hash	malicious	Remcos, GuLoader	Browse	149.154.167.99
	Build.exe	Get hash	malicious	DBatLoader, Neshta	Browse	149.154.167.99
	F.exe	Get hash	malicious	AsyncRAT, Neshta, XWorm	Browse	149.154.167.99
	1719859269.0326595_setup.exe	Get hash	malicious	LummaC Stealer, Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, Xmrig	Browse	149.154.167.99
	68#U2466.hta	Get hash	malicious	Unknown	Browse	149.154.167.99
	MOD_200.pdf.lnk	Get hash	malicious	Arc Stealer	Browse	149.154.167.99
	SecuriteInfo.com.Win32.BootkitX-gen.7605.8583.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu	Browse	149.154.167.99

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\sqlt[1].dll	pDHKarOK2v.exe	Get hash	malicious	CryptOne, Vidar	Browse
	1719859269.0326595_setup.exe	Get hash	malicious	LummaC Stealer, Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, Xmrig	Browse
	zyJWi2vy29.exe	Get hash	malicious	LummaC, PureLog Stealer, RisePro Stealer, Vidar, zgRAT	Browse
	56bDgH9sMQ.exe	Get hash	malicious	Vidar	Browse
	vjYcExA6ou.exe	Get hash	malicious	PureLog Stealer, Vidar	Browse
	2E7ZdlxkOL.exe	Get hash	malicious	PureLog Stealer, Vidar, zgRAT	Browse
	S8co1ACRdn.exe	Get hash	malicious	CryptOne, Vidar	Browse
	M9dfZzH3qn.exe	Get hash	malicious	CryptOne, Vidar	Browse
	5IRIk4f1PO.exe	Get hash	malicious	CryptOne, Vidar	Browse
	1719520929.094843_setup.exe	Get hash	malicious	LummaC Stealer, Mars Stealer, PrivateLoader, PureLog Stealer, Socks5Systemz, Stealc, Vidar	Browse

Created / dropped Files

C:\ProgramData\BAFCFBAEGDHI\AAAAKJ

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 38, cookie 0x1f, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	155648
Entropy (8bit):	0.5407252242845243
Encrypted:	false
SSDEEP:	96:OgWyejzH+bDoYysX0IxQzZkHtpVJNlYDLjGQLBE3CeE0kE:OJhH+bDo3iN0Z2TVJkXBBE3yb
MD5:	7B955D976803304F2C0505431A0CF1CF
SHA1:	E29070081B18DA0EF9D98D4389091962E3D37216
SHA-256:	987FB9BFC2A84C4C605DCB339D4935B52A969B24E70D6DEAC8946BA9A2B432DC
SHA-512:	CE2F1709F39683BE4131125BED409103F5EDF1DED545649B186845817C0D69E3D0B832B236F7C4FC09AB7F7BB88E7C9F1E4F7047D1AF56D429752D4D8CBED47A
Malicious:	false
Reputation:	high, very likely benign file
Preview:	SQLite format 3......@ .......&..................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\BAFCFBAEGDHI\AAEHDA

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x37, schema 4, UTF-8, version-valid-for 8
Category:	modified
Size (bytes):	196608
Entropy (8bit):	1.1239949490932863
Encrypted:	false
SSDEEP:	384:g2qOB1nxCkvSA1LyKOMq+8iP5GDHP/0j:9q+n0E91LyKOMq+8iP5GLP/0
MD5:	271D5F995996735B01672CF227C81C17
SHA1:	7AEAACD66A59314D1CBF4016038D3A0A956BAF33
SHA-256:	9D772D093F99F296CD906B7B5483A41573E1C6BD4C91EF8DBACDA79CDF1436B4
SHA-512:	62F15B7636222CA89796FCC23FC5722657382FAAAFEDC937506CAB3286AA696609F2A5A8F479158574D9FB92D37C0AA74EA15F7A172EBF1F3D260EF6124CF8B9
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	SQLite format 3......@ .......Y...........7......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\BAFCFBAEGDHI\AFCBKF

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.136471148832945
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c1/k4:MnlyfnGtxnfVuSVumEH1s4
MD5:	37B1FC046E4B29468721F797A2BB968D
SHA1:	50055EF1C50E4C1A7CCF7D00620E95128E4C448B
SHA-256:	7BBD5DFC9026E0D477B027B9A2A3F022F2E72FC9B4E05E697461A00677AE8EFD
SHA-512:	1D8A0F0AE76E5A1CF131F6D2C5156EA4204449942210EF029D5B018464355DBF94E2D8ABD6A5A9CDFE4271DCD22703BF26ECE8FEE902E122184680F1BB001149
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\BAFCFBAEGDHI\EBGDAA

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	159744
Entropy (8bit):	0.5394293526345721
Encrypted:	false
SSDEEP:	96:AquejzH+bF+UIYysX0IxQzh/tsV0NifLjLqLy0e9S8E:AqtH+bF+UI3iN0RSV0k3qLyj9
MD5:	52701A76A821CDDBC23FB25C3FCA4968
SHA1:	440D4B5A38AF50711C5E6C6BE22D80BC17BF32DE
SHA-256:	D602B4D0B3EB9B51535F6EBA33709DCB881237FA95C5072CB39CECF0E06A0AC4
SHA-512:	2653C8DB9C20207FA7006BC9C63142B7C356FB9DC97F9184D60C75D987DC0848A8159C239E83E2FC9D45C522FEAE8D273CDCD31183DED91B8B587596183FC000
Malicious:	false
Reputation:	high, very likely benign file
Preview:	SQLite format 3......@ .......'........... ......................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\BAFCFBAEGDHI\ECFCBK

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 2, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	51200
Entropy (8bit):	0.8745947603342119
Encrypted:	false
SSDEEP:	96:aZ8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:W8yLG7IwRWf4
MD5:	378391FDB591852E472D99DC4BF837DA
SHA1:	10CB2CDAD4EDCCACE0A7748005F52C5251F6F0E0
SHA-256:	513C63B0E44FFDE2B4E511A69436799A8B59585CB0EB5CCFDA7A9A8F06BA4808
SHA-512:	F099631BEC265A6E8E4F8808270B57FFF28D7CBF75CC6FA046BB516E8863F36E8506C7A38AD682132FCB1134D26326A58F5B588B9EC9604F09FD7155B2AEF2DA
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\BAFCFBAEGDHI\EHDGIJ

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.6732424250451717
Encrypted:	false
SSDEEP:	24:TLO1nKbXYFpFNYcoqT1kwE6UwpQ9YHVXxZ6HfB:Tq1KLopF+SawLUO1Xj8B
MD5:	CFFF4E2B77FC5A18AB6323AF9BF95339
SHA1:	3AA2C2115A8EB4516049600E8832E9BFFE0C2412
SHA-256:	EC8B67EF7331A87086A6CC085B085A6B7FFFD325E1B3C90BD3B9B1B119F696AE
SHA-512:	0BFDC8D28D09558AA97F4235728AD656FE9F6F2C61DDA2D09B416F89AB60038537B7513B070B907E57032A68B9717F03575DB6778B68386254C8157559A3F1BC
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j...$......g..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\BAFCFBAEGDHI\GCBGII

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\BAFCFBAEGDHI\GIEHJK

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 6, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 6
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.8508558324143882
Encrypted:	false
SSDEEP:	24:TLlF1kwNbXYFpFNYcw+6UwcQVXH5fBaJvWKC0ABndzGrW7swaE:TxFawNLopFgU10XJBaEKQxdgQsw
MD5:	933D6D14518371B212F36C3835794D75
SHA1:	92D056D912B3C0260D379330D3CC0359B57A322B
SHA-256:	55390EE61FB85370A8A7F51A8DD5374F7B1801D1D7DF09D6A90CDD74ED6E7D1E
SHA-512:	EAC706D8A579500EADA26FB9883E1F3CE9112A03F38EE78B11B393AB0A3285945F8E06EB406BFC17D1CB540F840E435E515FABFC265399CE6F5193980FDE3F2C
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	Microsoft Cabinet archive data, Windows 2000/XP setup, 71954 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
Category:	dropped
Size (bytes):	71954
Entropy (8bit):	7.996617769952133
Encrypted:	true
SSDEEP:	1536:gc257bHnClJ3v5mnAQEBP+bfnW8Ctl8G1G4eu76NWDdB34w18R5cBWcJAm68+Q:gp2ld5jPqW8LgeulxB3fgcEfDQ
MD5:	49AEBF8CBD62D92AC215B2923FB1B9F5
SHA1:	1723BE06719828DDA65AD804298D0431F6AFF976
SHA-256:	B33EFCB95235B98B48508E019AFA4B7655E80CF071DEFABD8B2123FC8B29307F
SHA-512:	BF86116B015FB56709516D686E168E7C9C68365136231CC51D0B6542AE95323A71D2C7ACEC84AAD7DCECC2E410843F6D82A0A6D51B9ACFC721A9C84FDD877B5B
Malicious:	false
Preview:	MSCF............,...................I..................XaK .authroot.stl.[.i..6..CK..<Tk......4.cl!Kg..E..Y.f_..".$mR"$.J.E.KB."..rKv.."{.g....3.W.....c..9.s...=....y6#..x..........D......\(.#.s.!.A.......cd.c........+^.ov...n.....3BL..0.......BPUR&.X..02.q...R...J.....w.....b.vy>....-.&..(..oe."."...J9...0U.6J..\|U..S.....M.F8g...=.......p...........l.?3.J.x.G.Ep..$g..tj......)v]9(:.)W.8.Op.1Q..:.nPd........7.7..M].V F..g.....12..!7(...B.......h.RZ.......l.<.....6..Z^.`p?... .p.Gp.#.'.X..........\|!.8.....".m.49r?.I...g...8.v.....a``.g.R4.i...J8q....NFW,E.6Y....!.o5%.Y.....R..<..S9....r....WO...(.....F..Q=....-..7d..O(....-..+k.........K..........{Q....Z..j._.E...QZ.~.\.^......N.9.k..O.}dD.b1r...[}/....T..E..G..c.\|.c.&>?..^t. ..;..X.d.E.0G....[Q.,......#.Dp..L.o\|#syc.J............}G-.ou6.=52..XWi=...m.....^u......c..fc?&pR7S5....I...j.G........j.j..Tc.El.....B.pQ.,Bp....j...9g.. >..s..m#.Nb.o_u.M.V...........\#...v..Mo\sF..s....Y...

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	data
Category:	dropped
Size (bytes):	328
Entropy (8bit):	3.239498819991208
Encrypted:	false
SSDEEP:	6:kKGE9UswD8HGsL+N+SkQlPlEGYRMY9z+4KlDA3RUebT3:OHDImsLNkPlE99SNxAhUe/3
MD5:	A6047514A8E163B38D30AAFC56906436
SHA1:	3A107CEAFA590CFD3495DA5E829A2A4459AAE1D4
SHA-256:	71711802941BCC6DD558DE4F37601F7DC4214531234DADD427D11861C751FE4E
SHA-512:	4559A07389CA9AC721F46522CC964AFA4599417E4CD4F3D5D6EFAD1133B3C8667FBB8BE9D63E4E0F5353C681E7AAFE8201799FE3D297B83A72941AC1924CBF45
Malicious:	false
Preview:	p...... ........L.q#i...(....................................................... ........G..@.......&......X........h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".a.7.2.8.2.e.b.4.0.b.1.d.a.1.:.0."...

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\file.exe.log

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	730
Entropy (8bit):	5.3458694453090025
Encrypted:	false
SSDEEP:	12:Q3La/hz92n4M9fDLI4MNZcgB2MOqDLI4MWuPTAOKbbDLI4MWuPJKAVKhav:MLU84qrE4/A1E4KlKDE4KhKiKhk
MD5:	8DF93B6D82E7E7831679EC413BE8E6CA
SHA1:	307D59A9CA99E97E44631997464F841734B70D5B
SHA-256:	9CEDB9C553E6E933122596FB84C3F205AD74D6D181FCE72A63F2CBB8ABE6A2F5
SHA-512:	4CA80EA5590D08A0B33156DD9536EDD859DDB73D91C36FCAEBF91791444C484657BA487BF6524B120EAA55E39DBD53AC4B99B96C433002763F6DC9DDF5EDEE30
Malicious:	true
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Runtime, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Runtime\32bcd6ad56338e82b2e9ecba5600bdb4\System.Runtime.ni.dll",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\sqlt[1].dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2459136
Entropy (8bit):	6.052474106868353
Encrypted:	false
SSDEEP:	49152:WHoJ9zGioiMjW2RrL9B8SSpiCH7cuez9A:WHoJBGqabRnj8JY/9
MD5:	90E744829865D57082A7F452EDC90DE5
SHA1:	833B178775F39675FA4E55EAB1032353514E1052
SHA-256:	036A57102385D7F0D7B2DEACF932C1C372AE30D924365B7A88F8A26657DD7550
SHA-512:	0A2D112FF7CB806A74F5EC17FE097D28107BB497D6ED5AD28EA47E6795434BA903CDB49AAF97A9A99C08CD0411F1969CAD93031246DC107C26606A898E570323
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: pDHKarOK2v.exe, Detection: malicious, Browse Filename: 1719859269.0326595_setup.exe, Detection: malicious, Browse Filename: zyJWi2vy29.exe, Detection: malicious, Browse Filename: 56bDgH9sMQ.exe, Detection: malicious, Browse Filename: vjYcExA6ou.exe, Detection: malicious, Browse Filename: 2E7ZdlxkOL.exe, Detection: malicious, Browse Filename: S8co1ACRdn.exe, Detection: malicious, Browse Filename: M9dfZzH3qn.exe, Detection: malicious, Browse Filename: 5IRIk4f1PO.exe, Detection: malicious, Browse Filename: 1719520929.094843_setup.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........7.Z.Y.Z.Y.Z.Y...Z.n.Y...\..Y...]...Y...X.Y.Y.Z.X..Y.O.\.E.Y.O.].U.Y.O.Z.L.Y.l3].[.Y.l3Y.[.Y.l3..[.Y.l3[.[.Y.RichZ.Y.................PE..L...i.`e...........!...%.. .........{D........ ...............................%...........@...........................#..6....$.(.....$.......................$.....`.#.8...........................x.#.@.............$..............................text...G. ....... ................. ..`.rdata...".... ..$.... .............@..@.data...4\|... $..b....#.............@....idata........$......^$.............@..@.00cfg........$......p$.............@..@.rsrc.........$......r$.............@..@.reloc..5.....$.......$.............@..B................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.149516507225811
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 50.01% Win32 Executable (generic) a (10002005/4) 49.97% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	4'959'240 bytes
MD5:	06333e350e25e29677256d9be86e4ee1
SHA1:	088fa1f912473c3dfb5ab118b0bc39ec016cf15a
SHA256:	137a7220fb3cbe605b6c74712ad96dcb1bdea1c489e9df159044500ccc23f3c8
SHA512:	1475fd313ef0ca847eb7921b5bfb017f9b7f9274497df42fe3fa1477f40c6da8723ee0c46fa5c3fac6e9572c47712e1f4412c9460385c8f47117c82befdc329d
SSDEEP:	98304:QOHXslY4Scfsu4riBS64FsJHk0rxQyeYSKsXW:PHXslY4j4riIoJHkUeyexrXW
TLSH:	C0369E19B5F18FA3C34C263AE1D6441883A3DFE16223E34F7F95225A2D067DF4A599C8
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...% .f..................I...........J.. ... J...@.. ........................K.....o.L...@................................

File Icon


Icon Hash:	3130313575703136

Static PE Info

General

Entrypoint:	0x8a0dfe
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x66812025 [Sun Jun 30 09:06:45 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=REINVENTING MULTI-CORE ARCHITECTURE UP TO INTEL\xae CORE\u2122 I7-12650H PROCESSOR
Signature Validation Error:	A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
Error Number:	-2146762487
Not Before, Not After	14/06/2024 02:33:01 15/06/2034 02:33:01
Subject Chain	CN=REINVENTING MULTI-CORE ARCHITECTURE UP TO INTEL\xae CORE\u2122 I7-12650H PROCESSOR
Version:	3
Thumbprint MD5:	297A5478DB50F1C555BC5B4B051809D6
Thumbprint SHA-1:	54DD985E65DC4A9AB4F08F33A1A2BE91077AD1D3
Thumbprint SHA-256:	134D11F457A3154D49242C6B92DF6FDCDA44FEBCFEEB7643A45F97EFB194B5EE
Serial:	25B87080977C34B54B4F56DAFF14BBF8

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x4a0db0	0x4b	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x4a2000	0x19ddc	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x4b9200	0x1a08	.rsrc
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x4bc000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x4a0d66	0x1c	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x49ee04	0x49f000	987f83a9473a67a6d45b404c173aabed	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x4a2000	0x19ddc	0x19e00	d7cee996d519d77895039efcf2b8d698	False	0.3285778985507246	data	4.452802563111612	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x4bc000	0xc	0x200	eb92e99adcea39d8cdc525cecc3cab96	False	0.041015625	data	0.06116285224115448	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0x4a21f0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 3779 x 3779 px/m	0.41312056737588654
RT_ICON	0x4a2658	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 3779 x 3779 px/m	0.2633677298311445
RT_ICON	0x4a3700	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 3779 x 3779 px/m	0.20653526970954356
RT_ICON	0x4a5ca8	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 65536, resolution 3779 x 3779 px/m	0.13950668401750857
RT_ICON	0x4b64d0	0x52be	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	0.9705410253989236
RT_GROUP_ICON	0x4bb790	0x4c	data	0.8026315789473685
RT_VERSION	0x4bb7dc	0x414	data	0.407088122605364
RT_MANIFEST	0x4bbbf0	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0.5469387755102041

Imports

DLL	Import
mscoree.dll	_CorExeMain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 2, 2024 12:18:01.971894979 CEST	49674	443	192.168.2.6	173.222.162.64
Jul 2, 2024 12:18:01.971894979 CEST	49673	443	192.168.2.6	173.222.162.64
Jul 2, 2024 12:18:02.268613100 CEST	49672	443	192.168.2.6	173.222.162.64
Jul 2, 2024 12:18:08.210129023 CEST	49712	443	192.168.2.6	149.154.167.99
Jul 2, 2024 12:18:08.210180044 CEST	443	49712	149.154.167.99	192.168.2.6
Jul 2, 2024 12:18:08.210269928 CEST	49712	443	192.168.2.6	149.154.167.99
Jul 2, 2024 12:18:08.216092110 CEST	49712	443	192.168.2.6	149.154.167.99
Jul 2, 2024 12:18:08.216109991 CEST	443	49712	149.154.167.99	192.168.2.6
Jul 2, 2024 12:18:08.844657898 CEST	443	49712	149.154.167.99	192.168.2.6
Jul 2, 2024 12:18:08.844881058 CEST	49712	443	192.168.2.6	149.154.167.99
Jul 2, 2024 12:18:08.929133892 CEST	49712	443	192.168.2.6	149.154.167.99
Jul 2, 2024 12:18:08.929164886 CEST	443	49712	149.154.167.99	192.168.2.6
Jul 2, 2024 12:18:08.929374933 CEST	443	49712	149.154.167.99	192.168.2.6
Jul 2, 2024 12:18:08.929430962 CEST	49712	443	192.168.2.6	149.154.167.99
Jul 2, 2024 12:18:08.932612896 CEST	49712	443	192.168.2.6	149.154.167.99
Jul 2, 2024 12:18:08.980503082 CEST	443	49712	149.154.167.99	192.168.2.6
Jul 2, 2024 12:18:09.124706984 CEST	443	49712	149.154.167.99	192.168.2.6
Jul 2, 2024 12:18:09.124727011 CEST	443	49712	149.154.167.99	192.168.2.6
Jul 2, 2024 12:18:09.124799967 CEST	443	49712	149.154.167.99	192.168.2.6
Jul 2, 2024 12:18:09.124835014 CEST	443	49712	149.154.167.99	192.168.2.6
Jul 2, 2024 12:18:09.124906063 CEST	49712	443	192.168.2.6	149.154.167.99
Jul 2, 2024 12:18:09.124906063 CEST	49712	443	192.168.2.6	149.154.167.99
Jul 2, 2024 12:18:09.124906063 CEST	49712	443	192.168.2.6	149.154.167.99
Jul 2, 2024 12:18:09.124906063 CEST	49712	443	192.168.2.6	149.154.167.99
Jul 2, 2024 12:18:09.128421068 CEST	49712	443	192.168.2.6	149.154.167.99
Jul 2, 2024 12:18:09.128437996 CEST	443	49712	149.154.167.99	192.168.2.6
Jul 2, 2024 12:18:09.134382010 CEST	49713	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:09.139221907 CEST	9000	49713	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:09.139364004 CEST	49713	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:09.139684916 CEST	49713	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:09.144473076 CEST	9000	49713	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:09.814528942 CEST	9000	49713	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:09.814682007 CEST	9000	49713	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:09.814778090 CEST	49713	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:10.573107004 CEST	49713	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:10.577934027 CEST	9000	49713	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:10.767014980 CEST	9000	49713	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:10.767216921 CEST	49713	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:10.767714024 CEST	49713	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:10.772814035 CEST	9000	49713	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:11.232152939 CEST	9000	49713	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:11.232239962 CEST	49713	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:11.235639095 CEST	49716	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:11.240540981 CEST	9000	49716	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:11.240639925 CEST	49716	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:11.240920067 CEST	49716	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:11.245716095 CEST	9000	49716	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:11.581127882 CEST	49674	443	192.168.2.6	173.222.162.64
Jul 2, 2024 12:18:11.581129074 CEST	49673	443	192.168.2.6	173.222.162.64
Jul 2, 2024 12:18:11.878045082 CEST	49672	443	192.168.2.6	173.222.162.64
Jul 2, 2024 12:18:11.907223940 CEST	9000	49716	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:11.907288074 CEST	49716	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:11.907967091 CEST	49716	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:11.910420895 CEST	49716	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:11.912720919 CEST	9000	49716	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:11.915201902 CEST	9000	49716	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:12.577678919 CEST	9000	49716	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:12.577739954 CEST	49716	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:12.580780983 CEST	49713	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:12.581285000 CEST	49717	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:12.586256027 CEST	9000	49713	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:12.586323977 CEST	49713	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:12.586555958 CEST	9000	49717	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:12.586636066 CEST	49717	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:12.586879015 CEST	49717	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:12.591603994 CEST	9000	49717	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:13.456151009 CEST	9000	49717	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:13.456389904 CEST	9000	49717	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:13.456423998 CEST	49717	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:13.456821918 CEST	49717	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:13.456969976 CEST	49717	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:13.458765984 CEST	49717	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:13.461515903 CEST	9000	49717	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:13.463505983 CEST	9000	49717	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:13.546372890 CEST	443	49707	173.222.162.64	192.168.2.6
Jul 2, 2024 12:18:13.547024965 CEST	49707	443	192.168.2.6	173.222.162.64
Jul 2, 2024 12:18:14.106210947 CEST	9000	49717	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:14.106226921 CEST	9000	49717	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:14.106324911 CEST	49717	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:14.108048916 CEST	49718	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:14.108129978 CEST	49716	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:14.112787962 CEST	9000	49718	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:14.113197088 CEST	49718	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:14.113218069 CEST	9000	49716	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:14.113317013 CEST	49718	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:14.113336086 CEST	49716	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:14.118467093 CEST	9000	49718	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:14.756401062 CEST	9000	49718	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:14.756589890 CEST	49718	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:14.757002115 CEST	49718	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:14.758790970 CEST	49718	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:14.763303995 CEST	9000	49718	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:14.763525963 CEST	9000	49718	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:15.403796911 CEST	9000	49718	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:15.403817892 CEST	9000	49718	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:15.403834105 CEST	9000	49718	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:15.403851032 CEST	9000	49718	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:15.403861046 CEST	9000	49718	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:15.403871059 CEST	9000	49718	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:15.403872013 CEST	49718	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:15.404031992 CEST	49718	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:15.404031992 CEST	49718	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:15.405688047 CEST	49717	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:15.406184912 CEST	49719	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:15.410970926 CEST	9000	49717	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:15.410984039 CEST	9000	49719	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:15.411035061 CEST	49717	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:15.411077023 CEST	49719	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:15.411351919 CEST	49719	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:15.416125059 CEST	9000	49719	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:16.056453943 CEST	9000	49719	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:16.056519985 CEST	49719	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:16.057059050 CEST	49719	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:16.058779955 CEST	49719	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:16.062891006 CEST	9000	49719	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:16.064277887 CEST	9000	49719	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:16.711417913 CEST	9000	49719	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:16.711491108 CEST	49719	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:16.772038937 CEST	49718	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:16.772500992 CEST	49720	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:16.777208090 CEST	9000	49718	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:16.777283907 CEST	9000	49720	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:16.777292967 CEST	49718	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:16.777338982 CEST	49720	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:16.777535915 CEST	49720	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:16.782248974 CEST	9000	49720	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:17.423686981 CEST	9000	49720	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:17.423787117 CEST	49720	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:17.437697887 CEST	49720	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:17.439440012 CEST	49720	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:17.439508915 CEST	49720	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:17.442441940 CEST	9000	49720	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:17.444150925 CEST	9000	49720	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:17.444256067 CEST	9000	49720	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:17.444273949 CEST	9000	49720	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:17.444344044 CEST	9000	49720	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:17.444466114 CEST	9000	49720	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:17.444474936 CEST	9000	49720	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:17.769515038 CEST	49719	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:17.770143986 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:17.775346041 CEST	9000	49719	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:17.775384903 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:17.775424004 CEST	49719	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:17.775481939 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:17.775759935 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:17.781090021 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:18.144325972 CEST	9000	49720	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:18.144428968 CEST	49720	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:18.565356970 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:18.565555096 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:18.566056967 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:18.567806005 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:18.570853949 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:18.572588921 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:18.893486977 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:18.893543959 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:18.893554926 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:18.893593073 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:18.893624067 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:18.893691063 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:18.893702030 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:18.893712997 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:18.893722057 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:18.893733025 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:18.893769026 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:18.893771887 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:18.893780947 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:18.893790960 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:18.893810034 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:18.893841982 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:18.894217014 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:18.894289970 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:18.898334980 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:18.898386955 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:18.900114059 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:18.900161982 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:18.983005047 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:18.983015060 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:18.983057976 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:18.988953114 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:18.988993883 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:18.989002943 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:18.989006042 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:18.989033937 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:18.989065886 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:18.992338896 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:18.992361069 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:18.992376089 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:18.992396116 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:18.992420912 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:18.999820948 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:18.999831915 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:18.999840975 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:18.999876022 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:18.999910116 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.006694078 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.006724119 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.006732941 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.006738901 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.006759882 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.006769896 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.013571978 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.013619900 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.013653994 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.013668060 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.013703108 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.013715029 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.019360065 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.019399881 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.019409895 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.019413948 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.019435883 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.019458055 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.028250933 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.028264046 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.028275967 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.028304100 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.028322935 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.032820940 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.032850027 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.032860994 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.032875061 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.032893896 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.032907963 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.040196896 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.040218115 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.040249109 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.040256023 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.040263891 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.040307999 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.046231985 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.046282053 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.046911955 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.046961069 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.070344925 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.070363998 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.070374966 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.070390940 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.070408106 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.077331066 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.077395916 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.077404976 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.077451944 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.084589005 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.084634066 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.084651947 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.084661961 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.084692955 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.084708929 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.087925911 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.087946892 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.087977886 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.087990046 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.087991953 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.088032961 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.094716072 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.094727993 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.094738007 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.094769955 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.094800949 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.101453066 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.101464033 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.101506948 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.101512909 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.101522923 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.101560116 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.108084917 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.108128071 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.108138084 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.108139992 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.108180046 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.114790916 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.114837885 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.114845991 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.114849091 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.114880085 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.114911079 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.121624947 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.121676922 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.121685028 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.121696949 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.121741056 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.128236055 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.128284931 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.128307104 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.128317118 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.128344059 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.128348112 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.128367901 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.128377914 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.134393930 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.134434938 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.134474039 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.134496927 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.134506941 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.134548903 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.140208006 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.140225887 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.140237093 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.140264034 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.140305996 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.145524025 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.145539045 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.145581961 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.148078918 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.148119926 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.148128986 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.148139954 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.148186922 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.153173923 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.153193951 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.153208017 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.153223991 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.153244019 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.158087015 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.158130884 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.158137083 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.158142090 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.158168077 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.158176899 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.162966013 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.162986040 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.163002014 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.163033009 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.163045883 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.167825937 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.167876005 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.167885065 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.167887926 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.167918921 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.172681093 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.172722101 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.172733068 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.172771931 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.172785997 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.177776098 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.177804947 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.177815914 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.177848101 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.177862883 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.182389975 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.182410002 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.182415962 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.182451963 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.182476044 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.185323954 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.185365915 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.185378075 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.185419083 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.185436010 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.185446024 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.185476065 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.185492992 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.188368082 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.188390970 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.188429117 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.188433886 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.188467026 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.191637039 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.191653013 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.191663027 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.191679001 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.191708088 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.194730997 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.194742918 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.194752932 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.194772959 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.194773912 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.194787025 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.197702885 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.197742939 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.197751999 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.197753906 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.197781086 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.197796106 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.200890064 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.200901031 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.200910091 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.200943947 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.200961113 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.203682899 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.203695059 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.203705072 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.203737020 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.203768969 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.206478119 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.206505060 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.206515074 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.206536055 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.206549883 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.209546089 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.209557056 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.209573030 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.209610939 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.209656954 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.212634087 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.212645054 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.212656021 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.212697983 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.212730885 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.215492010 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.215543985 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.215616941 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.215627909 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.215639114 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.215658903 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.215672970 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.218461990 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.218508005 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.218518972 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.218530893 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.218554974 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.221540928 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.221560955 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.221571922 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.221616983 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.224471092 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.224488020 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.224498034 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.224510908 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.224525928 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.224544048 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.228226900 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.228239059 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.228249073 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.228287935 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.228315115 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.230381966 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.230400085 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.230436087 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.230463028 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.230638981 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.230679035 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.230680943 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.230724096 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.233335972 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.233355045 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.233366013 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.233387947 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.233409882 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.236516953 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.236526966 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.236536980 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.236562967 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.236577034 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.236640930 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.236865044 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.239547014 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.239558935 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.239568949 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.239603996 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.239641905 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.242141008 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.242180109 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.242189884 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.242208958 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.242227077 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.245028973 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.245047092 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.245055914 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.245079994 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.245096922 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.247900009 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.247910976 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.247920990 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.247952938 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.247977018 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.250864029 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.250911951 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.250937939 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.250950098 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.250971079 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.250986099 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.251013041 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.253628969 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.253638029 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.253680944 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.253791094 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.253801107 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.253837109 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.256534100 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.256542921 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.256547928 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.256552935 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.256588936 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.259087086 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.259135008 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.259296894 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.259306908 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.259316921 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.259344101 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.259367943 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.261764050 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.261807919 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.261868954 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.261912107 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.262037039 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.262075901 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.264487982 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.264525890 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.264535904 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.264559984 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.264571905 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.267210007 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.267229080 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.267239094 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.267255068 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.267281055 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.269642115 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.269659996 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.269685030 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.269711971 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.269768953 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.269778013 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.269817114 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.272305965 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.272316933 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.272326946 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.272353888 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.272362947 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.274805069 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.274842024 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.274852037 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.274868965 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.274888039 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.277255058 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.277301073 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.277314901 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.277324915 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.277358055 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.277367115 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.279830933 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.279853106 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.279864073 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.279881001 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.279902935 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.281721115 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.281739950 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.281754971 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.281766891 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.281793118 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.283718109 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.283762932 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.283768892 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.283817053 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.283844948 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.283854008 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.283891916 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.285659075 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.285679102 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.285690069 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.285703897 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.285731077 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.287589073 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.287600040 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.287610054 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.287643909 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.287662029 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.289942026 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.289953947 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.289963961 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.289993048 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.290010929 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.291182041 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.291199923 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.291229010 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.291240931 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.291256905 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.291273117 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.291311026 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.292947054 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.292978048 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.292988062 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.292996883 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.293011904 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.293030977 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.294789076 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.294800997 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.294811010 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.294833899 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.294857025 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.296417952 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.296464920 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.296474934 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.296495914 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.296505928 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.298065901 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.298113108 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.298115015 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.298125982 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.298152924 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.298162937 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.299810886 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.299853086 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.299854040 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.299865007 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.299902916 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.301453114 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.301490068 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.301498890 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.301506996 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.301531076 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.301551104 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.303222895 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.303235054 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.303245068 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.303270102 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.303294897 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.304713964 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.304740906 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.304749966 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.304759026 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.304775000 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.304794073 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.306371927 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.306384087 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.306396008 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.306420088 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.306443930 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.308032036 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.308051109 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.308060884 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.308078051 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.308089972 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.309520006 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.309567928 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.309567928 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.309578896 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.309608936 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.310972929 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.311007977 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.311016083 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.311018944 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.311049938 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.312679052 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.312721968 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.312722921 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.312731981 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.312761068 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.314013004 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.314038992 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.314049006 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.314054012 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.314079046 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.314089060 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.315429926 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.315469980 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.315495968 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.315542936 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.315546036 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.315556049 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.315593958 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.316840887 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.316850901 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.316900969 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.317143917 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.317154884 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.317193031 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.318283081 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.318293095 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.318325996 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.318336010 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.318409920 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.318419933 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.318454027 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.319998026 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.320009947 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.320019960 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.320049047 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.320060015 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.321194887 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.321207047 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.321217060 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.321242094 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.321265936 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.322525024 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.322534084 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.322570086 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.322638988 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.322649002 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.322685957 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.324003935 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.324014902 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.324026108 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.324050903 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.324060917 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.325303078 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.325311899 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.325351000 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.325396061 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.325409889 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.325443983 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.326726913 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.326736927 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.326747894 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.326771975 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.326785088 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.328012943 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.328032017 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.328042030 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.328054905 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.328073978 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.330712080 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.330760002 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.330761909 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.330774069 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.330807924 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.330832958 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.330845118 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.330883026 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.336607933 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.336620092 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.336657047 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.336668015 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.336736917 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.336749077 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.336766958 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.336772919 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.336785078 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.336791039 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.336806059 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.336807966 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.336823940 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.336847067 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.342267036 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.342289925 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.342300892 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.342359066 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.342360973 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.342392921 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.342403889 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.342418909 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.342447042 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.350389004 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.350416899 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.350429058 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.350454092 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.350478888 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.350522995 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.350536108 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.350564957 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.350589991 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.350707054 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.350744009 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.350747108 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.350789070 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.355668068 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.355690956 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.355725050 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.355736971 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.355782032 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.355813026 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.355823994 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.355829954 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.355846882 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.355865002 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.355916023 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.355926991 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.355937958 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.355958939 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.355967999 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.363394976 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.363432884 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.363442898 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.363446951 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.363462925 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.363481045 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.363483906 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.363493919 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.363518000 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.363527060 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.363565922 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.363576889 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.363585949 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.363606930 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.363619089 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.370414019 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.370462894 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.370471001 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.370481968 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.370516062 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.370546103 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.370558023 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.370573044 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.370590925 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.370609045 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.370641947 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.370685101 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.376107931 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.376126051 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.376135111 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.376158953 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.376179934 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.376247883 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.376285076 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.376287937 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.376298904 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.376327038 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.376367092 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.376378059 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.376403093 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.376426935 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.381516933 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.381580114 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.381608963 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.381619930 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.381640911 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.381660938 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.381685019 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.381788015 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.381840944 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.381843090 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.381844044 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.381851912 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.381863117 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.381886959 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.381907940 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.384921074 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.384963989 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.384977102 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.384995937 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.385005951 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.385029078 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.385081053 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.385092020 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.385103941 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.385123014 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.385123014 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.385145903 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.385492086 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.385545015 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.385549068 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.385605097 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.390012026 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.390029907 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.390042067 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.390065908 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.390067101 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.390070915 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.390090942 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.390109062 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.390218973 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.390259027 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.390284061 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.390294075 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.390304089 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.390325069 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.390336037 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.395004034 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.395045042 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.395055056 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.395061970 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.395066023 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.395082951 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.395102978 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.395112038 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.395152092 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.395172119 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.395181894 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.395190954 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.395214081 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.395224094 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.399545908 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.399585962 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.399595022 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.399624109 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.399630070 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.399636030 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.399672985 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.399686098 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.399696112 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.399708033 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.399719954 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.399736881 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.399760962 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.404052973 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.404093981 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.404103994 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.404105902 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.404174089 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.404257059 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.404268026 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.404283047 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.404294014 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.404299021 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.404304028 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.404324055 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.404344082 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.406841993 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.406881094 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.406896114 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.406903028 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.406924963 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.406924963 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.406934977 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.406934977 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.406960964 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.406968117 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.406970978 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.407008886 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.407011986 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.407021999 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.407049894 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.407064915 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.411144018 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.411154032 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.411163092 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.411197901 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.411214113 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.411289930 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.411303043 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.411313057 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.411360025 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.411375999 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.411386013 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.411405087 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.411413908 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.411432028 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.415236950 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.415247917 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.415258884 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.415286064 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.415308952 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.415313959 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.415319920 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.415349007 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.415482044 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.415519953 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.415528059 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.415556908 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.419756889 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.419806957 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.419811964 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.419827938 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.419840097 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.419852972 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.419856071 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.419864893 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.419887066 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.419895887 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.420016050 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.420053959 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.420077085 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.420114994 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.425014019 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.425062895 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.425080061 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.425090075 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.425107002 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.425117016 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.425124884 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.425153971 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.425185919 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.425200939 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.425221920 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.425230026 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.425254107 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.425261974 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.439004898 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.439014912 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.439059973 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.439090014 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.439105034 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.439116001 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.439131975 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.439160109 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.439233065 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.439273119 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.439275026 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.439284086 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.439313889 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.444350004 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.444367886 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.444377899 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.444400072 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.444415092 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.444459915 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.444509983 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.444637060 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.444648027 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.444658995 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.444667101 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.444684029 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.444694996 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.444730043 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.452223063 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.452234030 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.452244043 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.452280998 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.452302933 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.452572107 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.452584028 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.452594995 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.452606916 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.452614069 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.452621937 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.452646017 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.459014893 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.459033966 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.459044933 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.459063053 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.459086895 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.459115028 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.459156990 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.459182024 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.459192991 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.459227085 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.459285021 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.459323883 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.464673996 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.464716911 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.464728117 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.464828968 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.464840889 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.464842081 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.464852095 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.464881897 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.464883089 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.464900970 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.464925051 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.470144987 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.470211983 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.470223904 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.470231056 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.470249891 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.470264912 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.470271111 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.470277071 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.470310926 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.470319033 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.470324993 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.470330954 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.470357895 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.470366955 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.473622084 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.473632097 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.473669052 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.473675966 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.473706007 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.473714113 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.473726034 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.473748922 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.473757982 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.473767996 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.473793983 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.473829985 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.473841906 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.473870993 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.473881960 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.478780031 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.478830099 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.478831053 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.478842974 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.478874922 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.478943110 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.478954077 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.478965044 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.478975058 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.478990078 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.479032040 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.483850956 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.483907938 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.483921051 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.483932018 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.483959913 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.483998060 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.484009027 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.484020948 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.484031916 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.484035969 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.484064102 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.484086037 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.488183022 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.488203049 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.488214016 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.488233089 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.488255978 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.488312960 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.488357067 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.488426924 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.488437891 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.488451004 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.488460064 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.488468885 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.488485098 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.488511086 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.492891073 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.492904902 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.492913961 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.492923021 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.492929935 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.492933035 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.492947102 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.492978096 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.493002892 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.493040085 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.493043900 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.493083000 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.495819092 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.495829105 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.495841026 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.495867968 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.495892048 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.495894909 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.495903969 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.495914936 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.495930910 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.495930910 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.495942116 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.495949030 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.495975971 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.499816895 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.499828100 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.499838114 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.499849081 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.499871969 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.499883890 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.499943972 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.499984026 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.500010014 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.500020027 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.500029087 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.500049114 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.500063896 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.500076056 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.503678083 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.503726959 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.503751993 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.503773928 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.503793001 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.503810883 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.503827095 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.503838062 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.503848076 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.503874063 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.503901958 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.503937006 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.503947020 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.503985882 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.508529902 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.508620977 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.508630991 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.508644104 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.508677959 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.508704901 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.508714914 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.508725882 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.508738041 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.508749008 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.508761883 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.508788109 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.513617039 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.513637066 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.513648033 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.513669014 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.513680935 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.513859987 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.513870955 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.513881922 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.513904095 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.513906956 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.513925076 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.513942957 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.514002085 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.514045954 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.527532101 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.527559996 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.527570963 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.527596951 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.527611017 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.527709961 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.527729988 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.527740955 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.527750015 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.527777910 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.527784109 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.527795076 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.527825117 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.533023119 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.533063889 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.533072948 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.533116102 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.533142090 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.533169985 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.533216000 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.533226967 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.533240080 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.533278942 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.533341885 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.533351898 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.533386946 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.540543079 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.540553093 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.540591955 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.540608883 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.540637970 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.540638924 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.540649891 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.540688038 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.540724039 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.540736914 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.540747881 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.540770054 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.540793896 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.547399044 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.547444105 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.547455072 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.547467947 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.547499895 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.547544003 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.547584057 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.547600985 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.547615051 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.547638893 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.547650099 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.547653913 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.547662020 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.547687054 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.547703028 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.563859940 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.563910961 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.563922882 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.563927889 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.563946009 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.563970089 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.564030886 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.564042091 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.564054012 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.564064980 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.564074993 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.564109087 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.564232111 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.564280033 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.564332008 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.564351082 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.564367056 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.564371109 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.564384937 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.564400911 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.564446926 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.564459085 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.564470053 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.564491034 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.564502001 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.564573050 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.564594030 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.564627886 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.564647913 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.565262079 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.565304041 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.565309048 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.565315962 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.565354109 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.565360069 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.565404892 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.567343950 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.567389965 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.567399025 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.567410946 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.567440987 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.567451000 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.567617893 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.567630053 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.567641020 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.567652941 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.567652941 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.567667961 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.567692995 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.572324038 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.572369099 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.572380066 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.572381020 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.572402000 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.572407961 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.572426081 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.572436094 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.572469950 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.572484970 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.572501898 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.572527885 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.572556973 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.576750994 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.576807022 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.576808929 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.576821089 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.576854944 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.576865911 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.576886892 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.576899052 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.576909065 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.576920033 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.576934099 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.576966047 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.581147909 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.581159115 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.581188917 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.581201077 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.581228971 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.581233025 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.581244946 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.581274033 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.581286907 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.581305981 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.581316948 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.581327915 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.581341982 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.581357956 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.581370115 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.584333897 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.584376097 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.584386110 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.584387064 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.584418058 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.584429979 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.584451914 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.584496975 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.584510088 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.584522009 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.584552050 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.584561110 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.584562063 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.584573030 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.584593058 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.584609032 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.588826895 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.588877916 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.588881016 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.588890076 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.588941097 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.588948011 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.588953972 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.588965893 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.588975906 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.588979959 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.589008093 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.589021921 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.592430115 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.592442036 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.592453957 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.592484951 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.592502117 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.592515945 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.592526913 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.592538118 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.592549086 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.592559099 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.592569113 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.592595100 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.597256899 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.597268105 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.597280025 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.597290993 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.597311974 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.597349882 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.597377062 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.597388029 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.597398043 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.597418070 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.597445965 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.602214098 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.602262020 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.602262974 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.602273941 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.602299929 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.602299929 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.602313042 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.602339029 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.602360010 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.602406979 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.602436066 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.602447987 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.602456093 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.602483988 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.602495909 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.616144896 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.616195917 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.616214037 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.616233110 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.616244078 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.616255999 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.616262913 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.616286039 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.616319895 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.616357088 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.616370916 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.616381884 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.616410971 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.616420984 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.616585016 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.616619110 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.621478081 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.621525049 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.621532917 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.621545076 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.621572971 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.621577978 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.621587992 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.621617079 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.621620893 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.621660948 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.621762037 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.621809006 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.621834993 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.621879101 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.629218102 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.629257917 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.629268885 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.629270077 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.629295111 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.629300117 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.629312992 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.629324913 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.629336119 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.629363060 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.629462004 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.629472971 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.629503012 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.636024952 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.636065006 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.636074066 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.636116028 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.636116982 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.636138916 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.636164904 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.636183023 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.636220932 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.636230946 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.636243105 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.636261940 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.636279106 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.636303902 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.641849995 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.641896963 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.641900063 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.641907930 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.641932964 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.641942978 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.641954899 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.641966105 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.641990900 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.642008066 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.642110109 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.642127991 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.642148972 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.642164946 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.647275925 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.647285938 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.647295952 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.647330046 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.647352934 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.647360086 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.647402048 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.647419930 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.647430897 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.647464991 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.647475004 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.647490978 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.647500992 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.647536039 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.647546053 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.650830030 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.650876045 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.650918961 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.650934935 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.650966883 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.650975943 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.650990009 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.651000977 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.651027918 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.651038885 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.651062012 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.651093006 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.651110888 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.651148081 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.655946016 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.655956030 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.655966043 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.655986071 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.656002045 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.656043053 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.656089067 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.656091928 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.656101942 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.656127930 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.656130075 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.656140089 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.656147003 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.656167984 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.660831928 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.660866022 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.660876036 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.660877943 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.660897970 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.660916090 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.660953045 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.660980940 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.660990953 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.660996914 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.661011934 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.661020994 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.661062956 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.661073923 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.661103964 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.665350914 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.665379047 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.665386915 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.665417910 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.665453911 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.665484905 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.665513992 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.665524960 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.665525913 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.665559053 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.665565014 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.665612936 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.665936947 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.665982962 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.669876099 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.669888020 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.669899940 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.669919968 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.669934034 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.669945955 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.669946909 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.669967890 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.669971943 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.669995070 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.670007944 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.670013905 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.670044899 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.672858953 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.672868967 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.672909021 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.672914028 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.672945023 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.672951937 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.672959089 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.672991037 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.673000097 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.673027992 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.673039913 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.673051119 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.673072100 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.673083067 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.677405119 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.677417040 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.677432060 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.677463055 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.677474022 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.677520037 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.677550077 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.677561998 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.677566051 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.677577972 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.677586079 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.677598000 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.677613974 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.677916050 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.677961111 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.681169033 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.681216955 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.681245089 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.681246996 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.681257010 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.681272984 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.681281090 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.681283951 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.681308031 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.681317091 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.681503057 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.681545973 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.681583881 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.681595087 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.681606054 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.681632042 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.681644917 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.685714960 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.685726881 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.685739040 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.685760975 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.685789108 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.685858011 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.685868979 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.685879946 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.685894012 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.685900927 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.685905933 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.685924053 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.685947895 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.690802097 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.690814018 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.690824986 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.690836906 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.690857887 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.690879107 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.691010952 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.691030979 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.691041946 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.691057920 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.691076994 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.691092968 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.691121101 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.704852104 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.704884052 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.704895973 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.704895973 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.704921007 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.704937935 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.704974890 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.705018997 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.705032110 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.705044031 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.705066919 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.705075026 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.705106974 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.705676079 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.705724955 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.710084915 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.710130930 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.710211039 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.710220098 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.710230112 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.710238934 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.710257053 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.710283041 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.710419893 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.710467100 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.710469007 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.710510969 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.710549116 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.710594893 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.710619926 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.710660934 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.722054958 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.722073078 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.722084045 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.722127914 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.722162962 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.722166061 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.722173929 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.722183943 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.722209930 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.722237110 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.722249985 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.722290993 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.724956989 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.724970102 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.724980116 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.725016117 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.725042105 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.725066900 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.725079060 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.725095034 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.725109100 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.725109100 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.725126982 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.725141048 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.732526064 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.732578039 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.732589006 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.732606888 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.732634068 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.732660055 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.732671976 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.732682943 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.732695103 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.732706070 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.732723951 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.732749939 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.736102104 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.736155033 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.736180067 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.736191988 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.736229897 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.736268044 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.736279964 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.736296892 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.736308098 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.736313105 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.736347914 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.739588022 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.739622116 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.739633083 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.739645004 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.739675045 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.739759922 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.739770889 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.739805937 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.739818096 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.739861012 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.739902020 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.739907980 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.739949942 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.744647026 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.744657993 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.744695902 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.744784117 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.744796038 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.744807959 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.744829893 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.744848967 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.744856119 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.744868040 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.744879007 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.744898081 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.744919062 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.749866009 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.749885082 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.749897957 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.749908924 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.749922037 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.749934912 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.749943018 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.749947071 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.749979973 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.750015020 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.754025936 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.754074097 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.754160881 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.754168987 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.754179955 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.754189968 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.754201889 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.754208088 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.754234076 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.754285097 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.754321098 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.754631042 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.754671097 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.758498907 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.758514881 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.758541107 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.758542061 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.758559942 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.758573055 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.758585930 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.758595943 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.758622885 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.758630991 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.758654118 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.758691072 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.759063959 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.759074926 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.759113073 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.763371944 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.763390064 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.763411045 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.763422966 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.763447046 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.763457060 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.763457060 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.763492107 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.763518095 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.763529062 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.763556004 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.763565063 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.763581038 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.763591051 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.763619900 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.767327070 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.767368078 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.767427921 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.767438889 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.767453909 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.767462969 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.767463923 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.767477036 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.767496109 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.767570972 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.767610073 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.767611027 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.767647028 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.770169973 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.770186901 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.770201921 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.770212889 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.770222902 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.770260096 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.770287037 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.770298004 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.770308018 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.770318985 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.770334959 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.770359993 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.774344921 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.774355888 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.774365902 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.774382114 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.774384022 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.774405003 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.774432898 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.774435997 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.774447918 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.774476051 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.774480104 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.774486065 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.774492025 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.774521112 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.774530888 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.779421091 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.779441118 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.779452085 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.779463053 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.779475927 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.779496908 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.779563904 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.779575109 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.779603004 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.779612064 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.779701948 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.779737949 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.779793024 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.779830933 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.794295073 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.794306040 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.794317961 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.794343948 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.794363976 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.794380903 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.794392109 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.794403076 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.794421911 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.794437885 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.794603109 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.794641972 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.798826933 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.798837900 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.798867941 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.798877954 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.798909903 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.798919916 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.798952103 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.798965931 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.798985004 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.799029112 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.799030066 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.799038887 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.799072027 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.799077988 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.799083948 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.799124002 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.809487104 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.809505939 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.809537888 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.809542894 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.809545994 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.809590101 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.809623957 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.809667110 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.809674025 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.809685946 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.809710979 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.809720993 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.809743881 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.809755087 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.809779882 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.809788942 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.813654900 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.813674927 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.813687086 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.813699961 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.813709021 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.813726902 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.813759089 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.813801050 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.813815117 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.813827991 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.813868046 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.813873053 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.813918114 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.821063995 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.821074009 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.821125031 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.821186066 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.821199894 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.821211100 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.821229935 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.821238995 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.821261883 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.821266890 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.821273088 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.821293116 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.821322918 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.824589014 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.824606895 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.824635029 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.824645996 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.824664116 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.824681044 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.824707985 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.824717045 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.824750900 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.824795961 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.824801922 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.824812889 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.824841976 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.824851990 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.825098991 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.825166941 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.828371048 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.828388929 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.828399897 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.828414917 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.828424931 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.828500986 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.828511953 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.828522921 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.828536034 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.828536987 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.828562021 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.828582048 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.833348036 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.833396912 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.833403111 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.833414078 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.833444118 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.833455086 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.833503962 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.833544016 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.833558083 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.833570004 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.833595991 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.833600044 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.833611012 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.833631992 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.833936930 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.833978891 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.838378906 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.838388920 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.838423967 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.838435888 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.838455915 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.838474989 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.838489056 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.838500023 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.838510036 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.838527918 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.838565111 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.838596106 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.838628054 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.838640928 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.838668108 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.842853069 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.842866898 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.842876911 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.842900038 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.842921019 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.842922926 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.842933893 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.842945099 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.842956066 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.842978954 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.842998981 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.843035936 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.847208023 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.847248077 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.847254992 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.847285032 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.847338915 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.847349882 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.847363949 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.847373962 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.847390890 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.847403049 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.847421885 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.847428083 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.847439051 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.847462893 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.847472906 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.852076054 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.852088928 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.852102995 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.852113962 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.852123976 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.852152109 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.852164984 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.852176905 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.852188110 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.852221966 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.852236986 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.856018066 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.856029987 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.856041908 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.856076956 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.856077909 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.856089115 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.856101036 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.856101990 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.856123924 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.856144905 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.856178045 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.856189013 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.856219053 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.858891964 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.858902931 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.858913898 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.858949900 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.858959913 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.858961105 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.858972073 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.858989000 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.859026909 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.859716892 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.859765053 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.862987041 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.863044024 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.863054991 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.863073111 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.863086939 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.863107920 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.863146067 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.863157034 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.863172054 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.863188982 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.863195896 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.863208055 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.863214970 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.863238096 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.863245010 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.868088007 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.868099928 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.868109941 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.868140936 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.868151903 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.868185997 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.868197918 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.868210077 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.868232012 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.868252039 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.868257046 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.868294001 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.882931948 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.882944107 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.882953882 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.882994890 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.883021116 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.883023977 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.883035898 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.883047104 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.883060932 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.883094072 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.883367062 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.883420944 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.883522034 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.883568048 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.887355089 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.887392998 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.887409925 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.887423992 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.887428999 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.887460947 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.887518883 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.887531042 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.887542963 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.887561083 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.887567043 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.887573957 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.887593985 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.887604952 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.887957096 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.888004065 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.898205042 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.898245096 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.898255110 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.898294926 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.898313046 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.898436069 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.898447037 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.898473978 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.898483038 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.898500919 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.898520947 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.898549080 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.898588896 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.902041912 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.902089119 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.902093887 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.902100086 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.902144909 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.902174950 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.902199984 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.902211905 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.902213097 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.902245998 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.902271032 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.902296066 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.902307987 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.902337074 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.902369022 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.909708977 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.909789085 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.909827948 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.909841061 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.909872055 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.909883022 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.909893990 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.909904957 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.910017967 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.913702965 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.913744926 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.913757086 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.913762093 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.913779020 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.913788080 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.913800955 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.913831949 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.913877010 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.913919926 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.913943052 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.913955927 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.913966894 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.913985014 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.914002895 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.916964054 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.916984081 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.916995049 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.917021036 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.917033911 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.917077065 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.917114019 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.917115927 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.917125940 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.917154074 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.917171955 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.917185068 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.917196035 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.917222977 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.917233944 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.922034025 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.922080040 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.922086954 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.922097921 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.922122955 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.922138929 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.922168016 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.922179937 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.922213078 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.922226906 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.922322035 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.922358036 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.922373056 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.922415972 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.926924944 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.926961899 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.926970959 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.926973104 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.927000999 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.927012920 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.927052021 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.927100897 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.927103043 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.927139997 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.927300930 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.927313089 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.927325010 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.927342892 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.927354097 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.927376032 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.931454897 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.931469917 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.931480885 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.931497097 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.931513071 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.931514025 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.931526899 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.931554079 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.931582928 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.931582928 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.931596041 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.931622028 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.931639910 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.935837984 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.935883999 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.935885906 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.935898066 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.935909986 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.935925007 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.935945034 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.936038017 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.936072111 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.936084032 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.936084032 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.936094046 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.936105013 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.936124086 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.936134100 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.940623999 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.940673113 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.940690041 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.940707922 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.940721035 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.940732956 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.940736055 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.940754890 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.940756083 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.940768003 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.940783024 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.940792084 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.940828085 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.940838099 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.944659948 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.944674969 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.944688082 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.944699049 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.944710970 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.944746971 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.944767952 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.944824934 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.944837093 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.944849968 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.944860935 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.944875002 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.944891930 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.948402882 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.948451042 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.948476076 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.948493004 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.948504925 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.948517084 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.948520899 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.948548079 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.948560953 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.948573112 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.948575020 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.948585987 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.948604107 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.948626041 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.951710939 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.951723099 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.951734066 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.951756001 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.951780081 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.951831102 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.951843023 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.951853991 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.951890945 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.951984882 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.952024937 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.956547976 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.956568003 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.956578970 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.956597090 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.956625938 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.956686020 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.956728935 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.956731081 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.956741095 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.956773043 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.956783056 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.956856012 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.956867933 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.956901073 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.971775055 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.971795082 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.971807003 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.971827030 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.971847057 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.971935034 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.971946955 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.971959114 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.971968889 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.971985102 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.972008944 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.976169109 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.976217985 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.976227045 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.976238012 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.976267099 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.976277113 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.976293087 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.976304054 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.976315975 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.976331949 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.976334095 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.976346016 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.976377964 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.976385117 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.976423979 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.986810923 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.986830950 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.986845970 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.986860037 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.986871958 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.986891031 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.986943007 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.986953974 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.986964941 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.986989975 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.987010956 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.987545967 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.987595081 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.990726948 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.990777016 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.990777969 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.990788937 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.990814924 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.990865946 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.990878105 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.990880013 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.990889072 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.990900040 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:19.990951061 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:19.990951061 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.003308058 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.003350973 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.003362894 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.003490925 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.003562927 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.003578901 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.003590107 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.003601074 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.003613949 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.003654957 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.003748894 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.003787994 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.003797054 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.003823996 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.003830910 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.003835917 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.003870964 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.003941059 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.003952980 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.003962994 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.003979921 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.004004002 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.005909920 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.005958080 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.005965948 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.005978107 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.006007910 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.006025076 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.006340027 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.006351948 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.006362915 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.006381035 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.006398916 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.006403923 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.006437063 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.010823011 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.010868073 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.010874987 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.010885954 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.010898113 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.010910988 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.010931015 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.010967970 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.010979891 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.011023045 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.011043072 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.011085987 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.024323940 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.024373055 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.024374962 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.024384975 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.024415016 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.024429083 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.024557114 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.024569035 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.024580002 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.024590969 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.024601936 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.024621010 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.024632931 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.024650097 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.024841070 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.024863005 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.024873972 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.024883986 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.024888039 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.024899006 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.024902105 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.024909973 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.024919033 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.024926901 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.024929047 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.024936914 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.024949074 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.024959087 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.024962902 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.024971962 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.024987936 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.025017977 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.025041103 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.025052071 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.025063038 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.025087118 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.025098085 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.029565096 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.029607058 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.029616117 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.029642105 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.029659986 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.029670954 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.029683113 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.029706955 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.029732943 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.029917002 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.029928923 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.029963017 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.033601999 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.033651114 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.033651114 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.033663034 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.033694983 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.033709049 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.033730030 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.033742905 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.033751965 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.033765078 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.033772945 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.033807039 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.037579060 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.037627935 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.037897110 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.037946939 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.037959099 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.037965059 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.037992954 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.038028002 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.038053989 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.038064003 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.038074970 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.038090944 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.038104057 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.038127899 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.040616989 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.040636063 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.040647030 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.040663958 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.040688038 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.040776968 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.040788889 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.040800095 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.040822029 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.040848970 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.040908098 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.040919065 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.040951014 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.053859949 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.053878069 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.053889036 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.053913116 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.053915977 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.053924084 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.053935051 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.053941965 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.053946018 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.053972006 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.053986073 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.062135935 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.062167883 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.062177896 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.062191963 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.062205076 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.062680960 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.062691927 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.062702894 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.062714100 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.062730074 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.062752008 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.065108061 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.065126896 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.065138102 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.065164089 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.065192938 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.065259933 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.065272093 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.065283060 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.065296888 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.065311909 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.065331936 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.065356016 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.076265097 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.076289892 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.076301098 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.076349974 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.076381922 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.076410055 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.076421976 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.076431036 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.076443911 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.076456070 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.076488018 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.079262972 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.079319000 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.079325914 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.079338074 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.079372883 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.079447031 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.079458952 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.079503059 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.079536915 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.079550028 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.079576969 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.079607010 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.091892958 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.091914892 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.091957092 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.091976881 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.091984034 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.091989994 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.092022896 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.092032909 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.092032909 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.092035055 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.092063904 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.092076063 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.092096090 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.092137098 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.092216015 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.092262983 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.092288971 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.092327118 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.092346907 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.092381954 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.092389107 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.092394114 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.092418909 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.092442989 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.092498064 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.092508078 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.092519045 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.092541933 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.092571020 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.094260931 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.094296932 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.094309092 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.094312906 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.094333887 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.094336987 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.094347000 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.094373941 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.094456911 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.094501019 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.094520092 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.094532013 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.094567060 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.094588995 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.094614983 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.099728107 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.099780083 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.099811077 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.099822998 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.099854946 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.099858046 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.099896908 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.099925041 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.099941015 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.099972010 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.099984884 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.099999905 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.100012064 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.100049019 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.107649088 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.107680082 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.107690096 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.107700109 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.107728004 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.107791901 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.107835054 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.107866049 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.107906103 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.107923985 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.107934952 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.107944965 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.107971907 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.107992887 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.112622976 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.112665892 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.112673044 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.112678051 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.112706900 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.112719059 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.112734079 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.112751961 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.112780094 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.112795115 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.112915039 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.112958908 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.113045931 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.113090992 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.113388062 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.113428116 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.113431931 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.113440037 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.113464117 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.113485098 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.113540888 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.113553047 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.113562107 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.113573074 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.113588095 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.113616943 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.118206024 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.118256092 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.118258953 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.118269920 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.118304968 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.118333101 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.118413925 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.118424892 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.118436098 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.118462086 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.118469954 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.118480921 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.118486881 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.118513107 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.118525028 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.122097015 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.122117043 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.122131109 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.122143984 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.122155905 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.122181892 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.122237921 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.122282982 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.122308969 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.122350931 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.122394085 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.122405052 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.122416019 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.122440100 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.122463942 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.127593040 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.127629995 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.127640963 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.127649069 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.127672911 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.127688885 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.127739906 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.127753973 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.127763987 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.127774954 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.127785921 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.127803087 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.127830982 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.130270004 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.130280972 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.130299091 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.130309105 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.130315065 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.130326986 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.130327940 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.130337000 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.130353928 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.130376101 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.141515970 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.141554117 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.141565084 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.141566992 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.141596079 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.141633034 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.141644955 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.141655922 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.141679049 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.141704082 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.141738892 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.141752005 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.141787052 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.150661945 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.150676966 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.150712013 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.150713921 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.150723934 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.150753021 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.150778055 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.150835037 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.150847912 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.150859118 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.150881052 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.150907040 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.154041052 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.154057026 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.154069901 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.154081106 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.154093027 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.154093981 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.154103994 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.154109955 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.154119968 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.154131889 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.154149055 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.154170990 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.164709091 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.164752007 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.164762974 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.164788961 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.164809942 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.164824009 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.164890051 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.164901972 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.164911985 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.164933920 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.164933920 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.164952040 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.164973974 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.165229082 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.165272951 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.167956114 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.168004036 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.168006897 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.168020010 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.168040991 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.168055058 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.168098927 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.168116093 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.168135881 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.168143988 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.168160915 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.168176889 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.168345928 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.168390036 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.168390036 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.168437958 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.180402040 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.180413008 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.180448055 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.180459976 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.180500984 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.180510998 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.180511951 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.180524111 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.180538893 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.180552006 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.180568933 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.180569887 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.180629969 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.180960894 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.181008101 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.181114912 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.181159019 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.181181908 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.181217909 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.181235075 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.181277037 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.181288958 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.181301117 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.181310892 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.181333065 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.181356907 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.181576014 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.181621075 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.181631088 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.181669950 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.182909966 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.182950020 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.182960987 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.182962894 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.182993889 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.182993889 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.183010101 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.183032990 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.183057070 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.183105946 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.183118105 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.183128119 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.183152914 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.183176041 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.188447952 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.188466072 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.188477039 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.188498974 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.188513041 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.188533068 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.188575029 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.188648939 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.188694000 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.188736916 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.188749075 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.188757896 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.188785076 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.188810110 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.196470022 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.196487904 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.196499109 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.196525097 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.196535110 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.196557999 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.196568966 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.196579933 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.196599960 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.196629047 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.196686029 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.196697950 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.196724892 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.196752071 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.201271057 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.201291084 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.201301098 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.201323032 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.201334953 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.201462030 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.201473951 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.201486111 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.201509953 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.201519966 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.201529980 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.201541901 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.201576948 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.201936007 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.201946974 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.201957941 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.201976061 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.201981068 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.202003956 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.202034950 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.202280045 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.202327013 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.202328920 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.202341080 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.202349901 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.202366114 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.202392101 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.206955910 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.206996918 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.207010031 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.207010031 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.207034111 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.207036972 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.207051039 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.207067013 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.207360983 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.207381010 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.207391977 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.207398891 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.207402945 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.207412958 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.207432985 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.207442999 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.210832119 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.210853100 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.210865021 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.210927963 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.210941076 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.211000919 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.211061001 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.211105108 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.211119890 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.211160898 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.216092110 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.216140032 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.216146946 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.216150045 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.216162920 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.216186047 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.216187954 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.216196060 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.216219902 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.216234922 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.216243982 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.216255903 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.216295004 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.218847990 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.218897104 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.218899012 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.218911886 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.218940020 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.218961000 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.219014883 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.219027042 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.219038010 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.219049931 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.219065905 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.219088078 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.230233908 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.230299950 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.230312109 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.230323076 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.230331898 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.230344057 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.230364084 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.230489016 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.230500937 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.230511904 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.230549097 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.230561972 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.230619907 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.230667114 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.239247084 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.239267111 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.239280939 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.239327908 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.239341974 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.239397049 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.239408970 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.239420891 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.239434004 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.239440918 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.239455938 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.239486933 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.242578983 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.242644072 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.242671013 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.242701054 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.242711067 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.242713928 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.242753029 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.242777109 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.242789030 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.242800951 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.242820978 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.242842913 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.253667116 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.253706932 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.253717899 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.253730059 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.253756046 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.253819942 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.253832102 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.253842115 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.253853083 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.253865957 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.253894091 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.256934881 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.256946087 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.256957054 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.256977081 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.256987095 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.256997108 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.256998062 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.257009983 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.257019043 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.257034063 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.257052898 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.269088984 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.269141912 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.269169092 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.269179106 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.269191027 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.269212961 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.269218922 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.269258022 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.269397974 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.269440889 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.269449949 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.269462109 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.269488096 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.269500017 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.269539118 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.269572020 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.269723892 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.269763947 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.269783974 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.269794941 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.269825935 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.269896030 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.269906998 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.269917965 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.269933939 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.269953012 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.269968033 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.269989014 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.271733046 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.271750927 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.271763086 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.271778107 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.271790028 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.271796942 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.271801949 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.271806955 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.271831036 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.271851063 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.271852970 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.271888018 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.277090073 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.277131081 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.277137995 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.277143002 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.277182102 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.277240038 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.277251959 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.277287960 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.277363062 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.277410030 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.277441025 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.277486086 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.285042048 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.285108089 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.285135984 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.285145998 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.285185099 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.285187006 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.285201073 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.285226107 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.285260916 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.285343885 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.285362959 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.285375118 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.285393000 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.285408974 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.285414934 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.285454988 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.290210009 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.290245056 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.290256977 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.290265083 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.290276051 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.290298939 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.290359020 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.290405035 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.290436983 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.290448904 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.290482044 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.290482044 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.290514946 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.290518999 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.290528059 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.290538073 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.290554047 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.290570974 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.290704012 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.290750027 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.290774107 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.290786028 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.290818930 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.290839911 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.290855885 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.290879011 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.290904999 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.295610905 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.295653105 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.295655966 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.295690060 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.295700073 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.295720100 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.295732021 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.295743942 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.295753956 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.295759916 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.295778036 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.295790911 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.295820951 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.295833111 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.295867920 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.299489021 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.299500942 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.299511909 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.299535990 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.299540043 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.299549103 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.299556971 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.299560070 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.299582005 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.299607038 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.299632072 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.299643993 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.299690008 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.304541111 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.304562092 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.304573059 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.304594040 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.304626942 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.304683924 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.304739952 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.304753065 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.304797888 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.304809093 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.304884911 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.307423115 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.307441950 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.307451963 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.307471037 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.307492971 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.307558060 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.307570934 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.307589054 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.307600975 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.307604074 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.307631969 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.307643890 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.307646990 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.307686090 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.319025993 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.319077969 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.319081068 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.319089890 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.319116116 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.319139004 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.319159985 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.319171906 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.319183111 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.319199085 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.319226027 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.319242954 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.319291115 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.327845097 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.327893019 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.327920914 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.327931881 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.327967882 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.327967882 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.327991962 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.328010082 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.328047991 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.328059912 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.328074932 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.328087091 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.328095913 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.328109980 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.328140974 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.331116915 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.331172943 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.331176996 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.331183910 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.331214905 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.331245899 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.331300974 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.331320047 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.331331015 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.331348896 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.331367016 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.331373930 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.331403971 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.331681013 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.331727028 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.342219114 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.342261076 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.342272043 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.342279911 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.342298985 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.342319012 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.342329979 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.342375994 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.342398882 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.342446089 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.342469931 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.342482090 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.342493057 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.342508078 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.342521906 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.342541933 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.345417023 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.345472097 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.345494032 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.345509052 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.345525980 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.345539093 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.345539093 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.345552921 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.345575094 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.345594883 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.345671892 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.345685005 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.345696926 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.345719099 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.345741987 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.357775927 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.357817888 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.357845068 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.357857943 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.357868910 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.357886076 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.357904911 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.358053923 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.358066082 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.358083963 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.358098030 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.358122110 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.358141899 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.358181000 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.358356953 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.358393908 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.358401060 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.358413935 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.358438969 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.358450890 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.358521938 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.358534098 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.358544111 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.358556032 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.358567953 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.358597040 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.360351086 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.360362053 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.360373020 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.360399008 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.360414028 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.360416889 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.360425949 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.360450029 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.360461950 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.360750914 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.360793114 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.360824108 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.360867977 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.365689039 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.365737915 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.365747929 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.365760088 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.365789890 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.365813017 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.365814924 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.365859985 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.365880966 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.365926027 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.365952015 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.365962982 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.365973949 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.366000891 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.366024971 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.373796940 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.373842955 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.373851061 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.373862028 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.373895884 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.373899937 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.373936892 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.373964071 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.373974085 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.374006987 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.374044895 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.374056101 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.374085903 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.378906012 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.378917933 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.378930092 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.378959894 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.378974915 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.379054070 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.379065037 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.379077911 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.379090071 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.379106045 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.379136086 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.379230022 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.379277945 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.379277945 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.379288912 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.379319906 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.379338980 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.379359007 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.379369974 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.379380941 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.379391909 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.379405022 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.379465103 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.379483938 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.384320021 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.384375095 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.384378910 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.384392023 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.384404898 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.384421110 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.384440899 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.384471893 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.384516001 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.384521961 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.384526968 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.384565115 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.384565115 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.384584904 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.384629011 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.388151884 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.388180017 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.388192892 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.388202906 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.388214111 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.388241053 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.388339996 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.388351917 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.388364077 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.388380051 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.388391018 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.388417959 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.393484116 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.393495083 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.393506050 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.393536091 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.393547058 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.393573999 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.393584967 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.393595934 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.393611908 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.393634081 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.393646002 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.393687010 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.396065950 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.396078110 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.396116018 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.396136999 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.396178961 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.396181107 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.396190882 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.396219969 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.396265030 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.396275043 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.396281004 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.396322966 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.407623053 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.407633066 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.407644033 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.407681942 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.407713890 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.407726049 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.407737017 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.407746077 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.407773018 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.408034086 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.408057928 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.408081055 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.408109903 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.416594982 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.416614056 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.416639090 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.416665077 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.416671991 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.416683912 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.416712046 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.416732073 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.416762114 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.416773081 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.416800022 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.416820049 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.416865110 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.416906118 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.420077085 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.420123100 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.420140028 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.420150042 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.420181990 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.420213938 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.420253038 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.420289993 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.420301914 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.420331001 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.420346022 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.420356989 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.420381069 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.420408964 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.430934906 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.430948019 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.430958986 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.431010962 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.431032896 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.431057930 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.431076050 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.431087017 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.431099892 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.431102037 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.431113005 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.431118965 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.431143045 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.431175947 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.434156895 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.434212923 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.434252977 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.434262991 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.434274912 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.434288025 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.434293032 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.434298038 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.434333086 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.434340000 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.434350967 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.434385061 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.446365118 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.446419954 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.446449041 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.446459055 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.446496964 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.446516991 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.446533918 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.446544886 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.446571112 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.446584940 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.446855068 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.446898937 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.446913004 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.446954966 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.447072983 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.447117090 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.447123051 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.447134972 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.447164059 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.447194099 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.447206974 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.447242975 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.447566032 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.447609901 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.447626114 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.447670937 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.448981047 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.448992968 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.449004889 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.449028015 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.449038029 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.449101925 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.449114084 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.449126005 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.449137926 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.449156046 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.449166059 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.449191093 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.454359055 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.454407930 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.454437971 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.454453945 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.454482079 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.454483986 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.454505920 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.454530954 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.454551935 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.454595089 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.454643011 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.454653978 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.454672098 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.454689026 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.454741001 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.462582111 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.462594032 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.462610960 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.462636948 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.462660074 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.462667942 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.462681055 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.462709904 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.462722063 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.462723017 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.462740898 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.462755919 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.462820053 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.462860107 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.467573881 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.467585087 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.467596054 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.467623949 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.467643023 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.467703104 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.467715025 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.467725992 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.467736959 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.467750072 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.467773914 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.467924118 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.467967033 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.467968941 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.467981100 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.468014002 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.468020916 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.468031883 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.468061924 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.468084097 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.468461037 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.468502045 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.468507051 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.468549967 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.473052025 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.473100901 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.473107100 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.473119020 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.473153114 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.473205090 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.473217010 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.473227024 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.473237991 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.473253012 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.473274946 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.476762056 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.476809025 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.476814032 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.476825953 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.476856947 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.476860046 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.476895094 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.476984978 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.476996899 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.477009058 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.477022886 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.477032900 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.477058887 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.477082968 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.482105970 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.482125998 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.482136965 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.482153893 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.482172966 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.482305050 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.482316017 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.482326984 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.482342958 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.482351065 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.482369900 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.482393026 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.484904051 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.484949112 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.484955072 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.484966040 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.484999895 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.485057116 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.485068083 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.485080004 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.485090017 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.485106945 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.485119104 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.496362925 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.496385098 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.496396065 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.496478081 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.496478081 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.496507883 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.496520042 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.496530056 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.496541977 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.496558905 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.496571064 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.496599913 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.505264997 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.505306005 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.505316973 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.505332947 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.505342960 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.505362034 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.505398035 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.505410910 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.505443096 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.505467892 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.505480051 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.505503893 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.505527020 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.509078026 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.509123087 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.509124994 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.509135962 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.509169102 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.509176016 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.509191990 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.509205103 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.509217024 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.509222031 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.509248018 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.519784927 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.519839048 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.519840002 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.519850969 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.519902945 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.519902945 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.519999981 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.520011902 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.520023108 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.520034075 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.520047903 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.520059109 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.520085096 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.522819996 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.522840977 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.522850990 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.522866964 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.522886038 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.522980928 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.522993088 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.523005009 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.523027897 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.523040056 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.523081064 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.523127079 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.523319960 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.523364067 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.535075903 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.535087109 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.535098076 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.535125971 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.535145044 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.535156965 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.535200119 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.535281897 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.535329103 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.535352945 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.535366058 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.535392046 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.535433054 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.535578966 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.535617113 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.535634041 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.535645008 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.535667896 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.535676003 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.535701990 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.535715103 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.535748959 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.536088943 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.536102057 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.536113977 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.536123037 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.536125898 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.536142111 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.536164999 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.537632942 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.537676096 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.537682056 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.537688017 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.537727118 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.537790060 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.537801027 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.537811995 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.537822962 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.537831068 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.537844896 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.537868023 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.543071032 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.543123007 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.543124914 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.543138027 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.543173075 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.543176889 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.543222904 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.543283939 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.543333054 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.543337107 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.543349981 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.543361902 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.543384075 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.543409109 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.551568031 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.551606894 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.551619053 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.551620007 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.551650047 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.551736116 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.551748037 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.551759005 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.551770926 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.551781893 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.551798105 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.551820040 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.565052032 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.565184116 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.565201998 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.565215111 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.565222979 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.565228939 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.565241098 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.565252066 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.565257072 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.565268040 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.565279007 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.565291882 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.565293074 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.565304041 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.565315008 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.565316916 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.565327883 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.565339088 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.565339088 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.565351963 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.565359116 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.565363884 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.565376043 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.565407991 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.565951109 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.565994024 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.566004992 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.566009998 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.566036940 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.566037893 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.566059113 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.566073895 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.566365004 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.566385031 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.566395998 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.566411972 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.566422939 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.566445112 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.570116997 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.570128918 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.570168972 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.570280075 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.570297003 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.570323944 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.570348024 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.571047068 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.571058989 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.571069956 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.571080923 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.571093082 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.571094036 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.571105003 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.571109056 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.571118116 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.571145058 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.571212053 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.573911905 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.573960066 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.573973894 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.573985100 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.574012995 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.574827909 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.574839115 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.574850082 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.574862003 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.574876070 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.574887037 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.574913979 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.587641001 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.587703943 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.587801933 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.587814093 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.587826014 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.587836027 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.587850094 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.587852001 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.587863922 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.587883949 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.587901115 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.595155001 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.595170975 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.595233917 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.595246077 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.595310926 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.595323086 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.595334053 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.595345020 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.595355988 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.595361948 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.595371008 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.595402956 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.597924948 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.597937107 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.597985029 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.597995043 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.598037004 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.598077059 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.598251104 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.598263025 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.598274946 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.598299026 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.598310947 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.598437071 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.598478079 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.608454943 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.608503103 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.608519077 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.608530045 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.608562946 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.608582020 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.608710051 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.608721018 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.608763933 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.608869076 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.608880997 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.608906031 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.608936071 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.611893892 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.612061977 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.612091064 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.612103939 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.612137079 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.612159967 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.612276077 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.612363100 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.612458944 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.612474918 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.612495899 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.612504005 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.612526894 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.612546921 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.624202967 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.624221087 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.624233007 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.624243975 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.624254942 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.624268055 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.624326944 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.624337912 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.624385118 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.624424934 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.624430895 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.624435902 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.624447107 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.624458075 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.624461889 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.624500036 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.624867916 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.624921083 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.625094891 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.625140905 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.626513004 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.626523972 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.626534939 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.626560926 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.626585007 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.626665115 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.626677036 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.626688004 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.626701117 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.626713991 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.626743078 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.626811981 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.626852036 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.632565022 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.632616043 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.632630110 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.632641077 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.632652044 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.632663012 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.632668972 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.632674932 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.632685900 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.632690907 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.632720947 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.632741928 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.640378952 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.640398026 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.640408993 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.640427113 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.640440941 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.640799999 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.640811920 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.640822887 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.640839100 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.640872955 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.640887022 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.653140068 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.653234959 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.653243065 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.653254986 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.653264999 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.653275967 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.653285980 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.653297901 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.653337002 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.653359890 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.653395891 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.653409958 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.653711081 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.653760910 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.653773069 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.653836012 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.653847933 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.653862000 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.653942108 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.654206991 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.654256105 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.654267073 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.654285908 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.654323101 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.654350042 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.654361010 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.654371977 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.654381990 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.654408932 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.654462099 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.654483080 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.654527903 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.655000925 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.655061007 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.655066967 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.655117035 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.655128002 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.655139923 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.655147076 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.655194998 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.655215025 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.655258894 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.655558109 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.655601025 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.655621052 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.655658960 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.659461975 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.659512997 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.659521103 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.659526110 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.659558058 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.659601927 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.659614086 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.659625053 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.659635067 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.659646034 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.659678936 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.662591934 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.662615061 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.662630081 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.662642002 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.662664890 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.662684917 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.662710905 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.662722111 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.662731886 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.662743092 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.662784100 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.662802935 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.662802935 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.676199913 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.676220894 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.676233053 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.676280975 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.676309109 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.676321030 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.676331997 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.676343918 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.676356077 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.676363945 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.676383018 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.676404953 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.683521032 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.683573961 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.683671951 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.683718920 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.683744907 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.683757067 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.683788061 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.683810949 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.683939934 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.683950901 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.683962107 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.683970928 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.683985949 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.684004068 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.684026003 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.686568975 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.686580896 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.686592102 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.686603069 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.686614037 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.686625004 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.686625004 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.686638117 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.686647892 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.686651945 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.686675072 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.686686993 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.697012901 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.697069883 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.697072029 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.697087049 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.697098970 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.697109938 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.697109938 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.697134972 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.697173119 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.697173119 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.697207928 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.697217941 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.697217941 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.697257042 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.700318098 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.700370073 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.700397968 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.700408936 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.700439930 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.700448990 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.700484991 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.700534105 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.700544119 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.700555086 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.700563908 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.700582981 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.700609922 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.712670088 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.712686062 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.712697029 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.712722063 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.712737083 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.712744951 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.712749004 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.712774992 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.712776899 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.712795973 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.712806940 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.712867975 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.712878942 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.712888956 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.712908030 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.712927103 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.713254929 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.713298082 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.713305950 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.713310957 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.713339090 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.713346958 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.713356972 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.713383913 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.713514090 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.713561058 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.713581085 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.713628054 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.714845896 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.714890957 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.714895964 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.714906931 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.714939117 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.714950085 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.714960098 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.715003967 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.715022087 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.715034008 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.715071917 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.715085030 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.715095997 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.715128899 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.715147972 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.720380068 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.720391035 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.720401049 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.720432997 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.720457077 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.720535040 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.720546007 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.720556974 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.720567942 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.720586061 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.720613956 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.728940010 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.728960991 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.728971004 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.728992939 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.729017019 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.729072094 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.729110956 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.729123116 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.729134083 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.729173899 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.729182005 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.729218960 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.730006933 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.730067015 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.741782904 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.741827011 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.741833925 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.741837978 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.741872072 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.741904974 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.741950989 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.741962910 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.741975069 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.742010117 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.742022991 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.742098093 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.742110014 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.742121935 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.742134094 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.742149115 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.742177963 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.742237091 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.742248058 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.742259979 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.742289066 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.742295980 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.742324114 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.742350101 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.742820024 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.742867947 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.742882967 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.742893934 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.742918015 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.742930889 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.742959976 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.743002892 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.743050098 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.743226051 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.743269920 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.743272066 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.743309975 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.743387938 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.743432999 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.743446112 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.743458033 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.743505955 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.743530035 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.743542910 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.743555069 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.743577957 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.743596077 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.743930101 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.743971109 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.748075962 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.748128891 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.748136997 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.748148918 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.748161077 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.748183012 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.748200893 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.748245955 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.748286963 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.748290062 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.748298883 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.748310089 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.748328924 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.748349905 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.751471043 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.751482010 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.751493931 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.751522064 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.751549006 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.751625061 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.751636982 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.751647949 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.751657963 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.751677990 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.751718044 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.765703917 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.765716076 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.765727043 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.765805006 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.765815973 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.765825987 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.765826941 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.765842915 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.765872955 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.765885115 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.773118973 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.773130894 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.773142099 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.773180008 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.773205042 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.773262978 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.773274899 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.773279905 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.773292065 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.773313999 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.773339033 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.776009083 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.776019096 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.776030064 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.776060104 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.776066065 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.776077986 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.776107073 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.776156902 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.776201963 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.776206970 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.776220083 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.776242018 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.776253939 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.776278019 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.785847902 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.785901070 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.786039114 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.786051035 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.786067009 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.786077976 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.786086082 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.786093950 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.786099911 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.786109924 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.786137104 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.788948059 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.788979053 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.788990021 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.788997889 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.789024115 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.789028883 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.789047956 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.789058924 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.789069891 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.789073944 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.789098024 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.789113045 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.789140940 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.789151907 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.789191961 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.801373959 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.801419020 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.801424026 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.801430941 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.801456928 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.801471949 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.801498890 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.801511049 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.801549911 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.801583052 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.801594973 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.801606894 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.801624060 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.801661015 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.801728964 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.801740885 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.801752090 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.801770926 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.801790953 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.801803112 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.801808119 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.801832914 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.801867962 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.802037001 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.802084923 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.803579092 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.803625107 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.803636074 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.803647041 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.803693056 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.803693056 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.803713083 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.803725004 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.803755045 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.803765059 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.804050922 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.804092884 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.804105997 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.804146051 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.871395111 CEST	49720	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.871879101 CEST	49723	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.876729965 CEST	9000	49720	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.876775980 CEST	49720	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.876945972 CEST	9000	49723	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:20.877003908 CEST	49723	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.878146887 CEST	49723	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:20.883899927 CEST	9000	49723	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:21.532411098 CEST	9000	49723	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:21.532464981 CEST	49723	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:21.532871962 CEST	49723	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:21.534444094 CEST	49723	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:21.534461975 CEST	49723	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:21.538435936 CEST	9000	49723	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:21.539235115 CEST	9000	49723	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:21.539244890 CEST	9000	49723	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:21.968745947 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:21.969340086 CEST	49725	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:21.974033117 CEST	9000	49721	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:21.974098921 CEST	49721	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:21.974123001 CEST	9000	49725	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:21.974186897 CEST	49725	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:21.974761009 CEST	49725	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:21.979516983 CEST	9000	49725	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:22.346275091 CEST	9000	49723	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:22.346458912 CEST	49723	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:22.630877972 CEST	9000	49725	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:22.632756948 CEST	49725	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:22.660178900 CEST	49725	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:22.664995909 CEST	9000	49725	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:22.666455030 CEST	49725	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:22.671471119 CEST	9000	49725	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:23.105381012 CEST	49723	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:23.105829000 CEST	49728	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:23.110515118 CEST	9000	49723	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:23.110575914 CEST	49723	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:23.110686064 CEST	9000	49728	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:23.110745907 CEST	49728	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:23.110974073 CEST	49728	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:23.115678072 CEST	9000	49728	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:23.485815048 CEST	9000	49725	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:23.485912085 CEST	49725	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:23.528820992 CEST	49707	443	192.168.2.6	173.222.162.64
Jul 2, 2024 12:18:23.528896093 CEST	49707	443	192.168.2.6	173.222.162.64
Jul 2, 2024 12:18:23.533638954 CEST	443	49707	173.222.162.64	192.168.2.6
Jul 2, 2024 12:18:23.533649921 CEST	443	49707	173.222.162.64	192.168.2.6
Jul 2, 2024 12:18:23.534190893 CEST	49729	443	192.168.2.6	173.222.162.64
Jul 2, 2024 12:18:23.534235001 CEST	443	49729	173.222.162.64	192.168.2.6
Jul 2, 2024 12:18:23.534316063 CEST	49729	443	192.168.2.6	173.222.162.64
Jul 2, 2024 12:18:23.543673992 CEST	49729	443	192.168.2.6	173.222.162.64
Jul 2, 2024 12:18:23.543689013 CEST	443	49729	173.222.162.64	192.168.2.6
Jul 2, 2024 12:18:23.778652906 CEST	9000	49728	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:23.778727055 CEST	49728	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:23.779858112 CEST	49728	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:23.781959057 CEST	49728	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:23.787339926 CEST	9000	49728	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:23.789618969 CEST	9000	49728	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:24.164138079 CEST	443	49729	173.222.162.64	192.168.2.6
Jul 2, 2024 12:18:24.164237976 CEST	49729	443	192.168.2.6	173.222.162.64
Jul 2, 2024 12:18:24.240380049 CEST	49725	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:24.241518974 CEST	49731	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:24.247358084 CEST	9000	49725	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:24.247448921 CEST	49725	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:24.248425961 CEST	9000	49731	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:24.248509884 CEST	49731	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:24.248769999 CEST	49731	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:24.256190062 CEST	9000	49731	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:24.607950926 CEST	9000	49728	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:24.608028889 CEST	49728	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:24.901384115 CEST	9000	49731	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:24.901504040 CEST	49731	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:24.901948929 CEST	49731	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:24.910160065 CEST	9000	49731	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:24.930493116 CEST	49731	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:24.933003902 CEST	49732	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:24.936464071 CEST	9000	49731	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:24.936520100 CEST	49731	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:24.938782930 CEST	9000	49732	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:24.938867092 CEST	49732	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:24.939100027 CEST	49732	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:24.945979118 CEST	9000	49732	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:25.585390091 CEST	9000	49732	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:25.585477114 CEST	49732	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:25.587701082 CEST	49732	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:25.587701082 CEST	49732	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:25.592611074 CEST	9000	49732	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:25.592664003 CEST	49733	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:25.592793941 CEST	9000	49732	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:25.593030930 CEST	49732	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:25.597526073 CEST	9000	49733	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:25.597630024 CEST	49733	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:25.597826958 CEST	49733	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:25.602585077 CEST	9000	49733	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:26.249897003 CEST	9000	49733	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:26.250729084 CEST	49733	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:26.251410007 CEST	49733	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:26.253448963 CEST	49733	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:26.256172895 CEST	9000	49733	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:26.256201029 CEST	49734	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:26.258646011 CEST	9000	49733	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:26.260730028 CEST	49733	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:26.260973930 CEST	9000	49734	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:26.264058113 CEST	49734	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:26.264394045 CEST	49734	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:26.269170046 CEST	9000	49734	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:26.910264969 CEST	9000	49734	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:26.910326004 CEST	49734	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:26.910804987 CEST	49734	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:26.912627935 CEST	49734	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:26.914665937 CEST	49735	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:26.915646076 CEST	9000	49734	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:26.917725086 CEST	9000	49734	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:26.917776108 CEST	49734	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:26.919686079 CEST	9000	49735	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:26.919768095 CEST	49735	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:26.919966936 CEST	49735	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:26.924799919 CEST	9000	49735	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:27.564374924 CEST	9000	49735	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:27.564459085 CEST	49735	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:27.564992905 CEST	49735	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:27.567027092 CEST	49735	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:27.568722963 CEST	49736	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:27.569705963 CEST	9000	49735	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:27.572510958 CEST	9000	49735	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:27.572562933 CEST	49735	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:27.573451996 CEST	9000	49736	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:27.573517084 CEST	49736	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:27.573707104 CEST	49736	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:27.578485966 CEST	9000	49736	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:28.255032063 CEST	9000	49736	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:28.255095005 CEST	49736	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:28.255589008 CEST	49736	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:28.257210970 CEST	49736	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:28.261156082 CEST	9000	49736	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:28.262605906 CEST	9000	49736	49.13.159.121	192.168.2.6
Jul 2, 2024 12:18:28.262684107 CEST	49736	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:18:43.328965902 CEST	443	49729	173.222.162.64	192.168.2.6
Jul 2, 2024 12:18:43.329108000 CEST	49729	443	192.168.2.6	173.222.162.64
Jul 2, 2024 12:18:48.956271887 CEST	49702	80	192.168.2.6	104.18.38.233
Jul 2, 2024 12:18:48.956321001 CEST	49700	80	192.168.2.6	104.18.38.233
Jul 2, 2024 12:18:48.961957932 CEST	80	49702	104.18.38.233	192.168.2.6
Jul 2, 2024 12:18:48.962028027 CEST	49702	80	192.168.2.6	104.18.38.233
Jul 2, 2024 12:18:48.962069035 CEST	80	49700	104.18.38.233	192.168.2.6
Jul 2, 2024 12:18:48.962121010 CEST	49700	80	192.168.2.6	104.18.38.233
Jul 2, 2024 12:19:34.610780954 CEST	9000	49728	49.13.159.121	192.168.2.6
Jul 2, 2024 12:19:34.610837936 CEST	49728	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:19:34.611341000 CEST	9000	49728	49.13.159.121	192.168.2.6
Jul 2, 2024 12:19:34.611388922 CEST	49728	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:19:41.691802025 CEST	49706	80	192.168.2.6	93.184.221.240
Jul 2, 2024 12:19:41.697516918 CEST	80	49706	93.184.221.240	192.168.2.6
Jul 2, 2024 12:19:41.697618008 CEST	49706	80	192.168.2.6	93.184.221.240
Jul 2, 2024 12:19:58.159801006 CEST	49728	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:19:58.159825087 CEST	49728	9000	192.168.2.6	49.13.159.121
Jul 2, 2024 12:19:58.164712906 CEST	9000	49728	49.13.159.121	192.168.2.6
Jul 2, 2024 12:19:58.164782047 CEST	49728	9000	192.168.2.6	49.13.159.121

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 2, 2024 12:18:08.197577953 CEST	55243	53	192.168.2.6	1.1.1.1
Jul 2, 2024 12:18:08.204902887 CEST	53	55243	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jul 2, 2024 12:18:08.197577953 CEST	192.168.2.6	1.1.1.1	0x7b76	Standard query (0)	t.me	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jul 2, 2024 12:18:08.204902887 CEST	1.1.1.1	192.168.2.6	0x7b76	No error (0)	t.me		149.154.167.99	A (IP address)	IN (0x0001)	false
Jul 2, 2024 12:18:09.856331110 CEST	1.1.1.1	192.168.2.6	0xe31c	No error (0)	bg.microsoft.map.fastly.net		199.232.214.172	A (IP address)	IN (0x0001)	false
Jul 2, 2024 12:18:09.856331110 CEST	1.1.1.1	192.168.2.6	0xe31c	No error (0)	bg.microsoft.map.fastly.net		199.232.210.172	A (IP address)	IN (0x0001)	false
Jul 2, 2024 12:18:22.702490091 CEST	1.1.1.1	192.168.2.6	0xf430	No error (0)	fp2e7a.wpc.2be4.phicdn.net	fp2e7a.wpc.phicdn.net		CNAME (Canonical name)	IN (0x0001)	false
Jul 2, 2024 12:18:22.702490091 CEST	1.1.1.1	192.168.2.6	0xf430	No error (0)	fp2e7a.wpc.phicdn.net		192.229.221.95	A (IP address)	IN (0x0001)	false
Jul 2, 2024 12:18:35.120188951 CEST	1.1.1.1	192.168.2.6	0xbf73	No error (0)	fp2e7a.wpc.2be4.phicdn.net	fp2e7a.wpc.phicdn.net		CNAME (Canonical name)	IN (0x0001)	false
Jul 2, 2024 12:18:35.120188951 CEST	1.1.1.1	192.168.2.6	0xbf73	No error (0)	fp2e7a.wpc.phicdn.net		192.229.221.95	A (IP address)	IN (0x0001)	false
Jul 2, 2024 12:19:24.477835894 CEST	1.1.1.1	192.168.2.6	0x4b7a	No error (0)	windowsupdatebg.s.llnwi.net		41.63.96.128	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

t.me

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49712	149.154.167.99	443	6312	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-02 10:18:08 UTC	84	OUT	GET /g067n HTTP/1.1 Host: t.me Connection: Keep-Alive Cache-Control: no-cache
2024-07-02 10:18:09 UTC	511	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Tue, 02 Jul 2024 10:18:09 GMT Content-Type: text/html; charset=utf-8 Content-Length: 12304 Connection: close Set-Cookie: stel_ssid=6814f2dde534755e23_7550470134956208794; expires=Wed, 03 Jul 2024 10:18:09 GMT; path=/; samesite=None; secure; HttpOnly Pragma: no-cache Cache-control: no-store X-Frame-Options: ALLOW-FROM https://web.telegram.org Content-Security-Policy: frame-ancestors https://web.telegram.org Strict-Transport-Security: max-age=35768000
2024-07-02 10:18:09 UTC	12304	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 54 65 6c 65 67 72 61 6d 3a 20 43 6f 6e 74 61 63 74 20 40 67 30 36 37 6e 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0a 20 20 20 20 3c 73 63 72 69 70 74 3e 74 72 79 7b 69 66 28 77 69 6e 64 6f 77 2e 70 61 72 65 6e 74 21 3d 6e 75 6c 6c 26 26 77 69 6e 64 6f 77 21 3d 77 69 6e 64 6f 77 2e 70 61 72 65 6e 74 29 7b 77 69 6e 64 6f 77 2e 70 61 72 65 6e 74 2e Data Ascii: <!DOCTYPE html><html> <head> <meta charset="utf-8"> <title>Telegram: Contact @g067n</title> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <script>try{if(window.parent!=null&&window!=window.parent){window.parent.

Target ID:	0
Start time:	06:18:04
Start date:	02/07/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0x670000
File size:	4'959'240 bytes
MD5 hash:	06333E350E25E29677256D9BE86E4EE1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000000.00000002.2112404610.0000000002F4B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000000.00000002.2113529276.0000000003F3B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000000.00000002.2113529276.0000000003EA1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000000.00000002.2113529276.0000000003F6F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000000.00000002.2113529276.0000000003ED4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000000.2106139036.0000000000672000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	06:18:04
Start date:	02/07/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Imagebase:	0x280000
File size:	262'432 bytes
MD5 hash:	8FDF47E0FF70C40ED3A17014AEEA4232
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	06:18:04
Start date:	02/07/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Imagebase:	0x550000
File size:	262'432 bytes
MD5 hash:	8FDF47E0FF70C40ED3A17014AEEA4232
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	06:18:04
Start date:	02/07/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Imagebase:	0xf40000
File size:	262'432 bytes
MD5 hash:	8FDF47E0FF70C40ED3A17014AEEA4232
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000004.00000002.3352878258.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000004.00000002.3352878258.0000000000445000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	18%
Dynamic/Decrypted Code Coverage:	73.5%
Signature Coverage:	0%
Total number of Nodes:	34
Total number of Limit Nodes:	2

Executed Functions

Function 05399AEB Relevance: 46.9, Strings: 37, Instructions: 655
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

<, xrefs: 0539A4CD
a, xrefs: 05399E07
2, xrefs: 0539A444
., xrefs: 0539A1F9
U, xrefs: 0539A086
F, xrefs: 0539A105
@, xrefs: 05399F8B
Q, xrefs: 0539A2FD
F, xrefs: 05399ED7
/, xrefs: 0539A4C6
b, xrefs: 05399D7F
R, xrefs: 0539A4B2
', xrefs: 05399CE5
,, xrefs: 0539A185
S, xrefs: 0539A47E
;, xrefs: 05399F37
6, xrefs: 0539A20F
b, xrefs: 0539A318
0, xrefs: 0539A05B
_, xrefs: 05399DD1
Y, xrefs: 0539A32E
dnEA, xrefs: 0539A024
Q, xrefs: 0539A276
<, xrefs: 0539A4E3
S, xrefs: 05399D10
G, xrefs: 0539A307
/, xrefs: 05399DAD
`, xrefs: 05399EF1
], xrefs: 0539A311
#WrA, xrefs: 0539A0AC
:j)B, xrefs: 0539A43A
4, xrefs: 0539A2B0
^, xrefs: 0539A2E9
L, xrefs: 05399E2F
,, xrefs: 0539A0D2
4, xrefs: 05399C75
b, xrefs: 05399CF7

Memory Dump Source

Source File: 00000000.00000002.2114631176.0000000005390000.00000040.00000800.00020000.00000000.sdmp, Offset: 05390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5390000_file.jbxd

Similarity

API ID:
String ID: #WrA$'$,$,$.$/$/$0$2$4$4$6$:j)B$;$<$<$@$F$F$G$L$Q$Q$R$S$S$U$Y$]$^$_$`$a$b$b$b$dnEA
API String ID: 0-3494415311
Opcode ID: 3d0c6643492c2b5eb5ae57acfdf34561f2292d3610a0cf5766594280de2b5686
Instruction ID: 01f4b49c4e94afa0de331ef69b3925c85267ee44f1a1b1c108e4c4e141124306
Opcode Fuzzy Hash: 3d0c6643492c2b5eb5ae57acfdf34561f2292d3610a0cf5766594280de2b5686
Instruction Fuzzy Hash: CE829FB1E016298FEB65DF2AC944799BBF6FB88300F1491EAD50CA7354DB755AC18F00

Function 0539439B Relevance: 46.9, Strings: 37, Instructions: 604
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

4, xrefs: 05394B88
@, xrefs: 05394869
Y, xrefs: 05394C09
F, xrefs: 053947AC
6, xrefs: 05394AF6
,, xrefs: 05394A6C
L, xrefs: 05394707
_, xrefs: 053946AF
], xrefs: 05394BEC
,, xrefs: 053949B3
<, xrefs: 05394DBB
/, xrefs: 0539468B
`, xrefs: 053947C6
Q, xrefs: 05394B51
;, xrefs: 05394812
R, xrefs: 05394D87
F, xrefs: 053949E6
a, xrefs: 053946DF
0, xrefs: 0539493C
:j)B, xrefs: 05394D0F
b, xrefs: 0539465D
b, xrefs: 053945D5
4, xrefs: 0539454D
S, xrefs: 053945EE
<, xrefs: 05394DA5
G, xrefs: 05394BE2
/, xrefs: 05394D9B
U, xrefs: 0539496A
', xrefs: 053945C6
Q, xrefs: 05394BD8
#WrA, xrefs: 0539498D
b, xrefs: 05394BF6
S, xrefs: 05394D4D
dnEA, xrefs: 05394905
2, xrefs: 05394D19
^, xrefs: 05394BC4
., xrefs: 05394AE0

Memory Dump Source

Source File: 00000000.00000002.2114631176.0000000005390000.00000040.00000800.00020000.00000000.sdmp, Offset: 05390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5390000_file.jbxd

Similarity

API ID:
String ID: #WrA$'$,$,$.$/$/$0$2$4$4$6$:j)B$;$<$<$@$F$F$G$L$Q$Q$R$S$S$U$Y$]$^$_$`$a$b$b$b$dnEA
API String ID: 0-3494415311
Opcode ID: 4d582a7d85b17101a6f0b83d0acdb3cdc28a4b2bf0eab2b05376b41d076a1ce0
Instruction ID: 271f429561bf22d91e1be406c17d987c5e1bd42cc4fc374591e66e150bcd5a5a
Opcode Fuzzy Hash: 4d582a7d85b17101a6f0b83d0acdb3cdc28a4b2bf0eab2b05376b41d076a1ce0
Instruction Fuzzy Hash: 2A72AEB5D016698FEB65DF2AC984799BBF6FB88300F1081EA940CAB354DB755AC1CF00

Function 053943A8 Relevance: 46.9, Strings: 37, Instructions: 601
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

4, xrefs: 05394B88
@, xrefs: 05394869
Y, xrefs: 05394C09
F, xrefs: 053947AC
6, xrefs: 05394AF6
,, xrefs: 05394A6C
L, xrefs: 05394707
_, xrefs: 053946AF
], xrefs: 05394BEC
,, xrefs: 053949B3
<, xrefs: 05394DBB
/, xrefs: 0539468B
`, xrefs: 053947C6
Q, xrefs: 05394B51
;, xrefs: 05394812
R, xrefs: 05394D87
F, xrefs: 053949E6
a, xrefs: 053946DF
0, xrefs: 0539493C
:j)B, xrefs: 05394D0F
b, xrefs: 0539465D
b, xrefs: 053945D5
4, xrefs: 0539454D
S, xrefs: 053945EE
<, xrefs: 05394DA5
G, xrefs: 05394BE2
/, xrefs: 05394D9B
U, xrefs: 0539496A
', xrefs: 053945C6
Q, xrefs: 05394BD8
#WrA, xrefs: 0539498D
b, xrefs: 05394BF6
S, xrefs: 05394D4D
dnEA, xrefs: 05394905
2, xrefs: 05394D19
^, xrefs: 05394BC4
., xrefs: 05394AE0

Memory Dump Source

Source File: 00000000.00000002.2114631176.0000000005390000.00000040.00000800.00020000.00000000.sdmp, Offset: 05390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5390000_file.jbxd

Similarity

API ID:
String ID: #WrA$'$,$,$.$/$/$0$2$4$4$6$:j)B$;$<$<$@$F$F$G$L$Q$Q$R$S$S$U$Y$]$^$_$`$a$b$b$b$dnEA
API String ID: 0-3494415311
Opcode ID: 791efdb080b365486e3ce9dce1f29f2b6b29ff2c3b43e9314f0c46fa07e79b3a
Instruction ID: fba7773efee9e3396ad52391eb5174ece7a8ec921e4afaee8d549edc5d4dc5c8
Opcode Fuzzy Hash: 791efdb080b365486e3ce9dce1f29f2b6b29ff2c3b43e9314f0c46fa07e79b3a
Instruction Fuzzy Hash: 4472ADB5D016698FEB65DF2AC984799BBF6FB88300F1085EA940CAB354DB755AC1CF00

Function 053965BB Relevance: 46.8, Strings: 37, Instructions: 590
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

/, xrefs: 053968F1
`, xrefs: 05396A2F
0, xrefs: 05396B96
2, xrefs: 05396F7F
/, xrefs: 05397001
;, xrefs: 05396A72
#WrA, xrefs: 05396BE7
b, xrefs: 053968C6
dnEA, xrefs: 05396B5F
., xrefs: 05396D34
@, xrefs: 05396AC9
F, xrefs: 05396C40
Q, xrefs: 05396E32
,, xrefs: 05396CC6
S, xrefs: 05396854
<, xrefs: 0539701E
U, xrefs: 05396BC1
_, xrefs: 05396915
^, xrefs: 05396E1E
', xrefs: 05396826
a, xrefs: 05396945
Q, xrefs: 05396DB1
R, xrefs: 05396FED
G, xrefs: 05396E39
4, xrefs: 053967AD
b, xrefs: 05396838
], xrefs: 05396E43
b, xrefs: 05396E4D
,, xrefs: 05396C0D
F, xrefs: 05396A15
4, xrefs: 05396DEB
Y, xrefs: 05396E63
S, xrefs: 05396FB3
6, xrefs: 05396D4A
<, xrefs: 05397008
:j)B, xrefs: 05396F75
L, xrefs: 0539696D

Memory Dump Source

Source File: 00000000.00000002.2114631176.0000000005390000.00000040.00000800.00020000.00000000.sdmp, Offset: 05390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5390000_file.jbxd

Similarity

API ID:
String ID: #WrA$'$,$,$.$/$/$0$2$4$4$6$:j)B$;$<$<$@$F$F$G$L$Q$Q$R$S$S$U$Y$]$^$_$`$a$b$b$b$dnEA
API String ID: 0-3494415311
Opcode ID: dc851a92d80323b16093902367667d69dbdc077f587d8b4c00822b145c32e45f
Instruction ID: fb337f13d6326ad1c94e6978eb040d84336012925d4b0b844eb64cc8959c5e1f
Opcode Fuzzy Hash: dc851a92d80323b16093902367667d69dbdc077f587d8b4c00822b145c32e45f
Instruction Fuzzy Hash: BF7284B1D016698FEB65DF1AC984799BBF6FF88300F0581EA940CA7354EB755B858F00

Function 0539734F Relevance: 46.8, Strings: 37, Instructions: 533
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

F, xrefs: 05397A2A
G, xrefs: 05397C29
,, xrefs: 05397AB6
_, xrefs: 053976F9
dnEA, xrefs: 05397949
', xrefs: 0539760A
U, xrefs: 053979AE
^, xrefs: 05397C0E
@, xrefs: 053978AA
Y, xrefs: 05397C50
/, xrefs: 05397DE8
b, xrefs: 0539761C
S, xrefs: 05397638
Q, xrefs: 05397B9B
Q, xrefs: 05397C22
b, xrefs: 053976A7
<, xrefs: 05397DF2
<, xrefs: 05397E08
4, xrefs: 05397594
;, xrefs: 05397856
/, xrefs: 053976D5
6, xrefs: 05397B3A
R, xrefs: 05397DD7
L, xrefs: 05397751
`, xrefs: 05397810
:j)B, xrefs: 05397D5C
,, xrefs: 053979F4
], xrefs: 05397C30
F, xrefs: 053977F6
0, xrefs: 05397980
S, xrefs: 05397D9D
a, xrefs: 05397729
., xrefs: 05397B27
b, xrefs: 05397C3A
#WrA, xrefs: 053979CE
2, xrefs: 05397D66
4, xrefs: 05397BD5

Memory Dump Source

Source File: 00000000.00000002.2114631176.0000000005390000.00000040.00000800.00020000.00000000.sdmp, Offset: 05390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5390000_file.jbxd

Similarity

API ID:
String ID: #WrA$'$,$,$.$/$/$0$2$4$4$6$:j)B$;$<$<$@$F$F$G$L$Q$Q$R$S$S$U$Y$]$^$_$`$a$b$b$b$dnEA
API String ID: 0-3494415311
Opcode ID: a5b69a43ae659bee509b20f3c961ae2107b25c7c10f16cf29fbcbee4e2048ac2
Instruction ID: 9c9ccefecdcadf1814cce1eebad222b91ca99cc7d53ca8ef223434a2be2b10fb
Opcode Fuzzy Hash: a5b69a43ae659bee509b20f3c961ae2107b25c7c10f16cf29fbcbee4e2048ac2
Instruction Fuzzy Hash: E36271B1D016698FEB65DF1AC984799BBF6FB88300F15C1EA941CAB354EB754AC18F00

Function 05397360 Relevance: 46.8, Strings: 37, Instructions: 532
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

F, xrefs: 05397A2A
G, xrefs: 05397C29
,, xrefs: 05397AB6
_, xrefs: 053976F9
dnEA, xrefs: 05397949
', xrefs: 0539760A
U, xrefs: 053979AE
^, xrefs: 05397C0E
@, xrefs: 053978AA
Y, xrefs: 05397C50
/, xrefs: 05397DE8
b, xrefs: 0539761C
S, xrefs: 05397638
Q, xrefs: 05397B9B
Q, xrefs: 05397C22
b, xrefs: 053976A7
<, xrefs: 05397DF2
<, xrefs: 05397E08
4, xrefs: 05397594
;, xrefs: 05397856
/, xrefs: 053976D5
6, xrefs: 05397B3A
R, xrefs: 05397DD7
L, xrefs: 05397751
`, xrefs: 05397810
:j)B, xrefs: 05397D5C
,, xrefs: 053979F4
], xrefs: 05397C30
F, xrefs: 053977F6
0, xrefs: 05397980
S, xrefs: 05397D9D
a, xrefs: 05397729
., xrefs: 05397B27
b, xrefs: 05397C3A
#WrA, xrefs: 053979CE
2, xrefs: 05397D66
4, xrefs: 05397BD5

Memory Dump Source

Source File: 00000000.00000002.2114631176.0000000005390000.00000040.00000800.00020000.00000000.sdmp, Offset: 05390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5390000_file.jbxd

Similarity

API ID:
String ID: #WrA$'$,$,$.$/$/$0$2$4$4$6$:j)B$;$<$<$@$F$F$G$L$Q$Q$R$S$S$U$Y$]$^$_$`$a$b$b$b$dnEA
API String ID: 0-3494415311
Opcode ID: 7d64b558f22efcc86deb34a1869d3d93af1a9e5eed8efd58be8ae86128135a20
Instruction ID: 9035655f680ea78f570db387608d0e66b7c17f378d589c0f6b04586228b74499
Opcode Fuzzy Hash: 7d64b558f22efcc86deb34a1869d3d93af1a9e5eed8efd58be8ae86128135a20
Instruction Fuzzy Hash: C56261B1D016698FEB65DF1AC984799BBF6FB88300F15C1EA941CAB354EB754AC18F00

Function 053B8A58 Relevance: 3.3, Instructions: 3331COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2114659089.00000000053B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_53b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74c6f7cad34b1c795398c81e95c08b17ec3058925bc4487288746c58ff221e8b
Instruction ID: 847648f4c9d907b1cbab879434e52b0c9b0b3f59988265061e436d3a167b63ba
Opcode Fuzzy Hash: 74c6f7cad34b1c795398c81e95c08b17ec3058925bc4487288746c58ff221e8b
Instruction Fuzzy Hash: 8C731D74A00219CFDB14DF68C898AEDB7B2BF89310F158199E619AB761DB70ED81CF50

Function 0539B008 Relevance: 1.8, Strings: 1, Instructions: 578
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(, xrefs: 0539B75C

Memory Dump Source

Source File: 00000000.00000002.2114631176.0000000005390000.00000040.00000800.00020000.00000000.sdmp, Offset: 05390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5390000_file.jbxd

Similarity

API ID:
String ID: (
API String ID: 0-3887548279
Opcode ID: f13428c31f4895a08a59fcab1b206fa8d81cb0c156ac576ee6f4dae5281bc928
Instruction ID: 361884c19348483af34d4f480d1c1e57794770808969062b9355c0dfa7069302
Opcode Fuzzy Hash: f13428c31f4895a08a59fcab1b206fa8d81cb0c156ac576ee6f4dae5281bc928
Instruction Fuzzy Hash: 3952CC70E00229CFDB68DF65C894BDDBBB2BF89304F1485EAD409AB290DB745A85CF50

Function 053B2A98 Relevance: 1.0, Instructions: 1043COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2114659089.00000000053B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_53b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b0ea7b1e3075f4fea2216ec3ab9040e899d57e579a3a6096f8ca0c9d4c0db26
Instruction ID: 23c1eba9e4c5261a6ee222f3fee2e57c5a33006f45fee25525ab069682f7c515
Opcode Fuzzy Hash: 8b0ea7b1e3075f4fea2216ec3ab9040e899d57e579a3a6096f8ca0c9d4c0db26
Instruction Fuzzy Hash: A7B2C074E00228DFDB65CF69C984AD9BBB2FF89300F1581E9D549AB225DB319E81CF40

Function 053B8998 Relevance: .4, Instructions: 450COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2114659089.00000000053B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_53b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a3e461fed727ac77eb8c9a9fc62702e4093680bce6aa0eee2a5896b9e43dbf7
Instruction ID: 8c4fda6932d97da57b4610d1d92bd04569e7ddd37a7784a83a659046ee5375ec
Opcode Fuzzy Hash: 3a3e461fed727ac77eb8c9a9fc62702e4093680bce6aa0eee2a5896b9e43dbf7
Instruction Fuzzy Hash: 71F1A271B002199FDF05DF68D844AAEBBBABF84350F148429EA05DB750DBB0DD52CB91

Function 02C2F9C8 Relevance: .2, Instructions: 242COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2112237908.0000000002C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c20000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc6c8b78f2fcf6799cb0e429cc15b0238ca8c0b88767d34d2889de99062b43b8
Instruction ID: 956efbf60b4859d8165806790fa473a3c38c3ab32cfd2439de2c8719acd866a3
Opcode Fuzzy Hash: cc6c8b78f2fcf6799cb0e429cc15b0238ca8c0b88767d34d2889de99062b43b8
Instruction Fuzzy Hash: 8AB1CF74E00218CFDB54DFA9D884BAEBBB2FF89300F108169D909AB359DB745985CF51

Function 053954FD Relevance: 4.5, Strings: 3, Instructions: 704
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

dnEA, xrefs: 05395A78
#WrA, xrefs: 05395B13
:j)B, xrefs: 05395F7D

Memory Dump Source

Source File: 00000000.00000002.2114631176.0000000005390000.00000040.00000800.00020000.00000000.sdmp, Offset: 05390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5390000_file.jbxd

Similarity

API ID:
String ID: #WrA$:j)B$dnEA
API String ID: 0-559844328
Opcode ID: 8f3d27fb86a2b9d9c78895730631afaedb8fb85ef880b92c1117e1ec47b5c0c1
Instruction ID: 0acd3109c810f32aaffebfa31560c4da5058207222460a59818addf6f6b92538
Opcode Fuzzy Hash: 8f3d27fb86a2b9d9c78895730631afaedb8fb85ef880b92c1117e1ec47b5c0c1
Instruction Fuzzy Hash: 7B9294B4A0024ACFDB01DF98D489BEEBFB1FB49314F1541A8DA086B356D775A885CF90

Function 05ACFA10 Relevance: 1.8, APIs: 1, Instructions: 321
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 05ACFCD7

Memory Dump Source

Source File: 00000000.00000002.2115595388.0000000005AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ac0000_file.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 272f6f58bbf3e6f2200e32135ec38c1748da316ed7710adbab9718fa29b1d6e1
Instruction ID: 5aed9d1448e26692d5aaec02579e3e6bd17184a767f6d7e9ec064d8be78a09ca
Opcode Fuzzy Hash: 272f6f58bbf3e6f2200e32135ec38c1748da316ed7710adbab9718fa29b1d6e1
Instruction Fuzzy Hash: DAC10470D002299FDB24CFA8C845BEEBBB2BB49304F1095A9D919B7240DB749A85CF95

Function 05ACF5E0 Relevance: 1.6, APIs: 1, Instructions: 116
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 05ACF6B3

Memory Dump Source

Source File: 00000000.00000002.2115595388.0000000005AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ac0000_file.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 97f3cf9ccd8532197b31543595c2c0228c0cfb0ace76268b650bd3b230f6b87c
Instruction ID: c2c50a6f5925c113ec8c74560a67a985bf3c3091b7a681423707b603e0969d8a
Opcode Fuzzy Hash: 97f3cf9ccd8532197b31543595c2c0228c0cfb0ace76268b650bd3b230f6b87c
Instruction Fuzzy Hash: 3741A9B5D012599FDF00CFA9D984ADEFBF1BB49310F20902AE818B7210D775AA41CF64

Function 05ACCEC0 Relevance: 1.6, APIs: 1, Instructions: 112
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE(?), ref: 05ACCFC9

Memory Dump Source

Source File: 00000000.00000002.2115595388.0000000005AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ac0000_file.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 0cee01efd17f3a5c0713d78351d2d735791eb57957d8c6a0637d74de7216f55d
Instruction ID: f3a946244fc8f59b0e75a0137ef76d64fa3604af8fa1d9e8069dcf4453214038
Opcode Fuzzy Hash: 0cee01efd17f3a5c0713d78351d2d735791eb57957d8c6a0637d74de7216f55d
Instruction Fuzzy Hash: C64113B4D00358DFDB14CFA9D884B9EBBF1FB49314F10912AE829AB254D7B49945CF81

Function 05ACF488 Relevance: 1.6, APIs: 1, Instructions: 101
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 05ACF532

Memory Dump Source

Source File: 00000000.00000002.2115595388.0000000005AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ac0000_file.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: c5e7b0cbc8b286cec5cc070d8dafe248e444fd3e8cb90ef2ba90665a68ff4cc6
Instruction ID: ace551d1b4a80a7e1786a553834b7f51e1ebf043ab12ccd5312adee67a4808e3
Opcode Fuzzy Hash: c5e7b0cbc8b286cec5cc070d8dafe248e444fd3e8cb90ef2ba90665a68ff4cc6
Instruction Fuzzy Hash: CE31A8B9D00258DFCF10CFA9D980A9EFBB1BB49310F10A42AE915B7210D775A901CF54

Function 05ACF280 Relevance: 1.6, APIs: 1, Instructions: 94
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,?), ref: 05ACF32F

Memory Dump Source

Source File: 00000000.00000002.2115595388.0000000005AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ac0000_file.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 617bd354680a47d430b3aec706f92800174c17b2d11a3443853285c398ca8136
Instruction ID: 71a9d3d9d63b64e156fa7a05feca5763a9324b5a81568882ad9c72212d8828df
Opcode Fuzzy Hash: 617bd354680a47d430b3aec706f92800174c17b2d11a3443853285c398ca8136
Instruction Fuzzy Hash: 0F31BAB5D012589FDB10CFAAD884AEEBFF1BF48310F24902AE419B7240D778A945CF94

Function 05ACCBE8 Relevance: 1.6, APIs: 1, Instructions: 92
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 05ACCC8F

Memory Dump Source

Source File: 00000000.00000002.2115595388.0000000005AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ac0000_file.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 9d4448278c7d7f217d1ff74458a48309d73a921b0f2657f120c44644d9d5c443
Instruction ID: b47fbfbbfdabe1cca9971c71c508b4f4a81f32603372d74b57337e5c1a646bab
Opcode Fuzzy Hash: 9d4448278c7d7f217d1ff74458a48309d73a921b0f2657f120c44644d9d5c443
Instruction Fuzzy Hash: 913177B9D042589FCB10CFA9D584A9EFBB1BB49310F24A02AE828B7310D775A945CF64

Function 05ACF158 Relevance: 1.6, APIs: 1, Instructions: 73
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ResumeThread.KERNELBASE(?), ref: 05ACF1D6

Memory Dump Source

Source File: 00000000.00000002.2115595388.0000000005AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ac0000_file.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 1bfbe493c2671a13b749ccc0bb1495e9b3bef1c7c77a8ea753bd2eda7821ace4
Instruction ID: 50a8ccc727478ba1a52fea2807a8ec505746a18887367e49296d88ad02765dde
Opcode Fuzzy Hash: 1bfbe493c2671a13b749ccc0bb1495e9b3bef1c7c77a8ea753bd2eda7821ace4
Instruction Fuzzy Hash: 9931C9B4D012199FDF14CFAAD884A9EFBB5BF48320F14942AE919B7200C775A901CF98

Function 053BCEEE Relevance: 1.5, Strings: 1, Instructions: 241COMMON

Download Yara Rule

Strings

$, xrefs: 053BD3C6

Memory Dump Source

Source File: 00000000.00000002.2114659089.00000000053B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_53b0000_file.jbxd

Similarity

API ID:
String ID: $
API String ID: 0-3993045852
Opcode ID: fbb601daa62fed697f0a80b147bc002b52c130f3477122699c017ba1172ab74f
Instruction ID: d33ed8bc9619f39acaeff7d67b545782ccc112015111ac54d301419d97fa2689
Opcode Fuzzy Hash: fbb601daa62fed697f0a80b147bc002b52c130f3477122699c017ba1172ab74f
Instruction Fuzzy Hash: 8AD1C274E00A289FDB64EF24DC90AAEBBB2EB89301F4041E9960DA7354DB711ED5DF50

Function 02C22193 Relevance: 1.4, Strings: 1, Instructions: 103COMMON

Download Yara Rule

Strings

k, xrefs: 02C26A02

Memory Dump Source

Source File: 00000000.00000002.2112237908.0000000002C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c20000_file.jbxd

Similarity

API ID:
String ID: k
API String ID: 0-140662621
Opcode ID: b6363b40c463c1cf6daeebe45940cba88feb516b679d365a745d7884aafc749c
Instruction ID: 512ddff7a9457ca440b544b2787ee764a4ad5fe169a82342618b9c31acd106a1
Opcode Fuzzy Hash: b6363b40c463c1cf6daeebe45940cba88feb516b679d365a745d7884aafc749c
Instruction Fuzzy Hash: FF51B678D01269CFDB24EF24E8846EABBB2FB48304F0045E9D909E7344DB345EA59F51

Function 02C2581F Relevance: 1.4, Strings: 1, Instructions: 100COMMON

Download Yara Rule

Strings

k, xrefs: 02C26A02

Memory Dump Source

Source File: 00000000.00000002.2112237908.0000000002C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c20000_file.jbxd

Similarity

API ID:
String ID: k
API String ID: 0-140662621
Opcode ID: 635ae7bc8d4feaf050e9128c55c2abc177a97d44f50f682a9cbcfe272f07069a
Instruction ID: e665541b649ad96b4ce8585ffda6b5261dccf2ad645efefc754dd8324b9b8dc2
Opcode Fuzzy Hash: 635ae7bc8d4feaf050e9128c55c2abc177a97d44f50f682a9cbcfe272f07069a
Instruction Fuzzy Hash: 1751CA78D01269CFDB24EF24E8846DABBB2FB48304F1046E9D909E7384D7345EA59F50

Function 05396467 Relevance: 1.3, Strings: 1, Instructions: 96COMMON

Download Yara Rule

Strings

lo%q, xrefs: 053964CC

Memory Dump Source

Source File: 00000000.00000002.2114631176.0000000005390000.00000040.00000800.00020000.00000000.sdmp, Offset: 05390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5390000_file.jbxd

Similarity

API ID:
String ID: lo%q
API String ID: 0-3704523511
Opcode ID: 388188dbb43d7ffd5e5c6ed57ac3e99cbf0eeba57c471b60777868f8ca33231d
Instruction ID: 03e6cf3fbdeec125cdab0c0f4bfc5de3ffcc2ccc4a921476bc1951b77337bf4f
Opcode Fuzzy Hash: 388188dbb43d7ffd5e5c6ed57ac3e99cbf0eeba57c471b60777868f8ca33231d
Instruction Fuzzy Hash: 1C41B1B5E012199FCB44DFA9D985AADBBF2BF88310F14816AE815B7360DB31A901CF50

Function 05ACDF88 Relevance: 1.3, APIs: 1, Instructions: 93memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(?,?,?,?), ref: 05ACE029

Memory Dump Source

Source File: 00000000.00000002.2115595388.0000000005AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ac0000_file.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: eb32e8f9d6a7864e421f92a213a45287ee3df1c6fdc64fc8e653ccb042c43b93
Instruction ID: 4830d056c9715f5450a08cf76bdda99c0d0ba5f6821b2007cf983000f26fb0f4
Opcode Fuzzy Hash: eb32e8f9d6a7864e421f92a213a45287ee3df1c6fdc64fc8e653ccb042c43b93
Instruction Fuzzy Hash: 793186B8D002589FCF10CFA9D984A9EFBB5BB49310F10A02AE818B7310D375A945CF64

Function 05396478 Relevance: 1.3, Strings: 1, Instructions: 91COMMON

Download Yara Rule

Strings

lo%q, xrefs: 053964CC

Memory Dump Source

Source File: 00000000.00000002.2114631176.0000000005390000.00000040.00000800.00020000.00000000.sdmp, Offset: 05390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5390000_file.jbxd

Similarity

API ID:
String ID: lo%q
API String ID: 0-3704523511
Opcode ID: a889a6ac6fc72313e6ab6e4c89a589ab543b60649a30f03296d38b81daaa9fec
Instruction ID: 5fab9fad72cf63e512798c48dfd4cdc7fb96a5b83ef19fc81fa5e6701db4b899
Opcode Fuzzy Hash: a889a6ac6fc72313e6ab6e4c89a589ab543b60649a30f03296d38b81daaa9fec
Instruction Fuzzy Hash: 8A417FB4E012199FCB48DFA9D9849DEBBF2FF89310F108169E915AB360DB35A901CF54

Function 05390040 Relevance: .5, Instructions: 478COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2114631176.0000000005390000.00000040.00000800.00020000.00000000.sdmp, Offset: 05390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5390000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d70d58ca2413f50d0f682cf54c78b9db2aa554cb06352fe59152eb9e0eee09cc
Instruction ID: b4e944fed1aa7b040797c99b463b6be9da6b60eab8ca1825587ba53842f9bf22
Opcode Fuzzy Hash: d70d58ca2413f50d0f682cf54c78b9db2aa554cb06352fe59152eb9e0eee09cc
Instruction Fuzzy Hash: 15127239600214DFEB0AABB6E458B263FA3FBC8304F11552EFA054779ACF75A841DB15

Function 05391150 Relevance: .3, Instructions: 303COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2114631176.0000000005390000.00000040.00000800.00020000.00000000.sdmp, Offset: 05390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5390000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99679d14a87c9e75026586a0b42112545095e7d70ccd2d3e4ebafa8b770b92b6
Instruction ID: 2178847dda8c7a8da5f87407be69effbd11ce0e827fef5c2dd8fc962963ade77
Opcode Fuzzy Hash: 99679d14a87c9e75026586a0b42112545095e7d70ccd2d3e4ebafa8b770b92b6
Instruction Fuzzy Hash: 7DC14D70B10219DFDF18DFA8D844AAEBBF6BF88350F148429E506A73A1CB749C51CB91

Function 053B0D1F Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2114659089.00000000053B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_53b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75764a56fffb87b29ecd3aa104527990e5ca83624c330ad9f54fd29cca3e82d8
Instruction ID: f70cd08dc6f9e8944fb3c9e4fd782dd89cc60e33c62061eeeb21b368c3c2d387
Opcode Fuzzy Hash: 75764a56fffb87b29ecd3aa104527990e5ca83624c330ad9f54fd29cca3e82d8
Instruction Fuzzy Hash: 08C1D474A00228CFDB64DF64DC84BAABBB2FB88300F1086E9D90DA3355DB755E949F51

Function 053927E6 Relevance: .2, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2114631176.0000000005390000.00000040.00000800.00020000.00000000.sdmp, Offset: 05390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5390000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13a8dae88e3a90822e02b0130a07ff78df32486d857afd352e8b9b51c64b1980
Instruction ID: 9e6238ad85e30ce4573f2d36fef0932da3b85e3c0bb52a1cdfbda35d8d549688
Opcode Fuzzy Hash: 13a8dae88e3a90822e02b0130a07ff78df32486d857afd352e8b9b51c64b1980
Instruction Fuzzy Hash: A3B1C6B4A00628DFDB64EF24DC84A9EBBB2FB89300F0041E9D60DA7355DB715E958F58

Function 053B8555 Relevance: .2, Instructions: 190COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2114659089.00000000053B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_53b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad7ffb75b62f585a57777367f6a999f8a4d672140924cbb33ff29c0def20bbdb
Instruction ID: 9cc8ddf4f5729b4b468bb0808cf7f0a61de302ad7e8e1359bb57fd0fdaf8e90f
Opcode Fuzzy Hash: ad7ffb75b62f585a57777367f6a999f8a4d672140924cbb33ff29c0def20bbdb
Instruction Fuzzy Hash: 91617E35B002099FDB14DF64D854AEDBBFABF88311F145469EA02AB790CBB1DD01CB91

Function 053B4CF0 Relevance: .2, Instructions: 190COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2114659089.00000000053B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_53b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 190c34c52afd1409348451f2e35d157ba83e0dce38090022ac6574c10af16e88
Instruction ID: 2da197b3735e47ff6003ec5195f8c58bb303c4aa96b32a4691ed627902c10cba
Opcode Fuzzy Hash: 190c34c52afd1409348451f2e35d157ba83e0dce38090022ac6574c10af16e88
Instruction Fuzzy Hash: 808139B4E14258CFDB04DFA8E484AEEBBF6FB88304F108429E529A7795CB745945CF50

Function 053B4364 Relevance: .2, Instructions: 164COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2114659089.00000000053B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_53b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e84930892b93ef0449913eea74b62224cb7f7656cc0d3527f00bf1ad378c4ed4
Instruction ID: 4c14bef791ad630b71b98baebe4097068a9eafcc560763c54f3e78d1c8ba298a
Opcode Fuzzy Hash: e84930892b93ef0449913eea74b62224cb7f7656cc0d3527f00bf1ad378c4ed4
Instruction Fuzzy Hash: FF81AE74E00219CFDB14DFA8D884BAEBBB2FF89304F1081A9D909A7355DB306A95CF51

Function 02C23BF1 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2112237908.0000000002C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c20000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 077712fe51f81b2687e144e63e35fef3d76e9bbeb879690c9756a6d161c7402d
Instruction ID: 60cbfb185ce7efdfa28a10dbf306b0a9f051df610d66e1f706e5dcf62c1e2c06
Opcode Fuzzy Hash: 077712fe51f81b2687e144e63e35fef3d76e9bbeb879690c9756a6d161c7402d
Instruction Fuzzy Hash: C0719878E04228CFCB68DF64E8546EABBB2FB49304F1045E5DA19A3784DB345E94CF50

Function 053B8CD7 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2114659089.00000000053B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_53b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6441361ba4c607e947c287343cb6eba619c5000fe6e8f60311139c454a9c17a3
Instruction ID: c838be537495efa49cfa3a5ed0876bc792d744f2a47c92171f52cc53a2593cb8
Opcode Fuzzy Hash: 6441361ba4c607e947c287343cb6eba619c5000fe6e8f60311139c454a9c17a3
Instruction Fuzzy Hash: 2041593071021ADBDF099F64D844AAEBBBBFFC4350F148429F9069B694DBB58D91CB90

Function 0539BA38 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2114631176.0000000005390000.00000040.00000800.00020000.00000000.sdmp, Offset: 05390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5390000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5f0107b8d31f23f06e0c125ab5732fd3131aeeb4008ef772bbf1bd56db3ef7f
Instruction ID: fa6d0bd6ca79fd78f578abc58e4b52280707e3206a5d53bf0714a18a3380334d
Opcode Fuzzy Hash: c5f0107b8d31f23f06e0c125ab5732fd3131aeeb4008ef772bbf1bd56db3ef7f
Instruction Fuzzy Hash: EE413575E05218DFCB08DFA9E850AEEBBF6FF89310F109069E405A7250DB709981CB91

Function 053B47F0 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2114659089.00000000053B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_53b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59a4195e465b2f91eb70c005f431d1718b5aeed88d6f7a0d28bd895af4a1f277
Instruction ID: 8972ef92ad79be84d601b7154789a63132d7eb0b4cff60b447b992333cda8b42
Opcode Fuzzy Hash: 59a4195e465b2f91eb70c005f431d1718b5aeed88d6f7a0d28bd895af4a1f277
Instruction Fuzzy Hash: 32418674E0424ADFDF05DFA8E8806EEBBB6FB89300F009429E519A7755DB744A01CF54

Function 053B4800 Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2114659089.00000000053B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_53b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c695f8791ffea80f108254a9b2562c898e1119655965382a5f583976915d1cd
Instruction ID: 454b0f600591b085defd57c04d0080dfb2d695d73b45b9dd278ad202da801950
Opcode Fuzzy Hash: 0c695f8791ffea80f108254a9b2562c898e1119655965382a5f583976915d1cd
Instruction Fuzzy Hash: ED412574E05249DFDB05DFA8E4806EEBBBAFB88300F109429E619A7745DBB55A00CF58

Function 053B7C78 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2114659089.00000000053B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_53b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7e13cf45bcea3713984a0d542baffc0ffbbd180e32866d8a86e4470314198bd
Instruction ID: 4c22cd8bd2987e9d4ea01c910b2380dba8faee9f04a2d95229653983443f9c96
Opcode Fuzzy Hash: f7e13cf45bcea3713984a0d542baffc0ffbbd180e32866d8a86e4470314198bd
Instruction Fuzzy Hash: 8121D371A14204AFE7459B748C09BFE7FBAEFC4340F108869E605DE680DE745A418791

Function 053B4691 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2114659089.00000000053B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_53b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1ca1ec315407efe475ec5c56016692442491be593a7a4586f126f604dff02ad
Instruction ID: bdc9fd1d69d9c7123df1deac177d53f5d19a6eb8be776361a6ba1d865e0ca831
Opcode Fuzzy Hash: b1ca1ec315407efe475ec5c56016692442491be593a7a4586f126f604dff02ad
Instruction Fuzzy Hash: 89315474D04249DFDB04DFA9E4446EEBBFAFB89300F009066D915A7746DBB45A44CF90

Function 053B46A0 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2114659089.00000000053B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_53b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 872318a453841d1b8fc7e8e16d3833ec578548f34d4e0be3887fbf022d9dab9a
Instruction ID: aca009ef587cfee73b4c1de200690f2e85a33eb01a27b6d87b3ba4cef14f19b1
Opcode Fuzzy Hash: 872318a453841d1b8fc7e8e16d3833ec578548f34d4e0be3887fbf022d9dab9a
Instruction Fuzzy Hash: 2B311174E04209DFDB04DFA9E4446EEBBFAFB89300F009029EA19A3745DBB45A41CF94

Function 0113D01C Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2111814248.000000000113D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0113D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_113d000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9d4b7228704cab5554378a522ecca1c6c1ba0a8430f24361d96f372733d6f2a
Instruction ID: 062cebf3a5e25f6442f538a527500e7865df8e81ebcd6e36a7c5fb427a424ec7
Opcode Fuzzy Hash: f9d4b7228704cab5554378a522ecca1c6c1ba0a8430f24361d96f372733d6f2a
Instruction Fuzzy Hash: C1212572104244DFDF19DF54E9C4B2AFF65FBC4B64F608569E9090B24AC336D40ACBA2

Function 053B7C68 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2114659089.00000000053B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_53b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7db0cafb454a6ff3467e6a73853e10629eadd4c5a6b56b779bd6932878cb0ab1
Instruction ID: e313a3acd331032e1f2cecb1c9e05f3426d0b8e29a831c242a587f687e41b5b1
Opcode Fuzzy Hash: 7db0cafb454a6ff3467e6a73853e10629eadd4c5a6b56b779bd6932878cb0ab1
Instruction Fuzzy Hash: 0B21CF70A14204AFE7469F749C05BEE7FBAEFC5340F108869E646EB681DF345A41CBA1

Function 05390007 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2114631176.0000000005390000.00000040.00000800.00020000.00000000.sdmp, Offset: 05390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5390000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc75411d7d63ca3e18db20006ca4a21161678658409a1d395a7c8daa1c179052
Instruction ID: 627d7b17c736c8735a5263a1e07d49a8da23268f0eea1ecc96d649b62056a0c7
Opcode Fuzzy Hash: bc75411d7d63ca3e18db20006ca4a21161678658409a1d395a7c8daa1c179052
Instruction Fuzzy Hash: 8721F230204781CFCB2A9739D8147567FF6AF82314F0985AED1958B262EFB89848C792

Function 0113D006 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2111814248.000000000113D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0113D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_113d000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce53a1ef9f81bdb6937c1c2a806d2d428d8fdea66b94e01ef92998a68fe280de
Instruction ID: 5bb98a6e005beb550e7777f103c70c46701b99ab3435be54ffd80af9bfab180b
Opcode Fuzzy Hash: ce53a1ef9f81bdb6937c1c2a806d2d428d8fdea66b94e01ef92998a68fe280de
Instruction Fuzzy Hash: A4217F714083809FCB07CF54E994B16BF71EB86714F2985DAD8458B267C33AD81ACBA2

Function 053BFF08 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2114659089.00000000053B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_53b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69619fcf9e68aa790415f5f5316ddbd47c2db7f5156bd94f643e18850eb96296
Instruction ID: 93bce63764f72c99e1bf1aba5fed4c9bac3c681a943a9562d28234a21eaa06e8
Opcode Fuzzy Hash: 69619fcf9e68aa790415f5f5316ddbd47c2db7f5156bd94f643e18850eb96296
Instruction Fuzzy Hash: FA112B75E102199FDF00DF99D844AEEFBB9FB88311F10842AE915E3640DBB49A55CBA0

Function 053B5805 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2114659089.00000000053B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_53b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d6e5dda81e65ce3a257fd1034e0ff5b27f3b0476a71f5d3a02e112294bbb9fb
Instruction ID: 8598bafc3a10cf299c32ed44f3d08e1778f790d1b3d2fca0e02482c2cba3aec0
Opcode Fuzzy Hash: 8d6e5dda81e65ce3a257fd1034e0ff5b27f3b0476a71f5d3a02e112294bbb9fb
Instruction Fuzzy Hash: D821A3B4E00229CFDB61DF18D880B99BBB6FB48305F1040D9EA09A7745DB746E94CF95

Function 053B42F0 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2114659089.00000000053B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_53b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77eb0d0986b784d0be65fc92ecb77c7650c9a238ac77526a60f0597ea225d3f7
Instruction ID: 1769f1401fcbc0b1798fa24d1eb2e554332239cb81c4626a8facd21b2363440b
Opcode Fuzzy Hash: 77eb0d0986b784d0be65fc92ecb77c7650c9a238ac77526a60f0597ea225d3f7
Instruction Fuzzy Hash: 5201B771E043588BEB48DFAAD84429EBBBBABC9300F14C6298519AB659DB700855CF41

Function 053B42EF Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2114659089.00000000053B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_53b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a09a157af4cf1616b93c33e154dc3ea0ae9cc1e153448e9632f3690031552f9
Instruction ID: 3fdee4d24018a091bbfbbfe86ed458362d9fbdbea7e7c42a3f0dc062f7cb62b3
Opcode Fuzzy Hash: 5a09a157af4cf1616b93c33e154dc3ea0ae9cc1e153448e9632f3690031552f9
Instruction Fuzzy Hash: 0F11B771E043588BEB58CFAA98542EEBBBBAFC9300F14C6298519AB659DB700855CF41

Function 053B898A Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2114659089.00000000053B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_53b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea5631f380406c6c581a687c09be57ec8b545ed2d5b282434a76363909d17f4a
Instruction ID: a521a951ad7cc4094bb6afe65f477d27d335bdc49eee09e2a81077d01f2c9c6c
Opcode Fuzzy Hash: ea5631f380406c6c581a687c09be57ec8b545ed2d5b282434a76363909d17f4a
Instruction Fuzzy Hash: 9701D172B04206DFDF109FA8C8889EABFB9BB42240B010066E601DB661D2B0D514CBA1

Function 053B7C07 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2114659089.00000000053B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_53b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41169d8e4c051d42155b50f1a3a35e14433921a1a0b2db1fb7e0026ca75a3607
Instruction ID: e468e45b2bc5c9de8f24092683354108a479ab7c718243a836d9c54763a04142
Opcode Fuzzy Hash: 41169d8e4c051d42155b50f1a3a35e14433921a1a0b2db1fb7e0026ca75a3607
Instruction Fuzzy Hash: 90F0493590820CEFCB45DF94D981AEDBBB5FB98300F1480ADA919A2211D3769A61EB81

Function 053B54B8 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2114659089.00000000053B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_53b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75591cd248e2c6be311c3aef426c8e7e7394757ff229f8b2c03b7d283a56a149
Instruction ID: d4b035e623a940a36854924421f49133d92e707732944973ed2a389f03ea14be
Opcode Fuzzy Hash: 75591cd248e2c6be311c3aef426c8e7e7394757ff229f8b2c03b7d283a56a149
Instruction Fuzzy Hash: DFF0BE75D0834ADFCB14EFA4D8045EEBBB4FF86310F12846AD618B7641D7706A46CBA2

Function 053B5418 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2114659089.00000000053B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_53b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4dae05b92c8209fa7a4f4b217eb9cc5af3db84fa1c5dd818fdb3e1a76344cf9a
Instruction ID: 2dd7b2e748b1ba9138c4d6249af598cfc715c8bb70db6e76ffadaf58aaa5bcfc
Opcode Fuzzy Hash: 4dae05b92c8209fa7a4f4b217eb9cc5af3db84fa1c5dd818fdb3e1a76344cf9a
Instruction Fuzzy Hash: B8F09A36D08208EFCB41CFA8D800AEDBBB1FB49301F05C0AAD818A3211D7719A12DF41

Function 053BED60 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2114659089.00000000053B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_53b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 070db70a4278d9d8db1881c8b5c08b4f4a2f545d3627553e9d420b0de7e18262
Instruction ID: c9190a642b56920bf3d03ef6fac2d184a626104616bb22fc11a5263c4e07cca0
Opcode Fuzzy Hash: 070db70a4278d9d8db1881c8b5c08b4f4a2f545d3627553e9d420b0de7e18262
Instruction Fuzzy Hash: 91F0D035D0520CEFCB55EFA8D404ADDBBB5FF05300F008169E95467620E7719AA4EF81

Function 02C2FEF8 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2112237908.0000000002C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c20000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3940318787cfedbfbd79c66b590e750a8c2ef39268ec20c469f55b436e30977
Instruction ID: c78909a33520df1bae763a5d67c33f016ff972c32d5e842439cd96964d72fcea
Opcode Fuzzy Hash: a3940318787cfedbfbd79c66b590e750a8c2ef39268ec20c469f55b436e30977
Instruction Fuzzy Hash: 69E06536314258AB8F060F1598148BE7FBEEFC9261B04801AFC55C6200CF75C921DBA0

Function 02C254C1 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2112237908.0000000002C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c20000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5cac5b8851a32b3d19d1943c0267bf149014872c5ec3139e2ff5964bb25aa3d3
Instruction ID: 9700d6e51457407c2cc0b35a9ebeb9eef39207aa7afab564cd725814f25ba613
Opcode Fuzzy Hash: 5cac5b8851a32b3d19d1943c0267bf149014872c5ec3139e2ff5964bb25aa3d3
Instruction Fuzzy Hash: 9201A5799042298FC718DF24D8946E9BBB1FB49304F1045EAD61DA3385D7345E958F41

Function 0539B9BE Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2114631176.0000000005390000.00000040.00000800.00020000.00000000.sdmp, Offset: 05390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5390000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e93c49e61b00436e9f6bb7e4394d6a7f156cf2d23f353a602f9e8b368dea270
Instruction ID: 0a2e5616d76863a669f017d3af9f4f0dc6c331b3b28d4e51f87eafb179e8afe8
Opcode Fuzzy Hash: 7e93c49e61b00436e9f6bb7e4394d6a7f156cf2d23f353a602f9e8b368dea270
Instruction Fuzzy Hash: 6AF0B275A0526CCFCF24DFA5D8547ECBBB2FB8A312F0054EAD00AA6250DB744A85CF11

Function 02C245AE Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2112237908.0000000002C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c20000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: acde2a2f5dbebe8e91167ebe6308a8be97a74586f5fd451de306df452ceb2959
Instruction ID: bd73c017596f585241c2f4704f1227fd81686b8f62dd4f36cf06d8c10e395473
Opcode Fuzzy Hash: acde2a2f5dbebe8e91167ebe6308a8be97a74586f5fd451de306df452ceb2959
Instruction Fuzzy Hash: 2001A274D002698FDB20EB24D9856D8B7B8BF09305F8459E9D44DE2240DBB45AA8CF19

Function 05390D69 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2114631176.0000000005390000.00000040.00000800.00020000.00000000.sdmp, Offset: 05390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5390000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c225f689e30a3c45f2f0536fb97c29a1a7e47015a3a27c4fccce6809cb645c7
Instruction ID: b9970382a664fcd00f8f8da7f7db41e2560758385b79405c303d02bee5f37108
Opcode Fuzzy Hash: 3c225f689e30a3c45f2f0536fb97c29a1a7e47015a3a27c4fccce6809cb645c7
Instruction Fuzzy Hash: D6F01CB4D05248EFDB48DFA8E44475CBBF4AB89300F14C2A9985893701D7356E45CB80

Function 053B7C18 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2114659089.00000000053B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_53b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99d9497880472573cbd70552b4735c582f2a8331e314b72ae8c8128344d22d12
Instruction ID: b4f8f8b0758ce4b79ad596a8643bbb8990a409ab69a97548a77f40b2d0b3ab60
Opcode Fuzzy Hash: 99d9497880472573cbd70552b4735c582f2a8331e314b72ae8c8128344d22d12
Instruction Fuzzy Hash: EBF0D43590420CEFCB45DF98D940ADDBBB5FB48300F10C1A9AD19A2210D7729A61EF80

Function 053B3BDB Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2114659089.00000000053B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_53b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1303953403900a23fae6166b5bf29a8213d78b8ddc9c458c966815868bff169e
Instruction ID: dba4ad314506131ec0a397956ac6482a40759854855e09cb1286b10dbdbd2008
Opcode Fuzzy Hash: 1303953403900a23fae6166b5bf29a8213d78b8ddc9c458c966815868bff169e
Instruction Fuzzy Hash: 67F0F834D04248EFDB44DFA8E540B9DBBB5FB49300F10C6AA9C19A7341D7759A55DB80

Function 053B3C30 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2114659089.00000000053B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_53b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e9fcc476e58448165454b1ebbd3eca5af3de1bdeac0e2259f758cc7e3cdf415
Instruction ID: f4ae7c7b7b9ecca4d42b7103222a917e896b7c5ae588ea1bdc2f4b042db78c3e
Opcode Fuzzy Hash: 1e9fcc476e58448165454b1ebbd3eca5af3de1bdeac0e2259f758cc7e3cdf415
Instruction Fuzzy Hash: 4DE0D8F0445148AFE711DBF4A90079E7FACAB05200F110EA6D50593511DAB04B54E781

Function 053B54C8 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2114659089.00000000053B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_53b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5251ece399a96ef9454e6c5aefd3069c1a57e8c11792622f0ae75be230a76e3c
Instruction ID: e124f4908da56017a163af39aa74bea4fdf373784366946e5b4ed993c54f5393
Opcode Fuzzy Hash: 5251ece399a96ef9454e6c5aefd3069c1a57e8c11792622f0ae75be230a76e3c
Instruction Fuzzy Hash: 95F03071D0421ACBCB14EF98D8015EEF774FF85311F108519D61877201E7716A55CBE1

Function 053B5428 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2114659089.00000000053B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_53b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 843cd9a6101f571bc89fc40dcf96b3f8213f5800eed0887493dc7d0d3ddbc132
Instruction ID: 22602e4849a7110e466f69a3c0a9bfdda78ea051e11f6f73831402c0cc69aa05
Opcode Fuzzy Hash: 843cd9a6101f571bc89fc40dcf96b3f8213f5800eed0887493dc7d0d3ddbc132
Instruction Fuzzy Hash: F2F01C35D04208EFCB44DF98D840A9CBBB5FB48301F10C1A9AC1893310D7719A61DF41

Function 053B537F Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2114659089.00000000053B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_53b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9248d9d59c962f1ba0f192ce87e4cbdf75454d69301c65d7672ef4ae690e7327
Instruction ID: 7f0c93098deedd9e9b3d8d23475a754daa841d5652be8b35ba2e7d83672d415a
Opcode Fuzzy Hash: 9248d9d59c962f1ba0f192ce87e4cbdf75454d69301c65d7672ef4ae690e7327
Instruction Fuzzy Hash: 96F08C34E09388DFC741DBA4E68079DBBF0AB89300F14C5EEC859A3741D2719A45CF41

Function 053B47B0 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2114659089.00000000053B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_53b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cff8b5dda7e6353ad4f694325eeae19724dda55c53487b3fa4776681af1b3430
Instruction ID: 9edf12d86211ee4f8e69429e80fe12bf4e5271a8227e8c8087e2a975a64ecc55
Opcode Fuzzy Hash: cff8b5dda7e6353ad4f694325eeae19724dda55c53487b3fa4776681af1b3430
Instruction Fuzzy Hash: 05E0DFB141A348DFC700CFB4A8053A8BBF8FB07300F0150D2D854D3682D2708E50CB44

Function 053B3BE8 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2114659089.00000000053B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_53b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 902f0b1722007220c3acaeed1182aadc2a87ddc42e3b7d38304a0be910f47b7d
Instruction ID: c7f8f3a61ea91d4dd86c4bc2ff824eea39e89296c2298a4768825cbfeac1c2d9
Opcode Fuzzy Hash: 902f0b1722007220c3acaeed1182aadc2a87ddc42e3b7d38304a0be910f47b7d
Instruction Fuzzy Hash: 67F0A578D04208EFCB44DFA8D540ADCBBB5FB48300F20C5AA9819A3750D7719A55DF80

Function 053B4651 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2114659089.00000000053B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_53b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 416d714bd26d44927d3fe36249a0d93248a6aecb7514e741a08b2e7b8b3c7a72
Instruction ID: 6837c5699300e1cbc773cf29fd700de516363ceb57a187fc8a10b626cbe17d6e
Opcode Fuzzy Hash: 416d714bd26d44927d3fe36249a0d93248a6aecb7514e741a08b2e7b8b3c7a72
Instruction Fuzzy Hash: 14E0DFB180E384DFCB05CFB0A4083E8BFF5AB06200F011095D885D3652C6B00E04EB00

Function 05390D78 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2114631176.0000000005390000.00000040.00000800.00020000.00000000.sdmp, Offset: 05390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5390000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b23b26697111886bba1821b8e111f216b5bc33e2733a9c99f35e7cba80a6826
Instruction ID: 794a5b344ce2bc5dd6411a79f6c4423072f8be6d26fb851d937ba926e23c60e4
Opcode Fuzzy Hash: 9b23b26697111886bba1821b8e111f216b5bc33e2733a9c99f35e7cba80a6826
Instruction Fuzzy Hash: 97E0E578E05208EFCB58DFA8D4446ACBBF4EB88300F10C1A98828A3340D771AE42CF80

Function 053B5390 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2114659089.00000000053B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_53b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15a2c83d6fb18443906240049b44142857c4f04480169838b9ad19166dacd118
Instruction ID: 7919f00f68664ef917b5cf41b141d58da089d829577576ead2eb0063cd3d327f
Opcode Fuzzy Hash: 15a2c83d6fb18443906240049b44142857c4f04480169838b9ad19166dacd118
Instruction Fuzzy Hash: C2E0ED74D04208EFC744DFA8E44069CB7F4FB48300F1082A9981993740D7B19A41CF80

Function 053B3C40 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2114659089.00000000053B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_53b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8150f5b5ca8e33b3d485a9527628d76b2a62021fd0a12e0b69a37bfec6e8301
Instruction ID: d3b52546ec4b35b4d2e7104d3f221a426412b5cb3e88f683d0607196236ebe53
Opcode Fuzzy Hash: b8150f5b5ca8e33b3d485a9527628d76b2a62021fd0a12e0b69a37bfec6e8301
Instruction Fuzzy Hash: 56E0C2B5405108DFD711DFE194006DE77ECEB09200F200AA6C20993510EEB04A40A781

Function 053B2A50 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2114659089.00000000053B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_53b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2da0adb40ad55b81d17f8db005ab0fc91cc8dac90bcb48386a3c1f7d02ea16c4
Instruction ID: 18030a755e4c816dbc24d6aad892a6a1c76cb37440b7745ffb41779f06d510ed
Opcode Fuzzy Hash: 2da0adb40ad55b81d17f8db005ab0fc91cc8dac90bcb48386a3c1f7d02ea16c4
Instruction Fuzzy Hash: B8E0C2B2804208DFD711DFA4D8047DE7BFCEB0A200F005AA6910593610EFB04F089781

Function 053B2A4F Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2114659089.00000000053B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_53b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9e104b69f4a30d8c96c83b57538bbb0384eb0b3f11c013da1b3c5c5615ec863
Instruction ID: 1c0c80b051b7e9d9e034b66c9ff34d869bb7391f4b7017e7f14e7ec238bc3f80
Opcode Fuzzy Hash: a9e104b69f4a30d8c96c83b57538bbb0384eb0b3f11c013da1b3c5c5615ec863
Instruction Fuzzy Hash: CDE0C2B2804148DFD722CFB4A4047EE7BB9EB4A300F105BA6D106A3610DFB10F08DB40

Function 0539A968 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2114631176.0000000005390000.00000040.00000800.00020000.00000000.sdmp, Offset: 05390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5390000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93c7b87dcdd3affb9b1826e92e5a2ab4312daf2d3b6c546c55affdfb2f82a3b5
Instruction ID: d43ad7f7c7af226bdab69064cb51bdd19582dd350a4e0df8dffdf81bd69f8999
Opcode Fuzzy Hash: 93c7b87dcdd3affb9b1826e92e5a2ab4312daf2d3b6c546c55affdfb2f82a3b5
Instruction Fuzzy Hash: F5D0226205A3CC7EE31153E43409320BF6C6302629F0E3212E808060028F90A9C4C752

Function 0539A978 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2114631176.0000000005390000.00000040.00000800.00020000.00000000.sdmp, Offset: 05390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5390000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac5ec90ce1136d7f29a07b3d0f3cf9dbfc144dc791ec51a59b1fecaa49aab2a3
Instruction ID: 114f5c6083ad877a254698e97d58e5e9cdd5eafb88946ead782938ce31395d4a
Opcode Fuzzy Hash: ac5ec90ce1136d7f29a07b3d0f3cf9dbfc144dc791ec51a59b1fecaa49aab2a3
Instruction Fuzzy Hash: CEB09B7105574C47D71456D86409724F75C670571AF493111E50D064504EE0ADD4C655

Non-executed Functions

Function 05397F20 Relevance: 46.9, Strings: 37, Instructions: 629COMMON

Download Yara Rule

Strings

F, xrefs: 05398500
., xrefs: 053985F4
R, xrefs: 053988AA
,, xrefs: 05398586
:j)B, xrefs: 05398835
^, xrefs: 053986E1
Q, xrefs: 0539866E
S, xrefs: 05398105
@, xrefs: 0539837A
/, xrefs: 053981A5
b, xrefs: 05398177
4, xrefs: 053986A8
<, xrefs: 053988DE
`, xrefs: 053982DD
G, xrefs: 053986FF
a, xrefs: 053981FF
4, xrefs: 0539806D
Y, xrefs: 05398729
S, xrefs: 05398873
U, xrefs: 05398481
Q, xrefs: 053986F5
;, xrefs: 05398329
', xrefs: 053980DD
/, xrefs: 053988BE
b, xrefs: 053980EC
dnEA, xrefs: 05398419
F, xrefs: 053982C3
b, xrefs: 05398713
], xrefs: 05398709
2, xrefs: 0539883F
<, xrefs: 053988C8
0, xrefs: 05398453
,, xrefs: 053984CD
#WrA, xrefs: 053984A7
6, xrefs: 0539860A
L, xrefs: 05398224
_, xrefs: 053981C9

Memory Dump Source

Source File: 00000000.00000002.2114631176.0000000005390000.00000040.00000800.00020000.00000000.sdmp, Offset: 05390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5390000_file.jbxd

Similarity

API ID:
String ID: #WrA$'$,$,$.$/$/$0$2$4$4$6$:j)B$;$<$<$@$F$F$G$L$Q$Q$R$S$S$U$Y$]$^$_$`$a$b$b$b$dnEA
API String ID: 0-3494415311
Opcode ID: 4b58a49cbef2228192525fbd499b88de8c567df573b13961598a1281b1b9ba7e
Instruction ID: eec45ad5f9032fed0e85bfa5b63adb0489ab54e47687cd363f55da03140a9e78
Opcode Fuzzy Hash: 4b58a49cbef2228192525fbd499b88de8c567df573b13961598a1281b1b9ba7e
Instruction Fuzzy Hash: 2B728EB5D016698FEB65DF2AC984799BBF6FB88300F1181EAD40CA7354DB755AC18F00

Function 05398D40 Relevance: 46.9, Strings: 37, Instructions: 618COMMON

Download Yara Rule

Strings

_, xrefs: 0539905A
^, xrefs: 05399572
G, xrefs: 05399590
/, xrefs: 0539974F
S, xrefs: 05398FA2
,, xrefs: 05399355
,, xrefs: 05399417
F, xrefs: 0539915A
Q, xrefs: 05399586
], xrefs: 0539959A
S, xrefs: 05399707
', xrefs: 05398F77
`, xrefs: 05399171
b, xrefs: 05399011
<, xrefs: 05399759
R, xrefs: 0539973E
#WrA, xrefs: 05399332
4, xrefs: 05398F01
F, xrefs: 0539938B
L, xrefs: 053990B5
Q, xrefs: 053994FF
@, xrefs: 05399214
4, xrefs: 05399536
6, xrefs: 0539949B
<, xrefs: 0539976F
:j)B, xrefs: 053996C3
b, xrefs: 053995A4
b, xrefs: 05398F89
;, xrefs: 053991BA
Y, xrefs: 053995BA
U, xrefs: 0539930F
., xrefs: 05399488
/, xrefs: 0539903C
2, xrefs: 053996CD
0, xrefs: 053992E4
dnEA, xrefs: 053992AD
a, xrefs: 0539908D

Memory Dump Source

Source File: 00000000.00000002.2114631176.0000000005390000.00000040.00000800.00020000.00000000.sdmp, Offset: 05390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5390000_file.jbxd

Similarity

API ID:
String ID: #WrA$'$,$,$.$/$/$0$2$4$4$6$:j)B$;$<$<$@$F$F$G$L$Q$Q$R$S$S$U$Y$]$^$_$`$a$b$b$b$dnEA
API String ID: 0-3494415311
Opcode ID: e96115127bdc3ce9aac4ac359edf5a13688e17d21ff11e579154b9e288051c16
Instruction ID: aed51a33ee5803bfe0430ff4729176eacf7a6df7360641d7d422c5f50aa75364
Opcode Fuzzy Hash: e96115127bdc3ce9aac4ac359edf5a13688e17d21ff11e579154b9e288051c16
Instruction Fuzzy Hash: D27291B1D016698FEB69DF2AC984799BBF6FF88300F0581EA940CA7354DB755AC18F00

Function 05AC1B10 Relevance: 1.7, Strings: 1, Instructions: 409COMMON

Download Yara Rule

Strings

i, xrefs: 05AC1B5B

Memory Dump Source

Source File: 00000000.00000002.2115595388.0000000005AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ac0000_file.jbxd

Similarity

API ID:
String ID: i
API String ID: 0-3865851505
Opcode ID: 32233bb8cb9f1176128b0dab985a6a9f23724d6e1811b488ab46c158a2dd7011
Instruction ID: c51f778793686d0d56aadad18eb91c9e444cb5d1bf3caf0e8bc1c8600a6f34b2
Opcode Fuzzy Hash: 32233bb8cb9f1176128b0dab985a6a9f23724d6e1811b488ab46c158a2dd7011
Instruction Fuzzy Hash: D322A174D05228CFDB64DF69C994AD9BBB6FB48301F0095EAE40DA7260DB35AE91CF40

Function 05AC3036 Relevance: 1.6, Strings: 1, Instructions: 369COMMON

Download Yara Rule

Strings

H, xrefs: 05AC308D

Memory Dump Source

Source File: 00000000.00000002.2115595388.0000000005AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ac0000_file.jbxd

Similarity

API ID:
String ID: H
API String ID: 0-2852464175
Opcode ID: ff8d382ec4d4b74b818e79ccbfe69ffc6f2ea7b475f1636405e7e47b2f26711e
Instruction ID: 5966059872e7af3498ac040c977472cb0b46ff708651da0b8526edc9d9198a3f
Opcode Fuzzy Hash: ff8d382ec4d4b74b818e79ccbfe69ffc6f2ea7b475f1636405e7e47b2f26711e
Instruction Fuzzy Hash: 0F12A174D05229CFDB64DF25C994AD8BBB6FB88301F1055EAE40EA7260DB35AE91CF40

Function 053B2A89 Relevance: .2, Instructions: 249COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2114659089.00000000053B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_53b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb9234d79f1c9dd64f4656443ab2cb3846125058adb20220199f303cef5c6030
Instruction ID: 825bd56cc3f35cf15ed8b11e249ce8961755ca6287ba7845248d239eab2608d0
Opcode Fuzzy Hash: cb9234d79f1c9dd64f4656443ab2cb3846125058adb20220199f303cef5c6030
Instruction Fuzzy Hash: 45C16975E006288FDB58DF6AC944ADABBF2BF89300F14C1E9D509AB265DB315A81CF50

Function 02C28B88 Relevance: .2, Instructions: 165COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2112237908.0000000002C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c20000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b31aa53b503bfd7e01b49dde2bdde7cb2f05640b48a3eb7a9a358ad0cc6b02a
Instruction ID: aad781da7c2d14fb71d8b3fba100625cf00e64f7c5d63a5da1efb2bd1095d8a6
Opcode Fuzzy Hash: 2b31aa53b503bfd7e01b49dde2bdde7cb2f05640b48a3eb7a9a358ad0cc6b02a
Instruction Fuzzy Hash: 2561C971E002098FDB48EF6AE99079ABBF2FFC8304F14C929D115AB359DBB45915CB90

Function 0539A99B Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2114631176.0000000005390000.00000040.00000800.00020000.00000000.sdmp, Offset: 05390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5390000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c653d7d3145b1494e37225bfbc330e4e7600ea561c53ad882c29201679e823a4
Instruction ID: 08ef87c52ef73855857525fe9144445c7961f1213c55fe3e07dd63ab8f8d6130
Opcode Fuzzy Hash: c653d7d3145b1494e37225bfbc330e4e7600ea561c53ad882c29201679e823a4
Instruction Fuzzy Hash: 3E513E70915319CFDB48DFBAE88069EBFF6BF88308F14A52AD405AB254DF745905CB50

Function 0539A9A8 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2114631176.0000000005390000.00000040.00000800.00020000.00000000.sdmp, Offset: 05390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5390000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 029932ef67e1e3fb63fa335d3a984c242c1a696579628a6fa211f16bb9fbdf53
Instruction ID: 86237dd0254f0652a5d9cf550dff60a75c73b29e945a9d09dde8f42c0f75e53e
Opcode Fuzzy Hash: 029932ef67e1e3fb63fa335d3a984c242c1a696579628a6fa211f16bb9fbdf53
Instruction Fuzzy Hash: 2E513D70915319CFDB48DF7AE88069EBFF6BF88308F14A52AD404AB259DF745905CB90

Function 05ACD0C8 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2115595388.0000000005AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ac0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26ea990e9b21f84ac8e8b75f7799c69feb07782451240479d952a38117f36139
Instruction ID: dbfad620fbf30c67a443b591b5287f61dd787a898c875a105029be20c6cd8442
Opcode Fuzzy Hash: 26ea990e9b21f84ac8e8b75f7799c69feb07782451240479d952a38117f36139
Instruction Fuzzy Hash: 5F41CCB4D04288DFDB14CFA9D984A9EBFF1BB49310F209069E829AB254D7749885CF85

Function 02C28F80 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2112237908.0000000002C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c20000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f71745014e278f3eaec19386ebefd9c5166ca4a815bc589557aed58c47f6bc5d
Instruction ID: 928acef38093b6ca036b4c7c3678885bd4d3ec74a166ca651944337e155b6499
Opcode Fuzzy Hash: f71745014e278f3eaec19386ebefd9c5166ca4a815bc589557aed58c47f6bc5d
Instruction Fuzzy Hash: 28413471D04A68CBEB5CCF6B8D4079AFAF3AFC9301F14C1BA884CAA254DB7009858F51

Function 0539AFF8 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2114631176.0000000005390000.00000040.00000800.00020000.00000000.sdmp, Offset: 05390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5390000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 503ad433fd9f7a7f55f2cba46f325373b2d7be42c13b957bf87826e1c0232237
Instruction ID: 93e2005b3032d9bc7798b041997004f9c8bd7b259f3aead8c65bd7c325572c6b
Opcode Fuzzy Hash: 503ad433fd9f7a7f55f2cba46f325373b2d7be42c13b957bf87826e1c0232237
Instruction Fuzzy Hash: D33197B1D056688BEB28CF67C9157CAFAF6BFC9304F04C1AAC40C6A255DB750A89CF51

Analysis Process: MSBuild.exePID: 6312, Parent PID: 1804COMMON

Execution Graph

Execution Coverage:	4.2%
Dynamic/Decrypted Code Coverage:	0.7%
Signature Coverage:	13%
Total number of Nodes:	2000
Total number of Limit Nodes:	38

Executed Functions

Function 0041B050 Relevance: 231.5, APIs: 121, Strings: 11, Instructions: 507
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcAddress.KERNEL32(?,0041922C), ref: 0041B06C
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B083
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B09A
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B0B1
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B0C8
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B0DF
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B0F6
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B10D
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B124
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B13B
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B152
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B169
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B180
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B197
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B1AE
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B1C5
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B1DC
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B1F3
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B20A
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B221
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B238
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B24F
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B266
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B27D
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B294
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B2AB
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B2C2
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B2D9
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B2F0
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B307
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B31E
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B335
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B34C
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B363
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B37A
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B391
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B3A8
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B3BF
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B3D6
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B3ED
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B404
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B41B
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B432
GetProcAddress.KERNEL32(CreateProcessA), ref: 0041B448
GetProcAddress.KERNEL32(GetThreadContext), ref: 0041B45E
GetProcAddress.KERNEL32(ReadProcessMemory), ref: 0041B474
GetProcAddress.KERNEL32(VirtualAllocEx), ref: 0041B48A
GetProcAddress.KERNEL32(ResumeThread), ref: 0041B4A0
GetProcAddress.KERNEL32(WriteProcessMemory), ref: 0041B4B6
GetProcAddress.KERNEL32(SetThreadContext), ref: 0041B4CC
LoadLibraryA.KERNELBASE(?,0041922C), ref: 0041B4DD
LoadLibraryA.KERNEL32(?,0041922C), ref: 0041B4EE
LoadLibraryA.KERNELBASE(?,0041922C), ref: 0041B4FF
LoadLibraryA.KERNELBASE(?,0041922C), ref: 0041B510
LoadLibraryA.KERNEL32(?,0041922C), ref: 0041B521
LoadLibraryA.KERNEL32(?,0041922C), ref: 0041B532
LoadLibraryA.KERNELBASE(?,0041922C), ref: 0041B543
LoadLibraryA.KERNELBASE(?,0041922C), ref: 0041B554
LoadLibraryA.KERNELBASE(dbghelp.dll,?,0041922C), ref: 0041B564
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B584
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B59B
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B5B2
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B5C9
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B5E0
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B604
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B61B
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B632
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B649
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B660
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B677
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B68E
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B6A5
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B6C5
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B6DC
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B6F3
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B70A
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B721
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B745
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B75C
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B773
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B78A
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B7A1
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B7B8
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B7DC
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B7F3
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B80A
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B821
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B838
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B84F
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B866
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B87D
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B894
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B8B4
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B8CB
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B8E2
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B8F9
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B910
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B930
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B947
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B967
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B97E
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B9A2
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B9B9
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B9D0
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B9E7
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B9FE
GetProcAddress.KERNEL32(?,0041922C), ref: 0041BA15
GetProcAddress.KERNEL32(?,0041922C), ref: 0041BA2C
GetProcAddress.KERNEL32(?,0041922C), ref: 0041BA43
GetProcAddress.KERNEL32(HttpQueryInfoA), ref: 0041BA59
GetProcAddress.KERNEL32(InternetSetOptionA), ref: 0041BA6F
GetProcAddress.KERNEL32(?,0041922C), ref: 0041BA8F
GetProcAddress.KERNEL32(?,0041922C), ref: 0041BAA6
GetProcAddress.KERNEL32(?,0041922C), ref: 0041BABD
GetProcAddress.KERNEL32(?,0041922C), ref: 0041BAD4
GetProcAddress.KERNEL32(?,0041922C), ref: 0041BAF4
GetProcAddress.KERNEL32(?,0041922C), ref: 0041BB14
GetProcAddress.KERNEL32(?,0041922C), ref: 0041BB2B
GetProcAddress.KERNEL32(?,0041922C), ref: 0041BB42
GetProcAddress.KERNEL32(?,0041922C), ref: 0041BB59
GetProcAddress.KERNEL32(SymMatchString), ref: 0041BB78

Strings

SetThreadContext, xrefs: 0041B4C1
SymMatchString, xrefs: 0041BB6D
GetThreadContext, xrefs: 0041B453
ReadProcessMemory, xrefs: 0041B469
CreateProcessA, xrefs: 0041B43D
InternetSetOptionA, xrefs: 0041BA64
VirtualAllocEx, xrefs: 0041B47F
dbghelp.dll, xrefs: 0041B55F
HttpQueryInfoA, xrefs: 0041BA4E
WriteProcessMemory, xrefs: 0041B4AB
ResumeThread, xrefs: 0041B495

Memory Dump Source

Source File: 00000004.00000002.3352878258.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.3352878258.0000000000439000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.000000000043F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000445000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004A6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004A9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004B1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004D1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004DD000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000502000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.000000000050E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.000000000052D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000539000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000005C8000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000643000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad
String ID: CreateProcessA$GetThreadContext$HttpQueryInfoA$InternetSetOptionA$ReadProcessMemory$ResumeThread$SetThreadContext$SymMatchString$VirtualAllocEx$WriteProcessMemory$dbghelp.dll
API String ID: 2238633743-2740034357
Opcode ID: a4580aef7196ab40cac15de4e3c6625ffa806c5fa5d16c7cc0568451c0f19aac
Instruction ID: 64df46d759b3a8e539eb425d674754a75b55508f076e1d27ec912ac7423ac894
Opcode Fuzzy Hash: a4580aef7196ab40cac15de4e3c6625ffa806c5fa5d16c7cc0568451c0f19aac
Instruction Fuzzy Hash: 9552C57D481214EFEB025F61FE19AA43FB3F70B3417197129E91289671E77648A8EF80

Function 00409FC0 Relevance: 44.5, APIs: 20, Strings: 5, Instructions: 760
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00411668: lstrcpyA.KERNEL32(00425200,00000000,?), ref: 004116A7

Part of subcall function 004117E0: lstrcpyA.KERNEL32(00000000,00000000), ref: 0041182C
Part of subcall function 004117E0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041183A

Part of subcall function 0041185B: lstrlenA.KERNEL32(00428E5C,?,00428E5C,?,00000000), ref: 0041186F
Part of subcall function 0041185B: lstrcpyA.KERNEL32(00000000,?), ref: 004118A8
Part of subcall function 0041185B: lstrcatA.KERNEL32(00000000,00000000), ref: 004118B4

Part of subcall function 0041177A: lstrcpyA.KERNEL32(00000000,?,?,?,0041A98C,00000000,?,?,00428E5C,?,00000000), ref: 004117D3

FindFirstFileA.KERNELBASE(00000000,?,00425200,00425200,00000000,?,?,?,00428F3C,00425200), ref: 0040A045
StrCmpCA.SHLWAPI(?,00425240), ref: 0040A0A0
StrCmpCA.SHLWAPI(?,0042523C), ref: 0040A0B6
FindNextFileA.KERNELBASE(000000FF,?), ref: 0040AB2C
FindClose.KERNEL32(000000FF), ref: 0040AB3D

Strings

Google Chrome, xrefs: 0040A834
Brave, xrefs: 0040A2F9
Preferences, xrefs: 0040A318
Opera GX, xrefs: 0040A144
\BraveWallet\Preferences, xrefs: 0040A40E

Memory Dump Source

Source File: 00000004.00000002.3352878258.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.3352878258.0000000000439000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.000000000043F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000445000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004A6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004A9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004B1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004D1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004DD000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000502000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.000000000050E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.000000000052D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000539000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000005C8000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000643000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
String ID: Brave$Google Chrome$Opera GX$Preferences$\BraveWallet\Preferences
API String ID: 3334442632-1189830961
Opcode ID: b6171a64cfc6ab4f13282320838a7735dbd279b900ab7de6f694e87253319736
Instruction ID: 263e58a2a74b46f478eabfba2e73a67f6604dac1ca14d90e5786d28d1d592fab
Opcode Fuzzy Hash: b6171a64cfc6ab4f13282320838a7735dbd279b900ab7de6f694e87253319736
Instruction Fuzzy Hash: 225241719002089BDF24FBB1DC56EED737DAF15304F40416AF61AA21A1EE399B88CF59

Function 004058C4 Relevance: 42.6, APIs: 20, Strings: 4, Instructions: 565
networkstringmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004116B4: lstrcpyA.KERNEL32(?,?,?,?,004118C6,00000000), ref: 004116F4

Part of subcall function 0040430F: ??_U@YAPAXI@Z.MSVCRT ref: 00404373
Part of subcall function 0040430F: ??_U@YAPAXI@Z.MSVCRT ref: 00404387
Part of subcall function 0040430F: ??_U@YAPAXI@Z.MSVCRT ref: 0040439B
Part of subcall function 0040430F: lstrlenA.KERNEL32(00000000,00000000,0000003C), ref: 004043B9
Part of subcall function 0040430F: InternetCrackUrlA.WININET(00000000,00000000), ref: 004043C9

Part of subcall function 00411668: lstrcpyA.KERNEL32(00425200,00000000,?), ref: 004116A7

InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0040595F
StrCmpCA.SHLWAPI(?), ref: 00405975
InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00405AEF
HttpOpenRequestA.WININET(00000000,?,00000000,00000000,00400100,00000000), ref: 00405B4C
lstrlenA.KERNEL32(00000000,00000000,?,?,00000000,?,",00000000,?,mode,00000000,?,00000000,?,00428D7C,00000000), ref: 00405F2B
lstrlenA.KERNEL32(00000000), ref: 00405F3C
GetProcessHeap.KERNEL32(00000000,?), ref: 00405F4C
HeapAlloc.KERNEL32(00000000), ref: 00405F53
lstrlenA.KERNEL32(00000000), ref: 00405F68
memcpy.MSVCRT ref: 00405F7E
lstrlenA.KERNEL32(00000000), ref: 00405F8F
lstrlenA.KERNEL32(00000000,00000000,00000000), ref: 00405FA8
memcpy.MSVCRT ref: 00405FB5
lstrlenA.KERNEL32(00000000,?,?), ref: 00405FCF
HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00405FE2
InternetReadFile.WININET(00000000,?,000000C7,?), ref: 00405FFE
InternetCloseHandle.WININET(00000000), ref: 00406061
InternetCloseHandle.WININET(00000000), ref: 0040606D
InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 00405B84

Part of subcall function 0041185B: lstrlenA.KERNEL32(00428E5C,?,00428E5C,?,00000000), ref: 0041186F
Part of subcall function 0041185B: lstrcpyA.KERNEL32(00000000,?), ref: 004118A8
Part of subcall function 0041185B: lstrcatA.KERNEL32(00000000,00000000), ref: 004118B4

Part of subcall function 0041177A: lstrcpyA.KERNEL32(00000000,?,?,?,0041A98C,00000000,?,?,00428E5C,?,00000000), ref: 004117D3

Part of subcall function 004117E0: lstrcpyA.KERNEL32(00000000,00000000), ref: 0041182C
Part of subcall function 004117E0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041183A

InternetCloseHandle.WININET(00000000), ref: 00406076

Strings

mode, xrefs: 00405EAB
build_id, xrefs: 00405D6A
------, xrefs: 004059F7, 00405B8A, 00405CCA, 00405E0B
", xrefs: 00405C53, 00405D92, 00405ED3

Memory Dump Source

Source File: 00000004.00000002.3352878258.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.3352878258.0000000000439000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.000000000043F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000445000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004A6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004A9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004B1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004D1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004DD000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000502000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.000000000050E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.000000000052D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000539000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000005C8000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000643000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: Internetlstrlen$lstrcpy$CloseHandle$HeapHttpOpenRequestlstrcatmemcpy$AllocConnectCrackFileOptionProcessReadSend
String ID: "$------$build_id$mode
API String ID: 487080699-3829489455
Opcode ID: 99e7d839f9470243f8a500febddaa2585a4ce8104e375d9646ee5b01df51d87c
Instruction ID: c3a436f612394fb5ea9af5c3dff246c6ebafd40c3fbf54516d0a2530dbd512cc
Opcode Fuzzy Hash: 99e7d839f9470243f8a500febddaa2585a4ce8104e375d9646ee5b01df51d87c
Instruction Fuzzy Hash: 0632EB71920118AADB15FBA1DC96FDEB379BF14305F5001AAF216B21B1DF386B88CE54

Function 227F4CF0 Relevance: 19.7, APIs: 7, Strings: 4, Instructions: 461fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,C0000000,00000003,00000000,-00000003,04000102,00000000), ref: 227F4EE1

Strings

winOpen, xrefs: 227F5110
delayed %dms for lock/sharing conflict at line %d, xrefs: 227F4FB5
exclusive, xrefs: 227F4E81
psow, xrefs: 227F51F5

Memory Dump Source

Source File: 00000004.00000002.3363366661.00000000227E8000.00000020.00001000.00020000.00000000.sdmp, Offset: 227E0000, based on PE: true

Associated: 00000004.00000002.3363339337.00000000227E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000227E1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.0000000022946000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000229ED000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229EF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229F8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364756825.0000000022A22000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_227e0000_MSBuild.jbxd

Similarity

API ID: CreateFile
String ID: delayed %dms for lock/sharing conflict at line %d$exclusive$psow$winOpen
API String ID: 823142352-3829269058
Opcode ID: edc2fa0ac1de3f6a03eaead7d89adb80c5f0c766760c844fc7fd72957a080e37
Instruction ID: 549bec0c850178e47fd9028000aad8024878d6f87f90f1ec0e7db80dc8718502
Opcode Fuzzy Hash: edc2fa0ac1de3f6a03eaead7d89adb80c5f0c766760c844fc7fd72957a080e37
Instruction Fuzzy Hash: C8F1D17194C3008FE7148F64CAA8B2BB7E4BB84308F450A29FE49D7399D779D945CB92

Function 004129BF Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 142comCOMMON

Download Yara Rule

APIs

CoInitializeEx.OLE32(00000000,00000000,?,?,?,Windows: ,00000000,?,00428FE4,00000000,?,Work Dir: In memory,00000000,?,00428E48,00000000), ref: 004129E9
CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,Windows: ,00000000,?,00428FE4), ref: 00412A01
CoCreateInstance.OLE32(0042AE78,00000000,00000001,0042ADA8,00000000,?,?,?,Windows: ,00000000,?,00428FE4,00000000,?), ref: 00412A1D
CoSetProxyBlanket.OLE32(00000000,0000000A,00000000,00000000,00000003,00000003,00000000,00000000,?,?,?,Windows: ,00000000,?,00428FE4,00000000), ref: 00412A65
VariantInit.OLEAUT32(?), ref: 00412AC6
VariantClear.OLEAUT32(?), ref: 00412AFC

Strings

displayName, xrefs: 00412AD6
Select * From AntiVirusProduct, xrefs: 00412A6B
Unknown, xrefs: 00412B0E, 00412B22, 00412B44
root\SecurityCenter2, xrefs: 00412A27
WQL, xrefs: 00412A81

Memory Dump Source

Source File: 00000004.00000002.3352878258.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.3352878258.0000000000439000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.000000000043F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000445000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004A6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004A9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004B1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004D1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004DD000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000502000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.000000000050E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.000000000052D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000539000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000005C8000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000643000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: InitializeVariant$BlanketClearCreateInitInstanceProxySecurity
String ID: Select * From AntiVirusProduct$Unknown$WQL$displayName$root\SecurityCenter2
API String ID: 3243281124-2561087649
Opcode ID: 01e7d32d45ff0252796b17b99a1afcd933ba27ea36f00a65b271f1c55a8e973d
Instruction ID: cc2f9b12050fb50489b4dacd928ba9f1606622a753a49b6d6fc2a760caa5f7a5
Opcode Fuzzy Hash: 01e7d32d45ff0252796b17b99a1afcd933ba27ea36f00a65b271f1c55a8e973d
Instruction Fuzzy Hash: 01512971A44208AFEB10CF94DD46FEDBBB8EB08711F604116F611FA1E0C7B8A951CB69

Function 00411D31 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 93memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00411668: lstrcpyA.KERNEL32(00425200,00000000,?), ref: 004116A7

GetKeyboardLayoutList.USER32(00000000,00000000,00425200), ref: 00411D59
LocalAlloc.KERNELBASE(00000040,?), ref: 00411D71
GetKeyboardLayoutList.USER32(?,00000000), ref: 00411D83
GetLocaleInfoA.KERNEL32(00000000,00000002,?,00000200), ref: 00411DD3
LocalFree.KERNEL32(00000000), ref: 00411E90

Strings

/ , xrefs: 00411DF0

Memory Dump Source

Source File: 00000004.00000002.3352878258.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.3352878258.0000000000439000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.000000000043F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000445000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004A6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004A9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004B1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004D1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004DD000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000502000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.000000000050E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.000000000052D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000539000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000005C8000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000643000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: KeyboardLayoutListLocal$AllocFreeInfoLocalelstrcpy
String ID: /
API String ID: 3090951853-4001269591
Opcode ID: 15a7ab0f5f0475079f1a4d254d2fab6afe80d822c98d4419e6fd3bbb7ed8be85
Instruction ID: c70b1ae06e32fba280522d5ae6b93e050f7c05b062ce08c862d254046d427c6b
Opcode Fuzzy Hash: 15a7ab0f5f0475079f1a4d254d2fab6afe80d822c98d4419e6fd3bbb7ed8be85
Instruction Fuzzy Hash: 8C410E7594021CEBDB20EB90DC89BEDB3B8EB14305F2041DAE61AA61A1DB785FC5CF54

Function 004138BA Relevance: 7.6, APIs: 5, Instructions: 51processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 004138F5
Process32First.KERNEL32(00429888,00000128), ref: 00413908
Process32Next.KERNEL32(00429888,00000128), ref: 0041391C
StrCmpCA.SHLWAPI(?,0042988C), ref: 00413930
FindCloseChangeNotification.KERNELBASE(00429888), ref: 00413943

Memory Dump Source

Source File: 00000004.00000002.3352878258.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.3352878258.0000000000439000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.000000000043F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000445000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004A6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004A9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004B1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004D1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004DD000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000502000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.000000000050E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.000000000052D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000539000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000005C8000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000643000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: Process32$ChangeCloseCreateFindFirstNextNotificationSnapshotToolhelp32
String ID:
API String ID: 3243318325-0
Opcode ID: 2a4b200a08ed556fe0b76f61f99fc73be8100933646605b45de0898bc31b2ca7
Instruction ID: c76ae2ebba4cdfdbec52cc22ef4db84e697ee2aab148ee9ae3442f35c02f241c
Opcode Fuzzy Hash: 2a4b200a08ed556fe0b76f61f99fc73be8100933646605b45de0898bc31b2ca7
Instruction Fuzzy Hash: 2B11C2B5900249EFDF118F91CD09BEFBBBDFB06791F00016AE505A62A0D7B88B40CB65

Function 0041246A Relevance: 6.1, APIs: 4, Instructions: 56processCOMMON

Download Yara Rule

APIs

Part of subcall function 00411668: lstrcpyA.KERNEL32(00425200,00000000,?), ref: 004116A7

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00412491
Process32First.KERNEL32(00000000,00000128), ref: 004124A4
Process32Next.KERNEL32(00000000,00000128), ref: 004124B8

Part of subcall function 0041185B: lstrlenA.KERNEL32(00428E5C,?,00428E5C,?,00000000), ref: 0041186F
Part of subcall function 0041185B: lstrcpyA.KERNEL32(00000000,?), ref: 004118A8
Part of subcall function 0041185B: lstrcatA.KERNEL32(00000000,00000000), ref: 004118B4

Part of subcall function 0041177A: lstrcpyA.KERNEL32(00000000,?,?,?,0041A98C,00000000,?,?,00428E5C,?,00000000), ref: 004117D3

CloseHandle.KERNEL32(00000000), ref: 00412525

Memory Dump Source

Source File: 00000004.00000002.3352878258.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.3352878258.0000000000439000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.000000000043F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000445000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004A6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004A9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004B1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004D1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004DD000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000502000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.000000000050E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.000000000052D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000539000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000005C8000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000643000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: lstrcpy$Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcatlstrlen
String ID:
API String ID: 1066202413-0
Opcode ID: 977ae0b600e9dfa5c8bb5876995a90588de119cf502625faec0d1e404a198b9a
Instruction ID: 2c0229d212547161a0eb93f3d0d5d82303ca8f07f9ab92fbeb1aaa96aca691bd
Opcode Fuzzy Hash: 977ae0b600e9dfa5c8bb5876995a90588de119cf502625faec0d1e404a198b9a
Instruction Fuzzy Hash: CC212935900118EBCB11EB60DD56AEDB379AF15309F5041EAA60AB61A0EF349FC8CF94

Function 00411CBF Relevance: 6.0, APIs: 4, Instructions: 31memorytimeCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,00428E48,00000000,?,00000000,00000000,?,Computer Name: ,00000000,?,00428E48,00000000,?,00000000,00000000), ref: 00411CCF
HeapAlloc.KERNEL32(00000000), ref: 00411CD6
GetTimeZoneInformation.KERNELBASE(?), ref: 00411CE9
wsprintfA.USER32 ref: 00411D20

Memory Dump Source

Source File: 00000004.00000002.3352878258.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.3352878258.0000000000439000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.000000000043F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000445000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004A6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004A9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004B1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004D1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004DD000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000502000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.000000000050E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.000000000052D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000539000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000005C8000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000643000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: Heap$AllocInformationProcessTimeZonewsprintf
String ID:
API String ID: 362916592-0
Opcode ID: 203e413fed742de3b00b513deca226d0cff61aa8e2789412112a4631cc96891a
Instruction ID: daf70193e9c0513ecb3072794c83a438d37f7fdfa3376bc861271b49892c1553
Opcode Fuzzy Hash: 203e413fed742de3b00b513deca226d0cff61aa8e2789412112a4631cc96891a
Instruction Fuzzy Hash: 2BF0BE70A003289FDB20AB24FC0AB9977BBBB02345F1001D5F209AA2E0D7749EC0CF02

Function 00407E41 Relevance: 4.5, APIs: 3, Instructions: 43memoryencryptionCOMMON

Download Yara Rule

APIs

CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00407E65
LocalAlloc.KERNEL32(00000040,00000000), ref: 00407E83
LocalFree.KERNEL32(?), ref: 00407EAB

Memory Dump Source

Source File: 00000004.00000002.3352878258.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.3352878258.0000000000439000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.000000000043F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000445000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004A6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004A9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004B1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004D1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004DD000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000502000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.000000000050E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.000000000052D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000539000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000005C8000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000643000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: Local$AllocCryptDataFreeUnprotect
String ID:
API String ID: 2068576380-0
Opcode ID: ec7d2c3964d9433e1bd8db3b7e97589d228e91b9e021ed9bd7c00834a8d4e7c8
Instruction ID: c73416beba9d1fde4238afde8a7e84a4d4aa4311c1f55aef6ad3ec00fa4115b4
Opcode Fuzzy Hash: ec7d2c3964d9433e1bd8db3b7e97589d228e91b9e021ed9bd7c00834a8d4e7c8
Instruction Fuzzy Hash: 72019279900209EFCB01DF98D945A9E7BF5FB09300F0000A5F901AB2A0D774AE50DF61

Function 00411BEC Relevance: 4.5, APIs: 3, Instructions: 18memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,0041A955), ref: 00411BF8
HeapAlloc.KERNEL32(00000000,?,?,?,0041A955), ref: 00411BFF
GetUserNameA.ADVAPI32(?,00000104), ref: 00411C16

Memory Dump Source

Source File: 00000004.00000002.3352878258.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.3352878258.0000000000439000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.000000000043F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000445000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004A6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004A9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004B1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004D1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004DD000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000502000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.000000000050E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.000000000052D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000539000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000005C8000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000643000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: Heap$AllocNameProcessUser
String ID:
API String ID: 1206570057-0
Opcode ID: cdb89f3b8d2170a32c4f5d9c7d109af83218dd3f9df08350fd3753d412c9dc7b
Instruction ID: 6ad48150bf72aad5a6046b0908b1c33b434ec51fc494a64bf18a9d81697ab1ea
Opcode Fuzzy Hash: cdb89f3b8d2170a32c4f5d9c7d109af83218dd3f9df08350fd3753d412c9dc7b
Instruction Fuzzy Hash: B3E04CB4A00608FFDB10DBD4DC49FADBBB8FB04749F904065F601E2160D7B45A459B64

Function 00411F21 Relevance: 3.0, APIs: 2, Instructions: 15COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNELBASE(00000000), ref: 00411F2E
wsprintfA.USER32 ref: 00411F43

Memory Dump Source

Source File: 00000004.00000002.3352878258.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.3352878258.0000000000439000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.000000000043F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000445000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004A6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004A9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004B1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004D1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004DD000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000502000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.000000000050E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.000000000052D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000539000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000005C8000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000643000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: InfoSystemwsprintf
String ID:
API String ID: 2452939696-0
Opcode ID: 2f2772df9e2289074dc65a3b003ee837af4eb9d8d63b789a1da4cf5f031d46f7
Instruction ID: 9caa33327a18f9dae679d202d2ba32c4f74d5e180e33a6cc9dfb65b88a9d38f3
Opcode Fuzzy Hash: 2f2772df9e2289074dc65a3b003ee837af4eb9d8d63b789a1da4cf5f031d46f7
Instruction Fuzzy Hash: F6D05EB180011CABCB00DBE0FC499D977BCBB09208F4408B1E614E2040E3B8EAD88BA8

Function 0041A76B Relevance: 257.6, APIs: 139, Strings: 8, Instructions: 337
sleepstringlibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(Taxonomic sequence (also known as systematic, phyletic or taxonomic order) is a sequence followed in listing of taxa which aids ea), ref: 0041A776
lstrlenW.KERNEL32(The 1999 Rushmoor Council election took place on 6 May 1999 to elect members of Rushmoor Borough Council in Hampshire, England. On), ref: 0041A781
lstrlenW.KERNEL32(Oregon Ballot Measure 56 or House Joint Resolution 15 (HJR 15) is a legislatively referred constitutional amendment that enacted l), ref: 0041A78C
lstrlenW.KERNEL32(The 1967 October Revolution Parade is the parade on Moscow's Red Square devoted to the 50th anniversary of the Great October Socia), ref: 0041A797
lstrlenW.KERNEL32(I-11 was an Imperial Japanese Navy Type A1 submarine that served during World War II. Designed as a submarine aircraft carrier and), ref: 0041A7A2
LoadLibraryA.KERNEL32(kernel32.dll), ref: 0041A7AD
GetProcAddress.KERNEL32(00000000,Sleep), ref: 0041A7C4
GetProcAddress.KERNEL32(00000000,GetSystemTime), ref: 0041A7D7

Part of subcall function 0041185B: lstrlenA.KERNEL32(00428E5C,?,00428E5C,?,00000000), ref: 0041186F
Part of subcall function 0041185B: lstrcpyA.KERNEL32(00000000,?), ref: 004118A8
Part of subcall function 0041185B: lstrcatA.KERNEL32(00000000,00000000), ref: 004118B4

Part of subcall function 0041177A: lstrcpyA.KERNEL32(00000000,?,?,?,0041A98C,00000000,?,?,00428E5C,?,00000000), ref: 004117D3

Sleep.KERNELBASE(00000014), ref: 0041A7E4
Sleep.KERNELBASE(00000014), ref: 0041A7EC
Sleep.KERNEL32(00000014), ref: 0041A7F4
Sleep.KERNEL32(00000014), ref: 0041A7FC
Sleep.KERNEL32(00000014), ref: 0041A804
Sleep.KERNEL32(00000014), ref: 0041A80C
lstrlenW.KERNEL32(Taxonomic sequence (also known as systematic, phyletic or taxonomic order) is a sequence followed in listing of taxa which aids ea), ref: 0041A817
lstrlenW.KERNEL32(The 1999 Rushmoor Council election took place on 6 May 1999 to elect members of Rushmoor Borough Council in Hampshire, England. On), ref: 0041A822
lstrlenW.KERNEL32(Oregon Ballot Measure 56 or House Joint Resolution 15 (HJR 15) is a legislatively referred constitutional amendment that enacted l), ref: 0041A82D
lstrlenW.KERNEL32(The 1967 October Revolution Parade is the parade on Moscow's Red Square devoted to the 50th anniversary of the Great October Socia), ref: 0041A838
lstrlenW.KERNEL32(I-11 was an Imperial Japanese Navy Type A1 submarine that served during World War II. Designed as a submarine aircraft carrier and), ref: 0041A843
Sleep.KERNEL32(00000014), ref: 0041A84B
Sleep.KERNEL32(00000014), ref: 0041A853
Sleep.KERNEL32(00000014), ref: 0041A85B
Sleep.KERNEL32(00000014), ref: 0041A863
Sleep.KERNEL32(00000014), ref: 0041A86B
Sleep.KERNEL32(00000014), ref: 0041A873
Sleep.KERNEL32(00000014), ref: 0041A880
Sleep.KERNEL32(00000014), ref: 0041A888
Sleep.KERNEL32(00000014), ref: 0041A890
Sleep.KERNEL32(00000014), ref: 0041A898
Sleep.KERNEL32(00000014), ref: 0041A8A0
Sleep.KERNEL32(00000014), ref: 0041A8A8
Sleep.KERNELBASE(00000014), ref: 0041A8B5
Sleep.KERNEL32(00000014), ref: 0041A8BD
Sleep.KERNEL32(00000014), ref: 0041A8C5
Sleep.KERNEL32(00000014), ref: 0041A8CD
Sleep.KERNEL32(00000014), ref: 0041A8D5
Sleep.KERNEL32(00000014), ref: 0041A8DD
Sleep.KERNEL32(00000014), ref: 0041A8E5
Sleep.KERNEL32(00000014), ref: 0041A8ED
Sleep.KERNEL32(00000014), ref: 0041A8F5
Sleep.KERNEL32(00000014), ref: 0041A8FD
Sleep.KERNEL32(00000014), ref: 0041A905
Sleep.KERNEL32(00000014), ref: 0041A90D
Sleep.KERNEL32(00000014,00425200), ref: 0041A922
Sleep.KERNEL32(00000014), ref: 0041A92A
Sleep.KERNEL32(00000014), ref: 0041A932
Sleep.KERNEL32(00000014), ref: 0041A93A
Sleep.KERNEL32(00000014), ref: 0041A942
Sleep.KERNEL32(00000014), ref: 0041A94A
Sleep.KERNELBASE(00000014,00000000,?,?,00428E5C,?,00000000), ref: 0041A9A6
Sleep.KERNEL32(00000014), ref: 0041A9AE
Sleep.KERNEL32(00000014), ref: 0041A9B6
Sleep.KERNEL32(00000014), ref: 0041A9BE
Sleep.KERNEL32(00000014), ref: 0041A9C6
Sleep.KERNEL32(00000014), ref: 0041A9CE
Sleep.KERNEL32(00000014), ref: 0041A9D6
Sleep.KERNEL32(00000014), ref: 0041A9DE
Sleep.KERNEL32(00000014), ref: 0041A9E6
Sleep.KERNEL32(00000014), ref: 0041A9EE
Sleep.KERNEL32(00000014), ref: 0041A9F6
Sleep.KERNEL32(00000014), ref: 0041A9FE
Sleep.KERNEL32(00000014), ref: 0041AA0F
Sleep.KERNEL32(00000014), ref: 0041AA17
Sleep.KERNEL32(00000014), ref: 0041AA1F
Sleep.KERNEL32(00000014), ref: 0041AA27
Sleep.KERNEL32(00000014), ref: 0041AA2F
Sleep.KERNEL32(00000014), ref: 0041AA37
OpenEventA.KERNEL32(001F0003,00000000,00000000), ref: 0041AA4D
Sleep.KERNEL32(00000014), ref: 0041AA5E
Sleep.KERNEL32(00000014), ref: 0041AA66
Sleep.KERNEL32(00000014), ref: 0041AA6E
Sleep.KERNEL32(00000014), ref: 0041AA76
Sleep.KERNEL32(00000014), ref: 0041AA7E
Sleep.KERNEL32(00000014), ref: 0041AA86
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 0041AA9B
Sleep.KERNEL32(00000014), ref: 0041AAA6
Sleep.KERNEL32(00000014), ref: 0041AAAE
Sleep.KERNEL32(00000014), ref: 0041AAB6
Sleep.KERNEL32(00000014), ref: 0041AABE
Sleep.KERNEL32(00000014), ref: 0041AAC6
Sleep.KERNEL32(00000014), ref: 0041AACE
Sleep.KERNEL32(00000014), ref: 0041AADA
Sleep.KERNEL32(00000014), ref: 0041AAE2
Sleep.KERNEL32(00000014), ref: 0041AAEA
Sleep.KERNEL32(00000014), ref: 0041AAF2
Sleep.KERNEL32(00000014), ref: 0041AAFA
Sleep.KERNEL32(00000014), ref: 0041AB02
CloseHandle.KERNEL32(00000000), ref: 0041AB0B
Sleep.KERNEL32(00001B58), ref: 0041AB16
Sleep.KERNEL32(00000014), ref: 0041AB1E
Sleep.KERNEL32(00000014), ref: 0041AB26
Sleep.KERNEL32(00000014), ref: 0041AB2E
Sleep.KERNEL32(00000014), ref: 0041AB36
Sleep.KERNEL32(00000014), ref: 0041AB3E
Sleep.KERNEL32(00000014), ref: 0041AB46
Sleep.KERNEL32(00000014), ref: 0041AB53
Sleep.KERNEL32(00000014), ref: 0041AB5B
Sleep.KERNEL32(00000014), ref: 0041AB63
Sleep.KERNEL32(00000014), ref: 0041AB6B
Sleep.KERNEL32(00000014), ref: 0041AB73
Sleep.KERNEL32(00000014), ref: 0041AB7B
Sleep.KERNEL32(00000014), ref: 0041AB83
Sleep.KERNEL32(00000014), ref: 0041AB8B
Sleep.KERNEL32(00000014), ref: 0041AB93
Sleep.KERNEL32(00000014), ref: 0041AB9B
Sleep.KERNEL32(00000014), ref: 0041ABA3
Sleep.KERNEL32(00000014), ref: 0041ABAB
Sleep.KERNEL32(00000014), ref: 0041ABB8
Sleep.KERNEL32(00000014), ref: 0041ABC0
Sleep.KERNEL32(00000014), ref: 0041ABC8
Sleep.KERNEL32(00000014), ref: 0041ABD0
Sleep.KERNEL32(00000014), ref: 0041ABD8
Sleep.KERNEL32(00000014), ref: 0041ABE0
Sleep.KERNEL32(00000014), ref: 0041ABE8
Sleep.KERNEL32(00000014), ref: 0041ABF0
Sleep.KERNEL32(00000014), ref: 0041ABF8
Sleep.KERNEL32(00000014), ref: 0041AC00
Sleep.KERNEL32(00000014), ref: 0041AC08
Sleep.KERNEL32(00000014), ref: 0041AC10
CloseHandle.KERNEL32(?), ref: 0041AC19
Sleep.KERNEL32(00000014), ref: 0041AC21
Sleep.KERNEL32(00000014), ref: 0041AC29
Sleep.KERNEL32(00000014), ref: 0041AC31
Sleep.KERNEL32(00000014), ref: 0041AC39
Sleep.KERNEL32(00000014), ref: 0041AC41
Sleep.KERNEL32(00000014), ref: 0041AC49
Sleep.KERNEL32(00000014), ref: 0041AC51
Sleep.KERNEL32(00000014), ref: 0041AC59
Sleep.KERNEL32(00000014), ref: 0041AC61
Sleep.KERNEL32(00000014), ref: 0041AC69
Sleep.KERNEL32(00000014), ref: 0041AC71
Sleep.KERNEL32(00000014), ref: 0041AC79
Sleep.KERNEL32(00000014), ref: 0041AC81
Sleep.KERNEL32(00000014), ref: 0041AC89
Sleep.KERNEL32(00000014), ref: 0041AC91
Sleep.KERNEL32(00000014), ref: 0041AC99
Sleep.KERNEL32(00000014), ref: 0041ACA1
Sleep.KERNEL32(00000014), ref: 0041ACA9
ExitProcess.KERNEL32 ref: 0041ACB1

Strings

Sleep, xrefs: 0041A7BC
Taxonomic sequence (also known as systematic, phyletic or taxonomic order) is a sequence followed in listing of taxa which aids ea, xrefs: 0041A771, 0041A812
Oregon Ballot Measure 56 or House Joint Resolution 15 (HJR 15) is a legislatively referred constitutional amendment that enacted l, xrefs: 0041A787, 0041A828
I-11 was an Imperial Japanese Navy Type A1 submarine that served during World War II. Designed as a submarine aircraft carrier and, xrefs: 0041A79D, 0041A83E
The 1999 Rushmoor Council election took place on 6 May 1999 to elect members of Rushmoor Borough Council in Hampshire, England. On, xrefs: 0041A77C, 0041A81D
kernel32.dll, xrefs: 0041A7A8
GetSystemTime, xrefs: 0041A7CF
The 1967 October Revolution Parade is the parade on Moscow's Red Square devoted to the 50th anniversary of the Great October Socia, xrefs: 0041A792, 0041A833

Memory Dump Source

Source File: 00000004.00000002.3352878258.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.3352878258.0000000000439000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.000000000043F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000445000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004A6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004A9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004B1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004D1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004DD000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000502000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.000000000050E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.000000000052D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000539000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000005C8000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000643000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: Sleep$lstrlen$AddressCloseEventHandleProclstrcpy$CreateExitLibraryLoadOpenProcesslstrcat
String ID: GetSystemTime$I-11 was an Imperial Japanese Navy Type A1 submarine that served during World War II. Designed as a submarine aircraft carrier and$Oregon Ballot Measure 56 or House Joint Resolution 15 (HJR 15) is a legislatively referred constitutional amendment that enacted l$Sleep$Taxonomic sequence (also known as systematic, phyletic or taxonomic order) is a sequence followed in listing of taxa which aids ea$The 1967 October Revolution Parade is the parade on Moscow's Red Square devoted to the 50th anniversary of the Great October Socia$The 1999 Rushmoor Council election took place on 6 May 1999 to elect members of Rushmoor Borough Council in Hampshire, England. On$kernel32.dll
API String ID: 1968030747-1157189060
Opcode ID: 54532dd25730401e9619ccf941eb7a63a5c16019b915d8d70357fc5f908c5c95
Instruction ID: d0fc9c7f70cd4d74f070b5276f1611ca398b8472acf39be3ffb0404d49fc07f7
Opcode Fuzzy Hash: 54532dd25730401e9619ccf941eb7a63a5c16019b915d8d70357fc5f908c5c95
Instruction Fuzzy Hash: 40D1AB356E121DEFDB006BE0AC2EBE87A6AAB17702F551125B30E9D0F0DAB444C19F75

Function 0041AAD6 Relevance: 105.2, APIs: 70, Instructions: 160
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(00000014), ref: 0041AA0F
Sleep.KERNEL32(00000014), ref: 0041AA17
Sleep.KERNEL32(00000014), ref: 0041AA1F
Sleep.KERNEL32(00000014), ref: 0041AA27
Sleep.KERNEL32(00000014), ref: 0041AA2F
Sleep.KERNEL32(00000014), ref: 0041AA37
OpenEventA.KERNEL32(001F0003,00000000,00000000), ref: 0041AA4D
Sleep.KERNEL32(00000014), ref: 0041AA5E
Sleep.KERNEL32(00000014), ref: 0041AA66
Sleep.KERNEL32(00000014), ref: 0041AA6E
Sleep.KERNEL32(00000014), ref: 0041AA76
Sleep.KERNEL32(00000014), ref: 0041AA7E
Sleep.KERNEL32(00000014), ref: 0041AA86
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 0041AA9B
Sleep.KERNEL32(00000014), ref: 0041AAA6
Sleep.KERNEL32(00000014), ref: 0041AAAE
Sleep.KERNEL32(00000014), ref: 0041AAB6
Sleep.KERNEL32(00000014), ref: 0041AABE
Sleep.KERNEL32(00000014), ref: 0041AAC6
Sleep.KERNEL32(00000014), ref: 0041AACE
Sleep.KERNEL32(00000014), ref: 0041AADA
Sleep.KERNEL32(00000014), ref: 0041AAE2
Sleep.KERNEL32(00000014), ref: 0041AAEA
Sleep.KERNEL32(00000014), ref: 0041AAF2
Sleep.KERNEL32(00000014), ref: 0041AAFA
Sleep.KERNEL32(00000014), ref: 0041AB02
CloseHandle.KERNEL32(00000000), ref: 0041AB0B
Sleep.KERNEL32(00001B58), ref: 0041AB16
Sleep.KERNEL32(00000014), ref: 0041AB1E
Sleep.KERNEL32(00000014), ref: 0041AB26
Sleep.KERNEL32(00000014), ref: 0041AB2E
Sleep.KERNEL32(00000014), ref: 0041AB36
Sleep.KERNEL32(00000014), ref: 0041AB3E
Sleep.KERNEL32(00000014), ref: 0041AB46
Sleep.KERNEL32(00000014), ref: 0041AB53
Sleep.KERNEL32(00000014), ref: 0041AB5B
Sleep.KERNEL32(00000014), ref: 0041AB63
Sleep.KERNEL32(00000014), ref: 0041AB6B
Sleep.KERNEL32(00000014), ref: 0041AB73
Sleep.KERNEL32(00000014), ref: 0041AB7B
Sleep.KERNEL32(00000014), ref: 0041AB83
Sleep.KERNEL32(00000014), ref: 0041AB8B
Sleep.KERNEL32(00000014), ref: 0041AB93
Sleep.KERNEL32(00000014), ref: 0041AB9B
Sleep.KERNEL32(00000014), ref: 0041ABA3
Sleep.KERNEL32(00000014), ref: 0041ABAB
Sleep.KERNEL32(00000014), ref: 0041ABB8
Sleep.KERNEL32(00000014), ref: 0041ABC0
Sleep.KERNEL32(00000014), ref: 0041ABC8
Sleep.KERNEL32(00000014), ref: 0041ABD0
Sleep.KERNEL32(00000014), ref: 0041ABD8
Sleep.KERNEL32(00000014), ref: 0041ABE0
Sleep.KERNEL32(00000014), ref: 0041ABE8
Sleep.KERNEL32(00000014), ref: 0041ABF0
Sleep.KERNEL32(00000014), ref: 0041ABF8
Sleep.KERNEL32(00000014), ref: 0041AC00
Sleep.KERNEL32(00000014), ref: 0041AC08
Sleep.KERNEL32(00000014), ref: 0041AC10
CloseHandle.KERNEL32(?), ref: 0041AC19
Sleep.KERNEL32(00000014), ref: 0041AC21
Sleep.KERNEL32(00000014), ref: 0041AC29
Sleep.KERNEL32(00000014), ref: 0041AC31
Sleep.KERNEL32(00000014), ref: 0041AC39
Sleep.KERNEL32(00000014), ref: 0041AC41
Sleep.KERNEL32(00000014), ref: 0041AC49
Sleep.KERNEL32(00000014), ref: 0041AC51
Sleep.KERNEL32(00000014), ref: 0041AC59
Sleep.KERNEL32(00000014), ref: 0041AC61
Sleep.KERNEL32(00000014), ref: 0041AC69
Sleep.KERNEL32(00000014), ref: 0041AC71
Sleep.KERNEL32(00000014), ref: 0041AC79
Sleep.KERNEL32(00000014), ref: 0041AC81
Sleep.KERNEL32(00000014), ref: 0041AC89
Sleep.KERNEL32(00000014), ref: 0041AC91
Sleep.KERNEL32(00000014), ref: 0041AC99
Sleep.KERNEL32(00000014), ref: 0041ACA1
Sleep.KERNEL32(00000014), ref: 0041ACA9
ExitProcess.KERNEL32 ref: 0041ACB1

Memory Dump Source

Source File: 00000004.00000002.3352878258.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.3352878258.0000000000439000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.000000000043F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000445000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004A6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004A9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004B1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004D1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004DD000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000502000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.000000000050E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.000000000052D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000539000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000005C8000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000643000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: Sleep$CloseEventHandle$CreateExitOpenProcess
String ID:
API String ID: 3990214622-0
Opcode ID: 939382f14eacfc35bc189caa75c6057b8e340a7325aef0680f6e940db5972843
Instruction ID: 010346d2f35c5d2b6dfb22c7d70376198b9011b0162d7776d674804ad5e558a3
Opcode Fuzzy Hash: 939382f14eacfc35bc189caa75c6057b8e340a7325aef0680f6e940db5972843
Instruction Fuzzy Hash: AC5157395E620DEFEB006BE09D1EBE83666AB17706F151015B30E9C0F0CA7444C59F36

Function 00404E03 Relevance: 58.5, APIs: 25, Strings: 8, Instructions: 713
stringnetworkmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00411668: lstrcpyA.KERNEL32(00425200,00000000,?), ref: 004116A7

Part of subcall function 004116B4: lstrcpyA.KERNEL32(?,?,?,?,004118C6,00000000), ref: 004116F4

Part of subcall function 0040430F: ??_U@YAPAXI@Z.MSVCRT ref: 00404373
Part of subcall function 0040430F: ??_U@YAPAXI@Z.MSVCRT ref: 00404387
Part of subcall function 0040430F: ??_U@YAPAXI@Z.MSVCRT ref: 0040439B
Part of subcall function 0040430F: lstrlenA.KERNEL32(00000000,00000000,0000003C), ref: 004043B9
Part of subcall function 0040430F: InternetCrackUrlA.WININET(00000000,00000000), ref: 004043C9

lstrlenA.KERNEL32(00000000), ref: 00404E8B

Part of subcall function 0041302D: CryptBinaryToStringA.CRYPT32(00000000,00404E7F,40000001,00000000,00000000), ref: 0041304A

StrCmpCA.SHLWAPI(?,00425200,00425200,00425200,00425200), ref: 00404EEF
InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00404F17
InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00405025
HttpOpenRequestA.WININET(00000000,?,00000000,00000000,00400100,00000000), ref: 00405082
InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 004050BA

Part of subcall function 0041177A: lstrcpyA.KERNEL32(00000000,?,?,?,0041A98C,00000000,?,?,00428E5C,?,00000000), ref: 004117D3

Part of subcall function 0041185B: lstrlenA.KERNEL32(00428E5C,?,00428E5C,?,00000000), ref: 0041186F
Part of subcall function 0041185B: lstrcpyA.KERNEL32(00000000,?), ref: 004118A8
Part of subcall function 0041185B: lstrcatA.KERNEL32(00000000,00000000), ref: 004118B4

Part of subcall function 004117E0: lstrcpyA.KERNEL32(00000000,00000000), ref: 0041182C
Part of subcall function 004117E0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041183A

lstrlenA.KERNEL32(00000000,00000000,?,",00000000,?,file_data,00000000,?,00000000,?,00428D7C,00000000,?,00000000,00000000), ref: 00405579
lstrlenA.KERNEL32(00000000), ref: 0040558D
GetProcessHeap.KERNEL32(00000000,?), ref: 0040559D
HeapAlloc.KERNEL32(00000000), ref: 004055A4
lstrlenA.KERNEL32(00000000), ref: 004055B9
memcpy.MSVCRT ref: 004055CF
lstrlenA.KERNEL32(00000000,00000000,00000000), ref: 004055E6
memcpy.MSVCRT ref: 004055F3
lstrlenA.KERNEL32(00000000), ref: 00405604
lstrlenA.KERNEL32(00000000,00000000,00000000), ref: 0040561D
memcpy.MSVCRT ref: 0040562D
lstrlenA.KERNEL32(00000000,?,?), ref: 00405647
HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 0040565A
HttpQueryInfoA.WININET(00000000,00000013,?,00000100,00000000), ref: 0040568D
InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00405730
StrCmpCA.SHLWAPI(00000000,block), ref: 004057A1
ExitProcess.KERNEL32 ref: 004057AD
InternetCloseHandle.WININET(00000000), ref: 00405824

Strings

build_id, xrefs: 004052A0
file_data, xrefs: 00405520
--, xrefs: 00404F69
------, xrefs: 00404F80
------, xrefs: 004050C0, 00405200, 00405341, 00405480
", xrefs: 00405189, 004052C8, 0040540A, 00405548
block, xrefs: 00405790
ERROR, xrefs: 00405697, 004057B5

Memory Dump Source

Source File: 00000004.00000002.3352878258.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.3352878258.0000000000439000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.000000000043F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000445000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004A6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004A9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004B1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004D1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004DD000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000502000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.000000000050E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.000000000052D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000539000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000005C8000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000643000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: lstrlen$Internet$lstrcpy$Httpmemcpy$HeapOpenProcessRequestlstrcat$AllocBinaryCloseConnectCrackCryptExitFileHandleInfoOptionQueryReadSendString
String ID: ------$"$--$------$ERROR$block$build_id$file_data
API String ID: 291296625-1063948816
Opcode ID: 941268b52b4c2f1080921e961083cd3901daec87e8b66a8e899ed6db65051c96
Instruction ID: 347b2e4d89f66f0c0c6539a9aa54472735362a414d5b47530b2be4bc622c77f0
Opcode Fuzzy Hash: 941268b52b4c2f1080921e961083cd3901daec87e8b66a8e899ed6db65051c96
Instruction Fuzzy Hash: 76520E729101189ADB14FBA1EC96FDE7379AF15305F5080AAF216B21F1DF386A88CF54

Function 0041AD16 Relevance: 49.7, APIs: 33, Instructions: 151
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcAddress.KERNEL32 ref: 0041AD54
GetProcAddress.KERNEL32 ref: 0041AD6B
GetProcAddress.KERNEL32 ref: 0041AD82
GetProcAddress.KERNEL32 ref: 0041AD99
GetProcAddress.KERNEL32 ref: 0041ADB0
GetProcAddress.KERNEL32 ref: 0041ADC7
GetProcAddress.KERNEL32 ref: 0041ADDE
GetProcAddress.KERNEL32 ref: 0041ADF5
GetProcAddress.KERNEL32 ref: 0041AE0C
GetProcAddress.KERNEL32 ref: 0041AE23
GetProcAddress.KERNEL32 ref: 0041AE3A
GetProcAddress.KERNEL32 ref: 0041AE51
GetProcAddress.KERNEL32 ref: 0041AE68
GetProcAddress.KERNEL32 ref: 0041AE7F
GetProcAddress.KERNEL32 ref: 0041AE96
GetProcAddress.KERNEL32 ref: 0041AEAD
GetProcAddress.KERNEL32 ref: 0041AEC4
GetProcAddress.KERNEL32 ref: 0041AEDB
GetProcAddress.KERNEL32 ref: 0041AEF2
GetProcAddress.KERNEL32 ref: 0041AF09
GetProcAddress.KERNEL32 ref: 0041AF20
LoadLibraryA.KERNEL32(?,0041A8B3), ref: 0041AF31
LoadLibraryA.KERNEL32(?,0041A8B3), ref: 0041AF42
LoadLibraryA.KERNEL32(?,0041A8B3), ref: 0041AF53
LoadLibraryA.KERNELBASE(?,0041A8B3), ref: 0041AF64
LoadLibraryA.KERNEL32(?,0041A8B3), ref: 0041AF75
GetProcAddress.KERNEL32(?,0041A8B3), ref: 0041AF95
GetProcAddress.KERNEL32(?,0041A8B3), ref: 0041AFB5
GetProcAddress.KERNEL32(?,0041A8B3), ref: 0041AFCC
GetProcAddress.KERNEL32(?,0041A8B3), ref: 0041AFEC
GetProcAddress.KERNEL32(?,0041A8B3), ref: 0041B00C
GetProcAddress.KERNEL32(?,0041A8B3), ref: 0041B02C
GetProcAddress.KERNEL32(?,0041A8B3), ref: 0041B043

Memory Dump Source

Source File: 00000004.00000002.3352878258.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.3352878258.0000000000439000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.000000000043F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000445000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004A6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004A9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004B1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004D1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004DD000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000502000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.000000000050E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.000000000052D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000539000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000005C8000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000643000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad
String ID:
API String ID: 2238633743-0
Opcode ID: 8ed0b4f8c3e954e1fc1dc6971364bbe040f0f26000e4905d9b82ffd922f5bdfa
Instruction ID: e6d1e2ba0aaa9db7fee79aa5ca47b6abfb0ed3e486351d87d65decbaef8ebfc5
Opcode Fuzzy Hash: 8ed0b4f8c3e954e1fc1dc6971364bbe040f0f26000e4905d9b82ffd922f5bdfa
Instruction Fuzzy Hash: DD81C679481214EFEB026F60FE19AA43FA3F70B345715712AE90689670E77648A8EF40

Function 004151E4 Relevance: 48.1, APIs: 2, Strings: 25, Instructions: 830
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00411668: lstrcpyA.KERNEL32(00425200,00000000,?), ref: 004116A7

Part of subcall function 0041185B: lstrlenA.KERNEL32(00428E5C,?,00428E5C,?,00000000), ref: 0041186F
Part of subcall function 0041185B: lstrcpyA.KERNEL32(00000000,?), ref: 004118A8
Part of subcall function 0041185B: lstrcatA.KERNEL32(00000000,00000000), ref: 004118B4

Part of subcall function 0041177A: lstrcpyA.KERNEL32(00000000,?,?,?,0041A98C,00000000,?,?,00428E5C,?,00000000), ref: 004117D3

Part of subcall function 00411C63: GetProcessHeap.KERNEL32(00000000,00000104,00000000,00000000,?,Version: ,00425200), ref: 00411C70
Part of subcall function 00411C63: HeapAlloc.KERNEL32(00000000), ref: 00411C77
Part of subcall function 00411C63: GetLocalTime.KERNEL32(?), ref: 00411C84
Part of subcall function 00411C63: wsprintfA.USER32 ref: 00411CB1

Part of subcall function 004125CA: memset.MSVCRT ref: 004125F2
Part of subcall function 004125CA: RegOpenKeyExA.KERNELBASE(80000002,SOFTWARE\Microsoft\Cryptography,00000000,00020119,?), ref: 00412612
Part of subcall function 004125CA: RegQueryValueExA.KERNELBASE(?,MachineGuid,00000000,00000000,00000000,000000FF), ref: 00412639
Part of subcall function 004125CA: RegCloseKey.ADVAPI32(?), ref: 00412645
Part of subcall function 004125CA: CharToOemA.USER32(00000000,?), ref: 00412659

Part of subcall function 00412667: GetCurrentHwProfileA.ADVAPI32(?), ref: 00412674

Part of subcall function 004117E0: lstrcpyA.KERNEL32(00000000,00000000), ref: 0041182C
Part of subcall function 004117E0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041183A

Part of subcall function 00411948: GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 00411964
Part of subcall function 00411948: GetVolumeInformationA.KERNELBASE(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 004119A1
Part of subcall function 00411948: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00411A18
Part of subcall function 00411948: HeapAlloc.KERNEL32(00000000), ref: 00411A1F

GetCurrentProcessId.KERNEL32(00000000,?,Path: ,00000000,?,00428FE4,00000000,?,00000000,00000000,?,HWID: ,00000000,?,00428E48,00000000), ref: 00415497

Part of subcall function 00413563: OpenProcess.KERNEL32(00000410,00000000,004154AA), ref: 00413576
Part of subcall function 00413563: K32GetModuleFileNameExA.KERNEL32(00000000,00000000,?,00000104), ref: 00413596
Part of subcall function 00413563: CloseHandle.KERNEL32(00000000), ref: 0041359F

Part of subcall function 00411ADD: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00411AF1
Part of subcall function 00411ADD: HeapAlloc.KERNEL32(00000000), ref: 00411AF8

Part of subcall function 004127AF: CoInitializeEx.OLE32(00000000,00000000,?,?,?,?,00428E48,00000000,?,00000000,00000000,?,Windows: ,00000000,?,00428FE4), ref: 004127D9
Part of subcall function 004127AF: CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,00428E48,00000000,?), ref: 004127F1
Part of subcall function 004127AF: CoCreateInstance.OLE32(0042AE78,00000000,00000001,0042ADA8,00000000,?,?,?,?,00428E48,00000000,?,00000000,00000000,?,Windows: ), ref: 0041280D
Part of subcall function 004127AF: CoSetProxyBlanket.OLE32(00000000,0000000A,00000000,00000000,00000003,00000003,00000000,00000000,?,?,?,?,00428E48,00000000,?,00000000), ref: 00412855

Part of subcall function 004129BF: CoInitializeEx.OLE32(00000000,00000000,?,?,?,Windows: ,00000000,?,00428FE4,00000000,?,Work Dir: In memory,00000000,?,00428E48,00000000), ref: 004129E9
Part of subcall function 004129BF: CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,Windows: ,00000000,?,00428FE4), ref: 00412A01
Part of subcall function 004129BF: CoCreateInstance.OLE32(0042AE78,00000000,00000001,0042ADA8,00000000,?,?,?,Windows: ,00000000,?,00428FE4,00000000,?), ref: 00412A1D
Part of subcall function 004129BF: CoSetProxyBlanket.OLE32(00000000,0000000A,00000000,00000000,00000003,00000003,00000000,00000000,?,?,?,Windows: ,00000000,?,00428FE4,00000000), ref: 00412A65

Part of subcall function 00411C21: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00415711,00000000,?,Computer Name: ,00000000,?,00428E48,00000000,?,00000000,00000000), ref: 00411C2D
Part of subcall function 00411C21: HeapAlloc.KERNEL32(00000000,?,?,?,00415711,00000000,?,Computer Name: ,00000000,?,00428E48,00000000,?,00000000,00000000,?), ref: 00411C34
Part of subcall function 00411C21: GetComputerNameA.KERNEL32(00000000,00000104), ref: 00411C4B

Part of subcall function 00411BEC: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,0041A955), ref: 00411BF8
Part of subcall function 00411BEC: HeapAlloc.KERNEL32(00000000,?,?,?,0041A955), ref: 00411BFF
Part of subcall function 00411BEC: GetUserNameA.ADVAPI32(?,00000104), ref: 00411C16

Part of subcall function 0041254A: CreateDCA.GDI32(00000000,00000000,00000000,?), ref: 0041255C
Part of subcall function 0041254A: GetDeviceCaps.GDI32(?,00000008), ref: 0041256A
Part of subcall function 0041254A: GetDeviceCaps.GDI32(?,0000000A), ref: 00412578
Part of subcall function 0041254A: ReleaseDC.USER32(00000000,?), ref: 00412586
Part of subcall function 0041254A: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00412593
Part of subcall function 0041254A: HeapAlloc.KERNEL32(00000000), ref: 0041259A
Part of subcall function 0041254A: wsprintfA.USER32 ref: 004125B1

Part of subcall function 00411D31: GetKeyboardLayoutList.USER32(00000000,00000000,00425200), ref: 00411D59
Part of subcall function 00411D31: LocalAlloc.KERNELBASE(00000040,?), ref: 00411D71
Part of subcall function 00411D31: GetKeyboardLayoutList.USER32(?,00000000), ref: 00411D83
Part of subcall function 00411D31: GetLocaleInfoA.KERNEL32(00000000,00000002,?,00000200), ref: 00411DD3
Part of subcall function 00411D31: LocalFree.KERNEL32(00000000), ref: 00411E90

Part of subcall function 00411CBF: GetProcessHeap.KERNEL32(00000000,00000104,00428E48,00000000,?,00000000,00000000,?,Computer Name: ,00000000,?,00428E48,00000000,?,00000000,00000000), ref: 00411CCF
Part of subcall function 00411CBF: HeapAlloc.KERNEL32(00000000), ref: 00411CD6
Part of subcall function 00411CBF: GetTimeZoneInformation.KERNELBASE(?), ref: 00411CE9

Part of subcall function 00411EB5: GetProcessHeap.KERNEL32(00000000,00000104,00000000), ref: 00411EC9
Part of subcall function 00411EB5: HeapAlloc.KERNEL32(00000000), ref: 00411ED0
Part of subcall function 00411EB5: RegOpenKeyExA.KERNELBASE(80000002,00000000,00020119,00000000), ref: 00411EEF
Part of subcall function 00411EB5: RegQueryValueExA.KERNELBASE(00000000,00000000,00000000,000000FF,000000FF), ref: 00411F0D
Part of subcall function 00411EB5: RegCloseKey.ADVAPI32(00000000), ref: 00411F16

Part of subcall function 00411F54: GetLogicalProcessorInformationEx.KERNELBASE(0000FFFF,00000000,00000000), ref: 00411F87
Part of subcall function 00411F54: GetLastError.KERNEL32 ref: 00411F96

Part of subcall function 00411F21: GetSystemInfo.KERNELBASE(00000000), ref: 00411F2E
Part of subcall function 00411F21: wsprintfA.USER32 ref: 00411F43

Part of subcall function 00412081: GetProcessHeap.KERNEL32(00000000,00000104,?,00428E48,00000000,?,00000000,00000000,?,Windows: ,00000000,?,00428FE4,00000000,?,Work Dir: In memory), ref: 0041208E
Part of subcall function 00412081: HeapAlloc.KERNEL32(00000000), ref: 00412095
Part of subcall function 00412081: GlobalMemoryStatusEx.KERNELBASE(00000040), ref: 004120B6
Part of subcall function 00412081: __aulldiv.LIBCMT ref: 004120CE
Part of subcall function 00412081: __aulldiv.LIBCMT ref: 004120DC
Part of subcall function 00412081: wsprintfA.USER32 ref: 004120FF

Part of subcall function 0041210D: EnumDisplayDevicesA.USER32(00000000,00000000,000001A8,00000001), ref: 00412148

Part of subcall function 0041246A: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00412491
Part of subcall function 0041246A: Process32First.KERNEL32(00000000,00000128), ref: 004124A4
Part of subcall function 0041246A: Process32Next.KERNEL32(00000000,00000128), ref: 004124B8
Part of subcall function 0041246A: CloseHandle.KERNEL32(00000000), ref: 00412525

Part of subcall function 0041218B: RegOpenKeyExA.KERNELBASE(00000000,00000000,00020019,00000000,00425200), ref: 004121DE

Part of subcall function 0041218B: RegEnumKeyExA.KERNELBASE(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00412259
Part of subcall function 0041218B: wsprintfA.USER32 ref: 0041228B
Part of subcall function 0041218B: RegOpenKeyExA.KERNELBASE(00000000,?,00000000,00020019,00000000), ref: 004122AC
Part of subcall function 0041218B: RegCloseKey.ADVAPI32(00000000), ref: 004122BC
Part of subcall function 0041218B: RegCloseKey.ADVAPI32(00000000), ref: 004122C8

lstrlenA.KERNEL32(00000000,00000000,?,00428FE4,00000000,?,00000000,00000000,?,00000000,00000000,?,[Software],00000000,?,00428FE4), ref: 00415DE1

Part of subcall function 00418DB9: _MSFOpenExW.MSPDB140-MSVCRT ref: 00418E6C
Part of subcall function 00418DB9: CreateThread.KERNELBASE(00000000,00000000,00418C65,?,00000000,00000000), ref: 00418E85
Part of subcall function 00418DB9: WaitForSingleObject.KERNEL32(?,000003E8), ref: 00418E96

Strings

[Processes], xrefs: 00415C78
User Name: , xrefs: 0041575D
[Software], xrefs: 00415D04
Cores: , xrefs: 00415A81
Display Resolution: , xrefs: 004157D6
Install Date: , xrefs: 004155CC
Date: , xrefs: 00415283
Version: , xrefs: 004151FA
[Hardware], xrefs: 004159E0
Local Time: , xrefs: 004158EE
Path: , xrefs: 0041546F
HWID: , xrefs: 004153E3
MachineID: , xrefs: 004152EA
Work Dir: In memory, xrefs: 00415503
VideoCard: , xrefs: 00415BEC
Keyboard Languages: , xrefs: 00415862
AV: , xrefs: 00415658
GUID: , xrefs: 00415357
Processor: , xrefs: 00415A08
Windows: , xrefs: 00415553
Computer Name: , xrefs: 004156E4
TimeZone: , xrefs: 00415967
RAM: , xrefs: 00415B73
information.txt, xrefs: 00415DF6
Threads: , xrefs: 00415AFA

Memory Dump Source

Source File: 00000004.00000002.3352878258.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.3352878258.0000000000439000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.000000000043F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000445000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004A6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004A9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004B1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004D1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004DD000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000502000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.000000000050E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.000000000052D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000539000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000005C8000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000643000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: Heap$Process$Alloc$CloseOpen$Createwsprintf$Initializelstrcpy$InformationLocalName$BlanketCapsCurrentDeviceEnumHandleInfoInstanceKeyboardLayoutListProcess32ProxyQuerySecurityTimeValue__aulldivlstrcatlstrlen$CharComputerDevicesDirectoryDisplayErrorFileFirstFreeGlobalLastLocaleLogicalMemoryModuleNextObjectProcessorProfileReleaseSingleSnapshotStatusSystemThreadToolhelp32UserVolumeWaitWindowsZonememset
String ID: AV: $Computer Name: $Cores: $Date: $Display Resolution: $GUID: $HWID: $Install Date: $Keyboard Languages: $Local Time: $MachineID: $Path: $Processor: $RAM: $Threads: $TimeZone: $User Name: $Version: $VideoCard: $Windows: $Work Dir: In memory$[Hardware]$[Processes]$[Software]$information.txt
API String ID: 3808842183-1014693891
Opcode ID: ec29a3163d9d18987f0e179795c7a0416d16bd3ffa26116ace8d5c82db2c5aaf
Instruction ID: 98b063b3ea0cf676e7d3c9db5d6b4e855844e07ef84fbbd767ca72325addcb2a
Opcode Fuzzy Hash: ec29a3163d9d18987f0e179795c7a0416d16bd3ffa26116ace8d5c82db2c5aaf
Instruction Fuzzy Hash: BC629172900118AACB15F7A1DD96DDE7379AF14305F5042AFF226B21B1EF346B88CE58

Function 004083A6 Relevance: 40.5, APIs: 22, Strings: 1, Instructions: 265
stringmemoryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00411668: lstrcpyA.KERNEL32(00425200,00000000,?), ref: 004116A7

Part of subcall function 00412D64: GetSystemTime.KERNEL32(00000000,00425200), ref: 00412D8A

Part of subcall function 0041185B: lstrlenA.KERNEL32(00428E5C,?,00428E5C,?,00000000), ref: 0041186F
Part of subcall function 0041185B: lstrcpyA.KERNEL32(00000000,?), ref: 004118A8
Part of subcall function 0041185B: lstrcatA.KERNEL32(00000000,00000000), ref: 004118B4

Part of subcall function 004117E0: lstrcpyA.KERNEL32(00000000,00000000), ref: 0041182C
Part of subcall function 004117E0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041183A

Part of subcall function 0041177A: lstrcpyA.KERNEL32(00000000,?,?,?,0041A98C,00000000,?,?,00428E5C,?,00000000), ref: 004117D3

CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00408450
GetProcessHeap.KERNEL32(00000000,000F423F), ref: 004084C9
RtlAllocateHeap.NTDLL(00000000), ref: 004084D0
lstrlenA.KERNEL32(00000000,00000000), ref: 0040856A
lstrcatA.KERNEL32(?), ref: 0040858F
lstrcatA.KERNEL32(?,00000000), ref: 004085A1
lstrcatA.KERNEL32(?,00428E50), ref: 004085AF
lstrcatA.KERNEL32(?,00000000), ref: 004085C1
lstrcatA.KERNEL32(?,00428E4C), ref: 004085CF
lstrcatA.KERNEL32(?), ref: 004085DE
lstrcatA.KERNEL32(?,00000000), ref: 004085F0
lstrcatA.KERNEL32(?,00428E48), ref: 004085FE
lstrcatA.KERNEL32(?), ref: 0040860D
lstrcatA.KERNEL32(?,00000000), ref: 0040861F
lstrcatA.KERNEL32(?,00428E48), ref: 0040862D
lstrcatA.KERNEL32(?), ref: 0040863C
lstrcatA.KERNEL32(?,00000000), ref: 0040864E
lstrcatA.KERNEL32(?,00428E48), ref: 0040865C
lstrcatA.KERNEL32(?,00428E48), ref: 0040866A
lstrlenA.KERNEL32(?), ref: 00408688
memset.MSVCRT ref: 004086D4
DeleteFileA.KERNELBASE(00000000), ref: 00408701

Part of subcall function 004116B4: lstrcpyA.KERNEL32(?,?,?,?,004118C6,00000000), ref: 004116F4

Part of subcall function 004135B9: memset.MSVCRT ref: 004135D4
Part of subcall function 004135B9: OpenProcess.KERNEL32(00001001,00000000,?), ref: 0041368A
Part of subcall function 004135B9: TerminateProcess.KERNEL32(00000000,00000000), ref: 004136A7
Part of subcall function 004135B9: CloseHandle.KERNEL32(00000000), ref: 004136B3

Strings

passwords.txt, xrefs: 00408697

Memory Dump Source

Source File: 00000004.00000002.3352878258.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.3352878258.0000000000439000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.000000000043F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000445000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004A6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004A9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004B1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004D1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004DD000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000502000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.000000000050E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.000000000052D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000539000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000005C8000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000643000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: lstrcat$lstrcpy$Processlstrlen$FileHeapmemset$AllocateCloseCopyDeleteHandleOpenSystemTerminateTime
String ID: passwords.txt
API String ID: 1737540870-347816968
Opcode ID: e7516f4a65ce10130fd093f07ba65f7fdb76d7e0e32bba32449652ac384407af
Instruction ID: 4868cb4a0c5d8df9b0255056c1bbdf5f8baa826a61240bfbc382e0845978a72e
Opcode Fuzzy Hash: e7516f4a65ce10130fd093f07ba65f7fdb76d7e0e32bba32449652ac384407af
Instruction Fuzzy Hash: 00A11972900108AFDF05EBA1ED5AAED7B79FF15305F60502AF112B10B1EF3A5A44CB69

Function 00418FD9 Relevance: 34.5, APIs: 4, Strings: 15, Instructions: 1237
networksleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00411668: lstrcpyA.KERNEL32(00425200,00000000,?), ref: 004116A7

Part of subcall function 00411715: lstrlenA.KERNEL32(?,?,?,00419018,00425200,00425200,?,?,?,0041ABB6), ref: 0041171F
Part of subcall function 00411715: lstrcpyA.KERNEL32(0041ABB6,00000000,?,00419018,00425200,00425200), ref: 0041176D

Part of subcall function 0041185B: lstrlenA.KERNEL32(00428E5C,?,00428E5C,?,00000000), ref: 0041186F
Part of subcall function 0041185B: lstrcpyA.KERNEL32(00000000,?), ref: 004118A8
Part of subcall function 0041185B: lstrcatA.KERNEL32(00000000,00000000), ref: 004118B4

Part of subcall function 0041177A: lstrcpyA.KERNEL32(00000000,?,?,?,0041A98C,00000000,?,?,00428E5C,?,00000000), ref: 004117D3

Part of subcall function 004138BA: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 004138F5
Part of subcall function 004138BA: Process32First.KERNEL32(00429888,00000128), ref: 00413908
Part of subcall function 004138BA: Process32Next.KERNEL32(00429888,00000128), ref: 0041391C
Part of subcall function 004138BA: StrCmpCA.SHLWAPI(?,0042988C), ref: 00413930
Part of subcall function 004138BA: FindCloseChangeNotification.KERNELBASE(00429888), ref: 00413943

CreateDirectoryA.KERNELBASE(00000000,00000000,00000000,?,?,?,00425200,00000000), ref: 00419657
InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0041972D
InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00419747

Part of subcall function 004116B4: lstrcpyA.KERNEL32(?,?,?,?,004118C6,00000000), ref: 004116F4

Part of subcall function 00411948: GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 00411964
Part of subcall function 00411948: GetVolumeInformationA.KERNELBASE(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 004119A1
Part of subcall function 00411948: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00411A18
Part of subcall function 00411948: HeapAlloc.KERNEL32(00000000), ref: 00411A1F

Part of subcall function 004043FA: InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00404492
Part of subcall function 004043FA: StrCmpCA.SHLWAPI(?), ref: 004044B2

Part of subcall function 00414F8C: StrCmpCA.SHLWAPI(00000000,block), ref: 00414FB1
Part of subcall function 00414F8C: ExitProcess.KERNEL32 ref: 00414FBD

Part of subcall function 0040F99F: StrCmpCA.SHLWAPI(00000000,?,?), ref: 0040F9EF
Part of subcall function 0040F99F: StrCmpCA.SHLWAPI(00000000,?,?), ref: 0040FA75

Part of subcall function 004058C4: InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0040595F
Part of subcall function 004058C4: StrCmpCA.SHLWAPI(?), ref: 00405975

Part of subcall function 0041497B: strtok_s.MSVCRT ref: 004149A3
Part of subcall function 0041497B: strtok_s.MSVCRT ref: 00414A94

Part of subcall function 00417B07: lstrcatA.KERNEL32(?,00000000,?,00000104), ref: 00417B40
Part of subcall function 00417B07: lstrcatA.KERNEL32(?), ref: 00417B5E

Sleep.KERNEL32(000003E8), ref: 00419AFA

Part of subcall function 00417C93: memset.MSVCRT ref: 00417CAA
Part of subcall function 00417C93: lstrcatA.KERNEL32(?,00000000), ref: 00417CD1
Part of subcall function 00417C93: lstrcatA.KERNEL32(?,\.azure\), ref: 00417CEE
Part of subcall function 00417C93: memset.MSVCRT ref: 00417D2E
Part of subcall function 00417C93: lstrcatA.KERNEL32(?,00000000), ref: 00417D55
Part of subcall function 00417C93: lstrcatA.KERNEL32(?,\.aws\), ref: 00417D72
Part of subcall function 00417C93: memset.MSVCRT ref: 00417DB2
Part of subcall function 00417C93: lstrcatA.KERNEL32(?,00000000), ref: 00417DD9
Part of subcall function 00417C93: lstrcatA.KERNEL32(?,\.IdentityService\), ref: 00417DF6

Part of subcall function 00404E03: lstrlenA.KERNEL32(00000000), ref: 00404E8B
Part of subcall function 00404E03: StrCmpCA.SHLWAPI(?,00425200,00425200,00425200,00425200), ref: 00404EEF
Part of subcall function 00404E03: InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00404F17

Strings

org, xrefs: 0041A082
dabl, xrefs: 0041A026
tea, xrefs: 00419F9C
.exe, xrefs: 00419557, 00419EF7
2, xrefs: 004191C9
d, xrefs: 0041A217
d, xrefs: 00419188
_DEBUG.zip, xrefs: 0041A0C1
d, xrefs: 00419147
arp, xrefs: 00419FF8
d, xrefs: 00419106
http://, xrefs: 00419F6E
d, xrefs: 0041A26E
d, xrefs: 0041A1C0
2, xrefs: 0041A169

Memory Dump Source

Source File: 00000004.00000002.3352878258.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.3352878258.0000000000439000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.000000000043F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000445000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004A6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004A9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004B1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004D1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004DD000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000502000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.000000000050E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.000000000052D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000539000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000005C8000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000643000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: lstrcat$InternetOpenlstrcpy$lstrlenmemset$CreateDirectoryHeapProcessProcess32strtok_s$AllocChangeCloseExitFindFirstInformationNextNotificationSleepSnapshotToolhelp32VolumeWindows
String ID: .exe$2$2$_DEBUG.zip$arp$d$d$d$d$d$d$dabl$http://$org$tea
API String ID: 4021577771-4025179836
Opcode ID: d8ddd20c65dbe4accbe59cdc2a04e807221df0d548ce8610666dd4a4d36cae5e
Instruction ID: 114828df09490f9f1d13115ca2c7a84a7d1e175cc6150afb538a57f6698be508
Opcode Fuzzy Hash: d8ddd20c65dbe4accbe59cdc2a04e807221df0d548ce8610666dd4a4d36cae5e
Instruction Fuzzy Hash: 93B22F71D041289ADB14FB61DC96ADDB778AB11304F5440EAE50EA21A1DF3C6FC8CF69

Function 00408741 Relevance: 32.0, APIs: 21, Instructions: 471
stringmemoryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004118F6: StrCmpCA.SHLWAPI(?,?), ref: 00411913

GetProcessHeap.KERNEL32(00000000,000F423F), ref: 00408A97
RtlAllocateHeap.NTDLL(00000000), ref: 00408A9E
CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00408885

Part of subcall function 00411715: lstrlenA.KERNEL32(?,?,?,00419018,00425200,00425200,?,?,?,0041ABB6), ref: 0041171F
Part of subcall function 00411715: lstrcpyA.KERNEL32(0041ABB6,00000000,?,00419018,00425200,00425200), ref: 0041176D

Part of subcall function 004117E0: lstrcpyA.KERNEL32(00000000,00000000), ref: 0041182C
Part of subcall function 004117E0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041183A

Part of subcall function 0041177A: lstrcpyA.KERNEL32(00000000,?,?,?,0041A98C,00000000,?,?,00428E5C,?,00000000), ref: 004117D3

Part of subcall function 0041185B: lstrlenA.KERNEL32(00428E5C,?,00428E5C,?,00000000), ref: 0041186F
Part of subcall function 0041185B: lstrcpyA.KERNEL32(00000000,?), ref: 004118A8
Part of subcall function 0041185B: lstrcatA.KERNEL32(00000000,00000000), ref: 004118B4

lstrcatA.KERNEL32(?,00000000,00000000,00428E58,00428E58,00000000), ref: 00408BCD
lstrcatA.KERNEL32(?,00428E54), ref: 00408BDB
lstrcatA.KERNEL32(?,00000000), ref: 00408BED
lstrcatA.KERNEL32(?,00428E54), ref: 00408BFB
lstrcatA.KERNEL32(?,00000000), ref: 00408C0D
lstrcatA.KERNEL32(?,00428E54), ref: 00408C1B
lstrcatA.KERNEL32(?,00000000), ref: 00408C2D
lstrcatA.KERNEL32(?,00428E54), ref: 00408C3B
lstrcatA.KERNEL32(?,00000000), ref: 00408C4D
lstrcatA.KERNEL32(?,00428E54), ref: 00408C5B
lstrcatA.KERNEL32(?,00000000), ref: 00408C6D
lstrcatA.KERNEL32(?,00428E54), ref: 00408C7B
lstrcatA.KERNEL32(?,00000000), ref: 00408CBD
lstrcatA.KERNEL32(?,00428E48), ref: 00408CD6
lstrlenA.KERNEL32(?), ref: 00408D14
lstrlenA.KERNEL32(?), ref: 00408D22
memset.MSVCRT ref: 00408D6D

Part of subcall function 00411668: lstrcpyA.KERNEL32(00425200,00000000,?), ref: 004116A7

DeleteFileA.KERNELBASE(00000000), ref: 00408D92

Memory Dump Source

Source File: 00000004.00000002.3352878258.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.3352878258.0000000000439000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.000000000043F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000445000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004A6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004A9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004B1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004D1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004DD000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000502000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.000000000050E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.000000000052D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000539000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000005C8000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000643000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: lstrcat$lstrcpy$lstrlen$FileHeap$AllocateCopyDeleteProcessmemset
String ID:
API String ID: 1498849721-0
Opcode ID: 9e96b593e49dfbaf82baf5f3f7b14edd2bd44551348f714d62c2555fbf218532
Instruction ID: 75b67620860664da6d1f04eed94d7d10b36c4f27a8908ca0f5e9c5d632b00ffa
Opcode Fuzzy Hash: 9e96b593e49dfbaf82baf5f3f7b14edd2bd44551348f714d62c2555fbf218532
Instruction Fuzzy Hash: 02021D71900109AADB05FBA1ED56EEE7779EF11309F50406AF216B10F1EF395A88CB68

Function 0042095B Relevance: 28.6, APIs: 14, Strings: 2, Instructions: 617
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

T, xrefs: 00420CE3
U, xrefs: 00420CDC

Memory Dump Source

Source File: 00000004.00000002.3352878258.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.3352878258.0000000000439000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.000000000043F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000445000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004A6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004A9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004B1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004D1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004DD000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000502000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.000000000050E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.000000000052D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000539000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000005C8000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000643000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID:
String ID: T$U
API String ID: 0-2115836835
Opcode ID: 10f69da23589928bea78b6bdb87915afbf723c228a04615c940d6145975852ec
Instruction ID: 4e7ab3bbaac243ee1ce136935939dafd3e3fd9ddb02e4ea4b8407d5d40478ec4
Opcode Fuzzy Hash: 10f69da23589928bea78b6bdb87915afbf723c228a04615c940d6145975852ec
Instruction Fuzzy Hash: 626218B4A042A9CFDB20CF54D884BE9B7B4AF14305F5440DBEA09A7252D7389E89CF59

Function 004043FA Relevance: 28.5, APIs: 12, Strings: 4, Instructions: 451
networkstringfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004116B4: lstrcpyA.KERNEL32(?,?,?,?,004118C6,00000000), ref: 004116F4

Part of subcall function 0040430F: ??_U@YAPAXI@Z.MSVCRT ref: 00404373
Part of subcall function 0040430F: ??_U@YAPAXI@Z.MSVCRT ref: 00404387
Part of subcall function 0040430F: ??_U@YAPAXI@Z.MSVCRT ref: 0040439B
Part of subcall function 0040430F: lstrlenA.KERNEL32(00000000,00000000,0000003C), ref: 004043B9
Part of subcall function 0040430F: InternetCrackUrlA.WININET(00000000,00000000), ref: 004043C9

Part of subcall function 00411668: lstrcpyA.KERNEL32(00425200,00000000,?), ref: 004116A7

InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00404492
StrCmpCA.SHLWAPI(?), ref: 004044B2
InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 0040462C
HttpOpenRequestA.WININET(00000000,?,00000000,00000000,00400100,00000000), ref: 00404682
InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 004046BA

Part of subcall function 0041185B: lstrlenA.KERNEL32(00428E5C,?,00428E5C,?,00000000), ref: 0041186F
Part of subcall function 0041185B: lstrcpyA.KERNEL32(00000000,?), ref: 004118A8
Part of subcall function 0041185B: lstrcatA.KERNEL32(00000000,00000000), ref: 004118B4

Part of subcall function 0041177A: lstrcpyA.KERNEL32(00000000,?,?,?,0041A98C,00000000,?,?,00428E5C,?,00000000), ref: 004117D3

Part of subcall function 004117E0: lstrcpyA.KERNEL32(00000000,00000000), ref: 0041182C
Part of subcall function 004117E0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041183A

lstrlenA.KERNEL32(00000000,00000000,?,?,?,?,00425200,00000000,?,?,00000000,?,",00000000,?,build_id), ref: 0040497C
lstrlenA.KERNEL32(00000000,00000000,00000000), ref: 00404998
HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 004049AB
InternetReadFile.WININET(00000000,?,000007CF,?), ref: 004049D5
InternetCloseHandle.WININET(00000000), ref: 00404A38
InternetCloseHandle.WININET(00000000), ref: 00404A4F
InternetCloseHandle.WININET(00000000), ref: 00404A58

Strings

hwid, xrefs: 00404760
build_id, xrefs: 0040489F
------, xrefs: 00404534, 004046C0, 004047FF
", xrefs: 00404788, 004048C7

Memory Dump Source

Source File: 00000004.00000002.3352878258.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.3352878258.0000000000439000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.000000000043F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000445000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004A6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004A9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004B1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004D1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004DD000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000502000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.000000000050E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.000000000052D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000539000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000005C8000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000643000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: Internet$lstrcpy$lstrlen$CloseHandle$HttpOpenRequestlstrcat$ConnectCrackFileOptionReadSend
String ID: "$------$build_id$hwid
API String ID: 3006978581-50533134
Opcode ID: cceb3a196459d883b403675918582489495ab2fed22875715751cb834377af79
Instruction ID: 067cb1f7702ceabbac9578a1173a021fc80b9e748851ef74f8b32e742b117f95
Opcode Fuzzy Hash: cceb3a196459d883b403675918582489495ab2fed22875715751cb834377af79
Instruction Fuzzy Hash: 22124E71900218AADB15EBA1DD92FDEB379BF15305F5000AAF216B21E1DF386B88CF54

Function 004127AF Relevance: 28.2, APIs: 10, Strings: 6, Instructions: 172
memorycomtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoInitializeEx.OLE32(00000000,00000000,?,?,?,?,00428E48,00000000,?,00000000,00000000,?,Windows: ,00000000,?,00428FE4), ref: 004127D9
CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,00428E48,00000000,?), ref: 004127F1
CoCreateInstance.OLE32(0042AE78,00000000,00000001,0042ADA8,00000000,?,?,?,?,00428E48,00000000,?,00000000,00000000,?,Windows: ), ref: 0041280D
CoSetProxyBlanket.OLE32(00000000,0000000A,00000000,00000000,00000003,00000003,00000000,00000000,?,?,?,?,00428E48,00000000,?,00000000), ref: 00412855
VariantInit.OLEAUT32(?), ref: 004128C1
FileTimeToSystemTime.KERNEL32(?,00000000,?,?,?,?,00428E48,00000000,?,00000000,00000000,?,Windows: ,00000000), ref: 004128FA
GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00428E48,00000000,?,00000000,00000000,?,Windows: ,00000000), ref: 00412907
HeapAlloc.KERNEL32(00000000,?,?,?,?,00428E48,00000000,?,00000000,00000000,?,Windows: ,00000000), ref: 0041290E
wsprintfA.USER32 ref: 0041293D
VariantClear.OLEAUT32(?), ref: 00412955

Strings

ROOT\CIMV2, xrefs: 00412817
%d/%d/%d %d:%d:%d, xrefs: 00412935
Unknown, xrefs: 0041296A, 0041297E, 004129A0
Select * From Win32_OperatingSystem, xrefs: 0041285F
InstallDate, xrefs: 004128D1
WQL, xrefs: 00412871

Memory Dump Source

Source File: 00000004.00000002.3352878258.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.3352878258.0000000000439000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.000000000043F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000445000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004A6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004A9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004B1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004D1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004DD000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000502000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.000000000050E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.000000000052D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000539000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000005C8000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000643000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: HeapInitializeTimeVariant$AllocBlanketClearCreateFileInitInstanceProcessProxySecuritySystemwsprintf
String ID: %d/%d/%d %d:%d:%d$InstallDate$ROOT\CIMV2$Select * From Win32_OperatingSystem$Unknown$WQL
API String ID: 1977436990-271508173
Opcode ID: ba33cfd2da918b761e9130eb7da6f96fb9872cbbfcfe80a5cabb4ca5af105773
Instruction ID: b87b7ae96d8d1a7714e06012ec36ed585f0f60198b44980e8310200412a3d949
Opcode Fuzzy Hash: ba33cfd2da918b761e9130eb7da6f96fb9872cbbfcfe80a5cabb4ca5af105773
Instruction Fuzzy Hash: B561F671A40218BFDB10DB94DD46FEDBBB8BB08B11F604116F611FA1D0C7B8A991CB69

Function 00404239 Relevance: 27.1, APIs: 12, Strings: 6, Instructions: 73memorystringCOMMON

Download Yara Rule

APIs

LocalAlloc.KERNELBASE(00000040,?,?,?,?,?,0040234D,004257D0,AVAI4Z1EK55HX1Z,0000000F,?,0041A87E), ref: 00404246
wcslen.MSVCRT ref: 00404272
wcslen.MSVCRT ref: 0040427D
wcslen.MSVCRT ref: 00404288
wcslen.MSVCRT ref: 00404293
strlen.MSVCRT ref: 004042A5
wcslen.MSVCRT ref: 004042CA
wcslen.MSVCRT ref: 004042D5
wcslen.MSVCRT ref: 004042E2
wcslen.MSVCRT ref: 004042ED
wcslen.MSVCRT ref: 004042F8
wcslen.MSVCRT ref: 00404303

Strings

Chrysorabdia bivitta is a moth of the subfamily Arctiinae first described by Francis Walker in 1856., xrefs: 0040426D, 004042DD
GAS5 noncoding RNA, which accumulates in growth arrested cells, acts as a decoy hormone response element for the glucocorticoid re, xrefs: 004042D0
Niedert is an Ortsgemeinde , xrefs: 00404283, 004042F3
The KLW SE10B is a low-emissions diesel switcher locomotive built by Knoxville Locomotive Works. It is powered by a single MTU Ser, xrefs: 004042C5
Organ perforation is a complete penetration of the wall of a hollow organ in the body, such as the gastrointestinal tract in the c, xrefs: 00404278, 004042E8
Ici Radio-Canada Tl (stylized as ICI Radio-Canada Tl, and sometimes abbreviated as Ici Tl) is a Canadian French-language fre, xrefs: 0040428E, 004042FE

Memory Dump Source

Source File: 00000004.00000002.3352878258.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.3352878258.0000000000439000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.000000000043F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000445000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004A6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004A9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004B1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004D1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004DD000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000502000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.000000000050E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.000000000052D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000539000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000005C8000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000643000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: wcslen$AllocLocalstrlen
String ID: Chrysorabdia bivitta is a moth of the subfamily Arctiinae first described by Francis Walker in 1856.$GAS5 noncoding RNA, which accumulates in growth arrested cells, acts as a decoy hormone response element for the glucocorticoid re$Ici Radio-Canada Tl (stylized as ICI Radio-Canada Tl, and sometimes abbreviated as Ici Tl) is a Canadian French-language fre$Niedert is an Ortsgemeinde $Organ perforation is a complete penetration of the wall of a hollow organ in the body, such as the gastrointestinal tract in the c$The KLW SE10B is a low-emissions diesel switcher locomotive built by Knoxville Locomotive Works. It is powered by a single MTU Ser
API String ID: 224765317-2971033767
Opcode ID: b2908c616810051979d5b7c1935cb1d71aeefb77bac9279ab48edbe17b9693c0
Instruction ID: 15c8a1cfb45bc9c132fd9fd4faededd5fc4f4c62c30039555f1f88a1b54c1e58
Opcode Fuzzy Hash: b2908c616810051979d5b7c1935cb1d71aeefb77bac9279ab48edbe17b9693c0
Instruction Fuzzy Hash: 9A213071785268AFDB04EBE9F8C7B5CBBE4EFD4714FA0006FF40496191DEB869408619

Function 00404AD5 Relevance: 24.7, APIs: 13, Strings: 1, Instructions: 197networkmemoryfileCOMMON

Download Yara Rule

APIs

Part of subcall function 004116B4: lstrcpyA.KERNEL32(?,?,?,?,004118C6,00000000), ref: 004116F4

Part of subcall function 0040430F: ??_U@YAPAXI@Z.MSVCRT ref: 00404373
Part of subcall function 0040430F: ??_U@YAPAXI@Z.MSVCRT ref: 00404387
Part of subcall function 0040430F: ??_U@YAPAXI@Z.MSVCRT ref: 0040439B
Part of subcall function 0040430F: lstrlenA.KERNEL32(00000000,00000000,0000003C), ref: 004043B9
Part of subcall function 0040430F: InternetCrackUrlA.WININET(00000000,00000000), ref: 004043C9

GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 00404B22
RtlAllocateHeap.NTDLL(00000000), ref: 00404B29
InternetOpenA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00404B54
StrCmpCA.SHLWAPI(?), ref: 00404B6D
InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00404BA1
HttpOpenRequestA.WININET(00000000,GET,?,00000000,00000000,00400100,00000000), ref: 00404C00
InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 00404C38
HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00404C49
HttpQueryInfoA.WININET(00000000,00000013,?,00000100,00000000), ref: 00404C74
InternetReadFile.WININET(00000000,?,00000400,00000000), ref: 00404D05
InternetCloseHandle.WININET(00000000), ref: 00404D9B
InternetCloseHandle.WININET(00000000), ref: 00404DA7
InternetCloseHandle.WININET(00000000), ref: 00404DC5

Strings

GET, xrefs: 00404BF5

Memory Dump Source

Source File: 00000004.00000002.3352878258.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.3352878258.0000000000439000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.000000000043F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000445000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004A6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004A9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004B1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004D1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004DD000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000502000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.000000000050E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.000000000052D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000539000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000005C8000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000643000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandleHttp$HeapOpenRequest$AllocateConnectCrackFileInfoOptionProcessQueryReadSendlstrcpylstrlen
String ID: GET
API String ID: 442264750-1805413626
Opcode ID: f16c31e6c77223db1b221cad6f523a7c8a9ce9fa98b564ab69779ee6bb960051
Instruction ID: d037288fe89579f4ab5843d1a5928f681561e61fb867290b5a494df79b11f7d7
Opcode Fuzzy Hash: f16c31e6c77223db1b221cad6f523a7c8a9ce9fa98b564ab69779ee6bb960051
Instruction Fuzzy Hash: 769115B4900228AFDF20DF50DC45BEEB7B5BB45306F1040EAE609B6291DB796AC4DF49

Function 0041218B Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 164registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00411668: lstrcpyA.KERNEL32(00425200,00000000,?), ref: 004116A7

RegOpenKeyExA.KERNELBASE(00000000,00000000,00020019,00000000,00425200), ref: 004121DE
RegEnumKeyExA.KERNELBASE(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00412259
wsprintfA.USER32 ref: 0041228B
RegOpenKeyExA.KERNELBASE(00000000,?,00000000,00020019,00000000), ref: 004122AC
RegCloseKey.ADVAPI32(00000000), ref: 004122BC
RegCloseKey.ADVAPI32(00000000), ref: 004122C8

Part of subcall function 004116B4: lstrcpyA.KERNEL32(?,?,?,?,004118C6,00000000), ref: 004116F4

Strings

%s\%s, xrefs: 0041227F
- , xrefs: 004123D0
?, xrefs: 004121B9

Memory Dump Source

Source File: 00000004.00000002.3352878258.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.3352878258.0000000000439000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.000000000043F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000445000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004A6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004A9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004B1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004D1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004DD000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000502000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.000000000050E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.000000000052D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000539000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000005C8000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000643000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: CloseOpenlstrcpy$Enumwsprintf
String ID: - $%s\%s$?
API String ID: 3246050789-3278919252
Opcode ID: db84e063afdd8ab9a369cff0a91b897787bc4edace59e265c4489125e3bbefbc
Instruction ID: 317e1264205bd673c815d3a78023c7176152d2c53d3ea0851a7731e254f809d5
Opcode Fuzzy Hash: db84e063afdd8ab9a369cff0a91b897787bc4edace59e265c4489125e3bbefbc
Instruction Fuzzy Hash: 1C71F47290012CABEB64EB50DD45FD973B9BF04305F5086EAE209A20A1DF746BC9CF94

Function 00406312 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 184networkfileCOMMON

Download Yara Rule

APIs

Part of subcall function 004116B4: lstrcpyA.KERNEL32(?,?,?,?,004118C6,00000000), ref: 004116F4

Part of subcall function 0040430F: ??_U@YAPAXI@Z.MSVCRT ref: 00404373
Part of subcall function 0040430F: ??_U@YAPAXI@Z.MSVCRT ref: 00404387
Part of subcall function 0040430F: ??_U@YAPAXI@Z.MSVCRT ref: 0040439B
Part of subcall function 0040430F: lstrlenA.KERNEL32(00000000,00000000,0000003C), ref: 004043B9
Part of subcall function 0040430F: InternetCrackUrlA.WININET(00000000,00000000), ref: 004043C9

Part of subcall function 00411668: lstrcpyA.KERNEL32(00425200,00000000,?), ref: 004116A7

InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00406373
StrCmpCA.SHLWAPI(?), ref: 00406390
InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 004063BE
HttpOpenRequestA.WININET(00000000,GET,?,00000000,00000000,00400100,00000000), ref: 0040640A
InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 00406442
HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00406453
HttpQueryInfoA.WININET(00000000,00000013,?,00000100,00000000), ref: 0040647E
InternetReadFile.WININET(00000000,?,000007CF,?), ref: 004064F3
InternetCloseHandle.WININET(00000000), ref: 0040657C
InternetCloseHandle.WININET(00000000), ref: 00406585
InternetCloseHandle.WININET(00000000), ref: 0040658E

Strings

GET, xrefs: 00406402
ERROR, xrefs: 00406488, 0040654F

Memory Dump Source

Source File: 00000004.00000002.3352878258.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.3352878258.0000000000439000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.000000000043F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000445000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004A6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004A9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004B1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004D1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004DD000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000502000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.000000000050E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.000000000052D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000539000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000005C8000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000643000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandleHttp$OpenRequestlstrcpy$ConnectCrackFileInfoOptionQueryReadSendlstrlen
String ID: ERROR$GET
API String ID: 3749127164-3591763792
Opcode ID: 963ac1e056751af433d780a8216807e69140fad55e256c3b4c315ddae2ff65c2
Instruction ID: 51cd531d8c454c4eabdc451ce72ca3cccbe2bef7883915b0542a7032e80e54d3
Opcode Fuzzy Hash: 963ac1e056751af433d780a8216807e69140fad55e256c3b4c315ddae2ff65c2
Instruction Fuzzy Hash: 9E710871900218EFDF21EFA0DC45BDD7B75AB05305F6040AAF606BA1E0DBB96A94CF49

Function 00418167 Relevance: 21.7, APIs: 11, Strings: 1, Instructions: 749COMMON

Download Yara Rule

APIs

Part of subcall function 00411715: lstrlenA.KERNEL32(?,?,?,00419018,00425200,00425200,?,?,?,0041ABB6), ref: 0041171F
Part of subcall function 00411715: lstrcpyA.KERNEL32(0041ABB6,00000000,?,00419018,00425200,00425200), ref: 0041176D

Part of subcall function 00411668: lstrcpyA.KERNEL32(00425200,00000000,?), ref: 004116A7

StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 004182BD
StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00418321

Part of subcall function 0041177A: lstrcpyA.KERNEL32(00000000,?,?,?,0041A98C,00000000,?,?,00428E5C,?,00000000), ref: 004117D3

Part of subcall function 004116B4: lstrcpyA.KERNEL32(?,?,?,?,004118C6,00000000), ref: 004116F4

Part of subcall function 00417E48: StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00417E8B

Part of subcall function 00417F35: StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00417F96
Part of subcall function 00417F35: lstrlenA.KERNEL32(00000000), ref: 00417FAD
Part of subcall function 00417F35: StrStrA.SHLWAPI(00000000,00000000), ref: 00417FDD
Part of subcall function 00417F35: lstrlenA.KERNEL32(00000000), ref: 00417FF9
Part of subcall function 00417F35: lstrlenA.KERNEL32(00000000), ref: 0041801F

StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 0041840E
StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00418519
StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00418606
StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00418711
StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 004187FE
StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00418909
StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00418B01

Strings

ERROR, xrefs: 004182AF, 00418313, 00418400, 0041850B, 004185F8, 00418703, 004187F0, 004188FB, 004189E8, 00418AF3

Memory Dump Source

Source File: 00000004.00000002.3352878258.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.3352878258.0000000000439000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.000000000043F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000445000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004A6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004A9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004B1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004D1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004DD000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000502000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.000000000050E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.000000000052D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000539000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000005C8000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000643000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: lstrcpylstrlen
String ID: ERROR
API String ID: 2001356338-2861137601
Opcode ID: 601a58bd0b0876066a53ea39e9bf7ef070bc13c226733b0f19d5a4e6bce83ed6
Instruction ID: 2f695ca300a8a73312befe9c8800e9116e76318d555d5372ca32ba18f7f60556
Opcode Fuzzy Hash: 601a58bd0b0876066a53ea39e9bf7ef070bc13c226733b0f19d5a4e6bce83ed6
Instruction Fuzzy Hash: 2D4232719001085ACB14FBF1ED5B9EE7378AF10305F90416FF516A61E2EF7C9A88CA99

Function 00411948 Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 116memorystringCOMMON

Download Yara Rule

APIs

GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 00411964
GetVolumeInformationA.KERNELBASE(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 004119A1
GetProcessHeap.KERNEL32(00000000,00000104), ref: 00411A18
HeapAlloc.KERNEL32(00000000), ref: 00411A1F
wsprintfA.USER32 ref: 00411A54
lstrcatA.KERNEL32(00000000,00429270), ref: 00411A65

Part of subcall function 00412667: GetCurrentHwProfileA.ADVAPI32(?), ref: 00412674

lstrlenA.KERNEL32(00000000), ref: 00411A7E

Part of subcall function 004136CE: malloc.MSVCRT ref: 004136D5
Part of subcall function 004136CE: strncpy.MSVCRT ref: 004136EB

lstrcatA.KERNEL32(00000000,00000000), ref: 00411AAC

Part of subcall function 00411668: lstrcpyA.KERNEL32(00425200,00000000,?), ref: 004116A7

Strings

:, xrefs: 0041197E
\, xrefs: 00411982
C, xrefs: 0041196E

Memory Dump Source

Source File: 00000004.00000002.3352878258.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.3352878258.0000000000439000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.000000000043F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000445000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004A6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004A9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004B1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004D1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004DD000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000502000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.000000000050E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.000000000052D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000539000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000005C8000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000643000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: Heaplstrcat$AllocCurrentDirectoryInformationProcessProfileVolumeWindowslstrcpylstrlenmallocstrncpywsprintf
String ID: :$C$\
API String ID: 2389002695-3809124531
Opcode ID: 23f1d57f010f06b3a3b0b73a3a18805c0e588e37821cf8b5f81c9e51efc94560
Instruction ID: b4310f208fa9535f9906633d23b413fd942b8933ce9b069d1c57af1ba558f1c2
Opcode Fuzzy Hash: 23f1d57f010f06b3a3b0b73a3a18805c0e588e37821cf8b5f81c9e51efc94560
Instruction Fuzzy Hash: EC417E71D0024CAFDF10EBA0DD59BED7BB8AF05305F10009AF219A61A1DB799BC4CB68

Function 0040613F Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 130networkfileCOMMON

Download Yara Rule

APIs

Part of subcall function 004116B4: lstrcpyA.KERNEL32(?,?,?,?,004118C6,00000000), ref: 004116F4

Part of subcall function 0040430F: ??_U@YAPAXI@Z.MSVCRT ref: 00404373
Part of subcall function 0040430F: ??_U@YAPAXI@Z.MSVCRT ref: 00404387
Part of subcall function 0040430F: ??_U@YAPAXI@Z.MSVCRT ref: 0040439B
Part of subcall function 0040430F: lstrlenA.KERNEL32(00000000,00000000,0000003C), ref: 004043B9
Part of subcall function 0040430F: InternetCrackUrlA.WININET(00000000,00000000), ref: 004043C9

InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 004061A8
StrCmpCA.SHLWAPI(?,?,?,?,?,?,?,?), ref: 004061E6
InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,00000100,00000000), ref: 00406229
CreateFileA.KERNELBASE(00000000,40000000,00000003,00000000,00000002,00000080,00000000,?,?,?,?,?,?,?), ref: 0040624D
InternetReadFile.WININET(8cA,?,00000400,?), ref: 00406271
WriteFile.KERNEL32(?,?,00000000,?,00000000,?,?,?,?,?,?,?), ref: 0040629D
CloseHandle.KERNEL32(?,?,00000400,?,?,?,?,?,?,?), ref: 004062DB
InternetCloseHandle.WININET(8cA), ref: 004062E4
InternetCloseHandle.WININET(?), ref: 004062F0

Strings

8cA, xrefs: 004062E1, 0040626E

Memory Dump Source

Source File: 00000004.00000002.3352878258.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.3352878258.0000000000439000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.000000000043F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000445000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004A6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004A9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004B1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004D1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004DD000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000502000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.000000000050E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.000000000052D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000539000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000005C8000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000643000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: Internet$CloseFileHandle$Open$CrackCreateReadWritelstrcpylstrlen
String ID: 8cA
API String ID: 2507841554-2586977368
Opcode ID: 23bbd80859a5ae626456c0e29d0c535548952ba2e1dd46435b22cc47d41a132e
Instruction ID: 322e9e665ac9740ae3a6c79426317fb00e7d6d1b0345a24b3972b26df0cd3c85
Opcode Fuzzy Hash: 23bbd80859a5ae626456c0e29d0c535548952ba2e1dd46435b22cc47d41a132e
Instruction Fuzzy Hash: BC515CB190021CABDF20EF60DC45BED7779FB01305F1050AAE616BA1E1DB786A99CF58

Function 0040F99F Relevance: 14.4, APIs: 6, Strings: 2, Instructions: 360COMMON

Download Yara Rule

APIs

StrCmpCA.SHLWAPI(00000000,?,?), ref: 0040F9EF
StrCmpCA.SHLWAPI(00000000,?,?), ref: 0040FA75
StrCmpCA.SHLWAPI(00000000,?,?), ref: 0040FB84

Part of subcall function 004116B4: lstrcpyA.KERNEL32(?,?,?,?,004118C6,00000000), ref: 004116F4

StrCmpCA.SHLWAPI(00000000), ref: 0040FC57
StrCmpCA.SHLWAPI(00000000), ref: 0040FCDD

Strings

firefox, xrefs: 0040FDE2
Stable\, xrefs: 0040FA90, 0040FCF8

Memory Dump Source

Source File: 00000004.00000002.3352878258.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.3352878258.0000000000439000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.000000000043F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000445000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004A6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004A9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004B1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004D1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004DD000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000502000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.000000000050E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.000000000052D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000539000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000005C8000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000643000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: lstrcpy
String ID: Stable\$firefox
API String ID: 3722407311-3160656979
Opcode ID: 4574c3fe41a2655a61f88f0eef0b3d3de2eb2ac0277edcd828de38c39bfa1635
Instruction ID: 87d147e04e3a24980a39275aa9b0abb6dd5f2e96552c08bd51d602dc9e077d04
Opcode Fuzzy Hash: 4574c3fe41a2655a61f88f0eef0b3d3de2eb2ac0277edcd828de38c39bfa1635
Instruction Fuzzy Hash: 18D16772A001099BCF24FBB5DD96FDD77B9BB50304F10402AE906EB1A1EE35DA48C795

Function 00412081 Relevance: 14.0, APIs: 6, Strings: 2, Instructions: 44memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,?,00428E48,00000000,?,00000000,00000000,?,Windows: ,00000000,?,00428FE4,00000000,?,Work Dir: In memory), ref: 0041208E
HeapAlloc.KERNEL32(00000000), ref: 00412095
GlobalMemoryStatusEx.KERNELBASE(00000040), ref: 004120B6
__aulldiv.LIBCMT ref: 004120CE
__aulldiv.LIBCMT ref: 004120DC
wsprintfA.USER32 ref: 004120FF

Strings

%d MB, xrefs: 004120F7
@, xrefs: 004120AB

Memory Dump Source

Source File: 00000004.00000002.3352878258.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.3352878258.0000000000439000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.000000000043F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000445000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004A6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004A9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004B1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004D1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004DD000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000502000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.000000000050E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.000000000052D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000539000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000005C8000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000643000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: Heap__aulldiv$AllocGlobalMemoryProcessStatuswsprintf
String ID: %d MB$@
API String ID: 2886426298-3474575989
Opcode ID: e44640eb945edcdb330fccb508c3ea3b329ff7572ab2c3ac08101b3669067511
Instruction ID: da943534dc948d73dd967abc6d37c718adf03b454bdf056c0f5a7879574b1967
Opcode Fuzzy Hash: e44640eb945edcdb330fccb508c3ea3b329ff7572ab2c3ac08101b3669067511
Instruction Fuzzy Hash: 71015EB0E40218BFEF00AFE0DC0ABADBBB9FB05749F104409F314B9090C7B866519B58

Function 0040430F Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 70stringnetworkCOMMON

Download Yara Rule

APIs

??_U@YAPAXI@Z.MSVCRT ref: 00404373
??_U@YAPAXI@Z.MSVCRT ref: 00404387
??_U@YAPAXI@Z.MSVCRT ref: 0040439B
lstrlenA.KERNEL32(00000000,00000000,0000003C), ref: 004043B9
InternetCrackUrlA.WININET(00000000,00000000), ref: 004043C9

Strings

<, xrefs: 0040431A
<, xrefs: 0040435B

Memory Dump Source

Source File: 00000004.00000002.3352878258.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.3352878258.0000000000439000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.000000000043F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000445000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004A6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004A9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004B1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004D1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004DD000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000502000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.000000000050E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.000000000052D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000539000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000005C8000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000643000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: CrackInternetlstrlen
String ID: <$<
API String ID: 1274457161-213342407
Opcode ID: 94d81e5e955a971915de60a229a9877af64f0f003ab4a34939c35b93bd59b886
Instruction ID: 01f5d62e614e23a6b162f059a70a9e0953d43a02f97c16b9683ed6508c4b1ff7
Opcode Fuzzy Hash: 94d81e5e955a971915de60a229a9877af64f0f003ab4a34939c35b93bd59b886
Instruction Fuzzy Hash: 48214771D00218AFDB10DFA9E881BCDBBB4BB04324F10815AE669F72A0DB345A85CF10

Function 004125CA Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 39registryCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 004125F2
RegOpenKeyExA.KERNELBASE(80000002,SOFTWARE\Microsoft\Cryptography,00000000,00020119,?), ref: 00412612
RegQueryValueExA.KERNELBASE(?,MachineGuid,00000000,00000000,00000000,000000FF), ref: 00412639
RegCloseKey.ADVAPI32(?), ref: 00412645
CharToOemA.USER32(00000000,?), ref: 00412659

Strings

SOFTWARE\Microsoft\Cryptography, xrefs: 00412608
MachineGuid, xrefs: 0041262E

Memory Dump Source

Source File: 00000004.00000002.3352878258.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.3352878258.0000000000439000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.000000000043F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000445000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004A6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004A9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004B1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004D1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004DD000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000502000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.000000000050E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.000000000052D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000539000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000005C8000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000643000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: CharCloseOpenQueryValuememset
String ID: MachineGuid$SOFTWARE\Microsoft\Cryptography
API String ID: 2391366103-1211650757
Opcode ID: 195b74b0a96cc35dac2f772ac61cfb819d8275be74710b7e5bc2e41235a95a6e
Instruction ID: 19f088c07c09de6674c761c0d1b751acc79a05fefe0ca058460f00b60f9401a7
Opcode Fuzzy Hash: 195b74b0a96cc35dac2f772ac61cfb819d8275be74710b7e5bc2e41235a95a6e
Instruction Fuzzy Hash: 1B016275A4022DBBDB209B50DD4AFDA777CEB14704F5001E1B688F6091DBF46AC48F54

Function 00417F35 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 138stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00411668: lstrcpyA.KERNEL32(00425200,00000000,?), ref: 004116A7

Part of subcall function 004116B4: lstrcpyA.KERNEL32(?,?,?,?,004118C6,00000000), ref: 004116F4

Part of subcall function 00406312: InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00406373
Part of subcall function 00406312: StrCmpCA.SHLWAPI(?), ref: 00406390
Part of subcall function 00406312: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 004063BE
Part of subcall function 00406312: HttpOpenRequestA.WININET(00000000,GET,?,00000000,00000000,00400100,00000000), ref: 0040640A
Part of subcall function 00406312: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 00406442
Part of subcall function 00406312: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00406453

Part of subcall function 0041177A: lstrcpyA.KERNEL32(00000000,?,?,?,0041A98C,00000000,?,?,00428E5C,?,00000000), ref: 004117D3

StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00417F96
lstrlenA.KERNEL32(00000000), ref: 00417FAD

Part of subcall function 00412FD6: LocalAlloc.KERNELBASE(00000040,00000001), ref: 00412FF2

StrStrA.SHLWAPI(00000000,00000000), ref: 00417FDD
lstrlenA.KERNEL32(00000000), ref: 00417FF9
lstrlenA.KERNEL32(00000000), ref: 0041801F

Strings

ERROR, xrefs: 00417F88, 0041802A, 0041809C, 004180D6, 0041810D

Memory Dump Source

Source File: 00000004.00000002.3352878258.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.3352878258.0000000000439000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.000000000043F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000445000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004A6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004A9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004B1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004D1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004DD000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000502000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.000000000050E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.000000000052D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000539000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000005C8000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000643000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: Internetlstrcpylstrlen$HttpOpenRequest$AllocConnectLocalOptionSend
String ID: ERROR
API String ID: 3240024479-2861137601
Opcode ID: e56dbd6892063ce075c71f30584f65b6369d35785078b77fb4a32cfd08f74c49
Instruction ID: 82a00ccf74cc6928f093117e63f16261f372f6c033bbdc91f1bb176def9d3ff2
Opcode Fuzzy Hash: e56dbd6892063ce075c71f30584f65b6369d35785078b77fb4a32cfd08f74c49
Instruction Fuzzy Hash: 24511A71910108ABCB04FFA1D956AED7774BF11309F60402EF916A61F2DF39AA89CA48

Function 00412213 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 52registrystringCOMMON

Download Yara Rule

APIs

RegEnumKeyExA.KERNELBASE(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00412259
wsprintfA.USER32 ref: 0041228B
RegOpenKeyExA.KERNELBASE(00000000,?,00000000,00020019,00000000), ref: 004122AC
RegCloseKey.ADVAPI32(00000000), ref: 004122BC
RegCloseKey.ADVAPI32(00000000), ref: 004122C8

Part of subcall function 004116B4: lstrcpyA.KERNEL32(?,?,?,?,004118C6,00000000), ref: 004116F4

RegQueryValueExA.KERNELBASE(00000000,00000000,000F003F,?,00000400), ref: 0041231A
lstrlenA.KERNEL32(?), ref: 0041232F
RegQueryValueExA.KERNELBASE(00000000,00000000,000F003F,?,00000400,00000000,?,?,00000000,?,00428E48), ref: 004123C6
RegCloseKey.ADVAPI32(00000000), ref: 00412434
RegCloseKey.ADVAPI32(00000000), ref: 00412445

Strings

%s\%s, xrefs: 0041227F

Memory Dump Source

Source File: 00000004.00000002.3352878258.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.3352878258.0000000000439000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.000000000043F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000445000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004A6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004A9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004B1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004D1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004DD000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000502000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.000000000050E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.000000000052D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000539000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000005C8000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000643000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: Close$QueryValue$EnumOpenlstrcpylstrlenwsprintf
String ID: %s\%s
API String ID: 3896182533-4073750446
Opcode ID: c05b9aeffa2524c3aa9bcda23acaed7832a6b4e564aa8b15d5e8c89861718145
Instruction ID: d7cee1983acf12d4360d724bf4cc3a4c29cf8c0d886bd7a19f0679c37ebee969
Opcode Fuzzy Hash: c05b9aeffa2524c3aa9bcda23acaed7832a6b4e564aa8b15d5e8c89861718145
Instruction Fuzzy Hash: 1721F27590012CAFEB609B50DD45BD9B7B9FF08304F4094E5E649A60A0CF749AD98F94

Function 00411ADD Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 37registrymemoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104), ref: 00411AF1
HeapAlloc.KERNEL32(00000000), ref: 00411AF8
RegOpenKeyExA.KERNELBASE(80000002,00000000,00020119,00000000), ref: 00411B29
RegQueryValueExA.KERNELBASE(00000000,00000000,00000000,?,000000FF), ref: 00411B47
RegCloseKey.ADVAPI32(00000000), ref: 00411B50

Strings

Windows 11, xrefs: 00411B0A

Memory Dump Source

Source File: 00000004.00000002.3352878258.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.3352878258.0000000000439000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.000000000043F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000445000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004A6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004A9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004B1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004D1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004DD000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000502000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.000000000050E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.000000000052D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000539000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000005C8000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000643000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: Heap$AllocCloseOpenProcessQueryValue
String ID: Windows 11
API String ID: 3466090806-2517555085
Opcode ID: 346f3f4664875a4ea084d75b8818ec132410f9d5b334d0546c756ba2ab9ffa29
Instruction ID: 3f27d459ef3b4295677ace20887899c1ffae7c715c4ca525cf07eb428eb26eef
Opcode Fuzzy Hash: 346f3f4664875a4ea084d75b8818ec132410f9d5b334d0546c756ba2ab9ffa29
Instruction Fuzzy Hash: 84013C34A44208FBEB10ABE0EC0AB9D7B7AFB06744F1050A5F701AA1A1E7749A94DB14

Function 00411B5B Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 36registrymemoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104), ref: 00411B6F
HeapAlloc.KERNEL32(00000000), ref: 00411B76
RegOpenKeyExA.KERNELBASE(80000002,00000000,00020119,00411B06), ref: 00411B95
RegQueryValueExA.KERNELBASE(00411B06,CurrentBuildNumber,00000000,00000000,?,000000FF), ref: 00411BB2
RegCloseKey.ADVAPI32(00411B06), ref: 00411BBB

Strings

CurrentBuildNumber, xrefs: 00411BAA

Memory Dump Source

Source File: 00000004.00000002.3352878258.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.3352878258.0000000000439000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.000000000043F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000445000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004A6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004A9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004B1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004D1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004DD000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000502000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.000000000050E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.000000000052D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000539000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000005C8000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000643000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: Heap$AllocCloseOpenProcessQueryValue
String ID: CurrentBuildNumber
API String ID: 3466090806-1022791448
Opcode ID: 6763c454cfa2fbe29bba7aff6e2c919a48f957ef8388f20bd06a009583ecdfc3
Instruction ID: 29d7a5e80dbd030fd5711505aedc04f660bf528dc6b38352957baa02463c1007
Opcode Fuzzy Hash: 6763c454cfa2fbe29bba7aff6e2c919a48f957ef8388f20bd06a009583ecdfc3
Instruction Fuzzy Hash: 42F04F75A40209FFEB00AFE0EC0AFEDBBB9FB05704F101095F200A90A1D7B05690DB54

Function 00407CDF Relevance: 9.1, APIs: 6, Instructions: 74filememoryCOMMON

Download Yara Rule

APIs

CreateFileA.KERNELBASE(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00407D05
GetFileSizeEx.KERNEL32(000000FF,?), ref: 00407D29
LocalAlloc.KERNEL32(00000040,?), ref: 00407D48
ReadFile.KERNELBASE(000000FF,00000000,?,0040F582,00000000), ref: 00407D6E
LocalFree.KERNEL32(00000000), ref: 00407DA0
CloseHandle.KERNEL32(000000FF), ref: 00407DA9

Memory Dump Source

Source File: 00000004.00000002.3352878258.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.3352878258.0000000000439000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.000000000043F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000445000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004A6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004A9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004B1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004D1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004DD000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000502000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.000000000050E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.000000000052D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000539000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000005C8000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000643000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: File$Local$AllocCloseCreateFreeHandleReadSize
String ID:
API String ID: 2311089104-0
Opcode ID: b0c26b6f574b650b3bbe433578a167a4ae74d057130e38fdececdba59a5ca05d
Instruction ID: 20c10e672a0f3402bfbef9d3d1be989891e350540804f4a5b6ad44830b3c41ef
Opcode Fuzzy Hash: b0c26b6f574b650b3bbe433578a167a4ae74d057130e38fdececdba59a5ca05d
Instruction Fuzzy Hash: 6C31F174E00209EFDF11DFA4D849BEE7BB5BF0A301F104065E911AB2A0D778AA91CF55

Function 0041FD2C Relevance: 7.6, APIs: 5, Instructions: 146COMMON

Download Yara Rule

APIs

SetFilePointer.KERNEL32(00000000,00000000,00000000,00000001), ref: 0041FD9F

Memory Dump Source

Source File: 00000004.00000002.3352878258.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.3352878258.0000000000439000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.000000000043F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000445000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004A6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004A9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004B1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004D1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004DD000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000502000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.000000000050E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.000000000052D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000539000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000005C8000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000643000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 28e4449246bdff4538dfa03a6f885fd424cd5e53fb953e1d424f3e4a8a48cfb0
Instruction ID: 5f3c8af357893ed153ccb181933e0c92fd25f58187f5847643f7a6c701f82d74
Opcode Fuzzy Hash: 28e4449246bdff4538dfa03a6f885fd424cd5e53fb953e1d424f3e4a8a48cfb0
Instruction Fuzzy Hash: D561CE70A00209DFDB10CF54D948BAEB7F1BB04725F258166E515AB391C3B4DE86CB6A

Function 00407F8E Relevance: 7.6, APIs: 2, Strings: 3, Instructions: 86COMMON

Download Yara Rule

APIs

Part of subcall function 00411668: lstrcpyA.KERNEL32(00425200,00000000,?), ref: 004116A7

Part of subcall function 00407CDF: CreateFileA.KERNELBASE(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00407D05
Part of subcall function 00407CDF: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00407D29
Part of subcall function 00407CDF: LocalAlloc.KERNEL32(00000040,?), ref: 00407D48
Part of subcall function 00407CDF: ReadFile.KERNELBASE(000000FF,00000000,?,0040F582,00000000), ref: 00407D6E
Part of subcall function 00407CDF: LocalFree.KERNEL32(00000000), ref: 00407DA0
Part of subcall function 00407CDF: CloseHandle.KERNEL32(000000FF), ref: 00407DA9

Part of subcall function 00412FD6: LocalAlloc.KERNELBASE(00000040,00000001), ref: 00412FF2

StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00407FDF

Part of subcall function 00407DC2: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00406095,00000000,00000000), ref: 00407DE6
Part of subcall function 00407DC2: LocalAlloc.KERNEL32(00000040,00406095,?,?,00406095,00000000,?), ref: 00407DF7
Part of subcall function 00407DC2: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00406095,00000000,00000000), ref: 00407E1D
Part of subcall function 00407DC2: LocalFree.KERNEL32(00000000,?,?,00406095,00000000,?), ref: 00407E31

memcmp.MSVCRT ref: 00408034

Part of subcall function 00407E41: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00407E65
Part of subcall function 00407E41: LocalAlloc.KERNEL32(00000040,00000000), ref: 00407E83
Part of subcall function 00407E41: LocalFree.KERNEL32(?), ref: 00407EAB

Strings

, xrefs: 00408062
DPAPI, xrefs: 0040802C
"encrypted_key":", xrefs: 00407FD7

Memory Dump Source

Source File: 00000004.00000002.3352878258.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.3352878258.0000000000439000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.000000000043F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000445000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004A6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004A9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004B1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004D1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004DD000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000502000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.000000000050E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.000000000052D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000539000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000005C8000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000643000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: Local$Alloc$CryptFileFree$BinaryString$CloseCreateDataHandleReadSizeUnprotectlstrcpymemcmp
String ID: $"encrypted_key":"$DPAPI
API String ID: 1204593910-738592651
Opcode ID: cb5a7b3697549c6f230e63b8f069386ffd445f3a9418a1f9903da71664ec03a3
Instruction ID: 8d589a117900b415cc4759a7c5c28772ff61d9ce457947e60a2fc3858aeb04fe
Opcode Fuzzy Hash: cb5a7b3697549c6f230e63b8f069386ffd445f3a9418a1f9903da71664ec03a3
Instruction Fuzzy Hash: 74310E71D0010DABDF11DBA5DD45BEEBBB8AF04304F14012AE840B2291EB799A58DB99

Function 004126A3 Relevance: 7.6, APIs: 5, Instructions: 84commemoryCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(0042AC28,00000000,00000001,004292EC,00000000,?,?,?,?,004128EF), ref: 004126EA
SysAllocString.OLEAUT32(?), ref: 00412700
_wtoi64.MSVCRT ref: 0041274D
SysFreeString.OLEAUT32(?), ref: 00412771
SysFreeString.OLEAUT32(00000000), ref: 0041277A

Memory Dump Source

Source File: 00000004.00000002.3352878258.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.3352878258.0000000000439000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.000000000043F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000445000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004A6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004A9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004B1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004D1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004DD000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000502000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.000000000050E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.000000000052D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000539000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000005C8000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000643000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: String$Free$AllocCreateInstance_wtoi64
String ID:
API String ID: 1817501562-0
Opcode ID: f48b06c7123509e446c0da83949f76becdf3deb21f21affda6d357694f029a8c
Instruction ID: 58adf380e0662d1b76d21edb75c8d821cdd3313fccb4f2387b68fcf25dfbec8a
Opcode Fuzzy Hash: f48b06c7123509e446c0da83949f76becdf3deb21f21affda6d357694f029a8c
Instruction Fuzzy Hash: 2E310575E04219EFCB05DFA9D849BEEBBB4FB08315F00416AE911E32A0C7795951CFA4

Function 00411EB5 Relevance: 7.5, APIs: 5, Instructions: 32registrymemoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,00000000), ref: 00411EC9
HeapAlloc.KERNEL32(00000000), ref: 00411ED0
RegOpenKeyExA.KERNELBASE(80000002,00000000,00020119,00000000), ref: 00411EEF
RegQueryValueExA.KERNELBASE(00000000,00000000,00000000,000000FF,000000FF), ref: 00411F0D
RegCloseKey.ADVAPI32(00000000), ref: 00411F16

Memory Dump Source

Source File: 00000004.00000002.3352878258.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.3352878258.0000000000439000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.000000000043F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000445000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004A6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004A9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004B1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004D1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004DD000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000502000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.000000000050E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.000000000052D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000539000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000005C8000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000643000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: Heap$AllocCloseOpenProcessQueryValue
String ID:
API String ID: 3466090806-0
Opcode ID: dd008c8d00355dc8994383d20b0c3b1a5372c3a3245a183f1dace59f39d50ce9
Instruction ID: 2ba135963ef3e1c949db86b07d2e2a79437377d0b90cfecc595d9e25d7200812
Opcode Fuzzy Hash: dd008c8d00355dc8994383d20b0c3b1a5372c3a3245a183f1dace59f39d50ce9
Instruction Fuzzy Hash: C2F03A79A40208FFEB10AFE0EC0AF9DBBBAFB06745F105064F701A91A0D77156949F40

Function 0040F9BD Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 166COMMON

Download Yara Rule

APIs

StrCmpCA.SHLWAPI(00000000,?,?), ref: 0040F9EF
StrCmpCA.SHLWAPI(00000000,?,?), ref: 0040FA75
StrCmpCA.SHLWAPI(00000000,?,?), ref: 0040FB84

Part of subcall function 004116B4: lstrcpyA.KERNEL32(?,?,?,?,004118C6,00000000), ref: 004116F4

StrCmpCA.SHLWAPI(00000000), ref: 0040FC57
StrCmpCA.SHLWAPI(00000000), ref: 0040FCDD

Strings

Stable\, xrefs: 0040FA90

Memory Dump Source

Source File: 00000004.00000002.3352878258.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.3352878258.0000000000439000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.000000000043F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000445000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004A6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004A9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004B1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004D1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004DD000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000502000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.000000000050E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.000000000052D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000539000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000005C8000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000643000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: lstrcpy
String ID: Stable\
API String ID: 3722407311-272486606
Opcode ID: b1a1266439bdf2a0e8ec9dc9193cdc2636f5054d60504534493cfb04d58e2737
Instruction ID: 7cd2c182165b9fee31fd49b72ff1b8ad9c7a36b01791bf89c52de0b726780448
Opcode Fuzzy Hash: b1a1266439bdf2a0e8ec9dc9193cdc2636f5054d60504534493cfb04d58e2737
Instruction Fuzzy Hash: CD511271A00109ABCF14FBB5DD96BDD77B9BB60304F10402AE906EB1A1EE35DB49CB85

Function 227EFD40 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 134fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(?,?,?,?,?), ref: 227EFE03

Strings

delayed %dms for lock/sharing conflict at line %d, xrefs: 227EFE78
winRead, xrefs: 227EFE3D

Memory Dump Source

Source File: 00000004.00000002.3363366661.00000000227E8000.00000020.00001000.00020000.00000000.sdmp, Offset: 227E0000, based on PE: true

Associated: 00000004.00000002.3363339337.00000000227E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000227E1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.0000000022946000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000229ED000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229EF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229F8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364756825.0000000022A22000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_227e0000_MSBuild.jbxd

Similarity

API ID: FileRead
String ID: delayed %dms for lock/sharing conflict at line %d$winRead
API String ID: 2738559852-1843600136
Opcode ID: 1731fa57d13008f549d18131db252c4b9a2c9e87d6c639e56eeebb9824e1e39c
Instruction ID: 0845cac6d0743604bffaf43c6bcaf5db7c11f19be48943bd604e05cfff7e7f31
Opcode Fuzzy Hash: 1731fa57d13008f549d18131db252c4b9a2c9e87d6c639e56eeebb9824e1e39c
Instruction Fuzzy Hash: 4D4106B26083056BC300DF65CD94A6BBBE8FFC4314F84092DF949C7A41EB75E91887A2

Function 00408203 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106libraryCOMMON

Download Yara Rule

APIs

GetEnvironmentVariableA.KERNEL32(C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;,0000FFFF), ref: 00408220
LoadLibraryA.KERNELBASE ref: 004082A8

Part of subcall function 00411668: lstrcpyA.KERNEL32(00425200,00000000,?), ref: 004116A7

Part of subcall function 00411715: lstrlenA.KERNEL32(?,?,?,00419018,00425200,00425200,?,?,?,0041ABB6), ref: 0041171F
Part of subcall function 00411715: lstrcpyA.KERNEL32(0041ABB6,00000000,?,00419018,00425200,00425200), ref: 0041176D

Part of subcall function 0041185B: lstrlenA.KERNEL32(00428E5C,?,00428E5C,?,00000000), ref: 0041186F
Part of subcall function 0041185B: lstrcpyA.KERNEL32(00000000,?), ref: 004118A8
Part of subcall function 0041185B: lstrcatA.KERNEL32(00000000,00000000), ref: 004118B4

Part of subcall function 004117E0: lstrcpyA.KERNEL32(00000000,00000000), ref: 0041182C
Part of subcall function 004117E0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041183A

Part of subcall function 0041177A: lstrcpyA.KERNEL32(00000000,?,?,?,0041A98C,00000000,?,?,00428E5C,?,00000000), ref: 004117D3

SetEnvironmentVariableA.KERNEL32(00000000,00000000,?,00428E34,?,?,C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;,00425200), ref: 00408294

Strings

C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;, xrefs: 00408215, 00408229, 0040823F

Memory Dump Source

Source File: 00000004.00000002.3352878258.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.3352878258.0000000000439000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.000000000043F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000445000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004A6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004A9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004B1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004D1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004DD000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000502000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.000000000050E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.000000000052D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000539000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000005C8000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000643000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: lstrcpy$EnvironmentVariablelstrcatlstrlen$LibraryLoad
String ID: C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;
API String ID: 2929475105-1193256905
Opcode ID: 33191907c34fe30b91932b9d02352948c94fa74ece7802ec8efd6249ff31ed7f
Instruction ID: 84292c169819be5b53b0aa043c90a357ac7ef937680942749e622d56a9f64c6e
Opcode Fuzzy Hash: 33191907c34fe30b91932b9d02352948c94fa74ece7802ec8efd6249ff31ed7f
Instruction Fuzzy Hash: 91413931905245DFEB05EBA1FD66AE937B6FB04305F20612EE901A12F1DF395988CF98

Function 004073D6 Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 96memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(;q@,;q@,00003000,00000040), ref: 00407474
VirtualAlloc.KERNELBASE(00000000,;q@,00003000,00000040), ref: 004074BF

Strings

;q@, xrefs: 00407466, 00407470, 004074B9, 004074D7, 0040742C, 00407469, 00407473, 004074BC
;q@, xrefs: 004073DC

Memory Dump Source

Source File: 00000004.00000002.3352878258.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.3352878258.0000000000439000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.000000000043F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000445000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004A6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004A9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004B1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004D1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004DD000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000502000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.000000000050E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.000000000052D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000539000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000005C8000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000643000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID: ;q@$;q@
API String ID: 4275171209-3893597124
Opcode ID: ce50d067a10a9d200ba21eaef60b552f8d4fc485bf38c75f1e0756368e75d6fe
Instruction ID: d3bad8f71399132065eca503ffa06903ce5ef1b7e5e995e1b9bcc650a41b767e
Opcode Fuzzy Hash: ce50d067a10a9d200ba21eaef60b552f8d4fc485bf38c75f1e0756368e75d6fe
Instruction Fuzzy Hash: D941B535A04209EFCB50CF98C485FADBBF0EB08364F1484A5E959EB391D734EA81CB45

Function 00418DB9 Relevance: 6.1, APIs: 4, Instructions: 85synchronizationthreadCOMMON

Download Yara Rule

APIs

_MSFOpenExW.MSPDB140-MSVCRT ref: 00418E6C
CreateThread.KERNELBASE(00000000,00000000,00418C65,?,00000000,00000000), ref: 00418E85
WaitForSingleObject.KERNEL32(?,000003E8), ref: 00418E96

Memory Dump Source

Source File: 00000004.00000002.3352878258.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.3352878258.0000000000439000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.000000000043F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000445000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004A6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004A9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004B1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004D1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004DD000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000502000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.000000000050E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.000000000052D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000539000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000005C8000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000643000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: CreateObjectOpenSingleThreadWait
String ID:
API String ID: 4234577939-0
Opcode ID: f43b621d675ccc337efc39be0cc282dc91ce5b12264d272aea3fd1cbd3d3afdf
Instruction ID: 4c5e3d0133d6e9f2eae60e2625ec9d3b543f1cf41f80d31bea27500df29b833e
Opcode Fuzzy Hash: f43b621d675ccc337efc39be0cc282dc91ce5b12264d272aea3fd1cbd3d3afdf
Instruction Fuzzy Hash: 4F315C75900208AFDB10EF61DC45BED3BB5BF15305F54412AF9159A1A1EF349A86CF88

Function 004070D4 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 148COMMON

Download Yara Rule

Strings

ez@, xrefs: 004072B1

Memory Dump Source

Source File: 00000004.00000002.3352878258.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.3352878258.0000000000439000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.000000000043F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000445000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004A6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004A9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004B1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004D1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004DD000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000502000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.000000000050E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.000000000052D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000539000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000005C8000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000643000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID:
String ID: ez@
API String ID: 0-307298357
Opcode ID: 3bbf64017ccec70b43ef0a4a85a6baf18d8732ef2f27285e686f093308f930eb
Instruction ID: a860d7bb49b00275ae4f9f6a4a51eaec01057512aeaaa0d5d6857e8719e4b74b
Opcode Fuzzy Hash: 3bbf64017ccec70b43ef0a4a85a6baf18d8732ef2f27285e686f093308f930eb
Instruction Fuzzy Hash: FA61D270C08209EFCF14DF94D948BEEB7B0AB04315F2044AAE405B7291D779AE94DF6A

Function 00418C65 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 105stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000), ref: 00418C99
StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00418D4B

Strings

ERROR, xrefs: 00418D3D

Memory Dump Source

Source File: 00000004.00000002.3352878258.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.3352878258.0000000000439000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.000000000043F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000445000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004A6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004A9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004B1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004D1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004DD000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000502000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.000000000050E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.000000000052D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000539000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000005C8000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000643000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: lstrlen
String ID: ERROR
API String ID: 1659193697-2861137601
Opcode ID: 63e6eed9abdabe16e44a68f7f9864da067214aca1ca454f7c695c55e2f80d023
Instruction ID: 4cb9426ee5e73f282c12afd8d592c338adc4812851f741afb7acd22160182d69
Opcode Fuzzy Hash: 63e6eed9abdabe16e44a68f7f9864da067214aca1ca454f7c695c55e2f80d023
Instruction Fuzzy Hash: 6B3184B1E10204ABCF00EBA5DD46AEE7778FB15318F10051AF502E73A1DB389940CBA9

Function 00418E9E Relevance: 4.5, APIs: 3, Instructions: 45sleepsynchronizationthreadCOMMON

Download Yara Rule

APIs

_MSFOpenExW.MSPDB140-MSVCRT ref: 00418E6C
CreateThread.KERNELBASE(00000000,00000000,00418C65,?,00000000,00000000), ref: 00418E85
WaitForSingleObject.KERNEL32(?,000003E8), ref: 00418E96
Sleep.KERNEL32(000003E8,?,00000000,?,?), ref: 00418EA5

Memory Dump Source

Source File: 00000004.00000002.3352878258.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.3352878258.0000000000439000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.000000000043F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000445000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004A6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004A9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004B1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004D1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004DD000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000502000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.000000000050E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.000000000052D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000539000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000005C8000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000643000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: CreateObjectOpenSingleSleepThreadWait
String ID:
API String ID: 1990444757-0
Opcode ID: db982492dfe86fd64df0525366e688e2b4b5a29edeeaa01de3fa1648289cf0de
Instruction ID: 5657c23587d86dbe871ff5d5566c82c5f00d4f8eb17df63da99cc315ca23b86c
Opcode Fuzzy Hash: db982492dfe86fd64df0525366e688e2b4b5a29edeeaa01de3fa1648289cf0de
Instruction Fuzzy Hash: 52011774640204EBDB21EF21DC46BEC3B65BB11709F54412AF9169A1B1DB399A82CF89

Function 00413563 Relevance: 4.5, APIs: 3, Instructions: 25COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000410,00000000,004154AA), ref: 00413576
K32GetModuleFileNameExA.KERNEL32(00000000,00000000,?,00000104), ref: 00413596
CloseHandle.KERNEL32(00000000), ref: 0041359F

Memory Dump Source

Source File: 00000004.00000002.3352878258.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.3352878258.0000000000439000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.000000000043F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000445000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004A6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004A9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004B1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004D1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004DD000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000502000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.000000000050E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.000000000052D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000539000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000005C8000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000643000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: CloseFileHandleModuleNameOpenProcess
String ID:
API String ID: 3183270410-0
Opcode ID: 424327ca4c3cbaa72694fe0256f2ae6f23efaf6e2f470c7a486978a51854163c
Instruction ID: 648301d2c24216510959a40647cebe15a857575c5a4660e0673f59272e1cdbeb
Opcode Fuzzy Hash: 424327ca4c3cbaa72694fe0256f2ae6f23efaf6e2f470c7a486978a51854163c
Instruction Fuzzy Hash: 68F0F27890120CFFDB11EFA0DC0AFDC7BB9AB09709F1444A5B615AA1A0D7B1ABD4DB44

Function 0040D1C6 Relevance: 3.9, APIs: 1, Strings: 1, Instructions: 379COMMON

Download Yara Rule

APIs

Part of subcall function 00411668: lstrcpyA.KERNEL32(00425200,00000000,?), ref: 004116A7

StrCmpCA.SHLWAPI(00000000,Opera GX,00425200,00425200,?,?), ref: 0040D201

Part of subcall function 00412F92: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,000003E8), ref: 00412FBC

Part of subcall function 004117E0: lstrcpyA.KERNEL32(00000000,00000000), ref: 0041182C
Part of subcall function 004117E0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041183A

Part of subcall function 0041177A: lstrcpyA.KERNEL32(00000000,?,?,?,0041A98C,00000000,?,?,00428E5C,?,00000000), ref: 004117D3

Part of subcall function 0041185B: lstrlenA.KERNEL32(00428E5C,?,00428E5C,?,00000000), ref: 0041186F
Part of subcall function 0041185B: lstrcpyA.KERNEL32(00000000,?), ref: 004118A8
Part of subcall function 0041185B: lstrcatA.KERNEL32(00000000,00000000), ref: 004118B4

Part of subcall function 004116B4: lstrcpyA.KERNEL32(?,?,?,?,004118C6,00000000), ref: 004116F4

Part of subcall function 00412F4C: GetFileAttributesA.KERNELBASE(00000000,?,0040E526,?,00425200,?,?), ref: 00412F5B

Part of subcall function 00407F8E: StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00407FDF
Part of subcall function 00407F8E: memcmp.MSVCRT ref: 00408034

Strings

Opera GX, xrefs: 0040D1F3

Memory Dump Source

Source File: 00000004.00000002.3352878258.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.3352878258.0000000000439000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.000000000043F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000445000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004A6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004A9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004B1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004D1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004DD000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000502000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.000000000050E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.000000000052D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000539000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000005C8000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000643000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrcat$AttributesFileFolderPathlstrlenmemcmp
String ID: Opera GX
API String ID: 1439182418-3280151751
Opcode ID: 0fb77b7b81ea3809c0307192b11be850f65fcb2790e200c338288ed7b6fd4c59
Instruction ID: fb3989cb2523bfc062273a9d11041c6471dda5227b0977fe00502919fff50608
Opcode Fuzzy Hash: 0fb77b7b81ea3809c0307192b11be850f65fcb2790e200c338288ed7b6fd4c59
Instruction Fuzzy Hash: 4BD113729001089ADF14FBF1DD56EEE737CAF14305F50412BF616A21E1EE39AB88CA59

Function 00407902 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 73memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(00EBE9FC,458B0874,00000002,00000002), ref: 004079D0

Strings

@, xrefs: 004079AC

Memory Dump Source

Source File: 00000004.00000002.3352878258.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.3352878258.0000000000439000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.000000000043F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000445000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004A6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004A9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004B1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004D1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004DD000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000502000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.000000000050E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.000000000052D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000539000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000005C8000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000643000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: ProtectVirtual
String ID: @
API String ID: 544645111-2766056989
Opcode ID: 287ad8346a7fe6e5c9c93bd88e2f49757a3d10b5b68bd008e028ca123d1bf971
Instruction ID: 108c03afaf6488205a77675aa431fcd5872e35c29fe2ccaab908e516a6f44892
Opcode Fuzzy Hash: 287ad8346a7fe6e5c9c93bd88e2f49757a3d10b5b68bd008e028ca123d1bf971
Instruction Fuzzy Hash: 2D31CBB5D08209EFEB10CF98C545BADBBF1FB04304F1485A6D455AB391D378AA81DF46

Function 00417E48 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 58COMMON

Download Yara Rule

APIs

Part of subcall function 004116B4: lstrcpyA.KERNEL32(?,?,?,?,004118C6,00000000), ref: 004116F4

Part of subcall function 00406312: InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00406373
Part of subcall function 00406312: StrCmpCA.SHLWAPI(?), ref: 00406390
Part of subcall function 00406312: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 004063BE
Part of subcall function 00406312: HttpOpenRequestA.WININET(00000000,GET,?,00000000,00000000,00400100,00000000), ref: 0040640A
Part of subcall function 00406312: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 00406442
Part of subcall function 00406312: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00406453

StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00417E8B

Strings

ERROR, xrefs: 00417E7D, 00417EDB

Memory Dump Source

Source File: 00000004.00000002.3352878258.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.3352878258.0000000000439000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.000000000043F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000445000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004A6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004A9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004B1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004D1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004DD000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000502000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.000000000050E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.000000000052D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000539000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000005C8000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000643000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: Internet$HttpOpenRequest$ConnectOptionSendlstrcpy
String ID: ERROR
API String ID: 3287882509-2861137601
Opcode ID: bb33d87117d8667f9c5c7158566ed321b33361f7c494144e9eddfb2cb9a39704
Instruction ID: b6725acd924a18acdeaf76a85a33531c260c99ef83c6fe063ac976ef0ea738d9
Opcode Fuzzy Hash: bb33d87117d8667f9c5c7158566ed321b33361f7c494144e9eddfb2cb9a39704
Instruction Fuzzy Hash: 4B11D0319101089BCB14FFA2E8569DD7378AF50309F50412EF916971F2EF39AB48C788

Function 00412F4C Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNELBASE(00000000,?,0040E526,?,00425200,?,?), ref: 00412F5B

Strings

&@, xrefs: 00412F52

Memory Dump Source

Source File: 00000004.00000002.3352878258.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.3352878258.0000000000439000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.000000000043F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000445000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004A6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004A9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004B1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004D1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004DD000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000502000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.000000000050E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.000000000052D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000539000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000005C8000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000643000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: AttributesFile
String ID: &@
API String ID: 3188754299-4010431647
Opcode ID: c554d616c374e849fdf741f0e5d4d7b9930fb9937f03e0365571ee75c380a818
Instruction ID: 5a9ed636e313f6a7dd176774e2c6308ea72efcd30315a16af32adb4bfda7ee87
Opcode Fuzzy Hash: c554d616c374e849fdf741f0e5d4d7b9930fb9937f03e0365571ee75c380a818
Instruction Fuzzy Hash: 4CF0C074C1020CEBCB00DFA5D5456DDB774AB11359F108156E522E72A0E7789B96DF44

Function 00412667 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 20COMMON

Download Yara Rule

APIs

GetCurrentHwProfileA.ADVAPI32(?), ref: 00412674

Part of subcall function 00411668: lstrcpyA.KERNEL32(00425200,00000000,?), ref: 004116A7

Strings

Unknown, xrefs: 00412691

Memory Dump Source

Source File: 00000004.00000002.3352878258.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.3352878258.0000000000439000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.000000000043F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000445000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004A6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004A9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004B1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004D1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004DD000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000502000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.000000000050E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.000000000052D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000539000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000005C8000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000643000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: CurrentProfilelstrcpy
String ID: Unknown
API String ID: 2831436455-1654365787
Opcode ID: 6f65f47d843f5c38b1e0a66190c485fb9fc1308ec2868120a4b7116f04a99c60
Instruction ID: 79ae12f52d30196ee2c5170817a78a3de43ea3cd72a751e4cea9930dc4e20eb0
Opcode Fuzzy Hash: 6f65f47d843f5c38b1e0a66190c485fb9fc1308ec2868120a4b7116f04a99c60
Instruction Fuzzy Hash: 0CE04F30600108EFCF10EF65D881EDD37ACBB04788F50402AF905D7190DB74E995CB98

Function 228104D1 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 14COMMON

Download Yara Rule

Strings

failed to allocate %u bytes of memory, xrefs: 228104E7

Memory Dump Source

Source File: 00000004.00000002.3363366661.00000000227E8000.00000020.00001000.00020000.00000000.sdmp, Offset: 227E0000, based on PE: true

Associated: 00000004.00000002.3363339337.00000000227E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000227E1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.0000000022946000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000229ED000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229EF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229F8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364756825.0000000022A22000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_227e0000_MSBuild.jbxd

Similarity

API ID:
String ID: failed to allocate %u bytes of memory
API String ID: 0-1168259600
Opcode ID: 471e1eb4650c007f25b289e82f7bc4d37e597cd72816859cd08c3c260ed7e55b
Instruction ID: 6cf40c342dbf982cf8ce1db260ef0f22b72ec172a1e0d9f5fd8133c862ed6ce1
Opcode Fuzzy Hash: 471e1eb4650c007f25b289e82f7bc4d37e597cd72816859cd08c3c260ed7e55b
Instruction Fuzzy Hash: B5C01222E8C32163DA521194EC42B897A414BA0791F058034FD4D6A374D5699D5143D2

Function 00412F92 Relevance: 1.5, APIs: 1, Instructions: 21COMMON

Download Yara Rule

APIs

SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,000003E8), ref: 00412FBC

Part of subcall function 00411668: lstrcpyA.KERNEL32(00425200,00000000,?), ref: 004116A7

Memory Dump Source

Source File: 00000004.00000002.3352878258.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.3352878258.0000000000439000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.000000000043F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000445000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004A6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004A9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004B1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004D1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004DD000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000502000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.000000000050E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.000000000052D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000539000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000005C8000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000643000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: FolderPathlstrcpy
String ID:
API String ID: 1699248803-0
Opcode ID: 47392e84d6d6294a81bee49d13ce944e3ea666f2a03f2c076f629e9461e68349
Instruction ID: aa325d3f94b7a9653be548765aa3873853a6de89a1716966dfff1a03a5bef2b1
Opcode Fuzzy Hash: 47392e84d6d6294a81bee49d13ce944e3ea666f2a03f2c076f629e9461e68349
Instruction Fuzzy Hash: 7DE04F3094034DBBDB51EF50CC92FCD376C9B04B05F404191B60CAA0D0DA70EB858B54

Function 00412FD6 Relevance: 1.3, APIs: 1, Instructions: 35memoryCOMMON

Download Yara Rule

APIs

LocalAlloc.KERNELBASE(00000040,00000001), ref: 00412FF2

Memory Dump Source

Source File: 00000004.00000002.3352878258.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.3352878258.0000000000439000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.000000000043F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000445000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004A6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004A9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004B1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004D1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004DD000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000502000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.000000000050E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.000000000052D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000539000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000005C8000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000643000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: AllocLocal
String ID:
API String ID: 3494564517-0
Opcode ID: 23ddd831960a07a4baf59c42516714ef093421010defdf0cacab57d0b5a2c2c6
Instruction ID: d6433807a1b8db94d6cb6db165d9c0c75de4d80c94e6a7adbc32009b6d90f099
Opcode Fuzzy Hash: 23ddd831960a07a4baf59c42516714ef093421010defdf0cacab57d0b5a2c2c6
Instruction Fuzzy Hash: 2F019274900208FFDB05CF98C585BED7FF4EB0931AF248089E505AB294C279AF84DB15

Function 00412B6B Relevance: 1.3, APIs: 1, Instructions: 10COMMONLIBRARYCODE

Download Yara Rule

APIs

malloc.MSVCRT ref: 00412B72

Memory Dump Source

Source File: 00000004.00000002.3352878258.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.3352878258.0000000000439000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.000000000043F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000445000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004A6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004A9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004B1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004D1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000004DD000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000502000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.000000000050E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.000000000052D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000539000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.00000000005C8000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3352878258.0000000000643000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: malloc
String ID:
API String ID: 2803490479-0
Opcode ID: e9ef69333db613a216edd2c8bf2b23955e04f01125ce089b17a326d4bede4d29
Instruction ID: 52e30e3b9de2c83f9cf9caa13978d237713c2858ae44fde087075dd4632ce1ce
Opcode Fuzzy Hash: e9ef69333db613a216edd2c8bf2b23955e04f01125ce089b17a326d4bede4d29
Instruction Fuzzy Hash: ABC04C70A1411DBB8B04EB59E94284DBBE89A04298B504069F40896151D671AE419658

Non-executed Functions

Function 228C4140 Relevance: 47.7, APIs: 14, Strings: 13, Instructions: 461COMMON

Download Yara Rule

Strings

Node %lld is too small for cell count of %d (%d bytes), xrefs: 228C432B
Mapping (%lld -> %lld) missing from %s table, xrefs: 228C44E6, 228C45C2
Rtree depth out of range (%d), xrefs: 228C428E
Dimension %d of cell %d on node %lld is corrupt, xrefs: 228C43D7
SELECT nodeno FROM %Q.'%q_rowid' WHERE rowid=?1, xrefs: 228C4574
Found (%lld -> %lld) in %s table, expected (%lld -> %lld), xrefs: 228C4527, 228C4603
%_rowid, xrefs: 228C45B0, 228C45FA
Node %lld missing from database, xrefs: 228C4230
SELECT parentnode FROM %Q.'%q_parent' WHERE nodeno=?1, xrefs: 228C4498
%_parent, xrefs: 228C44D4, 228C451E
Node %lld is too small (%d bytes), xrefs: 228C425A
Dimension %d of cell %d on node %lld is corrupt relative to parent, xrefs: 228C444D
SELECT data FROM %Q.'%q_node' WHERE nodeno=?, xrefs: 228C4166

Memory Dump Source

Source File: 00000004.00000002.3363366661.00000000227E8000.00000020.00001000.00020000.00000000.sdmp, Offset: 227E0000, based on PE: true

Associated: 00000004.00000002.3363339337.00000000227E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000227E1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.0000000022946000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000229ED000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229EF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229F8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364756825.0000000022A22000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_227e0000_MSBuild.jbxd

Similarity

API ID:
String ID: %_parent$%_rowid$Dimension %d of cell %d on node %lld is corrupt$Dimension %d of cell %d on node %lld is corrupt relative to parent$Found (%lld -> %lld) in %s table, expected (%lld -> %lld)$Mapping (%lld -> %lld) missing from %s table$Node %lld is too small (%d bytes)$Node %lld is too small for cell count of %d (%d bytes)$Node %lld missing from database$Rtree depth out of range (%d)$SELECT data FROM %Q.'%q_node' WHERE nodeno=?$SELECT nodeno FROM %Q.'%q_rowid' WHERE rowid=?1$SELECT parentnode FROM %Q.'%q_parent' WHERE nodeno=?1
API String ID: 0-1352829109
Opcode ID: 6b6f4190aea3ee352b27641c52c9a3f3c1605fdcc9b090d3c3d02677601be492
Instruction ID: 23f58054af847c6fa1cf5d7bbd84c06eb7c2cbddf5a41470411cd52b90adb591
Opcode Fuzzy Hash: 6b6f4190aea3ee352b27641c52c9a3f3c1605fdcc9b090d3c3d02677601be492
Instruction Fuzzy Hash: 3EF14475904300EBD7099F64DD84E2BBBA8FF84304F05492CFD499B21AE775DA91CBA2

Function 22920480 Relevance: 30.2, APIs: 8, Strings: 9, Instructions: 476COMMON

Download Yara Rule

Strings

%s mode not allowed: %s, xrefs: 229209EC
mode, xrefs: 22920867
file, xrefs: 229204DA
no such %s mode: %s, xrefs: 22920922
no such vfs: %s, xrefs: 2292099A
cach, xrefs: 2292082B
loca, xrefs: 22920598
invalid uri authority: %.*s, xrefs: 229205C2
lhos, xrefs: 229205A1

Memory Dump Source

Source File: 00000004.00000002.3363366661.00000000227E8000.00000020.00001000.00020000.00000000.sdmp, Offset: 227E0000, based on PE: true

Associated: 00000004.00000002.3363339337.00000000227E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000227E1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.0000000022946000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000229ED000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229EF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229F8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364756825.0000000022A22000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_227e0000_MSBuild.jbxd

Similarity

API ID:
String ID: %s mode not allowed: %s$cach$file$invalid uri authority: %.*s$lhos$loca$mode$no such %s mode: %s$no such vfs: %s
API String ID: 0-1127695371
Opcode ID: 36fa0bb4eb0faaa35f29fbf2ec764fd3c15a82b9f8287599c3835369dd512e25
Instruction ID: 9616726e77cee99776f6ed3fdd551b6435a22c7c2272db88c7644fac340c9865
Opcode Fuzzy Hash: 36fa0bb4eb0faaa35f29fbf2ec764fd3c15a82b9f8287599c3835369dd512e25
Instruction Fuzzy Hash: 82F16674508B414FE3118F24C69076A7BEAAFA6318F4447DCE8D61B29FD736D609CB82

Function 22808680 Relevance: 28.6, APIs: 9, Strings: 7, Instructions: 550COMMON

Download Yara Rule

Strings

recursively defined fts5 content table, xrefs: 228086C5
ASC, xrefs: 228098BA
parse error in rank function: %s, xrefs: 228097FF
, xrefs: 22809848
DESC, xrefs: 228098C2, 228098D6
%s: table does not support scanning, xrefs: 22809979
SELECT rowid, rank FROM %Q.%Q ORDER BY %s("%w"%s%s) %s, xrefs: 228098F1

Memory Dump Source

Source File: 00000004.00000002.3363366661.00000000227E8000.00000020.00001000.00020000.00000000.sdmp, Offset: 227E0000, based on PE: true

Associated: 00000004.00000002.3363339337.00000000227E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000227E1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.0000000022946000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000229ED000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229EF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229F8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364756825.0000000022A22000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_227e0000_MSBuild.jbxd

Similarity

API ID:
String ID: $%s: table does not support scanning$ASC$DESC$SELECT rowid, rank FROM %Q.%Q ORDER BY %s("%w"%s%s) %s$parse error in rank function: %s$recursively defined fts5 content table
API String ID: 0-2381147695
Opcode ID: a4fc958d3d720cf9912253401861268a4cc063fb363739c3e2679687ab06aea4
Instruction ID: 25d5620e87360bc8d9f27ca11d448bac593942ca40593457552bbd9792f57629
Opcode Fuzzy Hash: a4fc958d3d720cf9912253401861268a4cc063fb363739c3e2679687ab06aea4
Instruction Fuzzy Hash: DD22ECB5904305DFCB20CF25CC80B6ABBF4BFA8704F054A29F9599B251E735EA52CB91

Function 227F66C0 Relevance: 23.2, APIs: 12, Strings: 1, Instructions: 416COMMON

Download Yara Rule

Strings

_shape does not contain a valid polygon, xrefs: 227F6816

Memory Dump Source

Source File: 00000004.00000002.3363366661.00000000227E8000.00000020.00001000.00020000.00000000.sdmp, Offset: 227E0000, based on PE: true

Associated: 00000004.00000002.3363339337.00000000227E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000227E1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.0000000022946000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000229ED000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229EF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229F8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364756825.0000000022A22000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_227e0000_MSBuild.jbxd

Similarity

API ID:
String ID: _shape does not contain a valid polygon
API String ID: 0-1814939628
Opcode ID: d8ce64b3ff0d2c432b6182152f0d53323a5ed17ca077cb75474780f64a250655
Instruction ID: 7693cbdc40d02712fd042927c2e3f8cde73ec869cbabe10cc0ffebb100fc1eaa
Opcode Fuzzy Hash: d8ce64b3ff0d2c432b6182152f0d53323a5ed17ca077cb75474780f64a250655
Instruction Fuzzy Hash: 03E1AEB580C3009FC311DF28CA40A1BBBE5EF94714F544A2DF9A997312E736DA45CBA6

Function 22810FB0 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 180COMMON

Download Yara Rule

Strings

e, xrefs: 2281115A

Memory Dump Source

Source File: 00000004.00000002.3363366661.00000000227E8000.00000020.00001000.00020000.00000000.sdmp, Offset: 227E0000, based on PE: true

Associated: 00000004.00000002.3363339337.00000000227E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000227E1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.0000000022946000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000229ED000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229EF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229F8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364756825.0000000022A22000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_227e0000_MSBuild.jbxd

Similarity

API ID:
String ID: e
API String ID: 0-4024072794
Opcode ID: 36bf8875baaf085edaede92fcfbfd96a80b42455c8294c9340591cc07f665f1e
Instruction ID: f86c9fbf9696e164d28a3b4a9123c50cb7cbea3a669eb5050e167e27b746a453
Opcode Fuzzy Hash: 36bf8875baaf085edaede92fcfbfd96a80b42455c8294c9340591cc07f665f1e
Instruction Fuzzy Hash: 81513476608341DFD705CE28CC84A7BBBE0EF95311F10056EF88A976A1E732E954CBA1

Function 228C4D40 Relevance: 14.0, APIs: 9, Instructions: 476COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3363366661.00000000227E8000.00000020.00001000.00020000.00000000.sdmp, Offset: 227E0000, based on PE: true

Associated: 00000004.00000002.3363339337.00000000227E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000227E1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.0000000022946000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000229ED000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229EF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229F8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364756825.0000000022A22000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_227e0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d8633a689ee5cc1634db8dfe92cfa10fa77f32d1155f329a8ea3c4cd20389fb
Instruction ID: fb0ef18efca386765ac95924a93853922ae6c74970aae781efaf6ce4e768cc90
Opcode Fuzzy Hash: 5d8633a689ee5cc1634db8dfe92cfa10fa77f32d1155f329a8ea3c4cd20389fb
Instruction Fuzzy Hash: 50F113B4504301DFC7149FA5CD88A2BB7F8EF91319F040A2DFD1982645E779EA45CBA2

Function 22858200 Relevance: 14.0, APIs: 9, Instructions: 466COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3363366661.00000000227E8000.00000020.00001000.00020000.00000000.sdmp, Offset: 227E0000, based on PE: true

Associated: 00000004.00000002.3363339337.00000000227E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000227E1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.0000000022946000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000229ED000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229EF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229F8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364756825.0000000022A22000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_227e0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c20e98fd59efd29085b4df111b73e7ee67b97f4135d43bdc8d31f9fd5370989e
Instruction ID: 78b08d257b80db7cb059f3177a90a8f65b1039a8ea78538b781d63c458806fc8
Opcode Fuzzy Hash: c20e98fd59efd29085b4df111b73e7ee67b97f4135d43bdc8d31f9fd5370989e
Instruction Fuzzy Hash: 6202F276904300EFC7118F64C940B6BB7E9FF84354F864A2AFE8993210E775D9A4CB92

Function 22844760 Relevance: 9.4, APIs: 6, Instructions: 429COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3363366661.00000000227E8000.00000020.00001000.00020000.00000000.sdmp, Offset: 227E0000, based on PE: true

Associated: 00000004.00000002.3363339337.00000000227E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000227E1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.0000000022946000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000229ED000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229EF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229F8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364756825.0000000022A22000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_227e0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f70cb9e3d1f8c57093b83a29492cf3c9fa1ed24cdeebbd1c23630b3277327412
Instruction ID: a878e095de77c83aadf9ef065fb3fd8dfc229beb636d0578b2f274416a92f954
Opcode Fuzzy Hash: f70cb9e3d1f8c57093b83a29492cf3c9fa1ed24cdeebbd1c23630b3277327412
Instruction Fuzzy Hash: E2F1C074908349DFD300CF68C944A2BBBE4FF84308F454A2DF99997211EB75EA55CBA2

Function 227F4820 Relevance: 9.3, APIs: 6, Instructions: 285COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3363366661.00000000227E8000.00000020.00001000.00020000.00000000.sdmp, Offset: 227E0000, based on PE: true

Associated: 00000004.00000002.3363339337.00000000227E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000227E1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.0000000022946000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000229ED000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229EF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229F8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364756825.0000000022A22000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_227e0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2596792877f874c12a32b6b2e66d5b6d39dfe52750a2683866ef2e1696e27640
Instruction ID: 15b84f931cf94416cbde497c8bcc4713a259bd08dd940cf6d23dbc926e2ff2bd
Opcode Fuzzy Hash: 2596792877f874c12a32b6b2e66d5b6d39dfe52750a2683866ef2e1696e27640
Instruction Fuzzy Hash: 1AB1AFB4908701AFD700CF25C854B1BB7F8BF99308F008B29FA5997641E779E994CB96

Function 22879090 Relevance: 9.1, APIs: 6, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3363366661.00000000227E8000.00000020.00001000.00020000.00000000.sdmp, Offset: 227E0000, based on PE: true

Associated: 00000004.00000002.3363339337.00000000227E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000227E1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.0000000022946000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000229ED000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229EF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229F8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364756825.0000000022A22000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_227e0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f98678b892ca75055ade1d91bf54dbeb9f555b4d3465ecdd5a7552a6aa34c53
Instruction ID: 9034bf764ad3e0ffa835752baec068500afad0e733b124f19d283133a0daaf7e
Opcode Fuzzy Hash: 0f98678b892ca75055ade1d91bf54dbeb9f555b4d3465ecdd5a7552a6aa34c53
Instruction Fuzzy Hash: CB31D139210300DFD325CF28D985E26B3F5FF84329B0545B9E94A8B262D722EC61CB60

Function 2284E200 Relevance: 9.1, APIs: 6, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3363366661.00000000227E8000.00000020.00001000.00020000.00000000.sdmp, Offset: 227E0000, based on PE: true

Associated: 00000004.00000002.3363339337.00000000227E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000227E1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.0000000022946000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000229ED000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229EF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229F8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364756825.0000000022A22000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_227e0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92bf77fd582b7ed00d7befee039d047949ab74edd0f0fec976e9e75a121bf2e8
Instruction ID: 62b629088e23a0e352c9de65a00399475b69728eadbbf7816441e5a044176f8d
Opcode Fuzzy Hash: 92bf77fd582b7ed00d7befee039d047949ab74edd0f0fec976e9e75a121bf2e8
Instruction Fuzzy Hash: F311E473609318AFE3055B64DC81FABB7DDEF69325F10042AFA0A92151EBB6D91183A1

Function 228306E0 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 238COMMON

Download Yara Rule

Strings

VUUU, xrefs: 2283083A

Memory Dump Source

Source File: 00000004.00000002.3363366661.00000000227E8000.00000020.00001000.00020000.00000000.sdmp, Offset: 227E0000, based on PE: true

Associated: 00000004.00000002.3363339337.00000000227E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000227E1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.0000000022946000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000229ED000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229EF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229F8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364756825.0000000022A22000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_227e0000_MSBuild.jbxd

Similarity

API ID:
String ID: VUUU
API String ID: 0-2040033107
Opcode ID: fadcdd6c1156ccf51dfd2a9b3263983c92da2ccead5054a13e7fa0191c582966
Instruction ID: c904bfdcdc883763e8e7500a04adb3acfeac5fd798371d5da4d960205943ad64
Opcode Fuzzy Hash: fadcdd6c1156ccf51dfd2a9b3263983c92da2ccead5054a13e7fa0191c582966
Instruction Fuzzy Hash: 6981BEB59083458FC715DF29C890A2BFBE8EF99311F044A6DE98D87242E771E944CBE1

Function 2285A6F0 Relevance: 7.6, APIs: 5, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3363366661.00000000227E8000.00000020.00001000.00020000.00000000.sdmp, Offset: 227E0000, based on PE: true

Associated: 00000004.00000002.3363339337.00000000227E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000227E1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.0000000022946000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000229ED000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229EF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229F8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364756825.0000000022A22000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_227e0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bbecafdbf1e9294c9b8e6cb18f4fd1601cafc276b448afdf80ac2e1bb389229e
Instruction ID: efdf53e4e0d8018f6c6f1fea014257bd53dd98a5db83329a5819d566ad068ecd
Opcode Fuzzy Hash: bbecafdbf1e9294c9b8e6cb18f4fd1601cafc276b448afdf80ac2e1bb389229e
Instruction Fuzzy Hash: 3D6137B4508385CFC328CF55EAC0B9BBBF1BB85340F814A9CE5985BA20D7359619CF92

Function 22838550 Relevance: 7.5, APIs: 5, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3363366661.00000000227E8000.00000020.00001000.00020000.00000000.sdmp, Offset: 227E0000, based on PE: true

Associated: 00000004.00000002.3363339337.00000000227E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000227E1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.0000000022946000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000229ED000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229EF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229F8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364756825.0000000022A22000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_227e0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3966a2d936edd45f59b6e0deb058351046a11c26772725d757917f5ea545eae4
Instruction ID: 32c1291d39402123748a81cba5018db5d91a54792c333733d672befe65c995be
Opcode Fuzzy Hash: 3966a2d936edd45f59b6e0deb058351046a11c26772725d757917f5ea545eae4
Instruction Fuzzy Hash: 460126B5504300BBDB165F14ED02B5A77A5AFE0714F10046CF50967210C332EC28C7B2

Function 227E298C Relevance: 7.4, APIs: 3, Strings: 1, Instructions: 384COMMON

Download Yara Rule

APIs

GetACP.KERNEL32 ref: 229D2A1F
IsValidCodePage.KERNEL32(00000000), ref: 229D2A56
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,?,00000000,?), ref: 229D2C3A

Strings

utf8, xrefs: 229D2B28

Memory Dump Source

Source File: 00000004.00000002.3363366661.00000000227E1000.00000020.00001000.00020000.00000000.sdmp, Offset: 227E0000, based on PE: true

Associated: 00000004.00000002.3363339337.00000000227E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000227E8000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.0000000022946000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000229ED000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229EF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229F8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364756825.0000000022A22000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_227e0000_MSBuild.jbxd

Similarity

API ID: CodeInfoLocalePageValid
String ID: utf8
API String ID: 790303815-905460609
Opcode ID: 1190edf75aebec17f8204fac9470b567875373eb4e71dd6b24434208eaf45851
Instruction ID: f219f9537e8e40ae64b9263b5bf972cabb93f6a394478989c77c8fb7485670ef
Opcode Fuzzy Hash: 1190edf75aebec17f8204fac9470b567875373eb4e71dd6b24434208eaf45851
Instruction Fuzzy Hash: 33713733E00302AAE715BF74CD45FA673ACEF55314F1084A9EA09DB182EBF4E941E660

Function 2284E090 Relevance: 6.1, APIs: 4, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3363366661.00000000227E8000.00000020.00001000.00020000.00000000.sdmp, Offset: 227E0000, based on PE: true

Associated: 00000004.00000002.3363339337.00000000227E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000227E1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.0000000022946000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000229ED000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229EF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229F8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364756825.0000000022A22000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_227e0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a48bb20c3d569f823ec65f0db8e9c0b57df219b061c5e5d776b8d68918c5ea8c
Instruction ID: 5bc07cfb0dc07e576a37d4c05b070a212093c0c0a8e77c5304a041684110521d
Opcode Fuzzy Hash: a48bb20c3d569f823ec65f0db8e9c0b57df219b061c5e5d776b8d68918c5ea8c
Instruction Fuzzy Hash: 3431BF76900304DFD725CF18D980A77B7E5FB85315F01849AF8498F252EB36E896CBA1

Function 227E2C8E Relevance: 6.1, APIs: 4, Instructions: 74COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017), ref: 229848A7
IsDebuggerPresent.KERNEL32 ref: 22984973
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 22984993
UnhandledExceptionFilter.KERNEL32(?), ref: 2298499D

Memory Dump Source

Source File: 00000004.00000002.3363366661.00000000227E1000.00000020.00001000.00020000.00000000.sdmp, Offset: 227E0000, based on PE: true

Associated: 00000004.00000002.3363339337.00000000227E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000227E8000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.0000000022946000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000229ED000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229EF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229F8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364756825.0000000022A22000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_227e0000_MSBuild.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: 02be8352157e97584d2181feb9c6a7f0f4d47b8cd47342bde39bf10fa252bbde
Instruction ID: 9afe19cda4c46aa749516559fa74a8e6a6f528355a75534ae7cd81da983143c7
Opcode Fuzzy Hash: 02be8352157e97584d2181feb9c6a7f0f4d47b8cd47342bde39bf10fa252bbde
Instruction Fuzzy Hash: 033118B5D453289BDB11DFA4C989BCCBBB8BF18304F1041EAE40DAB240EB759A858F15

Function 2283EF30 Relevance: 6.1, APIs: 4, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3363366661.00000000227E8000.00000020.00001000.00020000.00000000.sdmp, Offset: 227E0000, based on PE: true

Associated: 00000004.00000002.3363339337.00000000227E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000227E1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.0000000022946000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000229ED000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229EF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229F8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364756825.0000000022A22000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_227e0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf41f3b5669224c1154e9b2a92fe1b82126ef762f8275621b626f57154db146f
Instruction ID: 246ccdae21f373802b699411a3c9e5eab97c82602ec8f6725f679d41ab022f93
Opcode Fuzzy Hash: bf41f3b5669224c1154e9b2a92fe1b82126ef762f8275621b626f57154db146f
Instruction Fuzzy Hash: DE110432908712ABD7238B29D944B56F7A0BF54324F0546A8F84DDBF61D3A1F860CBD1

Function 22818970 Relevance: 4.6, APIs: 3, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3363366661.00000000227E8000.00000020.00001000.00020000.00000000.sdmp, Offset: 227E0000, based on PE: true

Associated: 00000004.00000002.3363339337.00000000227E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000227E1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.0000000022946000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000229ED000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229EF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229F8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364756825.0000000022A22000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_227e0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b6b3636553fc9e52caff880320a0ccde016ecd336dcc966fae48a83c70f64f5
Instruction ID: da104ee908456bceda337cb3006fcb782bee91ad3b79c073eda31fb9c3637eef
Opcode Fuzzy Hash: 1b6b3636553fc9e52caff880320a0ccde016ecd336dcc966fae48a83c70f64f5
Instruction Fuzzy Hash: B2412876508310AFD7019F28EC00D6BB7E5EF94324F044668F9488B2A5D723DD63DBA2

Function 2289D3B0 Relevance: 4.6, APIs: 3, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3363366661.00000000227E8000.00000020.00001000.00020000.00000000.sdmp, Offset: 227E0000, based on PE: true

Associated: 00000004.00000002.3363339337.00000000227E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000227E1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.0000000022946000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000229ED000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229EF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229F8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364756825.0000000022A22000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_227e0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11cb9f5efe2971c4d2e8619e0387e47e5fac77331413a5c32c3a9f3da7369668
Instruction ID: e07ac29a80a4bf924418a32126418f3f7c66d9979f1a96a7c3551861340354ba
Opcode Fuzzy Hash: 11cb9f5efe2971c4d2e8619e0387e47e5fac77331413a5c32c3a9f3da7369668
Instruction Fuzzy Hash: 513168B4600300ABE704AF69DD84F66B3E9BF59318F008628FA49D3341E775F910CAA5

Function 2285E170 Relevance: 4.6, APIs: 3, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3363366661.00000000227E8000.00000020.00001000.00020000.00000000.sdmp, Offset: 227E0000, based on PE: true

Associated: 00000004.00000002.3363339337.00000000227E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000227E1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.0000000022946000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000229ED000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229EF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229F8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364756825.0000000022A22000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_227e0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2df5cfe6a8baaaaf0736dbe7acf5f26cdc4db84434127bfb37ca62913fa09b50
Instruction ID: bd3e1981c9a18c6c1db73efaab9f140e50dc943dea78e1d089322fd23d3e207d
Opcode Fuzzy Hash: 2df5cfe6a8baaaaf0736dbe7acf5f26cdc4db84434127bfb37ca62913fa09b50
Instruction Fuzzy Hash: FA11E77A600300ABE601AF28CD45F6B77EEEF94754F050818F949D3255E776D921C7A2

Function 227E2112 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 56COMMON

Download Yara Rule

Strings

GetEnabledXStateFeatures, xrefs: 229C0C61

Memory Dump Source

Source File: 00000004.00000002.3363366661.00000000227E1000.00000020.00001000.00020000.00000000.sdmp, Offset: 227E0000, based on PE: true

Associated: 00000004.00000002.3363339337.00000000227E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000227E8000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.0000000022946000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000229ED000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229EF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229F8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364756825.0000000022A22000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_227e0000_MSBuild.jbxd

Similarity

API ID:
String ID: GetEnabledXStateFeatures
API String ID: 0-1068256093
Opcode ID: 7c6e270d073bc419de3955bf71d5acbfca1d73fc40b1df5b2e7d9dd70b6e56a5
Instruction ID: 797f54af6c42ed1170d8ca34eae0c9a42bcc46bd348ea0aee91a1d862a55b9cf
Opcode Fuzzy Hash: 7c6e270d073bc419de3955bf71d5acbfca1d73fc40b1df5b2e7d9dd70b6e56a5
Instruction Fuzzy Hash: E1F0F63154132977DB122F60DD08FAE3E06BF54B20F020520FE0926758DB798926D6D6

Function 22818CB0 Relevance: 1.5, APIs: 1, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3363366661.00000000227E8000.00000020.00001000.00020000.00000000.sdmp, Offset: 227E0000, based on PE: true

Associated: 00000004.00000002.3363339337.00000000227E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000227E1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.0000000022946000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000229ED000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229EF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229F8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364756825.0000000022A22000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_227e0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 982c4b3f9799cc926f5c3f0f6b4f4e81de4bc617557cf9febfa298763dd126cd
Instruction ID: 67ad50932b599ee01bdbc494533efca844239f6775f775aa7dc47b0bb89f9b34
Opcode Fuzzy Hash: 982c4b3f9799cc926f5c3f0f6b4f4e81de4bc617557cf9febfa298763dd126cd
Instruction Fuzzy Hash: 1B01B1B9605301DBF744CF28E945E1677DAAFA4204F500428E548D3392EA21EC05C762

Function 22818430 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3363366661.00000000227E8000.00000020.00001000.00020000.00000000.sdmp, Offset: 227E0000, based on PE: true

Associated: 00000004.00000002.3363339337.00000000227E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000227E1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.0000000022946000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000229ED000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229EF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229F8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364756825.0000000022A22000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_227e0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 875602c2f73a52c0c9a6f148e04de174215d237d3759911a04e6fd69f05410ec
Instruction ID: 3eb627d42c3faba15c484c3d8a9dcb914ea080c54e9750afa6b466446aaee19e
Opcode Fuzzy Hash: 875602c2f73a52c0c9a6f148e04de174215d237d3759911a04e6fd69f05410ec
Instruction Fuzzy Hash: 06B04CB1408741BF97419A14CC0187A76AAFBD0210F844C48B56441030D33188185612

Function 227E42AF Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_00004214), ref: 22984A98

Memory Dump Source

Source File: 00000004.00000002.3363366661.00000000227E1000.00000020.00001000.00020000.00000000.sdmp, Offset: 227E0000, based on PE: true

Associated: 00000004.00000002.3363339337.00000000227E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000227E8000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.0000000022946000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000229ED000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229EF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229F8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364756825.0000000022A22000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_227e0000_MSBuild.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: b0e588f5ff1b17082fa8a5aa93f3a3197cc976ef26a14cd8819ed0f6ac3db00f
Instruction ID: 29173dc542e383e1316145addc71ffc9a071ba4e1d64bbd9e43ff4c0087d7b30
Opcode Fuzzy Hash: b0e588f5ff1b17082fa8a5aa93f3a3197cc976ef26a14cd8819ed0f6ac3db00f
Instruction Fuzzy Hash: 3B9002A4A843125AAD0096A2DA6A9156E345A4A7113051671641F5890D452C4106D637

Function 2280CC80 Relevance: 47.7, APIs: 15, Strings: 12, Instructions: 470COMMON

Download Yara Rule

Strings

%04d, xrefs: 2280D1CE
%06.3f, xrefs: 2280CE5F
%02d, xrefs: 2280CE2C, 2280CE34, 2280CF27, 2280CF6F, 2280CFCE, 2280CFE9, 2280D10A
%.3f, xrefs: 2280D0BF
%02d:%02d, xrefs: 2280D080
%lld, xrefs: 2280D0EE
%03d, xrefs: 2280CF81, 2280CF8B
%.16g, xrefs: 2280CFB3
u, xrefs: 2280D16D
%04d-%02d-%02d, xrefs: 2280CE82
%2d, xrefs: 2280CE27
%02d:%02d:%02d, xrefs: 2280D12E

Memory Dump Source

Source File: 00000004.00000002.3363366661.00000000227E8000.00000020.00001000.00020000.00000000.sdmp, Offset: 227E0000, based on PE: true

Associated: 00000004.00000002.3363339337.00000000227E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000227E1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.0000000022946000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000229ED000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229EF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229F8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364756825.0000000022A22000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_227e0000_MSBuild.jbxd

Similarity

API ID:
String ID: %.16g$%.3f$%02d$%02d:%02d$%02d:%02d:%02d$%03d$%04d$%04d-%02d-%02d$%06.3f$%2d$%lld$u
API String ID: 0-1613945299
Opcode ID: 63cf57228d44a1c03b3c2dafd1ad421a711c03dd46a34d6c4663b503d7cc22a9
Instruction ID: b2804206560b32ee27cd460983dc0ddf65edb750aec723cf0134ced878e7646d
Opcode Fuzzy Hash: 63cf57228d44a1c03b3c2dafd1ad421a711c03dd46a34d6c4663b503d7cc22a9
Instruction Fuzzy Hash: 0CF1E575A08304EBE3058F64CC45F6BB7EAFF99304F044A1DF98997151F63AEA488752

Function 2293B050 Relevance: 38.8, APIs: 10, Strings: 12, Instructions: 251COMMON

Download Yara Rule

Strings

,%s%s%s, xrefs: 2293B137
vtab:%p, xrefs: 2293B283
%lld, xrefs: 2293B1DA, 2293B24C
%.18s-%s, xrefs: 2293B192
BINARY, xrefs: 2293B0D3
%.16g, xrefs: 2293B217
NULL, xrefs: 2293B267, 2293B324, 2293B325
(blob), xrefs: 2293B26C
program, xrefs: 2293B2FB
%s(%d), xrefs: 2293B1B3
%c%u, xrefs: 2293B2C3
k(%d, xrefs: 2293B0A5

Memory Dump Source

Source File: 00000004.00000002.3363366661.00000000227E8000.00000020.00001000.00020000.00000000.sdmp, Offset: 227E0000, based on PE: true

Associated: 00000004.00000002.3363339337.00000000227E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000227E1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.0000000022946000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000229ED000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229EF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229F8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364756825.0000000022A22000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_227e0000_MSBuild.jbxd

Similarity

API ID:
String ID: %.16g$%.18s-%s$%c%u$%lld$%s(%d)$(blob)$,%s%s%s$BINARY$NULL$k(%d$program$vtab:%p
API String ID: 0-900822179
Opcode ID: 12212603d850dd06eebfd98069d836b7d9f7683352ae5a2d0b9ceb4e17e185d4
Instruction ID: 9cb79f9603eb90f157ba959bd0666960bb58fafd775cf9a551ca4e19af3e4ecb
Opcode Fuzzy Hash: 12212603d850dd06eebfd98069d836b7d9f7683352ae5a2d0b9ceb4e17e185d4
Instruction Fuzzy Hash: 879113716083069BDB06EF14C9A4F6B77E9BF95308F04498DF9898B253D336D906C7A2

Function 22802BE0 Relevance: 31.8, APIs: 8, Strings: 10, Instructions: 346COMMON

Download Yara Rule

Strings

misuse, xrefs: 22802E73
%s at line %d of [%.10s], xrefs: 22802E78
ORDER BY name, xrefs: 22802DCC
unopened, xrefs: 22802E55
API call with %s database connection pointer, xrefs: 22802E5A
SELECT * FROM (SELECT 'sqlite_schema' AS name,1 AS rootpage,'table' AS type UNION ALL SELECT name,rootpage,type FROM "%w".sqlite_schema WHERE rootpage!=0), xrefs: 22802DA4
ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 22802E69
invalid, xrefs: 22802E4E
NULL, xrefs: 22802E38
WHERE name=%Q, xrefs: 22802DB7

Memory Dump Source

Source File: 00000004.00000002.3363366661.00000000227E8000.00000020.00001000.00020000.00000000.sdmp, Offset: 227E0000, based on PE: true

Associated: 00000004.00000002.3363339337.00000000227E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000227E1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.0000000022946000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000229ED000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229EF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229F8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364756825.0000000022A22000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_227e0000_MSBuild.jbxd

Similarity

API ID:
String ID: ORDER BY name$%s at line %d of [%.10s]$API call with %s database connection pointer$NULL$SELECT * FROM (SELECT 'sqlite_schema' AS name,1 AS rootpage,'table' AS type UNION ALL SELECT name,rootpage,type FROM "%w".sqlite_schema WHERE rootpage!=0)$WHERE name=%Q$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f$invalid$misuse$unopened
API String ID: 0-1179878930
Opcode ID: 83621ca18d837a458997770bb1ab66764c6b837ddf2519e8fc4cf691b1d3bcf0
Instruction ID: 98ce451df9eb3dd16071a95d1a65c7150b77a2156e7e2c7b44f10d010c4c2b3c
Opcode Fuzzy Hash: 83621ca18d837a458997770bb1ab66764c6b837ddf2519e8fc4cf691b1d3bcf0
Instruction Fuzzy Hash: E4C12278504304DBE7118F14CD84B7B77A4AF50388F044629ED599B64AE3F9EB4AC7A3

Function 22946230 Relevance: 23.1, APIs: 5, Strings: 8, Instructions: 374COMMON

Download Yara Rule

Strings

%lld, xrefs: 2294649B
'%.*q', xrefs: 22946562
NULL, xrefs: 22946481
-- , xrefs: 229462B0, 229462C0
zeroblob(%d), xrefs: 229465AF
NULL, xrefs: 22946466
%02x, xrefs: 2294660C
%!.15g, xrefs: 229464C2

Memory Dump Source

Source File: 00000004.00000002.3363366661.0000000022946000.00000020.00001000.00020000.00000000.sdmp, Offset: 227E0000, based on PE: true

Associated: 00000004.00000002.3363339337.00000000227E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000227E1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000227E8000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000229ED000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229EF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229F8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364756825.0000000022A22000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_227e0000_MSBuild.jbxd

Similarity

API ID:
String ID: %!.15g$%02x$%lld$'%.*q'$-- $NULL$NULL$zeroblob(%d)
API String ID: 0-3665355275
Opcode ID: 8da2032571f973513fc21ee2d18428149721e66d5824974fe10dfd36884c7ab9
Instruction ID: 770576b1ccde1915255352ac6bfbf5e792ffede3f7e69ff69f874f95f02fb6d4
Opcode Fuzzy Hash: 8da2032571f973513fc21ee2d18428149721e66d5824974fe10dfd36884c7ab9
Instruction Fuzzy Hash: B1D1E1B1D08340AFD704CF24C984E6BBBE8AF99348F044A5DF99997251EB31DA48CB52

Function 2290A150 Relevance: 23.0, APIs: 8, Strings: 5, Instructions: 226COMMON

Download Yara Rule

Strings

data, xrefs: 2290A1E4
%s_data, xrefs: 2290A1BC
idx, xrefs: 2290A200
id INTEGER PRIMARY KEY, block BLOB, xrefs: 2290A1DF
segid, term, pgno, PRIMARY KEY(segid, term), xrefs: 2290A1FB

Memory Dump Source

Source File: 00000004.00000002.3363366661.00000000227E8000.00000020.00001000.00020000.00000000.sdmp, Offset: 227E0000, based on PE: true

Associated: 00000004.00000002.3363339337.00000000227E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000227E1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.0000000022946000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000229ED000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229EF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229F8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364756825.0000000022A22000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_227e0000_MSBuild.jbxd

Similarity

API ID:
String ID: %s_data$data$id INTEGER PRIMARY KEY, block BLOB$idx$segid, term, pgno, PRIMARY KEY(segid, term)
API String ID: 0-1009905541
Opcode ID: 4097001f36e6d3ac68d39c03ea908be65811e45b15853adb40f7a94a20b3fdf0
Instruction ID: f9a28069a84dadc53e5f41ee89a18a660cca07ad8aeac65c646a044e7d56f072
Opcode Fuzzy Hash: 4097001f36e6d3ac68d39c03ea908be65811e45b15853adb40f7a94a20b3fdf0
Instruction Fuzzy Hash: 1371DC705443049FD7109FA8CD58B2B77ACAF14349F020A34FE0A97A59DB7DEA46CBA1

Function 2290F370 Relevance: 22.9, APIs: 4, Strings: 9, Instructions: 196COMMON

Download Yara Rule

Strings

k PRIMARY KEY, v, xrefs: 2290F544
docsize, xrefs: 2290F52D
id INTEGER PRIMARY KEY, xrefs: 2290F43E
config, xrefs: 2290F549
content, xrefs: 2290F49D
, c%d, xrefs: 2290F469
id INTEGER PRIMARY KEY, sz BLOB, origin INTEGER, xrefs: 2290F51C
id INTEGER PRIMARY KEY, sz BLOB, xrefs: 2290F524, 2290F52C
version, xrefs: 2290F560

Memory Dump Source

Source File: 00000004.00000002.3363366661.00000000227E8000.00000020.00001000.00020000.00000000.sdmp, Offset: 227E0000, based on PE: true

Associated: 00000004.00000002.3363339337.00000000227E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000227E1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.0000000022946000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000229ED000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229EF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229F8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364756825.0000000022A22000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_227e0000_MSBuild.jbxd

Similarity

API ID:
String ID: , c%d$config$content$docsize$id INTEGER PRIMARY KEY$id INTEGER PRIMARY KEY, sz BLOB$id INTEGER PRIMARY KEY, sz BLOB, origin INTEGER$k PRIMARY KEY, v$version
API String ID: 0-3918257174
Opcode ID: 3d908a857d3bcff06bf00e67d39f87677f07653ee32b1c304682ad1f85aaf30f
Instruction ID: e0913ddf5e52580e81290447fd79bda70ac168eeda306601f6322ea63447ebdb
Opcode Fuzzy Hash: 3d908a857d3bcff06bf00e67d39f87677f07653ee32b1c304682ad1f85aaf30f
Instruction Fuzzy Hash: AE5103729003189BD3109F24DC44B6AB7A8FF847A5F050669FD499B245DB39EB0ACBA1

Function 227EA6C0 Relevance: 22.9, APIs: 8, Strings: 5, Instructions: 195COMMON

Download Yara Rule

Strings

%s, xrefs: 227EA82E
%c%g,%g, xrefs: 227EA78E
<polyline points=, xrefs: 227EA74B
%g,%g', xrefs: 227EA7D1
></polyline>, xrefs: 227EA845

Memory Dump Source

Source File: 00000004.00000002.3363366661.00000000227E8000.00000020.00001000.00020000.00000000.sdmp, Offset: 227E0000, based on PE: true

Associated: 00000004.00000002.3363339337.00000000227E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000227E1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.0000000022946000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000229ED000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229EF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229F8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364756825.0000000022A22000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_227e0000_MSBuild.jbxd

Similarity

API ID:
String ID: %g,%g'$ %s$%c%g,%g$<polyline points=$></polyline>
API String ID: 0-3443809342
Opcode ID: 63033d377315965f1db9842b69f6d61ed5a6188982f467a0b3800effd484fd09
Instruction ID: 88b988311cf8dd6f41b7a40ffb005c7df8436304030ef72891e9f787280de670
Opcode Fuzzy Hash: 63033d377315965f1db9842b69f6d61ed5a6188982f467a0b3800effd484fd09
Instruction Fuzzy Hash: BE6135709087019BD7028F24CD96B6673A5AF62304F054628EC1E6B241E77DEE86C7F2

Function 22928F40 Relevance: 22.9, APIs: 8, Strings: 5, Instructions: 177COMMON

Download Yara Rule

Strings

%!.20e, xrefs: 22928FF1
%lld, xrefs: 2292900C
NULL, xrefs: 22929148
NULL, xrefs: 2292912E
%!.15g, xrefs: 22928F83

Memory Dump Source

Source File: 00000004.00000002.3363366661.00000000227E8000.00000020.00001000.00020000.00000000.sdmp, Offset: 227E0000, based on PE: true

Associated: 00000004.00000002.3363339337.00000000227E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000227E1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.0000000022946000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000229ED000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229EF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229F8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364756825.0000000022A22000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_227e0000_MSBuild.jbxd

Similarity

API ID:
String ID: %!.15g$%!.20e$%lld$NULL$NULL
API String ID: 0-2115304644
Opcode ID: d9884820b48151eb13b3d8454ff3781e3f68af53bd7d6df164874557755f4867
Instruction ID: 7200556859d9f2bdd2a810112bf149943ce921300039c76d317ec4fdd2c9d022
Opcode Fuzzy Hash: d9884820b48151eb13b3d8454ff3781e3f68af53bd7d6df164874557755f4867
Instruction Fuzzy Hash: C5517B71904B245FE725DF18C841AABB7E4FF95308F044A9CF89967212E335DA05C7E2

Function 2287EF60 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 192COMMON

Download Yara Rule

Strings

,origin, xrefs: 2287F0D6, 2287F0DE

Memory Dump Source

Source File: 00000004.00000002.3363366661.00000000227E8000.00000020.00001000.00020000.00000000.sdmp, Offset: 227E0000, based on PE: true

Associated: 00000004.00000002.3363339337.00000000227E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000227E1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.0000000022946000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000229ED000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229EF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229F8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364756825.0000000022A22000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_227e0000_MSBuild.jbxd

Similarity

API ID:
String ID: ,origin
API String ID: 0-4198660907
Opcode ID: 3157fa72f74f45f7acc4bcd22f2fc000a5ceb4a4346bb82d7a9f111bbd7bb376
Instruction ID: 2d0c8444d47105eb106aa9dc193bd6409af243133a05987e9c8c6cf7e839358a
Opcode Fuzzy Hash: 3157fa72f74f45f7acc4bcd22f2fc000a5ceb4a4346bb82d7a9f111bbd7bb376
Instruction Fuzzy Hash: 4F71A179408300DFC7129F65D984A2AB7F5FFA4304F104E2DF99A87620DB32E951CB62

Function 228C4B10 Relevance: 21.2, APIs: 5, Strings: 7, Instructions: 156COMMON

Download Yara Rule

Strings

SELECT * FROM %Q.%Q, xrefs: 228C4B25
misuse, xrefs: 228C4C34
%s at line %d of [%.10s], xrefs: 228C4C39
UNIQUE constraint failed: %s.%s, xrefs: 228C4BC9
rtree constraint failed: %s.(%s<=%s), xrefs: 228C4BF9
ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 228C4C2A
API called with finalized prepared statement, xrefs: 228C4C1E

Memory Dump Source

Source File: 00000004.00000002.3363366661.00000000227E8000.00000020.00001000.00020000.00000000.sdmp, Offset: 227E0000, based on PE: true

Associated: 00000004.00000002.3363339337.00000000227E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000227E1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.0000000022946000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000229ED000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229EF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229F8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364756825.0000000022A22000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_227e0000_MSBuild.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$API called with finalized prepared statement$SELECT * FROM %Q.%Q$UNIQUE constraint failed: %s.%s$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f$misuse$rtree constraint failed: %s.(%s<=%s)
API String ID: 0-2013246442
Opcode ID: ac44c53063cb808d4ee2078711b2c8599062d7372973651580cefcc122f6cbd8
Instruction ID: 914824272d50d913cd3ec527a6f60a802d3d20d15807f47cbbfd9b6d6de6e522
Opcode Fuzzy Hash: ac44c53063cb808d4ee2078711b2c8599062d7372973651580cefcc122f6cbd8
Instruction Fuzzy Hash: 0D412675904304EFF7015FA5DD84FAB37A8EFA0318F000628FD0996249EB75EA85C6B6

Function 228C4920 Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 132COMMON

Download Yara Rule

Strings

SELECT * FROM %Q.%Q, xrefs: 228C49AA
_rowid, xrefs: 228C4A57
SELECT * FROM %Q.'%q_rowid', xrefs: 228C496D
Schema corrupt or not an rtree, xrefs: 228C49DC
_parent, xrefs: 228C4A6D

Memory Dump Source

Source File: 00000004.00000002.3363366661.00000000227E8000.00000020.00001000.00020000.00000000.sdmp, Offset: 227E0000, based on PE: true

Associated: 00000004.00000002.3363339337.00000000227E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000227E1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.0000000022946000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000229ED000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229EF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229F8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364756825.0000000022A22000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_227e0000_MSBuild.jbxd

Similarity

API ID:
String ID: SELECT * FROM %Q.%Q$SELECT * FROM %Q.'%q_rowid'$Schema corrupt or not an rtree$_parent$_rowid
API String ID: 0-2087119806
Opcode ID: bd922ba66e21d65a888f0eafe6d5e5ac88353f193d8e29bcb4db4813b54eda65
Instruction ID: 16797a17c5d0947a6a1acce51b73114b317adee5fd182b981c1fbb30fceaae48
Opcode Fuzzy Hash: bd922ba66e21d65a888f0eafe6d5e5ac88353f193d8e29bcb4db4813b54eda65
Instruction Fuzzy Hash: 7141C0B5908341ABC708DF68DD84A6F77E8AFE9704F001A2DF48A93110E770D984CBA6

Function 2296AAD0 Relevance: 21.1, APIs: 6, Strings: 6, Instructions: 130COMMON

Download Yara Rule

Strings

misuse, xrefs: 2296AB15, 2296AB56, 2296ABAA
%s at line %d of [%.10s], xrefs: 2296AB1A, 2296AB5B, 2296ABAF
bind on a busy prepared statement: [%s], xrefs: 2296AB94
API called with NULL prepared statement, xrefs: 2296AAD9
ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 2296AB0B, 2296AB4C, 2296ABA0
API called with finalized prepared statement, xrefs: 2296AAEF

Memory Dump Source

Source File: 00000004.00000002.3363366661.0000000022946000.00000020.00001000.00020000.00000000.sdmp, Offset: 227E0000, based on PE: true

Associated: 00000004.00000002.3363339337.00000000227E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000227E1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000227E8000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000229ED000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229EF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229F8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364756825.0000000022A22000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_227e0000_MSBuild.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$API called with NULL prepared statement$API called with finalized prepared statement$bind on a busy prepared statement: [%s]$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f$misuse
API String ID: 0-3679126755
Opcode ID: 2bf879b5dbd709c60140815a7817e1b2c3e771956243037f3115c6dd3f41c52f
Instruction ID: a60d14d5a0622c574c60d47d346bf7b09c5b206af5b317f368ebf47b2f32ffd2
Opcode Fuzzy Hash: 2bf879b5dbd709c60140815a7817e1b2c3e771956243037f3115c6dd3f41c52f
Instruction Fuzzy Hash: 5A41FF303007019BEB108F78EC95FA677E9BF94319F040468FA5AAB289E679D580C761

Function 2290ECF0 Relevance: 19.6, APIs: 9, Strings: 2, Instructions: 335COMMON

Download Yara Rule

Strings

docsize, xrefs: 2290F020
content, xrefs: 2290EFDF

Memory Dump Source

Source File: 00000004.00000002.3363366661.00000000227E8000.00000020.00001000.00020000.00000000.sdmp, Offset: 227E0000, based on PE: true

Associated: 00000004.00000002.3363339337.00000000227E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000227E1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.0000000022946000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000229ED000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229EF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229F8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364756825.0000000022A22000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_227e0000_MSBuild.jbxd

Similarity

API ID:
String ID: content$docsize
API String ID: 0-1024698521
Opcode ID: fef5bfc4cdca3d06c1a0b89eb13427dcca2ec25024aac875b183e77e87e1cd29
Instruction ID: f453a2f361b5722d39fc22ff6b4a339bc1bee3816d1f8c364afe04e731652cff
Opcode Fuzzy Hash: fef5bfc4cdca3d06c1a0b89eb13427dcca2ec25024aac875b183e77e87e1cd29
Instruction Fuzzy Hash: E5C1E071904309ABD311CF14C980B6BB3F8AF94354F450A68FD85AB251DB75EB85CBA2

Function 22812B70 Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 183COMMON

Download Yara Rule

Strings

ABLE x, xrefs: 22812BB6
,arg HIDDEN, xrefs: 22812C7A
%c"%s", xrefs: 22812C1B
,schema HIDDEN, xrefs: 22812CD2
("%s", xrefs: 22812C4A

Memory Dump Source

Source File: 00000004.00000002.3363366661.00000000227E8000.00000020.00001000.00020000.00000000.sdmp, Offset: 227E0000, based on PE: true

Associated: 00000004.00000002.3363339337.00000000227E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000227E1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.0000000022946000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000229ED000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229EF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229F8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364756825.0000000022A22000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_227e0000_MSBuild.jbxd

Similarity

API ID:
String ID: %c"%s"$("%s"$,arg HIDDEN$,schema HIDDEN$ABLE x
API String ID: 0-1763475469
Opcode ID: 5e971376d57d7472905bfd923109798603dca77e8fcd7450e7ded788870175a3
Instruction ID: 218aeb7a64260e0b231b4b0b2aad955682ff2a77a632f92a1e783a5207521300
Opcode Fuzzy Hash: 5e971376d57d7472905bfd923109798603dca77e8fcd7450e7ded788870175a3
Instruction Fuzzy Hash: 8171AE74908385DBD300CF24C950B6ABBE4FF98308F004A5EF99997295E3B5E649CB93

Function 2288AA40 Relevance: 17.8, APIs: 5, Strings: 5, Instructions: 334COMMON

Download Yara Rule

Strings

misuse, xrefs: 2288AAC2, 2288AD8C
%s at line %d of [%.10s], xrefs: 2288AAC7, 2288AD91
API called with NULL prepared statement, xrefs: 2288AA87
ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 2288AAB8, 2288AD82
API called with finalized prepared statement, xrefs: 2288AA9C, 2288AD76

Memory Dump Source

Source File: 00000004.00000002.3363366661.00000000227E8000.00000020.00001000.00020000.00000000.sdmp, Offset: 227E0000, based on PE: true

Associated: 00000004.00000002.3363339337.00000000227E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000227E1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.0000000022946000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000229ED000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229EF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229F8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364756825.0000000022A22000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_227e0000_MSBuild.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$API called with NULL prepared statement$API called with finalized prepared statement$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f$misuse
API String ID: 0-860711957
Opcode ID: c236e368763dc7fb011c7ebc4baf50aebf14dd34e969ef13295b5f01164cf242
Instruction ID: 792a83c4eb7c9f91f166d5c529f526e5df7ec7296770ba568b6668c4f3f74197
Opcode Fuzzy Hash: c236e368763dc7fb011c7ebc4baf50aebf14dd34e969ef13295b5f01164cf242
Instruction Fuzzy Hash: 3AB112B9A00708DBE7108F289D44B5B77D9AF50319F00052CEA9A972C2FB7DE945C7A3

Function 2280A170 Relevance: 17.8, APIs: 8, Strings: 2, Instructions: 286COMMON

Download Yara Rule

Strings

malformed JSON, xrefs: 2280A283
JSON path error near '%q', xrefs: 2280A3D7

Memory Dump Source

Source File: 00000004.00000002.3363366661.00000000227E8000.00000020.00001000.00020000.00000000.sdmp, Offset: 227E0000, based on PE: true

Associated: 00000004.00000002.3363339337.00000000227E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000227E1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.0000000022946000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000229ED000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229EF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229F8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364756825.0000000022A22000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_227e0000_MSBuild.jbxd

Similarity

API ID:
String ID: JSON path error near '%q'$malformed JSON
API String ID: 0-560895927
Opcode ID: 56b424673437d72e9ef2803977750b36ca615b32fadd664ab8983929d92a5720
Instruction ID: 7507fa8fedd34417946b6464f53636a03e77eb6083f3ac292645a514b0fffd21
Opcode Fuzzy Hash: 56b424673437d72e9ef2803977750b36ca615b32fadd664ab8983929d92a5720
Instruction Fuzzy Hash: 9CA138B9A04300DFD710CF24DC44B6AB7E5EF94308F24852DEA8D8B242E77AEA45C791

Function 229170B0 Relevance: 16.0, APIs: 3, Strings: 6, Instructions: 227COMMON

Download Yara Rule

Strings

invalid rootpage, xrefs: 2291715C, 2291730E
misuse, xrefs: 22917217
%s at line %d of [%.10s], xrefs: 2291721C
orphan index, xrefs: 229172C2
ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 2291720D
API called with finalized prepared statement, xrefs: 22917201

Memory Dump Source

Source File: 00000004.00000002.3363366661.00000000227E8000.00000020.00001000.00020000.00000000.sdmp, Offset: 227E0000, based on PE: true

Associated: 00000004.00000002.3363339337.00000000227E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000227E1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.0000000022946000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000229ED000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229EF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229F8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364756825.0000000022A22000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_227e0000_MSBuild.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$API called with finalized prepared statement$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f$invalid rootpage$misuse$orphan index
API String ID: 0-165706444
Opcode ID: 338056bf5d6d0fdc0017e9b2fb7d24bf0eb70902b25ff526ebd5dd7089b29710
Instruction ID: 6d2ab61278e881d7cc1f519a833f51be487c380f15896782513eeea3b03e10cc
Opcode Fuzzy Hash: 338056bf5d6d0fdc0017e9b2fb7d24bf0eb70902b25ff526ebd5dd7089b29710
Instruction Fuzzy Hash: 8E619B75A0434A6BE7218B26AD80FD777ACAF91319F1409B9FD4486247E733E245C3B2

Function 22928340 Relevance: 15.9, APIs: 2, Strings: 7, Instructions: 145COMMON

Download Yara Rule

Strings

misuse, xrefs: 22928387
%s at line %d of [%.10s], xrefs: 2292838C
unopened, xrefs: 229283BD
API call with %s database connection pointer, xrefs: 2292836E
ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 2292837D
invalid, xrefs: 229283B6
NULL, xrefs: 22928369

Memory Dump Source

Source File: 00000004.00000002.3363366661.00000000227E8000.00000020.00001000.00020000.00000000.sdmp, Offset: 227E0000, based on PE: true

Associated: 00000004.00000002.3363339337.00000000227E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000227E1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.0000000022946000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000229ED000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229EF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229F8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364756825.0000000022A22000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_227e0000_MSBuild.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$API call with %s database connection pointer$NULL$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f$invalid$misuse$unopened
API String ID: 0-538076154
Opcode ID: e7915242f4f67ad99fa881a5a6658ddb2dff6d66d9dd3e5703d24af453ab5d04
Instruction ID: 573724accb2074954b326342ed5e6513e2e36303cb2b98d417774c71f91d207b
Opcode Fuzzy Hash: e7915242f4f67ad99fa881a5a6658ddb2dff6d66d9dd3e5703d24af453ab5d04
Instruction Fuzzy Hash: 2F412471604B406BE7108B289E80F6B7B9DBF91718FC447ACF9485B24EE635E50583B2

Function 2291B0E0 Relevance: 15.9, APIs: 2, Strings: 7, Instructions: 117COMMON

Download Yara Rule

Strings

misuse, xrefs: 2291B112
%s at line %d of [%.10s], xrefs: 2291B117
unopened, xrefs: 2291B145
API call with %s database connection pointer, xrefs: 2291B0F9
ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 2291B108
invalid, xrefs: 2291B13E
NULL, xrefs: 2291B0F4

Memory Dump Source

Source File: 00000004.00000002.3363366661.00000000227E8000.00000020.00001000.00020000.00000000.sdmp, Offset: 227E0000, based on PE: true

Associated: 00000004.00000002.3363339337.00000000227E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000227E1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.0000000022946000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000229ED000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229EF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229F8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364756825.0000000022A22000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_227e0000_MSBuild.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$API call with %s database connection pointer$NULL$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f$invalid$misuse$unopened
API String ID: 0-538076154
Opcode ID: b565511b6a76242b95ab8e3cf585ac03dac806ec0bbc0cc3bf32c2570530c997
Instruction ID: bb4f0f2736d612ee21763e5d06003e3fed0df24344c31914ee1ec61325f413b0
Opcode Fuzzy Hash: b565511b6a76242b95ab8e3cf585ac03dac806ec0bbc0cc3bf32c2570530c997
Instruction Fuzzy Hash: 8731CC3150830CABE7110E5E5C60B5B77AFAF85328F02066CF9A162106E375E705C393

Function 22816F30 Relevance: 15.8, APIs: 2, Strings: 7, Instructions: 83COMMON

Download Yara Rule

Strings

bad parameter or other API misuse, xrefs: 22816F7E
misuse, xrefs: 22816F6A
%s at line %d of [%.10s], xrefs: 22816F6F
API call with %s database connection pointer, xrefs: 22816F54
ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 22816F60
invalid, xrefs: 22816F4F
out of memory, xrefs: 22816F39, 22816FA0

Memory Dump Source

Source File: 00000004.00000002.3363366661.00000000227E8000.00000020.00001000.00020000.00000000.sdmp, Offset: 227E0000, based on PE: true

Associated: 00000004.00000002.3363339337.00000000227E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000227E1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.0000000022946000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000229ED000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229EF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229F8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364756825.0000000022A22000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_227e0000_MSBuild.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$API call with %s database connection pointer$bad parameter or other API misuse$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f$invalid$misuse$out of memory
API String ID: 0-2911740470
Opcode ID: 2615dfbcfae03a58c37311ab7cca6e6e42e3964cef9ad26722eaff122112c2a2
Instruction ID: e048da1ae756260d628e1c843a474518490a335b20ddd30aa65ff6b18f06cf47
Opcode Fuzzy Hash: 2615dfbcfae03a58c37311ab7cca6e6e42e3964cef9ad26722eaff122112c2a2
Instruction Fuzzy Hash: B921687E204320D7EB214318AD84FA723A26BC0318F29856DF5DE57ACAD635E987C381

Function 228006F0 Relevance: 15.2, APIs: 10, Instructions: 224COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3363366661.00000000227E8000.00000020.00001000.00020000.00000000.sdmp, Offset: 227E0000, based on PE: true

Associated: 00000004.00000002.3363339337.00000000227E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000227E1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.0000000022946000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000229ED000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229EF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229F8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364756825.0000000022A22000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_227e0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9269d132b91cd39a9158fd419402884364f2e926ebec1f2b2156d249bc669345
Instruction ID: 58109988d89fba7b0304d5ef2ecfd33f371709141c39de747c0cb9c33ca90f22
Opcode Fuzzy Hash: 9269d132b91cd39a9158fd419402884364f2e926ebec1f2b2156d249bc669345
Instruction Fuzzy Hash: 4371D1B9904305CBE714DF24CD82B6A73E5BF95308F04016DE9899B202E73AEB55CBD2

Function 228C6380 Relevance: 15.1, APIs: 10, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3363366661.00000000227E8000.00000020.00001000.00020000.00000000.sdmp, Offset: 227E0000, based on PE: true

Associated: 00000004.00000002.3363339337.00000000227E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000227E1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.0000000022946000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000229ED000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229EF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229F8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364756825.0000000022A22000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_227e0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2fa7b754a87c5f3bb44d982f465da7448131cbb0b04540e07003a94ff8bea96
Instruction ID: c961364f29b80170a0aee52082dabd6c6568aef9a173f3f9f60e0e14d6a6808c
Opcode Fuzzy Hash: f2fa7b754a87c5f3bb44d982f465da7448131cbb0b04540e07003a94ff8bea96
Instruction Fuzzy Hash: 9141DC30444710DFC7115F68D92CA2777B8BF54308F064A38ED1A82A2DDBB9E896CB65

Function 227FE170 Relevance: 14.4, APIs: 1, Strings: 7, Instructions: 445COMMON

Download Yara Rule

Strings

fts5vocab, xrefs: 22871340
snippet, xrefs: 22871200
porter, xrefs: 228712BF
fts5, xrefs: 22871053, 22871395, 228713E7
unicode61, xrefs: 22871279, 2287130F
unable to delete/modify user-function due to active statements, xrefs: 228713BF, 228714B8
fts5_source_id, xrefs: 2287148D, 228714E0

Memory Dump Source

Source File: 00000004.00000002.3363366661.00000000227E8000.00000020.00001000.00020000.00000000.sdmp, Offset: 227E0000, based on PE: true

Associated: 00000004.00000002.3363339337.00000000227E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000227E1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.0000000022946000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000229ED000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229EF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229F8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364756825.0000000022A22000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_227e0000_MSBuild.jbxd

Similarity

API ID:
String ID: fts5$fts5_source_id$fts5vocab$porter$snippet$unable to delete/modify user-function due to active statements$unicode61
API String ID: 0-2986783930
Opcode ID: bc5050dcbfe3953b422f72901630b3c187e98ffab9e0233173db337c62c4d2a5
Instruction ID: 7516f22dd6cece2d5f0557660808f19ba92c275c879fd257e6d922f195bc1d25
Opcode Fuzzy Hash: bc5050dcbfe3953b422f72901630b3c187e98ffab9e0233173db337c62c4d2a5
Instruction Fuzzy Hash: 92F1F3BC504300DFE700CF64DD95B2BBBB4BF40348F014A28F9099AA59E7B9D655CBA2

Function 2283E320 Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 177COMMON

Download Yara Rule

Strings

misuse, xrefs: 2283E380
%s at line %d of [%.10s], xrefs: 2283E385
ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 2283E376
API called with finalized prepared statement, xrefs: 2283E36A

Memory Dump Source

Source File: 00000004.00000002.3363366661.00000000227E8000.00000020.00001000.00020000.00000000.sdmp, Offset: 227E0000, based on PE: true

Associated: 00000004.00000002.3363339337.00000000227E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000227E1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.0000000022946000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000229ED000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229EF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229F8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364756825.0000000022A22000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_227e0000_MSBuild.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$API called with finalized prepared statement$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f$misuse
API String ID: 0-3620335220
Opcode ID: c2f7124ebf4cded625e931f4556d02a1baf714b2f1663d0e2fdc3479023be7cd
Instruction ID: d7faecc614c5474877a5c12ac74e3a37d9745f544cde0c7136840344a343017a
Opcode Fuzzy Hash: c2f7124ebf4cded625e931f4556d02a1baf714b2f1663d0e2fdc3479023be7cd
Instruction Fuzzy Hash: AA512776844704EFEB028FA4CC58B6A3764AF04319F058624FD0D96649D77DEA46CBF2

Function 228E32F0 Relevance: 12.7, APIs: 4, Strings: 3, Instructions: 464COMMON

Download Yara Rule

Strings

%s at line %d of [%.10s], xrefs: 228E36C7, 228E370C, 228E376C, 228E381D
ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 228E36B8, 228E36FD, 228E375D, 228E380E
database corruption, xrefs: 228E36C2, 228E3707, 228E3767, 228E3818

Memory Dump Source

Source File: 00000004.00000002.3363366661.00000000227E8000.00000020.00001000.00020000.00000000.sdmp, Offset: 227E0000, based on PE: true

Associated: 00000004.00000002.3363339337.00000000227E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000227E1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.0000000022946000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000229ED000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229EF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229F8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364756825.0000000022A22000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_227e0000_MSBuild.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$database corruption$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f
API String ID: 0-2528248365
Opcode ID: 00060c35a0ec618f56ec835e6ae3a71f4f23d9686c23f995e0cc9fabe20a46f1
Instruction ID: f93dc57323eae815bf25c8852c7cb43ae86736d1f5f8d2ba7c3801982c708a48
Opcode Fuzzy Hash: 00060c35a0ec618f56ec835e6ae3a71f4f23d9686c23f995e0cc9fabe20a46f1
Instruction Fuzzy Hash: 15F11F786047019BD300CF28C980B76BBE0FF96318F4446A9F94D8B656E336EE56C7A1

Function 2280E420 Relevance: 12.6, APIs: 1, Strings: 6, Instructions: 380COMMON

Download Yara Rule

Strings

d, xrefs: 2280E71D
abort due to ROLLBACK, xrefs: 2280E795
unknown error, xrefs: 2280E76B
another row available, xrefs: 2280E7A3, 2280E7AE
%c%04d-%02d-%02d %02d:%02d:%06.3f, xrefs: 2280E717
no more rows available, xrefs: 2280E79C

Memory Dump Source

Source File: 00000004.00000002.3363366661.00000000227E8000.00000020.00001000.00020000.00000000.sdmp, Offset: 227E0000, based on PE: true

Associated: 00000004.00000002.3363339337.00000000227E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000227E1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.0000000022946000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000229ED000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229EF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229F8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364756825.0000000022A22000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_227e0000_MSBuild.jbxd

Similarity

API ID:
String ID: %c%04d-%02d-%02d %02d:%02d:%06.3f$abort due to ROLLBACK$another row available$d$no more rows available$unknown error
API String ID: 0-322231948
Opcode ID: f629ceb5fc3d3c1fd5a40e03a99bda2410780130e12b082bc57f78eb904bb1c1
Instruction ID: f57132fbf322fdd007e3c7144bb2c0149657f2a2e764074a621b1822c2ece324
Opcode Fuzzy Hash: f629ceb5fc3d3c1fd5a40e03a99bda2410780130e12b082bc57f78eb904bb1c1
Instruction Fuzzy Hash: A4E1DE7A518340DFD704CF68CD84B6BB7E5AF88304F504A2DFA8997241E376EA45CB92

Function 228128E5 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 346COMMON

Download Yara Rule

Strings

INSERT INTO "%w"."%w"("%w") VALUES('integrity-check');, xrefs: 228129F1
unable to validate the inverted index for FTS5 table %s.%s: %s, xrefs: 22812AA0
malformed inverted index for FTS5 table %s.%s, xrefs: 22812A8A

Memory Dump Source

Source File: 00000004.00000002.3363366661.00000000227E8000.00000020.00001000.00020000.00000000.sdmp, Offset: 227E0000, based on PE: true

Associated: 00000004.00000002.3363339337.00000000227E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000227E1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.0000000022946000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000229ED000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229EF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229F8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364756825.0000000022A22000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_227e0000_MSBuild.jbxd

Similarity

API ID:
String ID: INSERT INTO "%w"."%w"("%w") VALUES('integrity-check');$malformed inverted index for FTS5 table %s.%s$unable to validate the inverted index for FTS5 table %s.%s: %s
API String ID: 0-3572959941
Opcode ID: 19d65bde00608d23efb7f4022545af10aacece65fe38659752288398619dbdbe
Instruction ID: 29da27f44506e90f950baf90f219b7506dfc0d1807357f2f4944ae7eab22c0ed
Opcode Fuzzy Hash: 19d65bde00608d23efb7f4022545af10aacece65fe38659752288398619dbdbe
Instruction Fuzzy Hash: 58410271905310EFE3108BA8DC58EBB77A8EF40359F050A29FD0982588D779DA56CBB6

Function 228300A0 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 334COMMON

Download Yara Rule

Strings

%s at line %d of [%.10s], xrefs: 22830113, 2283026B, 22830416, 22830441
ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 22830104, 2283025C, 22830407, 22830432
database corruption, xrefs: 2283010E, 22830266, 22830411, 2283043C

Memory Dump Source

Source File: 00000004.00000002.3363366661.00000000227E8000.00000020.00001000.00020000.00000000.sdmp, Offset: 227E0000, based on PE: true

Associated: 00000004.00000002.3363339337.00000000227E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000227E1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.0000000022946000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000229ED000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229EF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229F8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364756825.0000000022A22000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_227e0000_MSBuild.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$database corruption$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f
API String ID: 0-2528248365
Opcode ID: 0ff552d795f5bfea5e44b92bbf539322ff3ca0b88ce3c4468966a0d33f01ed78
Instruction ID: 4caaf6d017bfe2463972ba3d25ed951a5e50e6b59bda992f497b0d91e9846921
Opcode Fuzzy Hash: 0ff552d795f5bfea5e44b92bbf539322ff3ca0b88ce3c4468966a0d33f01ed78
Instruction Fuzzy Hash: 93B11875A083509FC305CB19D8C166BFBE0FB85215F4846AEF5899B342D23AD649CBA2

Function 2283CEA0 Relevance: 12.5, APIs: 4, Strings: 3, Instructions: 286COMMON

Download Yara Rule

Strings

%s at line %d of [%.10s], xrefs: 2283CF57, 2283CF87, 2283D0A7, 2283D130
ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 2283CF48, 2283CF78, 2283D098, 2283D121
database corruption, xrefs: 2283CF52, 2283CF82, 2283D0A2, 2283D12B

Memory Dump Source

Source File: 00000004.00000002.3363366661.00000000227E8000.00000020.00001000.00020000.00000000.sdmp, Offset: 227E0000, based on PE: true

Associated: 00000004.00000002.3363339337.00000000227E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000227E1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.0000000022946000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000229ED000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229EF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229F8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364756825.0000000022A22000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_227e0000_MSBuild.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$database corruption$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f
API String ID: 0-2528248365
Opcode ID: 12b79eae720c341aa9981fb8214b5b9843709666e0db95000b340ad84f033cb0
Instruction ID: 49af6471953cd1b8dbcd9a6fd832ade47487979131f7069137e5c38fb4138c3e
Opcode Fuzzy Hash: 12b79eae720c341aa9981fb8214b5b9843709666e0db95000b340ad84f033cb0
Instruction Fuzzy Hash: AB914A3570C3955BC305DE2CA8905BABFE0EB95215F8445BEF9C8DB642E12DC609C7E2

Function 22978D80 Relevance: 12.5, APIs: 4, Strings: 3, Instructions: 271COMMON

Download Yara Rule

Strings

winOpenShm, xrefs: 22978FB9
%s-shm, xrefs: 22978DF2
readonly_shm, xrefs: 22978F52

Memory Dump Source

Source File: 00000004.00000002.3363366661.0000000022946000.00000020.00001000.00020000.00000000.sdmp, Offset: 227E0000, based on PE: true

Associated: 00000004.00000002.3363339337.00000000227E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000227E1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000227E8000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000229ED000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229EF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229F8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364756825.0000000022A22000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_227e0000_MSBuild.jbxd

Similarity

API ID:
String ID: %s-shm$readonly_shm$winOpenShm
API String ID: 0-2815843928
Opcode ID: 7332dc46be24dde0b98a69e83d6617f9e16136a6eda74faf521eccd857cfa67d
Instruction ID: 4422ab7b48de3d1126696cba4fe64a039976661061d8e36b68ded6720f92504b
Opcode Fuzzy Hash: 7332dc46be24dde0b98a69e83d6617f9e16136a6eda74faf521eccd857cfa67d
Instruction Fuzzy Hash: 6691FDB0A443019FEB109FA4CD54B3AB7B8FF00304F810A69FD4597649E779E919DBA2

Function 2280EB00 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 187COMMON

Download Yara Rule

Strings

%s at line %d of [%.10s], xrefs: 2280ECDA
%.*s%s, xrefs: 2280EC88
ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 2280ECCB
database corruption, xrefs: 2280ECD5

Memory Dump Source

Source File: 00000004.00000002.3363366661.00000000227E8000.00000020.00001000.00020000.00000000.sdmp, Offset: 227E0000, based on PE: true

Associated: 00000004.00000002.3363339337.00000000227E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000227E1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.0000000022946000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000229ED000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229EF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229F8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364756825.0000000022A22000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_227e0000_MSBuild.jbxd

Similarity

API ID:
String ID: %.*s%s$%s at line %d of [%.10s]$database corruption$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f
API String ID: 0-894757972
Opcode ID: 91368869c6606ef87901d9c725a091ea9f27dbbf0b068a9be47fc6bf3c5f58d5
Instruction ID: 9c61ae35d04ff362f062a432c32957c00b5c59188aa303e9b732e33e18e32337
Opcode Fuzzy Hash: 91368869c6606ef87901d9c725a091ea9f27dbbf0b068a9be47fc6bf3c5f58d5
Instruction Fuzzy Hash: 1F61027A624305CFE715CF24CD80AABB7E1EF89314F04496DE849AB341D736EA05CB91

Function 22899030 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 169COMMON

Download Yara Rule

Strings

%s at line %d of [%.10s], xrefs: 2289905E, 22899191, 228991C8, 228991F3
ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 2289904F, 22899182, 228991B9, 228991E4
database corruption, xrefs: 22899059, 2289918C, 228991C3, 228991EE

Memory Dump Source

Source File: 00000004.00000002.3363366661.00000000227E8000.00000020.00001000.00020000.00000000.sdmp, Offset: 227E0000, based on PE: true

Associated: 00000004.00000002.3363339337.00000000227E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000227E1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.0000000022946000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000229ED000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229EF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229F8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364756825.0000000022A22000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_227e0000_MSBuild.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$database corruption$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f
API String ID: 0-2528248365
Opcode ID: 743feadb0bea4b0d6f877e53d7ab3451a506293458a1527d20fe87125b8ed17f
Instruction ID: d11f689fcff6e28a3b5d4b81507fd3dc163fef1a838a0013a2fde3ca5df0ec5b
Opcode Fuzzy Hash: 743feadb0bea4b0d6f877e53d7ab3451a506293458a1527d20fe87125b8ed17f
Instruction Fuzzy Hash: 11510575304340ABD310DA19DDC5B6BB7E0FB88315F944869F58EC7B42D33AE6458B62

Function 2280F330 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 126COMMON

Download Yara Rule

Strings

unable to validate the inverted index for FTS%d table %s.%s: %s, xrefs: 2280F418
INSERT INTO "%w"."%w"("%w") VALUES('integrity-check');, xrefs: 2280F33F
malformed inverted index for FTS%d table %s.%s, xrefs: 2280F3F3

Memory Dump Source

Source File: 00000004.00000002.3363366661.00000000227E8000.00000020.00001000.00020000.00000000.sdmp, Offset: 227E0000, based on PE: true

Associated: 00000004.00000002.3363339337.00000000227E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000227E1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.0000000022946000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000229ED000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229EF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229F8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364756825.0000000022A22000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_227e0000_MSBuild.jbxd

Similarity

API ID:
String ID: INSERT INTO "%w"."%w"("%w") VALUES('integrity-check');$malformed inverted index for FTS%d table %s.%s$unable to validate the inverted index for FTS%d table %s.%s: %s
API String ID: 0-2809892521
Opcode ID: fd607a01563192ea65d67c60722c78866579529e024200b1bdf76ccfde665dd9
Instruction ID: c4bb845fe05b0800ee015e109d837a148d9b6e9971967b3a131630273c1723af
Opcode Fuzzy Hash: fd607a01563192ea65d67c60722c78866579529e024200b1bdf76ccfde665dd9
Instruction Fuzzy Hash: 26412471945300DFD3109BA4EC08A6B3768FF50355F058A29FC0AC2548DB39DB56CBB2

Function 22816E30 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 30COMMON

Download Yara Rule

Strings

misuse, xrefs: 22816E62
%s at line %d of [%.10s], xrefs: 22816E67
API call with %s database connection pointer, xrefs: 22816E4C
ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 22816E58
invalid, xrefs: 22816E47

Memory Dump Source

Source File: 00000004.00000002.3363366661.00000000227E8000.00000020.00001000.00020000.00000000.sdmp, Offset: 227E0000, based on PE: true

Associated: 00000004.00000002.3363339337.00000000227E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000227E1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.0000000022946000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000229ED000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229EF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229F8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364756825.0000000022A22000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_227e0000_MSBuild.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$API call with %s database connection pointer$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f$invalid$misuse
API String ID: 0-3670841456
Opcode ID: d305fcf2434ba99092d066b374dba27af93a0536f3a0c3951d09113176136dc1
Instruction ID: b7801bbef539f63751876c6d4c66b8d9b4aff887bd2df9f3009bd8144155396d
Opcode Fuzzy Hash: d305fcf2434ba99092d066b374dba27af93a0536f3a0c3951d09113176136dc1
Instruction Fuzzy Hash: 7EF0E528744354EBFF045208DED1BA93B963B85719FA0015CE3D8AE1DAC25EC5435381

Function 22816EB0 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 29COMMON

Download Yara Rule

Strings

misuse, xrefs: 22816EE5
%s at line %d of [%.10s], xrefs: 22816EEA
API call with %s database connection pointer, xrefs: 22816ECF
ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 22816EDB
invalid, xrefs: 22816ECA

Memory Dump Source

Source File: 00000004.00000002.3363366661.00000000227E8000.00000020.00001000.00020000.00000000.sdmp, Offset: 227E0000, based on PE: true

Associated: 00000004.00000002.3363339337.00000000227E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000227E1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.0000000022946000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000229ED000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229EF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229F8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364756825.0000000022A22000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_227e0000_MSBuild.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$API call with %s database connection pointer$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f$invalid$misuse
API String ID: 0-3670841456
Opcode ID: 1a23ba2d07104eac07fe8d9bc26d99a6fb5beae9624146c0e1169078e785791e
Instruction ID: ec0c1a4c2a83beb619af0ea25f5646593fab08937da6bca25b98c6bfd926d12e
Opcode Fuzzy Hash: 1a23ba2d07104eac07fe8d9bc26d99a6fb5beae9624146c0e1169078e785791e
Instruction Fuzzy Hash: E1F02224708B98EFFF104218DEF1FA62BC62B80706F9001E4F39C6E9E6E62CC5404341

Function 228030F0 Relevance: 12.2, APIs: 8, Instructions: 165COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3363366661.00000000227E8000.00000020.00001000.00020000.00000000.sdmp, Offset: 227E0000, based on PE: true

Associated: 00000004.00000002.3363339337.00000000227E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000227E1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.0000000022946000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000229ED000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229EF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229F8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364756825.0000000022A22000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_227e0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 746209408b212aec6d50d20b2c65f2b55b40d95ba25dad0565cfdd7b215be729
Instruction ID: 3c9d33bd7681703263b453cb68c1e58698e7f6f8fe3256d853e49a2a5f018b93
Opcode Fuzzy Hash: 746209408b212aec6d50d20b2c65f2b55b40d95ba25dad0565cfdd7b215be729
Instruction Fuzzy Hash: 51516F7260C300AFDB41EB68FC04EAA7BE2AF95320F1945A8F55C8B2B1E271DD519B51

Function 227FE260 Relevance: 10.8, APIs: 7, Instructions: 301COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3363366661.00000000227E8000.00000020.00001000.00020000.00000000.sdmp, Offset: 227E0000, based on PE: true

Associated: 00000004.00000002.3363339337.00000000227E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000227E1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.0000000022946000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000229ED000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229EF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229F8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364756825.0000000022A22000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_227e0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54e6ba1fcd22c88c6a5db8640358bb1a76e3c8dbd861f2eb928227c4749ae927
Instruction ID: 8ae281eba2235add58e7f7abc78fee6d8550c296729d07202c9a085e0a4f4751
Opcode Fuzzy Hash: 54e6ba1fcd22c88c6a5db8640358bb1a76e3c8dbd861f2eb928227c4749ae927
Instruction Fuzzy Hash: 63A12671A0C3508FD704CF28C994B6ABBE2AF85318F440A6DF99D97352E331D945CB52

Function 228FF0E0 Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 216COMMON

Download Yara Rule

Strings

misuse, xrefs: 228FF1E6, 228FF327
%s at line %d of [%.10s], xrefs: 228FF1EB, 228FF32C
ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 228FF1DC, 228FF31D
unable to delete/modify user-function due to active statements, xrefs: 228FF157, 228FF298

Memory Dump Source

Source File: 00000004.00000002.3363366661.00000000227E8000.00000020.00001000.00020000.00000000.sdmp, Offset: 227E0000, based on PE: true

Associated: 00000004.00000002.3363339337.00000000227E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000227E1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.0000000022946000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000229ED000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229EF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229F8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364756825.0000000022A22000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_227e0000_MSBuild.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f$misuse$unable to delete/modify user-function due to active statements
API String ID: 0-3864549341
Opcode ID: 6b3e12e0f1255cb1ee32028abca27bae62bfa6a1afdd57d2057eaf69b5ddddc5
Instruction ID: 781876cd2fe87db13ab780acef3f3314212a15e44452ff8d89980b80a17bb1e8
Opcode Fuzzy Hash: 6b3e12e0f1255cb1ee32028abca27bae62bfa6a1afdd57d2057eaf69b5ddddc5
Instruction Fuzzy Hash: B56144B9600B01EBF7018B24DD45F967794AF61308F440228F9195B6C6EFB9E2A4C7E6

Function 228844F0 Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 208COMMON

Download Yara Rule

Strings

col, xrefs: 22884679
fts5vocab: unknown table type: %Q, xrefs: 228846DE
row, xrefs: 228846A1
instance, xrefs: 228846BF

Memory Dump Source

Source File: 00000004.00000002.3363366661.00000000227E8000.00000020.00001000.00020000.00000000.sdmp, Offset: 227E0000, based on PE: true

Associated: 00000004.00000002.3363339337.00000000227E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000227E1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.0000000022946000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000229ED000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229EF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229F8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364756825.0000000022A22000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_227e0000_MSBuild.jbxd

Similarity

API ID:
String ID: col$fts5vocab: unknown table type: %Q$instance$row
API String ID: 0-195232091
Opcode ID: 9059fc1551cf87a0dd9e16000d718c3d0ed6b1d5423023a5eca54671344d0c30
Instruction ID: 4ef1e2b5f65b15967269f968d6da0f1d8dff8207b8d6ed8ef152cb82fe6425c6
Opcode Fuzzy Hash: 9059fc1551cf87a0dd9e16000d718c3d0ed6b1d5423023a5eca54671344d0c30
Instruction Fuzzy Hash: 3361487A941318CFE700DF64995472A77E0BB40309F410B35ED0987609E339EA5ACBB7

Function 228109C2 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 176COMMON

Download Yara Rule

Strings

cannot UPDATE a subset of columns on fts5 contentless-delete table: %s, xrefs: 22810B3B

Memory Dump Source

Source File: 00000004.00000002.3363366661.00000000227E8000.00000020.00001000.00020000.00000000.sdmp, Offset: 227E0000, based on PE: true

Associated: 00000004.00000002.3363339337.00000000227E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000227E1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.0000000022946000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000229ED000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229EF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229F8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364756825.0000000022A22000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_227e0000_MSBuild.jbxd

Similarity

API ID:
String ID: cannot UPDATE a subset of columns on fts5 contentless-delete table: %s
API String ID: 0-2869280805
Opcode ID: dd379ba37d5a3ace545d477237dafbf9d41324da83ff2cb135e441c6f02a2bf5
Instruction ID: d46fcf2375539a9931760b672f34fcb10b07ffe0ad738ee77d9a2e2691cbcaad
Opcode Fuzzy Hash: dd379ba37d5a3ace545d477237dafbf9d41324da83ff2cb135e441c6f02a2bf5
Instruction Fuzzy Hash: CF41E17A705301AFD7009F58EC80A66F3E4FF94325F0006BEEA4997691E772E924C7A0

Function 227F8C40 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 156COMMON

Download Yara Rule

Strings

delayed %dms for lock/sharing conflict at line %d, xrefs: 227F8D35
winAccess, xrefs: 227F8D60

Memory Dump Source

Source File: 00000004.00000002.3363366661.00000000227E8000.00000020.00001000.00020000.00000000.sdmp, Offset: 227E0000, based on PE: true

Associated: 00000004.00000002.3363339337.00000000227E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000227E1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.0000000022946000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000229ED000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229EF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229F8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364756825.0000000022A22000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_227e0000_MSBuild.jbxd

Similarity

API ID:
String ID: delayed %dms for lock/sharing conflict at line %d$winAccess
API String ID: 0-1873940834
Opcode ID: 8cd2171b76f9f4ca5f7878831ff7c07bdd0361a783cbf3dd4de36defa17288c1
Instruction ID: 1127c10d8efcffea66d59b5287ecfef0ed74614b642e810b1f028184d964ad8e
Opcode Fuzzy Hash: 8cd2171b76f9f4ca5f7878831ff7c07bdd0361a783cbf3dd4de36defa17288c1
Instruction Fuzzy Hash: 194148B390D3019BC3019B698D95A5AFBE0BFB9314FE10A29FD66533A0E770D544C682

Function 2291E5B0 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 147COMMON

Download Yara Rule

Strings

%s at line %d of [%.10s], xrefs: 2291E67A
ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 2291E66B
database corruption, xrefs: 2291E675
tVj, xrefs: 2291E6F7
d., xrefs: 2291E6E7

Memory Dump Source

Source File: 00000004.00000002.3363366661.00000000227E8000.00000020.00001000.00020000.00000000.sdmp, Offset: 227E0000, based on PE: true

Associated: 00000004.00000002.3363339337.00000000227E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000227E1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.0000000022946000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000229ED000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229EF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229F8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364756825.0000000022A22000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_227e0000_MSBuild.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$database corruption$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f$tVj$d.
API String ID: 0-1527448856
Opcode ID: a9769aaa7d971efd037f52bffeebf22aa09f88a6a1c09aab147c5c29db3bafb5
Instruction ID: 4607ff21e4d94bcfe5906058ad364ab1d421c9f860651215162ad4227678cfc2
Opcode Fuzzy Hash: a9769aaa7d971efd037f52bffeebf22aa09f88a6a1c09aab147c5c29db3bafb5
Instruction Fuzzy Hash: CD418B715007089BD7019F62DD80B6BB7ECAF50788F0441B8F9C886517E7B6E516CFA2

Function 22909350 Relevance: 10.6, APIs: 7, Instructions: 144COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3363366661.00000000227E8000.00000020.00001000.00020000.00000000.sdmp, Offset: 227E0000, based on PE: true

Associated: 00000004.00000002.3363339337.00000000227E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000227E1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.0000000022946000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000229ED000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229EF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229F8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364756825.0000000022A22000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_227e0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 631552a145db824db9bb32cbac3ccc75888e79e6666b5ca4901d6c216ec68a47
Instruction ID: 601d87ad66b94e020ecc0a4e233ea3cc8a17db4c641c6b28ea262ccc45ecd8c9
Opcode Fuzzy Hash: 631552a145db824db9bb32cbac3ccc75888e79e6666b5ca4901d6c216ec68a47
Instruction Fuzzy Hash: B151A2704843109FE7205BB4DD6CA3733BCBF10709B424A24FD0A8291CDB79EA56CB66

Function 2286C650 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80COMMON

Download Yara Rule

Strings

PRAGMA %Q.data_version, xrefs: 2286C67C

Memory Dump Source

Source File: 00000004.00000002.3363366661.00000000227E8000.00000020.00001000.00020000.00000000.sdmp, Offset: 227E0000, based on PE: true

Associated: 00000004.00000002.3363339337.00000000227E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000227E1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.0000000022946000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000229ED000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229EF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229F8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364756825.0000000022A22000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_227e0000_MSBuild.jbxd

Similarity

API ID:
String ID: PRAGMA %Q.data_version
API String ID: 0-2870853266
Opcode ID: 5858f006e408999f3592b8a8ed5a8f9db93805020a13e76e3705945c4cb6f184
Instruction ID: a18840ed0a4934ed3fe663df2b9a2bf131a2a7ef6a796fa38d09d974c71209a0
Opcode Fuzzy Hash: 5858f006e408999f3592b8a8ed5a8f9db93805020a13e76e3705945c4cb6f184
Instruction Fuzzy Hash: 6D11F97AB043049BD700DE19FC41667F7D1EF94325F50453AE90983611EB36E91D8B72

Function 229C05B4 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00000000,?,00000000,00000800,?,?,?,02176813,?,229C06F5,?,?), ref: 229C0675

Strings

api-ms-, xrefs: 229C060B
ext-ms-, xrefs: 229C061F

Memory Dump Source

Source File: 00000004.00000002.3363366661.0000000022946000.00000020.00001000.00020000.00000000.sdmp, Offset: 227E0000, based on PE: true

Associated: 00000004.00000002.3363339337.00000000227E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000227E1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000227E8000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000229ED000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229EF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229F8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364756825.0000000022A22000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_227e0000_MSBuild.jbxd

Similarity

API ID: FreeLibrary
String ID: api-ms-$ext-ms-
API String ID: 3664257935-537541572
Opcode ID: 8eb07b0ced77f273546aabf267193aa67bbe9d5ece2ae2cf420f13448d9177fa
Instruction ID: aa68b2f386f62d37317c9091b565c8a6d3e1a052e361709854b8b7e0cd92a490
Opcode Fuzzy Hash: 8eb07b0ced77f273546aabf267193aa67bbe9d5ece2ae2cf420f13448d9177fa
Instruction Fuzzy Hash: A6213A31A00331ABE711AFA5CEA4B9A375CEF89770F110750EE56A7285D734EE05CAE1

Function 22814E00 Relevance: 9.2, APIs: 6, Instructions: 231COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3363366661.00000000227E8000.00000020.00001000.00020000.00000000.sdmp, Offset: 227E0000, based on PE: true

Associated: 00000004.00000002.3363339337.00000000227E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000227E1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.0000000022946000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000229ED000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229EF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229F8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364756825.0000000022A22000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_227e0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0bd41a585291ed9db078dd501863886b1b4239cb8aaa5891cd80846e5e6b0e45
Instruction ID: 982dc4505f196b4cc7afb3937bff73635466cb1d114af8c5d0c4af751487692a
Opcode Fuzzy Hash: 0bd41a585291ed9db078dd501863886b1b4239cb8aaa5891cd80846e5e6b0e45
Instruction Fuzzy Hash: FF81C075608300CFD700DF98D958B6AB7E4FF80319F450929FD4997684D73AE949CBA2

Function 229173E0 Relevance: 9.1, APIs: 1, Strings: 4, Instructions: 369COMMON

Download Yara Rule

Strings

SELECT*FROM"%w".%s ORDER BY rowid, xrefs: 2291776D
sqlite_master, xrefs: 229173FD
ase, xrefs: 2291768D
sqlite_temp_master, xrefs: 229173F2

Memory Dump Source

Source File: 00000004.00000002.3363366661.00000000227E8000.00000020.00001000.00020000.00000000.sdmp, Offset: 227E0000, based on PE: true

Associated: 00000004.00000002.3363339337.00000000227E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000227E1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.0000000022946000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000229ED000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229EF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229F8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364756825.0000000022A22000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_227e0000_MSBuild.jbxd

Similarity

API ID:
String ID: SELECT*FROM"%w".%s ORDER BY rowid$ase$sqlite_master$sqlite_temp_master
API String ID: 0-231581592
Opcode ID: 91eb97a12efbe894afe0cd589658dcd9d50ee15054c50b3c0180592a9e9cc50a
Instruction ID: 9928a92852afdb6cabba9720bdd22446637c3f11b0d1c266da7498d01b99794f
Opcode Fuzzy Hash: 91eb97a12efbe894afe0cd589658dcd9d50ee15054c50b3c0180592a9e9cc50a
Instruction Fuzzy Hash: 6FE10AB0A043469FD701CF29C980BEABBF8BF55308F04469CF95997252E776E944CB92

Function 22806DA0 Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 364COMMON

Download Yara Rule

Strings

recursively defined fts5 content table, xrefs: 22806DE2

Memory Dump Source

Source File: 00000004.00000002.3363366661.00000000227E8000.00000020.00001000.00020000.00000000.sdmp, Offset: 227E0000, based on PE: true

Associated: 00000004.00000002.3363339337.00000000227E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000227E1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.0000000022946000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000229ED000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229EF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229F8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364756825.0000000022A22000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_227e0000_MSBuild.jbxd

Similarity

API ID:
String ID: recursively defined fts5 content table
API String ID: 0-437020801
Opcode ID: bd925d524b71a69c97da0af8fe1a527308bfed561c72d037190042e7253ca30a
Instruction ID: e4606e95fa8c7a2766d0b615c87c2ebd81108a263664aae3e41e9ffa743f6885
Opcode Fuzzy Hash: bd925d524b71a69c97da0af8fe1a527308bfed561c72d037190042e7253ca30a
Instruction Fuzzy Hash: 75D1F279504310CFD704CF19C980B96BBE1FF89368F444A5EEC898B246D779DA86CB92

Function 22886180 Relevance: 9.1, APIs: 1, Strings: 4, Instructions: 335COMMON

Download Yara Rule

Strings

fts5: syntax error near "%.*s", xrefs: 22886436
NEAR, xrefs: 2288642A
expected integer, got "%.*s", xrefs: 2288648D
fts5 expression tree is too large (maximum depth %d), xrefs: 22886349

Memory Dump Source

Source File: 00000004.00000002.3363366661.00000000227E8000.00000020.00001000.00020000.00000000.sdmp, Offset: 227E0000, based on PE: true

Associated: 00000004.00000002.3363339337.00000000227E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000227E1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.0000000022946000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000229ED000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229EF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229F8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364756825.0000000022A22000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_227e0000_MSBuild.jbxd

Similarity

API ID:
String ID: NEAR$expected integer, got "%.*s"$fts5 expression tree is too large (maximum depth %d)$fts5: syntax error near "%.*s"
API String ID: 0-2846580575
Opcode ID: e7d0acb10f8b7757a5598f3f6a8a44dd24d128ffd73342328ff311faf0c39728
Instruction ID: 87ffca1e808ceb597c2dd0ab1419c6c13e964d1a3272ad5842a192eba4bcf6a4
Opcode Fuzzy Hash: e7d0acb10f8b7757a5598f3f6a8a44dd24d128ffd73342328ff311faf0c39728
Instruction Fuzzy Hash: 4AC1C4B990432EEFD7118F64C940F2EF7A4FF18314F148A59E9595B242E371E660CBA2

Function 2281C0F0 Relevance: 9.0, APIs: 2, Strings: 3, Instructions: 276COMMON

Download Yara Rule

Strings

%s at line %d of [%.10s], xrefs: 2281C124, 2281C16F
ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 2281C115, 2281C160
database corruption, xrefs: 2281C11F, 2281C16A

Memory Dump Source

Source File: 00000004.00000002.3363366661.00000000227E8000.00000020.00001000.00020000.00000000.sdmp, Offset: 227E0000, based on PE: true

Associated: 00000004.00000002.3363339337.00000000227E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000227E1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.0000000022946000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000229ED000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229EF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229F8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364756825.0000000022A22000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_227e0000_MSBuild.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$database corruption$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f
API String ID: 0-2528248365
Opcode ID: 529595e21d91c5cced958f0641489ddd196a6a5ff05228c24eecf8192a596390
Instruction ID: fe9b727b77e1796ea5f749e9035c5a21d62d4aa7500ef449021ac324288cd3de
Opcode Fuzzy Hash: 529595e21d91c5cced958f0641489ddd196a6a5ff05228c24eecf8192a596390
Instruction Fuzzy Hash: D0A1BE796083019BC704DF6CD880A6ABBE1FFD8714F484A6DFA489B345E731E905CB92

Function 2288E4B0 Relevance: 9.0, APIs: 2, Strings: 3, Instructions: 218COMMON

Download Yara Rule

Strings

%s at line %d of [%.10s], xrefs: 2288E58E, 2288E5C1
ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 2288E57F, 2288E5B2
database corruption, xrefs: 2288E589, 2288E5BC

Memory Dump Source

Source File: 00000004.00000002.3363366661.00000000227E8000.00000020.00001000.00020000.00000000.sdmp, Offset: 227E0000, based on PE: true

Associated: 00000004.00000002.3363339337.00000000227E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000227E1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.0000000022946000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000229ED000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229EF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229F8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364756825.0000000022A22000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_227e0000_MSBuild.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$database corruption$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f
API String ID: 0-2528248365
Opcode ID: cc1f73541f62590842fa8454a7ae8d0e754e73044da30867bd20cf3e42c23506
Instruction ID: a5905f88945dce8ea7e15ca6233a2ea313883c1f294c806cb3d5580c3f57acda
Opcode Fuzzy Hash: cc1f73541f62590842fa8454a7ae8d0e754e73044da30867bd20cf3e42c23506
Instruction Fuzzy Hash: B3711576604349AFD700DF29DD80A6ABBE0FF44315F44457DF999C3642E324EA58C7A2

Function 22820970 Relevance: 9.0, APIs: 2, Strings: 3, Instructions: 207COMMON

Download Yara Rule

Strings

%s at line %d of [%.10s], xrefs: 22820AA0, 22820B82
ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 22820A91, 22820B73
database corruption, xrefs: 22820A9B, 22820B7D

Memory Dump Source

Source File: 00000004.00000002.3363366661.00000000227E8000.00000020.00001000.00020000.00000000.sdmp, Offset: 227E0000, based on PE: true

Associated: 00000004.00000002.3363339337.00000000227E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000227E1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.0000000022946000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000229ED000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229EF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229F8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364756825.0000000022A22000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_227e0000_MSBuild.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$database corruption$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f
API String ID: 0-2528248365
Opcode ID: 3467ca61ea15d4ca081d5d2c4d978d839285c1b5ff60edb8858a64e56d093a42
Instruction ID: c8b96a696aad16f8575b09a6f0e52b15eb0974eb0467697cd9c56884277ada17
Opcode Fuzzy Hash: 3467ca61ea15d4ca081d5d2c4d978d839285c1b5ff60edb8858a64e56d093a42
Instruction Fuzzy Hash: DB61D0B9700744CFCB14DF28D980B1A7BE0FBA8714F4506A9EC4A9B31AE771D994CB91

Function 228EABF0 Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 204COMMON

Download Yara Rule

Strings

misuse, xrefs: 228EAE18
%s at line %d of [%.10s], xrefs: 228EAE1D
ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 228EAE0E
unable to delete/modify user-function due to active statements, xrefs: 228EAD61

Memory Dump Source

Source File: 00000004.00000002.3363366661.00000000227E8000.00000020.00001000.00020000.00000000.sdmp, Offset: 227E0000, based on PE: true

Associated: 00000004.00000002.3363339337.00000000227E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000227E1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.0000000022946000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000229ED000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229EF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229F8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364756825.0000000022A22000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_227e0000_MSBuild.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f$misuse$unable to delete/modify user-function due to active statements
API String ID: 0-3864549341
Opcode ID: 7396533f72afe5729e7a4d47db61d620ec0ea59876885e63d3e718cfe76869a6
Instruction ID: 8f9b10817238b6e7f9ae2e8bb72c55ac148a4fc2a9c50644fbf57290f946ca6e
Opcode Fuzzy Hash: 7396533f72afe5729e7a4d47db61d620ec0ea59876885e63d3e718cfe76869a6
Instruction Fuzzy Hash: BB51C07A204304EFD7109E24DDC0B6FB7E8EF8AB55F04492DF68A96251D736E901CB62

Function 227EA230 Relevance: 9.0, APIs: 2, Strings: 3, Instructions: 201COMMON

Download Yara Rule

Strings

misuse, xrefs: 227EA469, 227EA4A7
%s at line %d of [%.10s], xrefs: 227EA46E, 227EA4AC
ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 227EA45F, 227EA49D

Memory Dump Source

Source File: 00000004.00000002.3363366661.00000000227E8000.00000020.00001000.00020000.00000000.sdmp, Offset: 227E0000, based on PE: true

Associated: 00000004.00000002.3363339337.00000000227E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000227E1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.0000000022946000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000229ED000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229EF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229F8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364756825.0000000022A22000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_227e0000_MSBuild.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f$misuse
API String ID: 0-3564305576
Opcode ID: f08a89ff80d2e6441de536f99ef8bfb66ad0a287b0b72ef6cdef8d760130be01
Instruction ID: e89425c8c7cec097c303784401ef29bcf48bc8c7a9f17f352b37f41f0f5e21ca
Opcode Fuzzy Hash: f08a89ff80d2e6441de536f99ef8bfb66ad0a287b0b72ef6cdef8d760130be01
Instruction Fuzzy Hash: 55713870608740AFE711CF28D984BABB7E4BF95308F04452CE95E8B242E779E945C7A2

Function 227FA860 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 180COMMON

Download Yara Rule

Strings

tables_used, xrefs: 227FA973, 227FA97B
argument to %s() is not a valid SQL statement, xrefs: 227FA97C
stmt-pointer, xrefs: 227FA928
bytecode, xrefs: 227FA96E

Memory Dump Source

Source File: 00000004.00000002.3363366661.00000000227E8000.00000020.00001000.00020000.00000000.sdmp, Offset: 227E0000, based on PE: true

Associated: 00000004.00000002.3363339337.00000000227E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000227E1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.0000000022946000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000229ED000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229EF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229F8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364756825.0000000022A22000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_227e0000_MSBuild.jbxd

Similarity

API ID:
String ID: argument to %s() is not a valid SQL statement$bytecode$stmt-pointer$tables_used
API String ID: 0-361449301
Opcode ID: d40dcb5b10b93a2dafec5809502460d747903dae42015f26e2db4191829eeee8
Instruction ID: cc220681d0df7aa093872609274ecc33634dd91cc8e9ea147d5a3ee55950ae62
Opcode Fuzzy Hash: d40dcb5b10b93a2dafec5809502460d747903dae42015f26e2db4191829eeee8
Instruction Fuzzy Hash: 7A61BF7150C7019FE710CF24CA95B62B7E4EF44304F014A29ED96967A2E77AEA48CBA1

Function 227E2AF4 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 167COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,22A294C2,00000104), ref: 229DEFDB

Strings

Runtime Error!Program: , xrefs: 229DEFA7
<program name unknown>, xrefs: 229DEFEA
..., xrefs: 229DF029
Microsoft Visual C++ Runtime Library, xrefs: 229DF070

Memory Dump Source

Source File: 00000004.00000002.3363366661.00000000227E1000.00000020.00001000.00020000.00000000.sdmp, Offset: 227E0000, based on PE: true

Associated: 00000004.00000002.3363339337.00000000227E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000227E8000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.0000000022946000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000229ED000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229EF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229F8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364756825.0000000022A22000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_227e0000_MSBuild.jbxd

Similarity

API ID: FileModuleName
String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program:
API String ID: 514040917-4022980321
Opcode ID: 220d700854f3d7cacf487e860fecde7699b2bcb8f928f1c3efd353b7db3e2113
Instruction ID: b2a237a6c8466d44ab5cdfb9bf262ecef761fcba3a62500c1916771fc19ec665
Opcode Fuzzy Hash: 220d700854f3d7cacf487e860fecde7699b2bcb8f928f1c3efd353b7db3e2113
Instruction Fuzzy Hash: 41216733A4130272E231B6648E8AF9B379CABB5B94B418A64FC0DA7905FA15C705D2A1

Function 228123D0 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 150COMMON

Download Yara Rule

Strings

no such database: %s, xrefs: 228124B4
cannot detach database %s, xrefs: 228124C3, 22812547
database %s is locked, xrefs: 22812541
main, xrefs: 22812491

Memory Dump Source

Source File: 00000004.00000002.3363366661.00000000227E8000.00000020.00001000.00020000.00000000.sdmp, Offset: 227E0000, based on PE: true

Associated: 00000004.00000002.3363339337.00000000227E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000227E1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.0000000022946000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000229ED000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229EF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229F8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364756825.0000000022A22000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_227e0000_MSBuild.jbxd

Similarity

API ID:
String ID: cannot detach database %s$database %s is locked$main$no such database: %s
API String ID: 0-3838832555
Opcode ID: d142ea99f8249155cb665fb8af545c0e602eda2794cc62d1cc3e58ce3c1c25a5
Instruction ID: 19bb613be2f37405789120354e997ba341cade6fa7160ff5553b684d07b34562
Opcode Fuzzy Hash: d142ea99f8249155cb665fb8af545c0e602eda2794cc62d1cc3e58ce3c1c25a5
Instruction Fuzzy Hash: 9551D0B9604320DFD718CF18C991B56B3A1BF94318F11865CE8598B2D6DBB1E841CFA2

Function 22814C00 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 143COMMON

Download Yara Rule

Strings

CREATE TABLE x(term, col, documents, occurrences, languageid HIDDEN), xrefs: 22814CCB
invalid arguments to fts4aux constructor, xrefs: 22814C9E
temp, xrefs: 22814C3E

Memory Dump Source

Source File: 00000004.00000002.3363366661.00000000227E8000.00000020.00001000.00020000.00000000.sdmp, Offset: 227E0000, based on PE: true

Associated: 00000004.00000002.3363339337.00000000227E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000227E1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.0000000022946000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000229ED000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229EF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229F8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364756825.0000000022A22000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_227e0000_MSBuild.jbxd

Similarity

API ID:
String ID: CREATE TABLE x(term, col, documents, occurrences, languageid HIDDEN)$invalid arguments to fts4aux constructor$temp
API String ID: 0-537686372
Opcode ID: 30a4ac49d6e7627191128e085023152de34211eb4d70b72ba29ad531f7f9a8be
Instruction ID: e53127247876455083bae5c2ac12434ad78e1a611b1c0a8caa5f55815ab1f077
Opcode Fuzzy Hash: 30a4ac49d6e7627191128e085023152de34211eb4d70b72ba29ad531f7f9a8be
Instruction Fuzzy Hash: 1241587A104315DFDB158F18D980BA67BF0EF94324F0584A9EDEE8B242D632DA12CB70

Function 2281E030 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 127COMMON

Download Yara Rule

Strings

%s at line %d of [%.10s], xrefs: 2281E0F7, 2281E12D
ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 2281E0E8, 2281E11E
database corruption, xrefs: 2281E0F2, 2281E128

Memory Dump Source

Source File: 00000004.00000002.3363366661.00000000227E8000.00000020.00001000.00020000.00000000.sdmp, Offset: 227E0000, based on PE: true

Associated: 00000004.00000002.3363339337.00000000227E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000227E1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.0000000022946000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000229ED000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229EF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229F8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364756825.0000000022A22000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_227e0000_MSBuild.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$database corruption$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f
API String ID: 0-2528248365
Opcode ID: 3e98ae4b7ef2e4e4842f2eb696e5ea125024233e8b6617f51905a712ef7b56f7
Instruction ID: 4ab10512c9eb8b437b51ae715d3dc9c691a0533bcb7439447d6a2924dc2be759
Opcode Fuzzy Hash: 3e98ae4b7ef2e4e4842f2eb696e5ea125024233e8b6617f51905a712ef7b56f7
Instruction Fuzzy Hash: C94142767043019AD304DE29EDC0BAABBE0FB81612F44453DF99983681E369E648C772

Function 227FC2B0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 112COMMON

Download Yara Rule

Strings

%!.*f, xrefs: 227FC3AE

Memory Dump Source

Source File: 00000004.00000002.3363366661.00000000227E8000.00000020.00001000.00020000.00000000.sdmp, Offset: 227E0000, based on PE: true

Associated: 00000004.00000002.3363339337.00000000227E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000227E1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.0000000022946000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000229ED000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229EF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229F8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364756825.0000000022A22000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_227e0000_MSBuild.jbxd

Similarity

API ID:
String ID: %!.*f
API String ID: 0-786758813
Opcode ID: 96c2c5038dbbb3c8b777415c3a234851e37e4a95625c90e8b8a2c5d12a641e27
Instruction ID: c87476e6808badf7e4a3f67c157b1e9d7eeb0746971e7a8d1903157b460fb186
Opcode Fuzzy Hash: 96c2c5038dbbb3c8b777415c3a234851e37e4a95625c90e8b8a2c5d12a641e27
Instruction Fuzzy Hash: 50312B32C0CB1086D303DA38891266B7794AFA67D5F45475DEC9A3B202E735995BC2E3

Function 228BEBD0 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 103COMMON

Download Yara Rule

Strings

%s at line %d of [%.10s], xrefs: 228BEC51
ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 228BEC42
database corruption, xrefs: 228BEC4C
CREATE , xrefs: 228BEBFF

Memory Dump Source

Source File: 00000004.00000002.3363366661.00000000227E8000.00000020.00001000.00020000.00000000.sdmp, Offset: 227E0000, based on PE: true

Associated: 00000004.00000002.3363339337.00000000227E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000227E1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.0000000022946000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000229ED000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229EF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229F8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364756825.0000000022A22000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_227e0000_MSBuild.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$CREATE $database corruption$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f
API String ID: 0-1360532505
Opcode ID: 93b49c61df432dde582b1227c8953abde94d840894617687795d44315ff57060
Instruction ID: 6088d2f60dec21b20dbb51f7511779cc753eeb4d248dacbb4f3da8edaa989f28
Opcode Fuzzy Hash: 93b49c61df432dde582b1227c8953abde94d840894617687795d44315ff57060
Instruction Fuzzy Hash: AA314B675043C1DDF7220A599D90B92BFD0AF5131AF5401BEF8988E247D366D280D731

Function 22817050 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 98COMMON

Download Yara Rule

Strings

out of memory, xrefs: 22817059, 228170A2
API call with %s database connection pointer, xrefs: 22817074
invalid, xrefs: 2281706F
bad parameter or other API misuse, xrefs: 22817083

Memory Dump Source

Source File: 00000004.00000002.3363366661.00000000227E8000.00000020.00001000.00020000.00000000.sdmp, Offset: 227E0000, based on PE: true

Associated: 00000004.00000002.3363339337.00000000227E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000227E1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.0000000022946000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000229ED000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229EF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229F8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364756825.0000000022A22000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_227e0000_MSBuild.jbxd

Similarity

API ID:
String ID: API call with %s database connection pointer$bad parameter or other API misuse$invalid$out of memory
API String ID: 0-453588374
Opcode ID: f0ad34664aaefd6aa4acbc33e6fe20ede0890ffb3a31f223d4b68a27db7fb782
Instruction ID: af72f963150b1b821bce31510e946b5dd9f9a3de83a338833769e51eb62241f8
Opcode Fuzzy Hash: f0ad34664aaefd6aa4acbc33e6fe20ede0890ffb3a31f223d4b68a27db7fb782
Instruction Fuzzy Hash: BC317CA9A44300C7EB1447249D06FEB23966BC1318F29042DE54D9B3CBE729D987C392

Function 228993A0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 93COMMON

Download Yara Rule

Strings

%s at line %d of [%.10s], xrefs: 22899455, 22899499
ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 22899446, 2289948A
database corruption, xrefs: 22899450, 22899494

Memory Dump Source

Source File: 00000004.00000002.3363366661.00000000227E8000.00000020.00001000.00020000.00000000.sdmp, Offset: 227E0000, based on PE: true

Associated: 00000004.00000002.3363339337.00000000227E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000227E1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.0000000022946000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000229ED000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229EF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229F8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364756825.0000000022A22000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_227e0000_MSBuild.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$database corruption$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f
API String ID: 0-2528248365
Opcode ID: 41c46a290f7bb171c5de036b04465c1df1ad5a2533324bbd944082135299320b
Instruction ID: f31e7a2533c4987a58f315311ee7c00836bfba53680e6f1e75d305d301c4d44f
Opcode Fuzzy Hash: 41c46a290f7bb171c5de036b04465c1df1ad5a2533324bbd944082135299320b
Instruction Fuzzy Hash: 2E316839600B508AD325DF28D8D0AB3BBF2AF85305B54805CE6C64BB4AE332E942C760

Function 22824F40 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 91COMMON

Download Yara Rule

Strings

%s at line %d of [%.10s], xrefs: 22824F71, 22825002
ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 22824F62, 22824FF3
database corruption, xrefs: 22824F6C, 22824FFD

Memory Dump Source

Source File: 00000004.00000002.3363366661.00000000227E8000.00000020.00001000.00020000.00000000.sdmp, Offset: 227E0000, based on PE: true

Associated: 00000004.00000002.3363339337.00000000227E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000227E1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.0000000022946000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000229ED000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229EF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229F8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364756825.0000000022A22000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_227e0000_MSBuild.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$database corruption$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f
API String ID: 0-2528248365
Opcode ID: d68020944b11b6cd0ef8531bf9154be058dafcbcf94519c58fc2746aa5bbd2ab
Instruction ID: 0f47819832760bff85003598bb246b553c7aaec6f8e8ca5c7b2518ef2b003f50
Opcode Fuzzy Hash: d68020944b11b6cd0ef8531bf9154be058dafcbcf94519c58fc2746aa5bbd2ab
Instruction Fuzzy Hash: 433147762047816BC3019B29ED80BA6BBE0FF55311F084266F458CBA82D329E960D7A0

Function 2291C6F0 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 70COMMON

Download Yara Rule

Strings

a generated column, xrefs: 2291C722
a CHECK constraint, xrefs: 2291C714, 2291C72B
non-deterministic use of %s() in %s, xrefs: 2291C732
an index, xrefs: 2291C71D

Memory Dump Source

Source File: 00000004.00000002.3363366661.00000000227E8000.00000020.00001000.00020000.00000000.sdmp, Offset: 227E0000, based on PE: true

Associated: 00000004.00000002.3363339337.00000000227E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000227E1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.0000000022946000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000229ED000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229EF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229F8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364756825.0000000022A22000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_227e0000_MSBuild.jbxd

Similarity

API ID:
String ID: a CHECK constraint$a generated column$an index$non-deterministic use of %s() in %s
API String ID: 0-3705377941
Opcode ID: 54a0f9ef19e5f2e7fc5f3755fe3ee161bb9e1bf4c7a045c1af2cb77b18ac0caf
Instruction ID: f93004180195aa0b67cd2811f8a04c86fbee1127daa9b2bf0f4e2bd8fc3f7a07
Opcode Fuzzy Hash: 54a0f9ef19e5f2e7fc5f3755fe3ee161bb9e1bf4c7a045c1af2cb77b18ac0caf
Instruction Fuzzy Hash: DE2166B0604311AFDB009F68DC58F6677A8BF05364F050764FD14D7298DBB9D892C7A2

Function 22899290 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 70COMMON

Download Yara Rule

Strings

%s at line %d of [%.10s], xrefs: 228992AB, 22899339
ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 2289929C, 2289932A
database corruption, xrefs: 228992A6, 22899334

Memory Dump Source

Source File: 00000004.00000002.3363366661.00000000227E8000.00000020.00001000.00020000.00000000.sdmp, Offset: 227E0000, based on PE: true

Associated: 00000004.00000002.3363339337.00000000227E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000227E1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.0000000022946000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000229ED000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229EF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229F8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364756825.0000000022A22000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_227e0000_MSBuild.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$database corruption$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f
API String ID: 0-2528248365
Opcode ID: 799a5f791320ccd294e1820136c820eeb4d667d28113318ed69afe66a1338112
Instruction ID: 3afe559f00b74c3dac59ce0e6f68db5e4f9f71bb60fb017d5084ed9b437b824f
Opcode Fuzzy Hash: 799a5f791320ccd294e1820136c820eeb4d667d28113318ed69afe66a1338112
Instruction Fuzzy Hash: B1216B35244B909BD721DF3899D0BA7BFF1AF15300B48449CE2D69779AF232E581C751

Function 228033C0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 54COMMON

Download Yara Rule

Strings

CREATE TABLE x(pgno INTEGER PRIMARY KEY, data BLOB, schema HIDDEN), xrefs: 228033D6

Memory Dump Source

Source File: 00000004.00000002.3363366661.00000000227E8000.00000020.00001000.00020000.00000000.sdmp, Offset: 227E0000, based on PE: true

Associated: 00000004.00000002.3363339337.00000000227E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000227E1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.0000000022946000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000229ED000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229EF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229F8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364756825.0000000022A22000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_227e0000_MSBuild.jbxd

Similarity

API ID:
String ID: CREATE TABLE x(pgno INTEGER PRIMARY KEY, data BLOB, schema HIDDEN)
API String ID: 0-1935849370
Opcode ID: 146407a03c8dba9e14c1010a80e334155814d91a9b0df658f91355fc282d3a96
Instruction ID: 947e3a36c59578822b75dc11ef713fd9dd0864d9f14dea38ab05dae3f4f2cd9e
Opcode Fuzzy Hash: 146407a03c8dba9e14c1010a80e334155814d91a9b0df658f91355fc282d3a96
Instruction Fuzzy Hash: D10192397087169AD302DF29E800B8AB3D6EFD5311F498166F6089F240EBB0E58787A1

Function 22906A20 Relevance: 8.0, APIs: 5, Instructions: 485COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3363366661.00000000227E8000.00000020.00001000.00020000.00000000.sdmp, Offset: 227E0000, based on PE: true

Associated: 00000004.00000002.3363339337.00000000227E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000227E1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.0000000022946000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000229ED000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229EF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229F8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364756825.0000000022A22000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_227e0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fae8af4f52e35e1b463de9cdbbb17546245fad1a015f7f6d845ebf689fe38cc6
Instruction ID: d4f4cb18fd35e30af88157a2df1e6a061e0aae9fda7f040ee4dc5a92253f7ead
Opcode Fuzzy Hash: fae8af4f52e35e1b463de9cdbbb17546245fad1a015f7f6d845ebf689fe38cc6
Instruction Fuzzy Hash: C1029DB0908319CFD300DF69D954B2AB7E8BF44308F404A6DFD4597245E774EA99CBA2

Function 2286AF80 Relevance: 7.8, APIs: 5, Instructions: 277COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3363366661.00000000227E8000.00000020.00001000.00020000.00000000.sdmp, Offset: 227E0000, based on PE: true

Associated: 00000004.00000002.3363339337.00000000227E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000227E1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.0000000022946000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000229ED000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229EF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229F8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364756825.0000000022A22000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_227e0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41698e5d0649d46a3fa71397526992320d9caa196e22e5329f801b192b513252
Instruction ID: e3a457f78952a13422c3924bcd5974d386892353e84a77574641c69b5577d7af
Opcode Fuzzy Hash: 41698e5d0649d46a3fa71397526992320d9caa196e22e5329f801b192b513252
Instruction Fuzzy Hash: 68A1A474945710DFD7109FA4D968A3A37A4BF0034DF060A24FD09A3A48D778EA5ACBE6

Function 229073C0 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 296COMMON

Download Yara Rule

Strings

fts5: syntax error near "%.*s", xrefs: 2290751C

Memory Dump Source

Source File: 00000004.00000002.3363366661.00000000227E8000.00000020.00001000.00020000.00000000.sdmp, Offset: 227E0000, based on PE: true

Associated: 00000004.00000002.3363339337.00000000227E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000227E1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.0000000022946000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000229ED000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229EF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229F8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364756825.0000000022A22000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_227e0000_MSBuild.jbxd

Similarity

API ID:
String ID: fts5: syntax error near "%.*s"
API String ID: 0-498961494
Opcode ID: 139c66c555fa3919b49881db106649e4468a29014585a73c1400d77212d90922
Instruction ID: 2488d0c906c64b9a9b24ecfbc4ebfb752eb339f7f2befccb5460cbbf79d25905
Opcode Fuzzy Hash: 139c66c555fa3919b49881db106649e4468a29014585a73c1400d77212d90922
Instruction Fuzzy Hash: 70B1C170904349DFD310CF68C980BEABBE8BF44358F04495DF88987241D376EA85CBA6

Function 22820F60 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 264COMMON

Download Yara Rule

Strings

%s at line %d of [%.10s], xrefs: 22821287
ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 2282126C, 22821278
database corruption, xrefs: 22821282

Memory Dump Source

Source File: 00000004.00000002.3363366661.00000000227E8000.00000020.00001000.00020000.00000000.sdmp, Offset: 227E0000, based on PE: true

Associated: 00000004.00000002.3363339337.00000000227E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000227E1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.0000000022946000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000229ED000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229EF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229F8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364756825.0000000022A22000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_227e0000_MSBuild.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$database corruption$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f
API String ID: 0-2528248365
Opcode ID: b8a7d26b31b73318f2456c907bd9ffa3135c0bf62e2d4d768d7f34a854786f15
Instruction ID: f2a2308a5c7a3d902526a464f049c44c56d91ef0eafe7e9ea050651c9bf9df5b
Opcode Fuzzy Hash: b8a7d26b31b73318f2456c907bd9ffa3135c0bf62e2d4d768d7f34a854786f15
Instruction Fuzzy Hash: 9BA1BC78544B81CFD714CF64CA90B3777E4FB50304F150A68ED4A8B62AE735E986CBA2

Function 228082E0 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 220COMMON

Download Yara Rule

Strings

[%d], xrefs: 228084C7

Memory Dump Source

Source File: 00000004.00000002.3363366661.00000000227E8000.00000020.00001000.00020000.00000000.sdmp, Offset: 227E0000, based on PE: true

Associated: 00000004.00000002.3363339337.00000000227E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000227E1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.0000000022946000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000229ED000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229EF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229F8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364756825.0000000022A22000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_227e0000_MSBuild.jbxd

Similarity

API ID:
String ID: [%d]
API String ID: 0-394612830
Opcode ID: ecb14b1a5b2ad17f90dbfa6b6d7631afe4dd9c1c1c1167f93f1e3bdfde86c70f
Instruction ID: 5dae8ab54e67dab0c432e1bbf79b113fce226a5db3a482070c146147c924d204
Opcode Fuzzy Hash: ecb14b1a5b2ad17f90dbfa6b6d7631afe4dd9c1c1c1167f93f1e3bdfde86c70f
Instruction Fuzzy Hash: C87108B9908304EFD720CB24DC80FAB77E9AF95704F848A1DE58983291E335E759C762

Function 228E6180 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 216COMMON

Download Yara Rule

Strings

%s at line %d of [%.10s], xrefs: 228E6396
ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 228E6387
database corruption, xrefs: 228E6391

Memory Dump Source

Source File: 00000004.00000002.3363366661.00000000227E8000.00000020.00001000.00020000.00000000.sdmp, Offset: 227E0000, based on PE: true

Associated: 00000004.00000002.3363339337.00000000227E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000227E1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.0000000022946000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000229ED000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229EF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229F8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364756825.0000000022A22000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_227e0000_MSBuild.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$database corruption$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f
API String ID: 0-2528248365
Opcode ID: eaffc2b94aba11d88cd91073ef1035bb7c694072e2748aba58fd05fe1ab657f1
Instruction ID: 1002a201b0d23515e10e0e15198a1b5e4c618ae37c2f0acdb63ad27af22a300c
Opcode Fuzzy Hash: eaffc2b94aba11d88cd91073ef1035bb7c694072e2748aba58fd05fe1ab657f1
Instruction Fuzzy Hash: 3171C179A08320CBDB00DF28D9C17AA7BE0EF56324F945959F89E8B243E335D945C752

Function 228213A0 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 214COMMON

Download Yara Rule

Strings

%s at line %d of [%.10s], xrefs: 22821468
ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 22821459
database corruption, xrefs: 22821463

Memory Dump Source

Source File: 00000004.00000002.3363366661.00000000227E8000.00000020.00001000.00020000.00000000.sdmp, Offset: 227E0000, based on PE: true

Associated: 00000004.00000002.3363339337.00000000227E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000227E1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.0000000022946000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000229ED000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229EF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229F8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364756825.0000000022A22000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_227e0000_MSBuild.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$database corruption$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f
API String ID: 0-2528248365
Opcode ID: 17ae446f121c726381e66d21996fe00e5142a02be587315298a9aeb3c898922e
Instruction ID: 3e802aff06175ccd2bb3985c56684da0542534f1b2d9e7ee4f7ccd7cdae1290d
Opcode Fuzzy Hash: 17ae446f121c726381e66d21996fe00e5142a02be587315298a9aeb3c898922e
Instruction Fuzzy Hash: 827117B5604740DFC705CF24C980B677BE5AF98314F298A99F88D9B253D731E981CB92

Function 22990FC2 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 189COMMONLIBRARYCODE

Download Yara Rule

APIs

EncodePointer.KERNEL32(00000000,?,00000000,1FFFFFFF), ref: 22990FE7
CatchIt.LIBVCRUNTIME ref: 229910CD

Strings

RCC, xrefs: 22991001
MOC, xrefs: 22990FF9

Memory Dump Source

Source File: 00000004.00000002.3363366661.0000000022946000.00000020.00001000.00020000.00000000.sdmp, Offset: 227E0000, based on PE: true

Associated: 00000004.00000002.3363339337.00000000227E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000227E1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000227E8000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000229ED000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229EF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229F8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364756825.0000000022A22000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_227e0000_MSBuild.jbxd

Similarity

API ID: CatchEncodePointer
String ID: MOC$RCC
API String ID: 1435073870-2084237596
Opcode ID: 6eccce2cc6589e5502386c727d2c6e67636438b0fcd53cbcf730a51f982706f9
Instruction ID: e5388b575ef49b03ddd1acf32f2654595530cf6a739da7e2f05b08d01e75365c
Opcode Fuzzy Hash: 6eccce2cc6589e5502386c727d2c6e67636438b0fcd53cbcf730a51f982706f9
Instruction Fuzzy Hash: 5C413771900349AFDF06CF94CE81AAE7BB9FF58314F148199EA19B7221D2369A50DF50

Function 22823060 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 184COMMON

Download Yara Rule

Strings

%s at line %d of [%.10s], xrefs: 228230A1
ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 22823092
database corruption, xrefs: 2282309C

Memory Dump Source

Source File: 00000004.00000002.3363366661.00000000227E8000.00000020.00001000.00020000.00000000.sdmp, Offset: 227E0000, based on PE: true

Associated: 00000004.00000002.3363339337.00000000227E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000227E1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.0000000022946000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000229ED000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229EF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229F8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364756825.0000000022A22000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_227e0000_MSBuild.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$database corruption$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f
API String ID: 0-2528248365
Opcode ID: 22eef7a14bb7952689e9d8d54d21ed3cd766d8586575564878a7e50487760a18
Instruction ID: 5aaded17a1ba35adfd4519dc3fb8d91bc3c4ae43c4a435173769be1fb9717966
Opcode Fuzzy Hash: 22eef7a14bb7952689e9d8d54d21ed3cd766d8586575564878a7e50487760a18
Instruction Fuzzy Hash: 1661BF756083459FC704CF68C990A6BBBE4FF88704F404A5DF9898B342E735D985CBA2

Function 227F4CE0 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 160COMMON

Download Yara Rule

Strings

temp, xrefs: 22883F91
wrong number of vtable arguments, xrefs: 22883FA9

Memory Dump Source

Source File: 00000004.00000002.3363366661.00000000227E8000.00000020.00001000.00020000.00000000.sdmp, Offset: 227E0000, based on PE: true

Associated: 00000004.00000002.3363339337.00000000227E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000227E1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.0000000022946000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000229ED000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229EF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229F8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364756825.0000000022A22000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_227e0000_MSBuild.jbxd

Similarity

API ID:
String ID: temp$wrong number of vtable arguments
API String ID: 0-2849069181
Opcode ID: 98046e6c8423f28cce5d19117c748b50f987ff7fe67959e8786f50448000c648
Instruction ID: 2b453816897546070a068e8fd9a9101be80fef9eb6fcaec532fb842135514635
Opcode Fuzzy Hash: 98046e6c8423f28cce5d19117c748b50f987ff7fe67959e8786f50448000c648
Instruction Fuzzy Hash: 7A51A4B9504309CFC714CF14D55096ABBF1BF99308F404A6DE58A5B702D732EA4ACB97

Function 228BC640 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 150COMMON

Download Yara Rule

Strings

%s at line %d of [%.10s], xrefs: 228BC7EC
ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 228BC785, 228BC791, 228BC7DD
database corruption, xrefs: 228BC7E7

Memory Dump Source

Source File: 00000004.00000002.3363366661.00000000227E8000.00000020.00001000.00020000.00000000.sdmp, Offset: 227E0000, based on PE: true

Associated: 00000004.00000002.3363339337.00000000227E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000227E1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.0000000022946000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000229ED000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229EF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229F8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364756825.0000000022A22000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_227e0000_MSBuild.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$database corruption$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f
API String ID: 0-2528248365
Opcode ID: 89a3f3f03b2dd0dbb9d66bb80f8f798218a77ff3e8a1e27a160d6edd5572b888
Instruction ID: 7c2c2f04178eb410b02c8739c3eb2b0263123aa0724e56488bcd897e6555c596
Opcode Fuzzy Hash: 89a3f3f03b2dd0dbb9d66bb80f8f798218a77ff3e8a1e27a160d6edd5572b888
Instruction Fuzzy Hash: 6A519375608341DFC308CF28C8D096ABBF1FF99204F58599DE5969B702D331E946CBA6

Function 227F0300 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 128COMMON

Download Yara Rule

Strings

winWrite2, xrefs: 227F043B
delayed %dms for lock/sharing conflict at line %d, xrefs: 227F03FF
winWrite1, xrefs: 227F045E

Memory Dump Source

Source File: 00000004.00000002.3363366661.00000000227E8000.00000020.00001000.00020000.00000000.sdmp, Offset: 227E0000, based on PE: true

Associated: 00000004.00000002.3363339337.00000000227E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000227E1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.0000000022946000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000229ED000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229EF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229F8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364756825.0000000022A22000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_227e0000_MSBuild.jbxd

Similarity

API ID:
String ID: delayed %dms for lock/sharing conflict at line %d$winWrite1$winWrite2
API String ID: 0-1808655853
Opcode ID: 1eb06a22d509ac5fb448f17e86a837d5655d2bfe94373b862e33df0f18d0ee2a
Instruction ID: f527a19811581d3ef32bcd2a5b9eaaf53dd6cfa0a0c4444ba1700309398af851
Opcode Fuzzy Hash: 1eb06a22d509ac5fb448f17e86a837d5655d2bfe94373b862e33df0f18d0ee2a
Instruction Fuzzy Hash: 414142B260C3029BC3048F28C98097FB7E9FFA5324F510A2EFA11D6399D335C1458B92

Function 228BD2E0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 119COMMON

Download Yara Rule

Strings

%s at line %d of [%.10s], xrefs: 228BD306
ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 228BD2F7
database corruption, xrefs: 228BD301

Memory Dump Source

Source File: 00000004.00000002.3363366661.00000000227E8000.00000020.00001000.00020000.00000000.sdmp, Offset: 227E0000, based on PE: true

Associated: 00000004.00000002.3363339337.00000000227E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000227E1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.0000000022946000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000229ED000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229EF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229F8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364756825.0000000022A22000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_227e0000_MSBuild.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$database corruption$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f
API String ID: 0-2528248365
Opcode ID: 8e4f3170ebb480a8649ef2dc760f85d6bf05dfbd52f80e0125801d46c60b7468
Instruction ID: be50bb288409ad0655f60712c1ec2f2d84d2f76ac0f4ec36e6d61a2ece6ef67b
Opcode Fuzzy Hash: 8e4f3170ebb480a8649ef2dc760f85d6bf05dfbd52f80e0125801d46c60b7468
Instruction Fuzzy Hash: 743107B6905304BFD7118A19DC40F5BBBE8FF98364F04452DFA4997312F622E951CBA2

Function 22978850 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 118COMMON

Download Yara Rule

Strings

delayed %dms for lock/sharing conflict at line %d, xrefs: 2297895F
os_win.c:%d: (%lu) %s(%s) - %s, xrefs: 229788E2

Memory Dump Source

Source File: 00000004.00000002.3363366661.0000000022946000.00000020.00001000.00020000.00000000.sdmp, Offset: 227E0000, based on PE: true

Associated: 00000004.00000002.3363339337.00000000227E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000227E1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000227E8000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000229ED000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229EF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229F8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364756825.0000000022A22000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_227e0000_MSBuild.jbxd

Similarity

API ID:
String ID: delayed %dms for lock/sharing conflict at line %d$os_win.c:%d: (%lu) %s(%s) - %s
API String ID: 0-1037342196
Opcode ID: 5217dc43e1d001f0a4f0d20fb8fae6cdc7e79f5507af5fd21848de7a241f9aab
Instruction ID: 382394aac3738e482cc636ee27382a5d5fbd3499fe667ef5a3b99b1ec714bb8c
Opcode Fuzzy Hash: 5217dc43e1d001f0a4f0d20fb8fae6cdc7e79f5507af5fd21848de7a241f9aab
Instruction Fuzzy Hash: 62215BB1608346AFE7219714C989BFBBBE9BFD4304F944C6CE59C87192D63598448353

Function 22825390 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 117COMMON

Download Yara Rule

Strings

%s at line %d of [%.10s], xrefs: 2282540D
ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 228253FE
database corruption, xrefs: 22825408

Memory Dump Source

Source File: 00000004.00000002.3363366661.00000000227E8000.00000020.00001000.00020000.00000000.sdmp, Offset: 227E0000, based on PE: true

Associated: 00000004.00000002.3363339337.00000000227E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000227E1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.0000000022946000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000229ED000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229EF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229F8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364756825.0000000022A22000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_227e0000_MSBuild.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$database corruption$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f
API String ID: 0-2528248365
Opcode ID: f932bd2ddc1f3c08a2e160dab58bf589ae2528e56042a9bfe86d009d832ae80b
Instruction ID: 945dcec561c0e67d9dc05b871ba69c3edebc261261872e977a6a7d03f8320f72
Opcode Fuzzy Hash: f932bd2ddc1f3c08a2e160dab58bf589ae2528e56042a9bfe86d009d832ae80b
Instruction Fuzzy Hash: B0318CAD280FD0C6D3258F2899607A7B7D09F51717F48466AE9CDD7682E32AE4C2C361

Function 22824130 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 109COMMON

Download Yara Rule

Strings

%s at line %d of [%.10s], xrefs: 2282425D
ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 228241A3, 228241EE, 228241FE, 2282424E
database corruption, xrefs: 22824258

Memory Dump Source

Source File: 00000004.00000002.3363366661.00000000227E8000.00000020.00001000.00020000.00000000.sdmp, Offset: 227E0000, based on PE: true

Associated: 00000004.00000002.3363339337.00000000227E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000227E1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.0000000022946000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000229ED000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229EF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229F8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364756825.0000000022A22000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_227e0000_MSBuild.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$database corruption$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f
API String ID: 0-2528248365
Opcode ID: 2c6e1b3e7b2e3a4aa455cf0f9fad3e8ef49156e32f5ec36e6efcd7e54f3ddf55
Instruction ID: 051f3b172eb7f63f04c8cb3cab9b96e6eda78f0495a017db663db07079b81e9e
Opcode Fuzzy Hash: 2c6e1b3e7b2e3a4aa455cf0f9fad3e8ef49156e32f5ec36e6efcd7e54f3ddf55
Instruction Fuzzy Hash: 6C31B1357087E156C314CA1D98909B6BBE1FB81206F01876EFDD5AB2C6C23CD684C7B1

Function 228A0010 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 98COMMON

Download Yara Rule

Strings

%s at line %d of [%.10s], xrefs: 228A009B
ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 228A008C, 228A00C2, 228A00FE
database corruption, xrefs: 228A0096

Memory Dump Source

Source File: 00000004.00000002.3363366661.00000000227E8000.00000020.00001000.00020000.00000000.sdmp, Offset: 227E0000, based on PE: true

Associated: 00000004.00000002.3363339337.00000000227E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000227E1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.0000000022946000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000229ED000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229EF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229F8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364756825.0000000022A22000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_227e0000_MSBuild.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$database corruption$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f
API String ID: 0-2528248365
Opcode ID: 637dfda7746627df2e97777f2b86ba6863bd6e5d016c5782fab584a7b9b927a4
Instruction ID: 256b1699ee6ffb4f988fc4466e14036d9c43c05116a290df2701429b15eee5b2
Opcode Fuzzy Hash: 637dfda7746627df2e97777f2b86ba6863bd6e5d016c5782fab584a7b9b927a4
Instruction Fuzzy Hash: CD3156342083908BC7048E289CE1666FBE1FFCA311F048A5EE598CB382C235D509CB62

Function 227EF000 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 97COMMON

Download Yara Rule

Strings

second argument to nth_value must be a positive integer, xrefs: 227EF0C4

Memory Dump Source

Source File: 00000004.00000002.3363366661.00000000227E8000.00000020.00001000.00020000.00000000.sdmp, Offset: 227E0000, based on PE: true

Associated: 00000004.00000002.3363339337.00000000227E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000227E1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.0000000022946000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000229ED000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229EF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229F8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364756825.0000000022A22000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_227e0000_MSBuild.jbxd

Similarity

API ID:
String ID: second argument to nth_value must be a positive integer
API String ID: 0-2620530100
Opcode ID: cad3a255d6bbe6d70791de5142d01a7d2aeba6f2db5859788e99a3f6f14674dd
Instruction ID: 69c170e57d33ca47744b89e4965ac8bb2b2a1ea8bffefc00a2680a6ee10adf1b
Opcode Fuzzy Hash: cad3a255d6bbe6d70791de5142d01a7d2aeba6f2db5859788e99a3f6f14674dd
Instruction Fuzzy Hash: D7315AB29087119BDB11AF24DD41B1A77E0BF20324F504665F85EA7682EF32EA54C6B3

Function 228005D0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 91COMMON

Download Yara Rule

Strings

rbu/zipvfs setup error, xrefs: 2280061A
rbu(%s)/%z, xrefs: 22800697

Memory Dump Source

Source File: 00000004.00000002.3363366661.00000000227E8000.00000020.00001000.00020000.00000000.sdmp, Offset: 227E0000, based on PE: true

Associated: 00000004.00000002.3363339337.00000000227E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000227E1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.0000000022946000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000229ED000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229EF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229F8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364756825.0000000022A22000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_227e0000_MSBuild.jbxd

Similarity

API ID:
String ID: rbu(%s)/%z$rbu/zipvfs setup error
API String ID: 0-199214844
Opcode ID: c5544b097654decd7b2ce9ee37f7097b74910771d77b11a8a3a25fed642e1505
Instruction ID: 0c803610fa3200c8558a67529fd9b666408dfac76945d0810defcc21e252212f
Opcode Fuzzy Hash: c5544b097654decd7b2ce9ee37f7097b74910771d77b11a8a3a25fed642e1505
Instruction Fuzzy Hash: 1D21E1B67043059FD7108F99DD80B5AB7E6EBC8321F11447AE96D87202DB72EA048BA1

Function 22825280 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 81COMMON

Download Yara Rule

Strings

%s at line %d of [%.10s], xrefs: 22825301
ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 228252F2
database corruption, xrefs: 228252FC

Memory Dump Source

Source File: 00000004.00000002.3363366661.00000000227E8000.00000020.00001000.00020000.00000000.sdmp, Offset: 227E0000, based on PE: true

Associated: 00000004.00000002.3363339337.00000000227E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000227E1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.0000000022946000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000229ED000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229EF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229F8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364756825.0000000022A22000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_227e0000_MSBuild.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$database corruption$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f
API String ID: 0-2528248365
Opcode ID: 54715ff1fb7aa7ab15c803025ecb7a968ea5e0a1043faa3a8ea5ae98e710b3e9
Instruction ID: d12d8af10cbeb1493255f15fe4a65d12555fffa66ed00c5d2047b8a4d36796e3
Opcode Fuzzy Hash: 54715ff1fb7aa7ab15c803025ecb7a968ea5e0a1043faa3a8ea5ae98e710b3e9
Instruction Fuzzy Hash: 2711357B600310A7CB115A5CBC40DDBBFE5EFC53B6F090565FA4C56222D623C961D3A2

Function 22948490 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 80COMMON

Download Yara Rule

Strings

%s at line %d of [%.10s], xrefs: 229484D0
ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 229484C1
database corruption, xrefs: 229484CB

Memory Dump Source

Source File: 00000004.00000002.3363366661.0000000022946000.00000020.00001000.00020000.00000000.sdmp, Offset: 227E0000, based on PE: true

Associated: 00000004.00000002.3363339337.00000000227E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000227E1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000227E8000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000229ED000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229EF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229F8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364756825.0000000022A22000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_227e0000_MSBuild.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$database corruption$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f
API String ID: 0-2528248365
Opcode ID: b5b4bf51eb0319aeefdd34a423dd63563aebc035d1cfac176fbbef66f910f1ec
Instruction ID: c807e471b5a71860bb17a9ea87f8b04bedd83a56ad8b04b28266800069cb8266
Opcode Fuzzy Hash: b5b4bf51eb0319aeefdd34a423dd63563aebc035d1cfac176fbbef66f910f1ec
Instruction Fuzzy Hash: 3C21D0767007409BD7208F58DC80B97B3E9FB94311F4049AEF94A97742EB32EA45C762

Function 227EB220 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 76COMMON

Download Yara Rule

Strings

misuse, xrefs: 227EB233
%s at line %d of [%.10s], xrefs: 227EB238
ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 227EB229

Memory Dump Source

Source File: 00000004.00000002.3363366661.00000000227E8000.00000020.00001000.00020000.00000000.sdmp, Offset: 227E0000, based on PE: true

Associated: 00000004.00000002.3363339337.00000000227E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000227E1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.0000000022946000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000229ED000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229EF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229F8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364756825.0000000022A22000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_227e0000_MSBuild.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f$misuse
API String ID: 0-3564305576
Opcode ID: c4a5c442417349ccc8b9077eedefb95a64f3407d9fc96ac68190860e9194dcd5
Instruction ID: 834237bd2dfba0d28eabefb06ba7c31cbd3263568c91230d6da3707ee9a98301
Opcode Fuzzy Hash: c4a5c442417349ccc8b9077eedefb95a64f3407d9fc96ac68190860e9194dcd5
Instruction Fuzzy Hash: 3C11E4B5608701ABD7018E28AD84F6B7BEDBFD4304F414528F91E97206EB31E545C7B2

Function 22906140 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 69COMMON

Download Yara Rule

Strings

fts5: error creating shadow table %q_%s: %s, xrefs: 22906197
WITHOUT ROWID, xrefs: 22906150, 22906162
CREATE TABLE %Q.'%q_%q'(%s)%s, xrefs: 22906175

Memory Dump Source

Source File: 00000004.00000002.3363366661.00000000227E8000.00000020.00001000.00020000.00000000.sdmp, Offset: 227E0000, based on PE: true

Associated: 00000004.00000002.3363339337.00000000227E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000227E1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.0000000022946000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000229ED000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229EF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229F8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364756825.0000000022A22000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_227e0000_MSBuild.jbxd

Similarity

API ID:
String ID: WITHOUT ROWID$CREATE TABLE %Q.'%q_%q'(%s)%s$fts5: error creating shadow table %q_%s: %s
API String ID: 0-1971204597
Opcode ID: 4f4ec96246f852a5cfa7439f7d820f4a75ec083c17c23ccf88ebf731e5f4b5ae
Instruction ID: 498c37d7ca53f76f2f4c1fa71284cccaab42dfaedb6b2ae3110cf3b7965d0784
Opcode Fuzzy Hash: 4f4ec96246f852a5cfa7439f7d820f4a75ec083c17c23ccf88ebf731e5f4b5ae
Instruction Fuzzy Hash: 1511E471604310AFD7014F98DC98A3BB7B8FF84349F014A68FD05C6609C739CA59DBA2

Function 2288A6B0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 67COMMON

Download Yara Rule

Strings

%s at line %d of [%.10s], xrefs: 2288A6D2
ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 2288A6C3
database corruption, xrefs: 2288A6CD

Memory Dump Source

Source File: 00000004.00000002.3363366661.00000000227E8000.00000020.00001000.00020000.00000000.sdmp, Offset: 227E0000, based on PE: true

Associated: 00000004.00000002.3363339337.00000000227E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000227E1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.0000000022946000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000229ED000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229EF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229F8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364756825.0000000022A22000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_227e0000_MSBuild.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$database corruption$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f
API String ID: 0-2528248365
Opcode ID: 34fcec457f4bd0c3f9006375929b232911018295facb5c3ba385100547e160a3
Instruction ID: 22108c74d34f6695f183b98d67da393add7af6da93f5accf7ffc17638de42b62
Opcode Fuzzy Hash: 34fcec457f4bd0c3f9006375929b232911018295facb5c3ba385100547e160a3
Instruction Fuzzy Hash: 92119DB62043019FE700DF58EC80F5BB7E8EBC0310F0408A9F684AB291D336D845CB62

Function 22824DA0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 65COMMON

Download Yara Rule

Strings

%s at line %d of [%.10s], xrefs: 22824E27
ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 22824E18
database corruption, xrefs: 22824E22

Memory Dump Source

Source File: 00000004.00000002.3363366661.00000000227E8000.00000020.00001000.00020000.00000000.sdmp, Offset: 227E0000, based on PE: true

Associated: 00000004.00000002.3363339337.00000000227E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000227E1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.0000000022946000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000229ED000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229EF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229F8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364756825.0000000022A22000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_227e0000_MSBuild.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$database corruption$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f
API String ID: 0-2528248365
Opcode ID: 0e26b299c7a1334a8be4cd6b197a6e8cc0df0fcacb7b5a046f37877dfadac294
Instruction ID: 74440bbf931f3a458297d4eaafa95b553df03b923df5579a9599a537cff9c902
Opcode Fuzzy Hash: 0e26b299c7a1334a8be4cd6b197a6e8cc0df0fcacb7b5a046f37877dfadac294
Instruction Fuzzy Hash: E1119DB2601311DFD300DF58D880A8AFFE5EFA4728F15849AF1489B312C332E842CBA1

Function 227F2380 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 62COMMON

Download Yara Rule

Strings

misuse, xrefs: 227F2406
%s at line %d of [%.10s], xrefs: 227F240B
ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 227F23FC

Memory Dump Source

Source File: 00000004.00000002.3363366661.00000000227E8000.00000020.00001000.00020000.00000000.sdmp, Offset: 227E0000, based on PE: true

Associated: 00000004.00000002.3363339337.00000000227E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000227E1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.0000000022946000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000229ED000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229EF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229F8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364756825.0000000022A22000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_227e0000_MSBuild.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f$misuse
API String ID: 0-3564305576
Opcode ID: 35ee4233095853d1741d0eac375bc629411c3c644e07c0f25687b8135a3bf76f
Instruction ID: c468fcddc842c58455b4ed18516b41abe992a6ed55c90dd2b26e66104a8eb1d2
Opcode Fuzzy Hash: 35ee4233095853d1741d0eac375bc629411c3c644e07c0f25687b8135a3bf76f
Instruction Fuzzy Hash: B7117C75308302AFEB18CE1CDC90F5ABBA4BFA8304F414498E6459B396D771E986DB91

Function 2280F0E0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 56COMMON

Download Yara Rule

Strings

INSERT INTO %Q.%Q(%Q) VALUES('flush'), xrefs: 2280F105

Memory Dump Source

Source File: 00000004.00000002.3363366661.00000000227E8000.00000020.00001000.00020000.00000000.sdmp, Offset: 227E0000, based on PE: true

Associated: 00000004.00000002.3363339337.00000000227E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000227E1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.0000000022946000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000229ED000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229EF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229F8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364756825.0000000022A22000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_227e0000_MSBuild.jbxd

Similarity

API ID:
String ID: INSERT INTO %Q.%Q(%Q) VALUES('flush')
API String ID: 0-2312637080
Opcode ID: 29f136dc5cf06d1061373d0ff19c198f61d69b89aaa47c03e054f9feec4e13f6
Instruction ID: 4ee657bb5f04e1387d80129173d8e0cb316dd586947f477475533efb68995aff
Opcode Fuzzy Hash: 29f136dc5cf06d1061373d0ff19c198f61d69b89aaa47c03e054f9feec4e13f6
Instruction Fuzzy Hash: A4019E3A308341AED322866EFC40F97B7D8EBE4725F04446AF5ADC3201DB61AC858271

Function 22810D70 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47COMMON

Download Yara Rule

Strings

INSERT INTO %Q.%Q(%Q) VALUES('flush'), xrefs: 22810D87

Memory Dump Source

Source File: 00000004.00000002.3363366661.00000000227E8000.00000020.00001000.00020000.00000000.sdmp, Offset: 227E0000, based on PE: true

Associated: 00000004.00000002.3363339337.00000000227E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000227E1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.0000000022946000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000229ED000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229EF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229F8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364756825.0000000022A22000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_227e0000_MSBuild.jbxd

Similarity

API ID:
String ID: INSERT INTO %Q.%Q(%Q) VALUES('flush')
API String ID: 0-2312637080
Opcode ID: 3a27c3aa91d9d3fdaa678f6ae4af2cab856a424244cd387d154e8a4d9354e949
Instruction ID: d93789dc43a62942cc661ca52f7769f8036dc201e1df7b5686691163f6353dec
Opcode Fuzzy Hash: 3a27c3aa91d9d3fdaa678f6ae4af2cab856a424244cd387d154e8a4d9354e949
Instruction Fuzzy Hash: 35018C76204304AFE3109A5DED80F52B7E9EB88724F044569FA8DEB680E7B2FC458761

Function 227EEF30 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 43COMMON

Download Yara Rule

Strings

misuse, xrefs: 227EEFB0
%s at line %d of [%.10s], xrefs: 227EEFB5
ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 227EEFA6

Memory Dump Source

Source File: 00000004.00000002.3363366661.00000000227E8000.00000020.00001000.00020000.00000000.sdmp, Offset: 227E0000, based on PE: true

Associated: 00000004.00000002.3363339337.00000000227E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000227E1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.0000000022946000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000229ED000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229EF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229F8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364756825.0000000022A22000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_227e0000_MSBuild.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f$misuse
API String ID: 0-3564305576
Opcode ID: 2908f748ccc6989964e0786e1b8582628142a160f3b4fa12e59594572d807e4e
Instruction ID: 209e4ce411717e02901c680e27d7d7bd3d12c0146ae16bab912a7dbfe861fcd3
Opcode Fuzzy Hash: 2908f748ccc6989964e0786e1b8582628142a160f3b4fa12e59594572d807e4e
Instruction Fuzzy Hash: 510128B06097119FD7008F4CE854B1A7BE1BF82318F464968F9096B748C375E846CBE7

Function 228200B0 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 27COMMON

Download Yara Rule

Strings

%s at line %d of [%.10s], xrefs: 228200EA
ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 228200DB
database corruption, xrefs: 228200E5

Memory Dump Source

Source File: 00000004.00000002.3363366661.00000000227E8000.00000020.00001000.00020000.00000000.sdmp, Offset: 227E0000, based on PE: true

Associated: 00000004.00000002.3363339337.00000000227E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000227E1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.0000000022946000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000229ED000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229EF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229F8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364756825.0000000022A22000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_227e0000_MSBuild.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$database corruption$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f
API String ID: 0-2528248365
Opcode ID: 216ecaeb941bddfd32e537a39d50ca709a3a559be36c79a7dd1bf412e459c228
Instruction ID: 97c047830c7d0a234e354b01801be8a58a65064184c249c264249ddff731223b
Opcode Fuzzy Hash: 216ecaeb941bddfd32e537a39d50ca709a3a559be36c79a7dd1bf412e459c228
Instruction Fuzzy Hash: 51E09278340748AFF704CA28CAC1F537BD1BB64700F464294E409AB25AEB21DEC0D771

Function 2299066B Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,00000000,00000800,?,22990513,?,?,?,?,?,?,229907BD,00000003,FlsSetValue,22A07770,22A07778), ref: 22990678
GetLastError.KERNEL32(?,22990513,?,?,?,?,?,?,229907BD,00000003,FlsSetValue,22A07770,22A07778), ref: 22990682
LoadLibraryExW.KERNEL32(?,00000000,00000000), ref: 229906AA

Strings

api-ms-, xrefs: 2299068F

Memory Dump Source

Source File: 00000004.00000002.3363366661.0000000022946000.00000020.00001000.00020000.00000000.sdmp, Offset: 227E0000, based on PE: true

Associated: 00000004.00000002.3363339337.00000000227E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000227E1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000227E8000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000229ED000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229EF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229F8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364756825.0000000022A22000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_227e0000_MSBuild.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID: api-ms-
API String ID: 3177248105-2084034818
Opcode ID: 5eb6b965aa8959e963c480ba954f24e4a06c5e1fea80bd12a2c9527b6e3ec3d8
Instruction ID: c7d8400c7c102a3cd5884cc18672786d817de3bc83ea86068407bf1a9d005eaa
Opcode Fuzzy Hash: 5eb6b965aa8959e963c480ba954f24e4a06c5e1fea80bd12a2c9527b6e3ec3d8
Instruction Fuzzy Hash: 63E02030284715BBFB101EA0DC09B183F58AF40760F104570FD0DE89D3D775E9558A48

Function 2291C1F0 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 9COMMON

Download Yara Rule

Strings

misuse, xrefs: 2291C1F9
%s at line %d of [%.10s], xrefs: 2291C1FE
ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 2291C1F0

Memory Dump Source

Source File: 00000004.00000002.3363366661.00000000227E8000.00000020.00001000.00020000.00000000.sdmp, Offset: 227E0000, based on PE: true

Associated: 00000004.00000002.3363339337.00000000227E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000227E1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.0000000022946000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000229ED000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229EF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229F8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364756825.0000000022A22000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_227e0000_MSBuild.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f$misuse
API String ID: 0-3564305576
Opcode ID: 9129d30f380b811bcbcb4044dda89b608280ee3ad5f0df79f293e6078a160a7f
Instruction ID: 5f758a732c798fb31494224ba649b576e50baafd8dfcffa724101080c33c3295
Opcode Fuzzy Hash: 9129d30f380b811bcbcb4044dda89b608280ee3ad5f0df79f293e6078a160a7f
Instruction Fuzzy Hash: 5BB09B6571474475FF0111449CD2FC55F1077D5306F818064B1556D69DD07642505116

Function 228EA570 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 9COMMON

Download Yara Rule

Strings

%s at line %d of [%.10s], xrefs: 228EA57E
ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 228EA570
database corruption, xrefs: 228EA579

Memory Dump Source

Source File: 00000004.00000002.3363366661.00000000227E8000.00000020.00001000.00020000.00000000.sdmp, Offset: 227E0000, based on PE: true

Associated: 00000004.00000002.3363339337.00000000227E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000227E1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.0000000022946000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000229ED000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229EF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229F8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364756825.0000000022A22000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_227e0000_MSBuild.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$database corruption$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f
API String ID: 0-2528248365
Opcode ID: fe4ef4aa9da04674b86cb9e2f6a282021a8c6d325aa06a242f2af40206c0b99b
Instruction ID: d8c0204a77c0d2e5502e7d1a9989f52982652f0200c9f679ebf0619224dd46bd
Opcode Fuzzy Hash: fe4ef4aa9da04674b86cb9e2f6a282021a8c6d325aa06a242f2af40206c0b99b
Instruction Fuzzy Hash: 13B0926970430032FE012158ADD2F8B3F107764700F828864B15A2AA9AE22A86108266

Function 228E6B50 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 9COMMON

Download Yara Rule

Strings

%s at line %d of [%.10s], xrefs: 228E6B5E
ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 228E6B50
cannot open file, xrefs: 228E6B59

Memory Dump Source

Source File: 00000004.00000002.3363366661.00000000227E8000.00000020.00001000.00020000.00000000.sdmp, Offset: 227E0000, based on PE: true

Associated: 00000004.00000002.3363339337.00000000227E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000227E1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.0000000022946000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000229ED000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229EF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229F8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364756825.0000000022A22000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_227e0000_MSBuild.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$cannot open file$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f
API String ID: 0-1799306995
Opcode ID: 98885045a2e7a48d1259f7f3feeb11fd6b29988fc72937ff6d4d9d236777ca24
Instruction ID: 673326ec14d6a5b63d3e1fd98d9df3113ebaf2385894d679b0e2d536218243a7
Opcode Fuzzy Hash: 98885045a2e7a48d1259f7f3feeb11fd6b29988fc72937ff6d4d9d236777ca24
Instruction Fuzzy Hash: BDB0925670438036FE012958ECD2F862F107765700F8188A4B18A3AAAEE0ABC2908226

Function 228425E0 Relevance: 6.4, APIs: 4, Instructions: 394COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3363366661.00000000227E8000.00000020.00001000.00020000.00000000.sdmp, Offset: 227E0000, based on PE: true

Associated: 00000004.00000002.3363339337.00000000227E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000227E1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.0000000022946000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000229ED000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229EF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229F8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364756825.0000000022A22000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_227e0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aae8ae0ddda98952cd19a4ebda0475c40f3a1d2383f606c787eb11d3b2ebd695
Instruction ID: a75da3afd9006b7b693d8ba705a2a3218b885ab7a0111c7885fcd9ba3821a74b
Opcode Fuzzy Hash: aae8ae0ddda98952cd19a4ebda0475c40f3a1d2383f606c787eb11d3b2ebd695
Instruction Fuzzy Hash: F5D1B574A48305DFD700DFA5C958B2A77A4FF04349F410A29FD09C264DDBB8DA5ACBA2

Function 229D67F5 Relevance: 6.3, APIs: 4, Instructions: 333fileCOMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32(02176813,00000000,00000000,?), ref: 229D6858
WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 229D6AAA
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 229D6AF0
GetLastError.KERNEL32 ref: 229D6B93

Memory Dump Source

Source File: 00000004.00000002.3363366661.0000000022946000.00000020.00001000.00020000.00000000.sdmp, Offset: 227E0000, based on PE: true

Associated: 00000004.00000002.3363339337.00000000227E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000227E1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000227E8000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000229ED000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229EF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229F8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364756825.0000000022A22000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_227e0000_MSBuild.jbxd

Similarity

API ID: FileWrite$ConsoleErrorLastOutput
String ID:
API String ID: 2718003287-0
Opcode ID: c6aad403941a7f5de4beee6841305902da7f18a35b6f916aefa9f7b83dafe8be
Instruction ID: 034a3d8eac176448b2cb7cf71fa4997e0c059b00084dc1c03590636f5cbad807
Opcode Fuzzy Hash: c6aad403941a7f5de4beee6841305902da7f18a35b6f916aefa9f7b83dafe8be
Instruction Fuzzy Hash: 36D17BB6D043589FCB05DFE8D8909EDBBB8FF09304F24856AE956EB241D634A942CF50

Function 22888EB0 Relevance: 6.2, APIs: 4, Instructions: 175COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3363366661.00000000227E8000.00000020.00001000.00020000.00000000.sdmp, Offset: 227E0000, based on PE: true

Associated: 00000004.00000002.3363339337.00000000227E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000227E1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.0000000022946000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000229ED000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229EF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229F8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364756825.0000000022A22000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_227e0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 953827dedc520dbfd81beda1f7dd63955ed929cc61c500fd9a6a4e897263e7dc
Instruction ID: 770e1158f344ec475a8af43b597bdc3443f999946e12b0ac32cfe7c6bd5bc3b6
Opcode Fuzzy Hash: 953827dedc520dbfd81beda1f7dd63955ed929cc61c500fd9a6a4e897263e7dc
Instruction Fuzzy Hash: 4E51367560839DCED7218F74994879AFBE49F11314F080AA9E9CCCB342E369D689C763

Function 2280CAE0 Relevance: 6.1, APIs: 4, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3363366661.00000000227E8000.00000020.00001000.00020000.00000000.sdmp, Offset: 227E0000, based on PE: true

Associated: 00000004.00000002.3363339337.00000000227E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000227E1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.0000000022946000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000229ED000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229EF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229F8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364756825.0000000022A22000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_227e0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2715a04739c44094fa19d7091b8ae7e8e65d849d038f3c530013d9041054c9ca
Instruction ID: ed098f8d8d97432af0170b91b8720443a7e049a4a065bae0354c7d0f3666fcaa
Opcode Fuzzy Hash: 2715a04739c44094fa19d7091b8ae7e8e65d849d038f3c530013d9041054c9ca
Instruction Fuzzy Hash: E931ADBA6043019FD7149F68E944B66B3E4FF94361F00097AEA09C7660E361EA48D7A2

Function 2287CFE0 Relevance: 6.1, APIs: 4, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3363366661.00000000227E8000.00000020.00001000.00020000.00000000.sdmp, Offset: 227E0000, based on PE: true

Associated: 00000004.00000002.3363339337.00000000227E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000227E1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.0000000022946000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000229ED000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229EF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229F8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364756825.0000000022A22000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_227e0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67f155ee4936aae19aec06cb809ffc92085dd37a0bce870209c165f40ac7d322
Instruction ID: 7a4dddfb6d8ae37de03a24cb0a97f66ee48b3402e660419b696dea4f7aeedc05
Opcode Fuzzy Hash: 67f155ee4936aae19aec06cb809ffc92085dd37a0bce870209c165f40ac7d322
Instruction Fuzzy Hash: 5721D375504705DFC750EF68CC84A5ABBF0EFA8340F50082DF599D3221E331E6588B92

Function 227E2ABD Relevance: 6.0, APIs: 4, Instructions: 30COMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(?,?,?,00000000), ref: 229E1382
GetLastError.KERNEL32 ref: 229E138E
___initconout.LIBCMT ref: 229E139E

Part of subcall function 229E1303: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,229E13A3), ref: 229E1316

WriteConsoleW.KERNEL32(?,?,?,00000000), ref: 229E13B3

Memory Dump Source

Source File: 00000004.00000002.3363366661.00000000227E1000.00000020.00001000.00020000.00000000.sdmp, Offset: 227E0000, based on PE: true

Associated: 00000004.00000002.3363339337.00000000227E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000227E8000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.0000000022946000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000229ED000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229EF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229F8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364756825.0000000022A22000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_227e0000_MSBuild.jbxd

Similarity

API ID: ConsoleWrite$CreateErrorFileLast___initconout
String ID:
API String ID: 3431868840-0
Opcode ID: de5f6a4555f223c14ae9a698b14cb28eea74f35d8758f4c6b10edcf356733199
Instruction ID: 657b355e777135d88db25bc2cdf856ab95b24c199e2c40451365e3373883953e
Opcode Fuzzy Hash: de5f6a4555f223c14ae9a698b14cb28eea74f35d8758f4c6b10edcf356733199
Instruction Fuzzy Hash: 4EF05836140225BBDF121EE5CC18A993F66FB083A0F024610FE1E86935DA3ACD619B90

Function 22967300 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 242COMMON

Download Yara Rule

Strings

-, xrefs: 22967538
%!.15g, xrefs: 229675C3

Memory Dump Source

Source File: 00000004.00000002.3363366661.0000000022946000.00000020.00001000.00020000.00000000.sdmp, Offset: 227E0000, based on PE: true

Associated: 00000004.00000002.3363339337.00000000227E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000227E1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000227E8000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000229ED000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229EF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229F8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364756825.0000000022A22000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_227e0000_MSBuild.jbxd

Similarity

API ID:
String ID: %!.15g$-
API String ID: 0-583212262
Opcode ID: 32aa4c7c0524cf7d032decc9b435c1887b6fcf369c0ddb1fbdaffc7486a5aa81
Instruction ID: 502305abe27d3c349625dfbfe2e0b860a5b59ef110f6834c2474080783a61a08
Opcode Fuzzy Hash: 32aa4c7c0524cf7d032decc9b435c1887b6fcf369c0ddb1fbdaffc7486a5aa81
Instruction Fuzzy Hash: 96918C70A083418FD304CF6CD9917AAFBE4EBC8304F04496DE988C7351E7B9C9098B92

Function 2282CBF0 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 238COMMON

Download Yara Rule

Strings

string or blob too big, xrefs: 2282CE39

Memory Dump Source

Source File: 00000004.00000002.3363366661.00000000227E8000.00000020.00001000.00020000.00000000.sdmp, Offset: 227E0000, based on PE: true

Associated: 00000004.00000002.3363339337.00000000227E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000227E1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.0000000022946000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000229ED000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229EF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229F8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364756825.0000000022A22000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_227e0000_MSBuild.jbxd

Similarity

API ID:
String ID: string or blob too big
API String ID: 0-2803948771
Opcode ID: 7f21a2ec38c88200d0398a97cb7185f52e5bb31fa107496b5ff76acbcbf05400
Instruction ID: 2458a684f7ac5571a0ee0245751f878a757c469af42b608118b34b252ff98224
Opcode Fuzzy Hash: 7f21a2ec38c88200d0398a97cb7185f52e5bb31fa107496b5ff76acbcbf05400
Instruction Fuzzy Hash: 08812479A04B85CBD300CF18CD81B2677E5EF94314F060B18FB48972A2E375EA84C792

Function 227FC8E0 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 206COMMON

Download Yara Rule

Strings

LIKE or GLOB pattern too complex, xrefs: 227FC94F
ESCAPE expression must be a single character, xrefs: 227FCA43

Memory Dump Source

Source File: 00000004.00000002.3363366661.00000000227E8000.00000020.00001000.00020000.00000000.sdmp, Offset: 227E0000, based on PE: true

Associated: 00000004.00000002.3363339337.00000000227E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000227E1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.0000000022946000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000229ED000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229EF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229F8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364756825.0000000022A22000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_227e0000_MSBuild.jbxd

Similarity

API ID:
String ID: ESCAPE expression must be a single character$LIKE or GLOB pattern too complex
API String ID: 0-264706735
Opcode ID: 50a27e67314827bf74e5ebc59d4699b6e2c61c45f640f1a2f06b41421dbce6e3
Instruction ID: 5aec4713139ff041044b09d5b0a90ac95dffc4d3a61a254052dbdb6955605f5d
Opcode Fuzzy Hash: 50a27e67314827bf74e5ebc59d4699b6e2c61c45f640f1a2f06b41421dbce6e3
Instruction Fuzzy Hash: 3E618971A0C3508FDB08CF24C981B6677D5AF42328F28428DF9A5AB3D3D676E685D391

Function 227FD0F0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 143COMMON

Download Yara Rule

Strings

string or blob too big, xrefs: 227FD213

Memory Dump Source

Source File: 00000004.00000002.3363366661.00000000227E8000.00000020.00001000.00020000.00000000.sdmp, Offset: 227E0000, based on PE: true

Associated: 00000004.00000002.3363339337.00000000227E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000227E1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.0000000022946000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000229ED000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229EF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229F8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364756825.0000000022A22000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_227e0000_MSBuild.jbxd

Similarity

API ID:
String ID: string or blob too big
API String ID: 0-2803948771
Opcode ID: 99eb74d5a2ce8c80cb06a5b5970a2cce800e9d74787c862f5f922d2663ff295d
Instruction ID: e648a4faae74d89f7f4017c4c8f3a446f460c524704652bf698b8e53f1e4407a
Opcode Fuzzy Hash: 99eb74d5a2ce8c80cb06a5b5970a2cce800e9d74787c862f5f922d2663ff295d
Instruction Fuzzy Hash: 2D41587390C3418FE7118A389C41B9B7B96AF65320F550A2CFDA5533D3E626D648C393

Function 227FD300 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 103COMMON

Download Yara Rule

Strings

string or blob too big, xrefs: 227FD3D5

Memory Dump Source

Source File: 00000004.00000002.3363366661.00000000227E8000.00000020.00001000.00020000.00000000.sdmp, Offset: 227E0000, based on PE: true

Associated: 00000004.00000002.3363339337.00000000227E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000227E1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.0000000022946000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000229ED000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229EF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229F8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364756825.0000000022A22000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_227e0000_MSBuild.jbxd

Similarity

API ID:
String ID: string or blob too big
API String ID: 0-2803948771
Opcode ID: 789745a235cf458bf9dc0ef6a7fa6279803c1571cf9f2f1ed4a3c4c38b065859
Instruction ID: bdb637df702d63204f6828d6daa36cb793ccf62bccc8f9f46a5b235eb66b121d
Opcode Fuzzy Hash: 789745a235cf458bf9dc0ef6a7fa6279803c1571cf9f2f1ed4a3c4c38b065859
Instruction Fuzzy Hash: 60317BB2A0C324DBE7154A289D40B663B599F92328F1803A9FF557B3C2D267D906C3A1

Function 228187A0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

Strings

ALTER TABLE %Q.'%q_node' RENAME TO "%w_node";ALTER TABLE %Q.'%q_parent' RENAME TO "%w_parent";ALTER TABLE %Q.'%q_rowid' RENAME TO "%w_rowid";, xrefs: 228187B9

Memory Dump Source

Source File: 00000004.00000002.3363366661.00000000227E8000.00000020.00001000.00020000.00000000.sdmp, Offset: 227E0000, based on PE: true

Associated: 00000004.00000002.3363339337.00000000227E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000227E1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.0000000022946000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000229ED000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229EF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229F8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364756825.0000000022A22000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_227e0000_MSBuild.jbxd

Similarity

API ID:
String ID: ALTER TABLE %Q.'%q_node' RENAME TO "%w_node";ALTER TABLE %Q.'%q_parent' RENAME TO "%w_parent";ALTER TABLE %Q.'%q_rowid' RENAME TO "%w_rowid";
API String ID: 0-2843444156
Opcode ID: 46839a2fa3b5e236009bf4bff711752f90b29e080184dca2243ccab0fbaf988c
Instruction ID: 731a4b6c19c47bc0795b9d9d182bc99fefa9c59d14bdd42fb06e13757ae86149
Opcode Fuzzy Hash: 46839a2fa3b5e236009bf4bff711752f90b29e080184dca2243ccab0fbaf988c
Instruction Fuzzy Hash: A91101B1A40200AFE3009768EC19F7B73A8EB80356F454634FD08C2648D778EC96C7B5

Function 22815350 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62COMMON

Download Yara Rule

Strings

F, xrefs: 2281539B

Memory Dump Source

Source File: 00000004.00000002.3363366661.00000000227E8000.00000020.00001000.00020000.00000000.sdmp, Offset: 227E0000, based on PE: true

Associated: 00000004.00000002.3363339337.00000000227E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000227E1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.0000000022946000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000229ED000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229EF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229F8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364756825.0000000022A22000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_227e0000_MSBuild.jbxd

Similarity

API ID:
String ID: F
API String ID: 0-1304234792
Opcode ID: 279fdda9cc7511d26bb9f667994e78a1bb22ab437c19f3eb4a5b7a5c872d9187
Instruction ID: adfb651764021ff03c1e5032ddadea1ad815d59d6c7cef0e848917a7cba765e9
Opcode Fuzzy Hash: 279fdda9cc7511d26bb9f667994e78a1bb22ab437c19f3eb4a5b7a5c872d9187
Instruction Fuzzy Hash: E6115EB56083408BC704CF15C95579BB7E4AFD8314F84486EE88E87290E778D548CB97

Function 2283EFE0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 59COMMON

Download Yara Rule

Strings

SELECT %s WHERE rowid = ?, xrefs: 2283F017

Memory Dump Source

Source File: 00000004.00000002.3363366661.00000000227E8000.00000020.00001000.00020000.00000000.sdmp, Offset: 227E0000, based on PE: true

Associated: 00000004.00000002.3363339337.00000000227E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000227E1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.0000000022946000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000229ED000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229EF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229F8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364756825.0000000022A22000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_227e0000_MSBuild.jbxd

Similarity

API ID:
String ID: SELECT %s WHERE rowid = ?
API String ID: 0-866778640
Opcode ID: afb4e06d7422c0d6ecfad6ce2a0c403722c6ac4f509128baf853b756beb8b20b
Instruction ID: 3d3c361c7f770373f642826e7c5457847ff5f82ae4801351496b54276fe65f35
Opcode Fuzzy Hash: afb4e06d7422c0d6ecfad6ce2a0c403722c6ac4f509128baf853b756beb8b20b
Instruction Fuzzy Hash: 8D112536200309ABD7208F9AEC40F96F794FB60321F10852EF65A96640EB72F45187F0

Function 22817200 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 39COMMON

Download Yara Rule

Strings

API call with %s database connection pointer, xrefs: 22817220
invalid, xrefs: 2281721B

Memory Dump Source

Source File: 00000004.00000002.3363366661.00000000227E8000.00000020.00001000.00020000.00000000.sdmp, Offset: 227E0000, based on PE: true

Associated: 00000004.00000002.3363339337.00000000227E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000227E1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.0000000022946000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000229ED000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229EF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229F8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364756825.0000000022A22000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_227e0000_MSBuild.jbxd

Similarity

API ID:
String ID: API call with %s database connection pointer$invalid
API String ID: 0-3574585026
Opcode ID: 72fec32558fde9d696a6167a165521a99a31dd5f521c0ea328b1e1c870194377
Instruction ID: 62db7e6f7962c80c26fc19779d4fa082b4501f94c92188ebf96ad790fe304753
Opcode Fuzzy Hash: 72fec32558fde9d696a6167a165521a99a31dd5f521c0ea328b1e1c870194377
Instruction Fuzzy Hash: 1FF0F639B057108BDA144668BD24BE377DA5F40325F000A6DF76F922D4C324E896C791

Function 227F85B0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 38COMMON

Download Yara Rule

Strings

CREATE TABLE x(sql,ncol,ro,busy,nscan,nsort,naidx,nstep,reprep,run,mem), xrefs: 227F85B6

Memory Dump Source

Source File: 00000004.00000002.3363366661.00000000227E8000.00000020.00001000.00020000.00000000.sdmp, Offset: 227E0000, based on PE: true

Associated: 00000004.00000002.3363339337.00000000227E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000227E1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.0000000022946000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3363366661.00000000229ED000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229EF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364573446.00000000229F8000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364756825.0000000022A22000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3364794204.0000000022A2F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_227e0000_MSBuild.jbxd

Similarity

API ID:
String ID: CREATE TABLE x(sql,ncol,ro,busy,nscan,nsort,naidx,nstep,reprep,run,mem)
API String ID: 0-3640693396
Opcode ID: 96d099a7457aa2ac4ddb581c844276c053ca9e5591e4d64d5bdbd7eace514fa3
Instruction ID: cc8acd443678a05f6745e02775070659ba4e9c7fa00c01f142713e842d0ffde5
Opcode Fuzzy Hash: 96d099a7457aa2ac4ddb581c844276c053ca9e5591e4d64d5bdbd7eace514fa3
Instruction Fuzzy Hash: 27F0B43260C3214BC3015B1EF900B8AB3D5AFE1765F154166F818DB250E7B0E9828BE1

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Vidar

Yara Signatures

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Snort Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\BAFCFBAEGDHI\AAAAKJ

C:\ProgramData\BAFCFBAEGDHI\AAEHDA

C:\ProgramData\BAFCFBAEGDHI\AFCBKF

C:\ProgramData\BAFCFBAEGDHI\EBGDAA

C:\ProgramData\BAFCFBAEGDHI\ECFCBK

C:\ProgramData\BAFCFBAEGDHI\EHDGIJ

C:\ProgramData\BAFCFBAEGDHI\GCBGII

C:\ProgramData\BAFCFBAEGDHI\GIEHJK

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

Windows Analysis Report
file.exe

Function 05399AEB Relevance: 46.9, Strings: 37, Instructions: 655
COMMON

Function 0539439B Relevance: 46.9, Strings: 37, Instructions: 604
COMMON

Function 053943A8 Relevance: 46.9, Strings: 37, Instructions: 601
COMMON

Function 053965BB Relevance: 46.8, Strings: 37, Instructions: 590
COMMON

Function 0539734F Relevance: 46.8, Strings: 37, Instructions: 533
COMMON

Function 05397360 Relevance: 46.8, Strings: 37, Instructions: 532
COMMON

Function 0539B008 Relevance: 1.8, Strings: 1, Instructions: 578
COMMON

Function 053954FD Relevance: 4.5, Strings: 3, Instructions: 704
COMMON

Function 05ACFA10 Relevance: 1.8, APIs: 1, Instructions: 321
processCOMMON

Function 05ACF5E0 Relevance: 1.6, APIs: 1, Instructions: 116
injectionCOMMON

Function 05ACCEC0 Relevance: 1.6, APIs: 1, Instructions: 112
libraryCOMMON

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre